Multiple SSL sites, Multiple IP Addresses

    Multiple SSL sites, Multiple IP Addresses  
Harvey Schmidlapp




 
11-19-07 06:37 PM

I've been running an Apache 2.0 server for a while with multiple name-
based virtual sites on port 80 and one SSL site on the same IP
address.  I need to add a second SSL site and I'm having trouble with
the configuration.  I have an available IP Address so that's not a
problem.  In /etc/httpd/conf/httpd.conf I have these lines (among many
others, of course):

NameVirtualHost *:80
NameVirtualHost *:443

Then, in the /etc/httpd/conf.d/sslsite.conf file, I have this:

<VirtualHost *:80>
ServerName              www.foobar.com
Redirect        /       http://www.foobar.com/
</VirtualHost>

<VirtualHost *:443>
DocumentRoot    /path/to/foobar/docs
ServerName      www.foobar.com:443
ServerAdmin     hls@foobar.com
...

That's working right now.

When I tried to add a second SSL server, however, I get the same
certificate for both, (when I can get anything at all).  What I'm
thinking is that the problem comes from the fact that although I have
two public IP Addresses, the router is converting them to the same
private address for use on the server.

To test this, I set everything back to the working (single SSL site)
state.  Then I changed the <VirtualHost *:443> line above to
<VirtualHost 198.162.1.2:443>.  When I restart apache now, it
complains that NameVirtualHost *:443 has no VirtualHosts but I figured
that's okay but maybe not.  When I browse to the site, Firefox gives
me an error message saying:

www.foobar.com has sent an incorrect or unexpected message. Error
Code: -12263

So, that's not right.  What should the VirtualHost line have in it?
The public IP Address behaves the same way (Error -12263).

So, first question -- Is the router and single private address at
least part of my problem?  If so, I'll create a second for the other
site.

Second question -- What should my apache configuration file look like?

--
HHH









    Re: Multiple SSL sites, Multiple IP Addresses  
Harvey Schmidlapp




 
11-19-07 06:37 PM

On Nov 19, 1:21 pm, Harvey Schmidlapp <henryhart...@westat.com> wrote:
> To test this, I set everything back to the working (single SSL site)
> state.  Then I changed the <VirtualHost *:443> line above to
> <VirtualHost 198.162.1.2:443>.

Doh!  When I used 192.168.1.2 instead, which is the correct private
address, it worked.  So, my guess is that I'd just add a second
private address and then set up static NAT to map the public IP
address for the second site to that.  I'll try that.  Sorry for the
bother.  If this is wrong, feel free to jump in and correct me.

--
HHH








    Re: Multiple SSL sites, Multiple IP Addresses  
phantom




 
11-20-07 12:37 PM


"Harvey Schmidlapp" <henryhartley@westat.com> wrote in message
news:f27a7941-ea71-42b9-8e02-29990e318569@f3g2000hsg.googlegroups.com...
> I've been running an Apache 2.0 server for a while with multiple name-
> based virtual sites on port 80 and one SSL site on the same IP
> address.  I need to add a second SSL site and I'm having trouble with
> the configuration.  I have an available IP Address so that's not a
> problem.  In /etc/httpd/conf/httpd.conf I have these lines (among many
> others, of course):
>
> NameVirtualHost *:80
> NameVirtualHost *:443
>
> Then, in the /etc/httpd/conf.d/sslsite.conf file, I have this:
>
> <VirtualHost *:80>
>        ServerName              www.foobar.com
>        Redirect        /       http://www.foobar.com/
> </VirtualHost>
>
> <VirtualHost *:443>
>        DocumentRoot    /path/to/foobar/docs
>        ServerName      www.foobar.com:443
>        ServerAdmin     hls@foobar.com
> ...

You can only properly have one SSL site per IP address, so you need to throw
away any reference to *:443 and use something similar to the following:

NameVirtualHost 1.1.1.1:443
<VirtualHost 1.1.1.1:443>
...
</VirtualHost>

NameVirtualHost 1.1.1.2:443
<VirtualHost 1.1.1.2:443>
...
</VirtualHost>











    Re: Multiple SSL sites, Multiple IP Addresses  
shimmyshack




 
11-21-07 12:31 AM

On Nov 20, 9:12 am, "phantom" <nob...@blueyonder.invalid> wrote:
> "Harvey Schmidlapp" <henryhart...@westat.com> wrote in message
>
> news:f27a7941-ea71-42b9-8e02-29990e318569@f3g2000hsg.googlegroups.com...
>
> You can only properly have one SSL site per IP address, so you need to throw
> away any reference to *:443 and use something similar to the following:
>
> NameVirtualHost 1.1.1.1:443
> <VirtualHost 1.1.1.1:443>
> ...
> </VirtualHost>
>
> NameVirtualHost 1.1.1.2:443
> <VirtualHost 1.1.1.2:443>
> ...
> </VirtualHost>

There's info on how to generate multiple certs for a single IP address
here:
http://wiki.cacert.org/wiki/VhostTaskForce
http://www.cacert.org (which hasn't reached the status of a recognized
Certificate Authority, but is aiming to be included in browsers
soonish) can do it free








    Re: Multiple SSL sites, Multiple IP Addresses  
D. Stussy




 
11-22-07 12:38 PM

"shimmyshack" <matt.farey@gmail.com> wrote in message
news:0d2bd90a-3ccd-4f2c-a369-50ad4a84a586@41g2000hsh.googlegroups.com...
> On Nov 20, 9:12 am, "phantom" <nob...@blueyonder.invalid> wrote: 
>
> There's info on how to generate multiple certs for a single IP address
> here:
> http://wiki.cacert.org/wiki/VhostTaskForce
> http://www.cacert.org (which hasn't reached the status of a recognized
> Certificate Authority, but is aiming to be included in browsers
> soonish) can do it free

BS.  It's not possible to have multiple certificates.  The SSL layer is
negotiated before the application layer - and only the application layer knows
which virtual host is being contacted.  As the certificate DN must match and the
certificate is selected based on IP, there can only be one certificate per IP
address+port.  Wildcarding of the DN may have been proposed but never made it
into the standard - because it weakens security.






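The rule stated in the replies above (the certificate is chosen by IP address and port, before the server knows which hostname was requested) can be checked against a configuration before restarting Apache. This is an added example, not code from any poster in the thread; the sample configuration, the second hostname and the certificate paths are constructed, and it assumes a server without SNI support, such as the Apache 2.0 discussed here.

```python
import re
from collections import defaultdict

# Constructed sample: two SSL sites under the same wildcard address (placeholder names/paths).
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName www.foobar.com:443
    SSLEngine on
    SSLCertificateFile /path/to/foobar.crt
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.org:443
    SSLEngine on
    SSLCertificateFile /path/to/example.crt
</VirtualHost>
"""

OPEN = re.compile(r"<VirtualHost\s+([^>\s]+)[^>]*>", re.I)
CLOSE = re.compile(r"</VirtualHost>", re.I)
DIRECTIVE = re.compile(r"(\w+)\s+(.*\S)$")

def ssl_vhosts(conf):
    """Map each VirtualHost address to its SSL vhosts as (ServerName, cert file)."""
    groups, addr, seen = defaultdict(list), None, {}
    for line in (raw.strip() for raw in conf.splitlines()):
        if not line or line.startswith("#"):
            continue
        opened = OPEN.match(line)
        if opened:
            addr, seen = opened.group(1), {}   # only the first listed address is used
        elif addr is not None and CLOSE.match(line):
            if seen.get("sslengine", "").lower() == "on":
                groups[addr].append((seen.get("servername"),
                                     seen.get("sslcertificatefile")))
            addr = None
        elif addr is not None:
            directive = DIRECTIVE.match(line)
            if directive:
                seen[directive.group(1).lower()] = directive.group(2)
    return dict(groups)

def shared_certificate_findings(conf):
    """Return (address, certificate actually served, shadowed ServerNames) per collision."""
    return [(addr, hosts[0][1], [name for name, _ in hosts[1:]])
            for addr, hosts in ssl_vhosts(conf).items() if len(hosts) > 1]

if __name__ == "__main__":
    print(shared_certificate_findings(SAMPLE_CONF))
```

Any address it reports serves the first listed virtual host's certificate to every name on that address, which is the "same certificate for both" symptom from the original post.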



All times are GMT.