secure.dynaccount.com (Thawte cert)
http://certlogik.com/sslchecker/secure.dynaccount.com/
api.dynaccount.com (self-signed)
http://certlogik.com/sslchecker/api.dynaccount.com/
httpd.conf
# Thawte certified
<VirtualHost 88.198.55.138:443>
ServerName secure.dynaccount.com
DocumentRoot /var/www/dynaccount.com
SSLEngine on
SSLCertificateKeyFile /var/ini/ssl/secure.dynaccount.com/private.key
SSLCertificateFile /var/ini/ssl/secure.dynaccount.com/public.crt
SSLCertificateChainFile /var/ini/ssl/secure.dynaccount.com/intermediate.crt
SSLVerifyDepth 1
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
</VirtualHost>
# self-signed
<VirtualHost 88.198.55.154:443>
ServerName api.dynaccount.com
DocumentRoot /var/www/dynaccount.com
SSLEngine on
SSLCertificateKeyFile /var/ini/ssl/api.dynaccount.com/private.key
SSLCertificateFile /var/ini/ssl/api.dynaccount.com/public.crt
SSLVerifyDepth 0
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
</VirtualHost>
Did you read Apache HTTP docs?
http://httpd.apache.org/docs/2.0/vhosts/name-based.html
Name-based virtual hosting cannot be used with SSL secure servers
because of the nature of the SSL protocol.
You can have one SSL host per IP.
Reason?
SSL connection parameters are set per-vhosts, but must be negotiated before httpd reads host HTTP header.
That makes sense, doesn't it?
UPDATE:
Change SSLCACertificateFile to SSLCertificateChainFile and provide the file in the correct format according to the docs, or disable client cert verification altogether.
Your problem here is that you have the same ServerName twice.
In your 2nd VHost, you should have ServerName api.dynaccount.com and no ServerAlias.
I'm not sure it's the problem, but give it a try :)
edit:
For the "Server could not reliably resolve server name" error, you have to define a ServerName in httpd.conf (not inside a VirtualHost; that will be the default server name).
Related
I'm using Apache as a reverse proxy to redirect all requests. I need to forward client cert details to my apps within the request. For testing purposes, I'm simply trying to attach CN to the forwarded request. This is my conf file (simplified):
<VirtualHost _default_:443>
ServerName localhost
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/ssl/certs/CA.pem
SSLCertificateKeyFile /etc/ssl/private/CA.key
SSLVerifyClient require
SSLVerifyDepth 1
SSLOptions +ExportCertData +StdEnvVars
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
RewriteEngine on
RewriteRule ^ https://%{SERVER_NAME}:8443/myapp?cn=%{SSL_CLIENT_S_DN_CN}
</VirtualHost>
If I navigate to https://localhost the browser asks for a cert, and then I get redirected to:
https://localhost:8443/myapp?cn=
So it appears that it's not reading SSL_CLIENT_S_DN_CN. What am I missing?
EDIT: If I set a request header, e.g.:
RequestHeader set XYZ %{SSL_CLIENT_S_DN_CN}e
I don't see it in dev tools either. So there must be something wrong with my configuration. %{SERVER_NAME} works, %{SSL_CLIENT_S_DN_CN} doesn't.
I am trying to install a certificate for all my subdomains on a GCE VM; here is what I've done so far:
Allow HTTPS traffic is enabled in the VM settings.
I enabled the certificate in Apache and default-ssl.conf looks like this:
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin fadi#domain.com
ServerName domain.com
ServerAlias www.domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
ProxyPreserveHost On
ProxyPass /console https://0.0.0.0:8080/console
ProxyPassReverse /console https://0.0.0.0:8080/console
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
But I still cannot reach my server over https, while I am still able to access it via http, even though I enabled SSL using
sudo a2ensite default-ssl.conf
sudo service apache2 restart
Can someone please help me figure out this issue? The app is actually running on Apache Tomcat but proxied through Apache, if that makes any difference!
443 is the default port used by Compute Engine for its services. Better to use another port like 7443 or 8443; then I guess it will work. I myself faced this issue on Compute Engine with Tomcat and used ports other than the default ones. And also don't forget to mention whatever port you choose in the Firewall Rules section in Networking. Let me know if that works!!
We have a customer that no longer wants SSL client verification in their webapp.
We have an apache2 server in front of JBoss that serves all requests for that webapp.
I have set SSLVerifyClient to none in the Apache config and restarted Apache, and the first landing page does not request the certificate anymore, but there are some other pages inside the application that still request the client certificate.
This happens only in IE; in other browsers it works OK.
Is there some cache in IE that stores something and needs to be cleared? I have already cleared all history data and also the SSL cache, but the problem still persists.
I have to mention that all requests are made to the same CNAME and that CNAME has one VirtualHost setting on the Apache server.
I also have to mention that this happens only when I try to serve some Office files through the application.
The vhost settings are like this:
SSLEngine on
SSLProxyEngine on
SSLProtocol all -SSLv2
SSLOptions +ExportCertData +StdEnvVars
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLVerifyClient none
SSLVerifyDepth 1
SSLCertificateFile /etc/pki/tls/certs/****_wildcard.crt
SSLCertificateKeyFile /etc/pki/tls/private/****_wildcard.key
SSLCACertificateFile /etc/pki/tls/certs/ca_cert_bundle.crt
RequestHeader set X-ClientCert %{SSL_CLIENT_CERT}s
AddDefaultCharset utf-8
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
#ProxyPreserveHost On
ProxyPass / http://****:8080/ retry=0 timeout=600
ProxyPassReverse / http://****:8080/
ServerName ****
So I got an SSL certificate from GoDaddy.
It works for my public site mysite.com.
I would now like to have an SSL connection for administrator.mysite.com.
So I created a self-signed certificate using openssl, because I don't mind managing my own site with a red mark on the lock.
Inside httpd-ssl.conf:
<VirtualHost *:443>
ServerName mysite.com:443
ServerAlias www.mysite.com
DocumentRoot /opt/lampp/htdocs/MySite/
ServerAdmin admin#mysite.com
ErrorLog /opt/lampp/htdocs/MySite/logfiles/ssl_errors.log
TransferLog /opt/lampp/htdocs/MySite/logfiles/ssl_access.log
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /opt/lampp/etc/ssl.crt/mysite.com.crt
SSLCertificateKeyFile /opt/lampp/etc/ssl.key/server_nopwd.key
SSLCertificateChainFile /opt/lampp/etc/ssl.crt/gd_bundle.crt
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog /opt/lampp/htdocs/MySite/logfiles/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/opt/lampp/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>
<VirtualHost *:443>
ServerName administrator.mysite.com:443
DocumentRoot "/opt/lampp/htdocs/"
ServerAdmin admin#mysite.com
ErrorLog /opt/lampp/htdocs/MySite/logfiles/ssl_errors_admin.log
TransferLog /opt/lampp/htdocs/MySite/logfiles/ssl_access_admin.log
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /opt/lampp/etc/ssl.crt/admin.crt
SSLCertificateKeyFile /opt/lampp/etc/ssl.key/admin.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog /opt/lampp/htdocs/MySite/logfiles/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/opt/lampp/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>
And I get this warning:
[warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
What happens is that the administrator host is redirected to the regular host, which is very annoying.
I had the same issue. Strangely, some report it works for them like a charm, but for others it doesn't. I even tried using SNI via the SSLStrictSNIVHostCheck Apache directive, but no luck.
When using the ServerAlias directive with a wildcard domain like e.g. *.snakeoil.com, the order of the VirtualHost configs matters. If the VirtualHost with the wildcard domain alias:
ServerAlias *.snakeoil.com
is the first one, it will be processed first and prevents resolution of the other vhosts. Try reversing the vhosts so that this catch-all is the last one, e.g.:
<IfModule mod_ssl.c>
# first vhost
<VirtualHost *:443>
ServerName vhost1.snakeoil.com
[...]
</VirtualHost>
# second vhost
<VirtualHost *:443>
ServerName vhost2.snakeoil.com
[...]
</VirtualHost>
# Attention!
# All other vhost requests end up here
# Order matters, keep this entry to be the last one
# as a last resort if any of the above don't apply
<VirtualHost *:443>
ServerName snakeoil.com
ServerAlias *.snakeoil.com
[...]
</VirtualHost>
</IfModule>
Worked for me, at least with Apache 2.2.14.
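The answers above make three separate points that are easy to check mechanically: one SSL vhost per IP unless the client sends SNI, a ServerName claimed twice on the same address:port (only the first vhost is ever selected), and a wildcard ServerAlias catch-all that must come last. The posted configs also carry the old default SSLCipherSuite string (LOW, EXP, SSLv2 and RC4 enabled), and the reverse-proxy question under Related reads %{SSL_CLIENT_S_DN_CN} from a RewriteRule, where mod_rewrite runs before mod_ssl has exported the SSL_* environment variables (the documented %{SSL:varname} lookup is the one that works there). The following static auditor is an added example, not code from the thread or from the Apache project: it parses <VirtualHost> blocks and reports each of those conditions. SAMPLE_CONFIG is a constructed input that triggers every check (the snakeoil.com catch-all placed first, as the answer above warns against); the check list and messages are my own.

```python
import fnmatch
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Cipher-string tokens a defender never wants enabled. Only explicit tokens are
# checked; "ALL" also pulls in whatever the linked OpenSSL still offers, so an
# allowlist such as "HIGH:!aNULL:!RC4" is the safer base.
WEAK_CIPHER_TOKENS = {"LOW", "EXP", "EXPORT", "EXPORT40", "EXPORT56",
                      "SSLv2", "RC4", "ADH", "aNULL", "eNULL", "NULL"}
VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.IGNORECASE)
SSL_VAR = re.compile(r"%\{(SSL_[A-Z0-9_]+)\}")

# Constructed sample (not from the page): the *.snakeoil.com catch-all placed
# first, the legacy cipher string from the configs above, client-cert checking
# without a CA bundle, a RewriteRule reading an SSL_* variable, and an alias
# that repeats the first vhost's ServerName.
SAMPLE_CONFIG = """
<VirtualHost *:443>
    ServerName snakeoil.com
    ServerAlias *.snakeoil.com
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SSLVerifyClient require
    RewriteRule ^ https://%{SERVER_NAME}:8443/app?cn=%{SSL_CLIENT_S_DN_CN}
</VirtualHost>
<VirtualHost *:443>
    ServerName vhost1.snakeoil.com
    ServerAlias snakeoil.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!RC4
</VirtualHost>
"""

def parse_vhosts(config: str) -> List[Tuple[str, Dict[str, List[str]]]]:
    """[(listen_spec, {directive: [args...]})] in file order; joins backslash
    continuations, drops comments, flattens nested <Directory>-style sections."""
    vhosts, current, pending = [], None, ""
    for raw in config.splitlines():
        line, pending = (pending + " " + raw.strip()).strip(), ""
        if line.endswith("\\"):
            pending = line[:-1].rstrip()
        elif not line or line.startswith("#"):
            continue
        elif VHOST_OPEN.match(line):
            current = (VHOST_OPEN.match(line).group(1).strip().lower(), defaultdict(list))
            vhosts.append(current)
        elif line.lower() == "</virtualhost>":
            current = None
        elif current is not None and not line.startswith("<"):
            name, _, args = line.partition(" ")
            current[1][name.lower()].append(args.strip())
    return vhosts

def enabled_weak_ciphers(spec: str) -> Set[str]:
    """Weak tokens the spec enables, i.e. not prefixed with '!' or '-'."""
    bad: Set[str] = set()
    for item in spec.split(":"):
        if not item.startswith(("!", "-")):
            bad |= set(item.lstrip("+").split("+")) & WEAK_CIPHER_TOKENS
    return bad

def audit(config: str) -> List[str]:
    """Run every check and return human-readable findings."""
    findings: List[str] = []
    sockets: Dict[str, list] = defaultdict(list)  # listen spec -> (n, name, names, ssl_on)
    for n, (sock, d) in enumerate(parse_vhosts(config), start=1):
        sname = d["servername"][0].split(":")[0].lower() if d["servername"] else f"unnamed#{n}"
        names = [sname] + [a.lower() for args in d["serveralias"] for a in args.split()]
        label = f"vhost #{n} ({sname}, {sock})"
        sockets[sock].append((n, sname, names, any(v.lower() == "on" for v in d["sslengine"])))
        for spec in d["sslciphersuite"]:
            if enabled_weak_ciphers(spec):
                findings.append(f"{label}: SSLCipherSuite enables weak tokens {sorted(enabled_weak_ciphers(spec))}")
        for spec in d["sslprotocol"]:
            if "all" in spec.lower().split() and "-sslv3" not in spec.lower().split():
                findings.append(f"{label}: SSLProtocol '{spec}' does not disable SSLv3")
        if any(v.lower() in ("require", "optional") for v in d["sslverifyclient"]) and not (
                d["sslcacertificatefile"] or d["sslcacertificatepath"]):
            findings.append(f"{label}: SSLVerifyClient set but no SSLCACertificateFile/Path to verify against")
        for directive in ("rewriterule", "rewritecond"):
            for var in (v for args in d[directive] for v in SSL_VAR.findall(args)):
                findings.append(f"{label}: {directive} reads %{{{var}}} before mod_ssl exports it; use %{{SSL:{var}}}")
    for sock, entries in sockets.items():
        ssl_on = [e for e in entries if e[3]]
        if len(ssl_on) > 1:
            findings.append(f"{sock}: {len(ssl_on)} SSL vhosts on one address:port need client SNI; "
                            f"non-SNI clients always get vhost #{ssl_on[0][0]}")
        seen: Dict[str, int] = {}
        for n, _, names, _ in entries:
            for name in names:
                if seen.setdefault(name, n) != n:
                    findings.append(f"{sock}: '{name}' is claimed by vhost #{seen[name]} and #{n}; only the first is selected")
        for pos, (n, _, names, _) in enumerate(entries):
            for wild in (w for w in names if "*" in w or "?" in w):
                for later_n, later_name, _, _ in entries[pos + 1:]:
                    if fnmatch.fnmatchcase(later_name, wild):
                        findings.append(f"{sock}: wildcard '{wild}' in vhost #{n} shadows later vhost #{later_n} ({later_name}); move the catch-all last")
    return findings
```

Run `audit(open("/etc/httpd/conf.d/ssl.conf").read())` against a real file to get the findings list; on SAMPLE_CONFIG it reports the weak cipher tokens, the protocol line that still allows SSLv3, the client-cert verification with nothing to verify against, the RewriteRule variable, the two SSL vhosts sharing *:443, the duplicated snakeoil.com name, and the catch-all shadowing vhost1.snakeoil.com. The cipher check is deliberately token-based rather than asking the local OpenSSL what ALL expands to, so the result does not depend on which library the auditing machine has.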
That should work fine for newer browsers, although it might be worth checking your htaccess rules in case one of them is inadvertently redirecting admin.mysite.com to mysite.com.
The warning message you're getting is explained more here: https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI (essentially older browsers can only view the default virtualhost).
We've got multiple subdomains, each with its own virtualhost entry in httpd.conf and (for those supporting https) in ssl.conf as well. Our main www subdomain has a GoDaddy cert associated with it. The subdomain I'm configuring right now on our dev server ("api.bulbstorm.com") has an ssl.conf virtualhost entry that looks like this:
<VirtualHost 172.16.247.153:443>
DocumentRoot "/var/www/api"
ServerName api.bulbstorm.com:443
ErrorLog logs/api-error_log
CustomLog logs/api-access_log common
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCertificateFile /var/www/certs/api/server.crt
SSLCertificateKeyFile /var/www/certs/api/server.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
<Directory "/var/www/api">
Options +FollowSymLinks
RewriteEngine On
AllowOverride All
Order allow,deny
Allow from all
</Directory>
php_value include_path "/var/www/inc"
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
... the crt & key files in /var/www/certs/api/ were generated using openssl per instructions found here.
The api subdomain originally pointed to the godaddy cert for the www subdomain. But even though I've changed the virtualhost entry associated with the api subdomain to point to the self-signed certificate/key pair (and have restarted httpd, completely cleared browser settings related to the previous exception for the godaddy cert, etc.) browsers are still throwing warnings saying that the cert is for the www domain. When I look at the cert the browsers are pulling it looks like they're still getting the godaddy cert.
Higher up in the ssl.conf file there are these lines:
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
This cert/key pair is different from the GoDaddy cert/key pair referenced in the virtualhost entry for the www subdomain, which looks like this:
SSLCertificateFile /etc/www.bulbstorm.com_ssl/www.bulbstorm.com.crt
SSLCertificateKeyFile /etc/www.bulbstorm.com_ssl/www.bulbstorm.com.key
SSLCertificateChainFile /etc/www.bulbstorm.com_ssl/gd_intermediate_bundle.crt
Any light that anyone can shed on the issue I'm having will be appreciated.
The "answer" to this question was to repost it on serverfault.com.
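The browser warning in the post above ("the cert is for the www domain") is a hostname-versus-certificate mismatch: whichever vhost Apache picks for the request, the client checks the presented certificate's subjectAltName entries against the name it asked for, and api.bulbstorm.com is not among them. The following helper is an added example, not code from the thread: it applies the name-matching rules browsers use (subjectAltName first, CN only as a fallback, a wildcard only as the whole left-most label matching exactly one label) to a certificate in the dict shape Python's ssl getpeercert() returns, and says why a name is rejected. WWW_CERT is a constructed sample modelled on the situation described; fetch_peer_cert is an added helper that performs the SNI handshake against a live server with the system trust store, so a self-signed certificate raises rather than being silently accepted.

```python
import socket
import ssl
from typing import Dict, List, Optional

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns, modelled
# on the post above: a certificate issued for the www name and the bare domain.
WWW_CERT: Dict = {
    "subject": ((("countryName", "US"),), (("commonName", "www.bulbstorm.com"),)),
    "subjectAltName": (("DNS", "www.bulbstorm.com"), ("DNS", "bulbstorm.com")),
}


def cert_dns_names(cert: Dict) -> List[str]:
    """Names the certificate is valid for. Browsers use subjectAltName only;
    the subject CN is a fallback solely when the cert carries no DNS SANs."""
    sans = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 wildcard rules: '*' must be the entire left-most label, matches
    exactly one label, and is not accepted for a bare second-level name."""
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(cert: Dict, hostname: str) -> bool:
    """True when the certificate is valid for hostname (case- and trailing-dot-insensitive)."""
    host = hostname.lower().rstrip(".")
    return any(name_matches(p, host) for p in cert_dns_names(cert))


def explain(cert: Dict, hostname: str) -> str:
    """One-line verdict suitable for a monitoring check or a ticket."""
    names = cert_dns_names(cert)
    if cert_covers(cert, hostname):
        return f"{hostname}: OK, covered by {names}"
    return f"{hostname}: MISMATCH, certificate is only valid for {names}"


def fetch_peer_cert(host: str, port: int = 443, server_name: Optional[str] = None,
                    timeout: float = 5.0) -> Dict:
    """Handshake with the given SNI name and return the verified leaf cert as a
    dict. Verification uses the system trust store, so a self-signed cert
    raises ssl.SSLCertVerificationError instead of being silently accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # the name check is done by cert_covers(), with a reason
    with socket.create_connection((host, port), timeout=timeout) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=server_name or host) as tls:
            return tls.getpeercert()
```

Against a live host, `explain(fetch_peer_cert("203.0.113.10", server_name="api.example.com"), "api.example.com")` (placeholder address and name) shows which certificate that IP actually serves for that SNI name and whether it covers it, which is the question the post is really asking; with the constructed WWW_CERT, `explain(WWW_CERT, "api.bulbstorm.com")` reports the mismatch and lists the two names the certificate does carry.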