Apache ssl questions for experts

Hi,

I have configured apache 2.0.59 with mod_ssl to set up a proxy to my app server. Incoming traffic https, outgoing http. The listen port for the ssl port is 8050, not 443. When I start the server and test it I get an error message. I googled for it and found the following explanation.

Your error: "[Hint: Subject CN in certificate not server name or
identical to CA!?]"

means: the Common Name in the certificate is not the same as the
ServerName in the URL - e.g. the certificate belongs to abcdef.com
but you are using it in a server whose URL is uvwxyz. This makes
the browser think your site is impersonating another site and so throws
a warning.

But what do I have to do to solve it?

Cheers
Markus

You should regenerate your Apache server cert to reflect the hostname people will use to access it in the URL.

However, note that if your setup requires name-based virtual hosting this will not work. Make sure you read the following two FAQs and that your case does not apply:

http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts2
SSL/TLS Strong Encryption: FAQ - Apache HTTP Server

Hi,

here my configuration:

The simple question is: is this possible or not?

----------------------

#SSL PORT 1, LISTENS ON BOTH INTERFACES TO MAKE A LATER MIGRATION EASIER
Listen web1.service.de2.sp.somecompany.com:58401
Listen web1-fe.service.de2.sp.somecompany.com:58401
NameVirtualHost web1.service.de2.sp.somecompany.com:58401
NameVirtualHost web1-fe.service.de2.sp.somecompany.com:58401

#SSL PORT 2, LISTENS ON BOTH INTERFACES TO MAKE A LATER MIGRATION EASIER
Listen web1-fe.service.de2.sp.somecompany.com:58406
Listen web1.service.de2.sp.somecompany.com:58406
NameVirtualHost web1.service.de2.sp.somecompany.com:58406
NameVirtualHost web1-fe.service.de2.sp.somecompany.com:58406

######################################################################
###
### Host for HTTPS access
###

<VirtualHost web1.service.de2.sp.somecompany.com:58401 web1-fe.service.de2.sp.somecompany.com:58401>

ServerName service-lit-uk.sp.somecompany.com

SSLEngine on

LogLevel warn

ErrorLog "|/opt/SP/apacheas/current/bin/rotatelogs \
/opt/SP/apacheas/current/logs/http_error_58401_log.%Y%m%d%H%M 600 120"

CustomLog "|/opt/SP/apacheas/current/bin/rotatelogs \
/opt/SP/apacheas/current/logs/http_access_58401_log.%Y%m%d%H%M 600 120" combined

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

ProxyPass / http://l1-v10.service.de2.sp.somecompany.com:8081/
ProxyPassReverse / http://l1-v10.service.de2.sp.somecompany.com:8081/
ProxyHTMLURLMap http://l1-v10.service.de2.sp.somecompany.com:8081/ /
RequestHeader unset Accept-Encoding

SSLCertificateFile /opt/SP/apacheas/current/conf/service-uk.crt/service-uk.cer
SSLCertificateKeyFile /opt/SP/apacheas/current/conf/service-uk.crt/service-uk.key
SSLProtocol -all +TLSv1 +SSLv3

</VirtualHost>

##################################
###
### Host for OTHER Trigger
###
<VirtualHost web1.service.de2.sp.somecompany.com:58406 web1-fe.service.de2.sp.somecompany.com:58406>

ServerName service-lit-uk.sp.somecompany.com

SSLEngine on

LogLevel warn

ErrorLog "|/opt/SP/apacheas/current/bin/rotatelogs \
/opt/SP/apacheas/current/logs/http_error_58406.%Y%m%d%H%M 600 120"

CustomLog "|/opt/SP/apacheas/current/bin/rotatelogs \
/opt/SP/apacheas/current/logs/http_access_58406.%Y%m%d%H%M 600 120" combined

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

RequestHeader unset Accept-Encoding

ProxyPass / http://l1-v10.service.de2.sp.somecompany.com:8050/
ProxyPassReverse / http://l1-v10.service.de2.sp.somecompany.com:8050/
ProxyHTMLURLMap http://l1-v10.service.de2.sp.somecompany.com:8050/ /

SSLCertificateFile /opt/SP/apacheas/current/conf/service-uk.crt/service-uk.cer
SSLCertificateKeyFile /opt/SP/apacheas/current/conf/service-uk.crt/service-uk.key
SSLCACertificateFile /opt/SP/apacheas/current/conf/service-uk.crt/ca.cer
SSLProtocol -all +TLSv1 +SSLv3

</VirtualHost>

------------------------------------

I think your case matches the name-based virtual hosting scenario mentioned in the FAQ, and dedicated SSL is only possible if you can switch to IP-based virtual hosting (that means multiple IP addresses, one for each virtual host).
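As an added example, not code from anyone in this thread, the script below does the two things the replies recommend: it regenerates a self-signed server certificate whose CN and subjectAltName equal the Apache ServerName (first reply), and it lints a table of SSL vhosts for two problems, a certificate that does not carry the ServerName of the vhost it is configured in, and several distinct certificates sharing one address:port, which is the name-based SSL hosting the FAQ says Apache 2.0 cannot do (last reply). The ServerName service-lit-uk.sp.somecompany.com and the port numbers are taken from the thread; the 192.0.2.x addresses, the example.net names, the vhost table and the file names are constructed for the demo. It needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not code from the thread: regenerate a server certificate so
# that its CN and subjectAltName equal the Apache ServerName, then lint a
# table of SSL vhosts for (1) certificate name vs ServerName mismatches and
# (2) several distinct certificates on one address:port (name-based SSL
# hosting). Addresses, example.net names and file names are assumptions.
set -u
WORKDIR=$(mktemp -d)

# make_cert HOSTNAME OUTPREFIX: self-signed key + cert with CN and SAN = HOSTNAME
make_cert() {
    host=$1; out=$2
    cat > "$out.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$out.key" -out "$out.cer" \
        -config "$out.cnf" -extensions v3_req >/dev/null 2>&1 || return 1
}

# cert_cn CERTFILE: print the subject Common Name
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

# cert_has_san CERTFILE HOSTNAME: true if HOSTNAME is a DNS subjectAltName entry
cert_has_san() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$2"
}

# name_matches CERTFILE HOSTNAME: the hostname check a client applies
# (SAN entry, or CN for old clients that still fall back to it)
name_matches() {
    cert_has_san "$1" "$2" || [ "$(cert_cn "$1")" = "$2" ]
}

# Certificates for the demo. The third one is deliberately issued for the
# wrong name so the lint has a mismatch to report.
make_cert service-lit-uk.sp.somecompany.com "$WORKDIR/service-uk"
make_cert shop.example.net                  "$WORKDIR/shop"
make_cert old.example.net                   "$WORKDIR/intranet"

# Constructed vhost table: address:port  ServerName  SSLCertificateFile
VHOSTS="192.0.2.10:58401 service-lit-uk.sp.somecompany.com $WORKDIR/service-uk.cer
192.0.2.10:58406 service-lit-uk.sp.somecompany.com $WORKDIR/service-uk.cer
192.0.2.10:443 shop.example.net $WORKDIR/shop.cer
192.0.2.10:443 intranet.example.net $WORKDIR/intranet.cer"

# lint_vhosts: one MISMATCH line per vhost whose cert does not carry its
# ServerName, one CONFLICT line per address:port that serves several certs
lint_vhosts() {
    printf '%s\n' "$VHOSTS" | while read -r addr name cert; do
        name_matches "$cert" "$name" \
            || echo "MISMATCH $addr ServerName=$name but certificate CN=$(cert_cn "$cert")"
    done
    printf '%s\n' "$VHOSTS" | awk '
        !seen[$1, $3]++ { certs[$1]++ }
        END { for (a in certs) if (certs[a] > 1)
                  print "CONFLICT " a " serves " certs[a] " certificates: needs one IP per vhost" }'
}

lint_vhosts
```

Apache does not read the VHOSTS table; fill it from your own Listen, ServerName and SSLCertificateFile lines and point it at the real certificate files. The CN fallback in name_matches is there for old clients; current browsers only look at the subjectAltName, so a regenerated certificate must carry the ServerName there, not just in the CN.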