SSL Vhost Problems: Please help
Mewbie Mewbie
mewbie for mewbies
Member since Jun 24, 2009
Forum Posts: 2
I didn't want to mess up your post with newbie questions as it's a very informative post. Hope that is OK.
I feel I'm over thinking this, just confused and have been trying literally for weeks to get this to work. Here goes:
I'm running remotely: Linux Debian / apache2-mpm-prefork 2.2.9-10+lenny2
Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0 Server at ********* Port 80
I have been trying to install AjaxTerm (www page can access your nix box via terminal window): http://antony.lesuisse.org/software/ajaxterm/
Once it's installed properly it can be accessed at:
http://localhost:8022 (works for me using lynx)
https://yoursite.com:8022 (doesn't work)
I have followed a variety of tutorials:
https://help.ubuntu.com/community/AjaxTerm
and:
https://svn.kirya.net/filedetails.php?repname=ajaxterm&path=%2Ftrunk%2Fdebian%2FREADME.Debian&rev=96&sc=1
and every post I can find out there....
It either makes the entire site stop working (except Tomcat on port 8080), or redirects the entire site to a non-working AjaxTerm page (except Tomcat on port 8080).
With the last URL (kirya) I get this error in the apache2 logs:
[Tue Jun 23 10:20:36 2009] [warn] Init: SSL server IP/port conflict: localhost:443 (/etc/apache2/sites-enabled/ajaxterm:4) vs. mysite.org:443 (/etc/apache2/sites-enabled/ssl:1)
[Tue Jun 23 10:20:36 2009] [warn] Init: You should not use name-based virtual hosts in conjunction with SSL!!
and then hundreds of these errors:
[Tue Jun 23 10:20:36 2009] [notice] child pid 27477 exit signal Segmentation fault (11)
So that error is what brought me here on google searching. From what I understand in the SSL Vhost Problems post in this forum:
1 IP can host multiple domains.
But what if, like me, it's 1 IP and 1 domain. On the post it says:
ServerName webmail.example.com
....
ServerName secure.example.com
Now, are these domains you must own? Or can you put any name, and it's just for the config to reference?
I don't 'own' any domain names, I just have a free domain name from DynDNS that I use, and it works fine.
Confusing, as I never read about anyone needing to do this in any AjaxTerm post that I could find. It was all about adding those configs only.
(btw I have posted about my AjaxTerm problems at 4-5 forums.. all unanswered :( and from what I see it's not an AjaxTerm problem, but putting the proper configs in the 000-default file or the SSL file, or creating a new sites-enabled file like in the kirya site tutorial)
These are some of the changes I have done for this:
As per Ubuntu tutorial:
pico /etc/apache2/sites-enabled/ssl
This section had this:
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
<Directory />
Changed it to:
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
SetEnvIf Request_URI "^/u" dontlog
ErrorLog /var/log/apache2/error.log
Loglevel warn
ProxyRequests Off
<Proxy *>
AuthUserFile /srv/ajaxterm/.htpasswd
AuthName EnterPassword
AuthType Basic
require valid-user
Order Deny,allow
Allow from all
</Proxy>
ProxyPass / http://localhost:8022/
ProxyPassReverse / http://localhost:8022/
<Directory />
=============================================
As per kirya site:
pico /etc/apache2/sites-available/ajaxterm (makes a new file)
add these lines:
Listen 443
NameVirtualHost *:443
<VirtualHost *:443>
ServerName mysite.org
SSLEngine On
SSLCertificateKeyFile /etc/apache2/ssl/apache.pem
SSLCertificateFile /etc/apache2/ssl/apache.pem
# Suppresses the Via header
ProxyVia Off
# Do not flood the log
#CustomLog /var/log/apache2/access.log combined env=!dontlog
#SetEnvIf Request_URI "^/ajaxterm/u" dontlog
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass /ajaxterm/ http://localhost:8022/
ProxyPassReverse /ajaxterm/ http://localhost:8022/
</VirtualHost>
Then enable it by: a2ensite ajaxterm
Thank you very much for your time and help :D !
PS. I use a self-signed certificate that I made by doing (as per a post on Ubuntu):
mkdir /etc/apache2/ssl
/usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
I made a typo in my site's name (though my https does work).
When I try to repeat those steps to fix it I get permission denied. Is there a way to edit it, or should I just delete 'apache.pem' and then find another method to make this cert so I have the option to add wildcard names?
(I have no idea where it put the .key & .crt files I have read about, but like I say https does work)
I'm thinking to use this method for a new cert if you think this will work:
http://blog.bodhizazen.net/linux/ssl-certificate-with-virtual-hosts/
Edited one time. Last edit by Mewbie Mewbie on Jun 14, 2010 at 6:04:12 PM (about one year ago).
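The two configs above both put a second <VirtualHost *:443> on an IP:port that /etc/apache2/sites-enabled/ssl already owns, and the kirya one also adds its own "Listen 443". The following is an added example, not code from the thread, from AjaxTerm or from either tutorial. It writes one merged *:443 vhost that keeps the existing site and proxies only the /ajaxterm/ prefix to the local AjaxTerm listener, gated by HTTP Basic auth, and then lints sites-enabled for the conditions behind the two warnings quoted in the post. Assumptions not stated on the page: Debian's /etc/apache2/ports.conf already contains "Listen 443"; the combined key+certificate is /etc/apache2/ssl/apache.pem and the htpasswd file is /srv/ajaxterm/.htpasswd (both paths taken from the posted configs); the hostname and the file name ajaxterm-ssl are placeholders. Note that https://yoursite.com:8022 cannot work in any case: AjaxTerm speaks plain HTTP on 8022, which is exactly why the proxy on 443 is there.

```shell
#!/bin/sh
# Added example (not from the thread, AjaxTerm or the tutorials): one merged
# *:443 vhost plus a lint of sites-enabled for the conditions behind the
# "SSL server IP/port conflict" warning quoted in the post.
# Assumptions: ports.conf already has "Listen 443"; key+cert live in
# /etc/apache2/ssl/apache.pem; htpasswd file is /srv/ajaxterm/.htpasswd.

# write_ajaxterm_vhost DIR SERVERNAME  -> writes DIR/ajaxterm-ssl
write_ajaxterm_vhost() {
    dir=$1; name=$2
    cat > "$dir/ajaxterm-ssl" <<EOF
# No "Listen 443" here: ports.conf already listens on 443 (assumption); a
# second Listen for the same address:port fails to bind on Apache 2.2
# ("Address already in use") and the whole server shuts down.
# No NameVirtualHost *:443 either: one IP, one hostname, one certificate.
<VirtualHost *:443>
    ServerName $name
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/
    SSLEngine On
    SSLCertificateFile    /etc/apache2/ssl/apache.pem
    SSLCertificateKeyFile /etc/apache2/ssl/apache.pem

    ProxyRequests Off
    ProxyVia Off
    # A web terminal is a shell on the box: gate it behind Basic auth, which
    # is only acceptable because TLS keeps the credentials off the wire.
    <Proxy *>
        Order deny,allow
        Allow from all
        AuthType Basic
        AuthName "AjaxTerm"
        AuthUserFile /srv/ajaxterm/.htpasswd
        Require valid-user
    </Proxy>
    # Proxy only the /ajaxterm/ prefix; "ProxyPass /" hands the whole site to
    # AjaxTerm, which is the "redirects entire site" symptom in the post.
    ProxyPass        /ajaxterm/ http://localhost:8022/
    ProxyPassReverse /ajaxterm/ http://localhost:8022/

    # AjaxTerm polls /ajaxterm/u continuously; keep that out of the access log.
    SetEnvIf Request_URI "^/ajaxterm/u" dontlog
    CustomLog /var/log/apache2/ssl_access.log combined env=!dontlog
    ErrorLog  /var/log/apache2/error.log
    LogLevel  warn
</VirtualHost>
EOF
}

# lint_ssl_vhosts DIR: return non-zero when the enabled sites contain what
# produced the warnings in the post: more than one SSL vhost on :443 (the
# "IP/port conflict": mod_ssl must pick the certificate from IP:port before it
# has seen any Host header), a NameVirtualHost *:443 (name-based SSL hosting,
# which mod_ssl warns about), or a stray "Listen 443" in a site file.
lint_ssl_vhosts() {
    dir=$1
    vh=$(cat "$dir"/* 2>/dev/null | grep -ciE '^[[:space:]]*<VirtualHost[^>]*:443>' || true)
    nvh=$(cat "$dir"/* 2>/dev/null | grep -ciE '^[[:space:]]*NameVirtualHost[^[:space:]]*:443' || true)
    lst=$(cat "$dir"/* 2>/dev/null | grep -ciE '^[[:space:]]*Listen[[:space:]]+([0-9.]+:)?443[[:space:]]*$' || true)
    rc=0
    if [ "$vh" -gt 1 ]; then echo "conflict: $vh SSL vhosts on :443, only one can own the port"; rc=1; fi
    if [ "$nvh" -gt 0 ]; then echo "NameVirtualHost *:443 present: name-based SSL vhosts"; rc=1; fi
    if [ "$lst" -gt 0 ]; then echo "Listen 443 repeated in a site file (ports.conf already has it)"; rc=1; fi
    if [ "$rc" -eq 0 ]; then echo "ok: a single SSL vhost owns :443"; fi
    return $rc
}

# On the server, as root:
#   htpasswd -c /srv/ajaxterm/.htpasswd someuser      # from apache2-utils
#   write_ajaxterm_vhost /etc/apache2/sites-available mysite.org
#   a2dissite ssl; a2dissite ajaxterm; a2ensite ajaxterm-ssl
#   lint_ssl_vhosts /etc/apache2/sites-enabled && apache2ctl configtest
#   /etc/init.d/apache2 restart
```

After the restart, `apache2ctl -S` should list exactly one vhost for port 443, and `netstat -lnt | grep 8022` should show AjaxTerm bound to 127.0.0.1 only, so the only way in is through the authenticated HTTPS proxy at https://mysite.org/ajaxterm/.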
Aleksandar Gargenta, CTO
Marakana, Inc.
Member since Jan 19, 2007
Location: San Francisco
Forum Posts: 47
Mewbie,
I am not sure what exactly is your question.
But, as far as Apache's warning (not an error) goes:
Init: You should not use name-based virtual hosts in conjunction with SSL!!
that's because SSL (actually TLS) sits below HTTP on the protocol stack.
To establish an SSL connection the server needs to know which certificate to send to the client. But the server can only determine this based on the protocols below SSL (IP-address and TCP-port) and not protocols above it (HTTP-server name).
The only time you can use SSL in conjunction with the name-based virtual hosting is when you use wild-card certificates (e.g. *.example.com), but even then, Apache will give you the same warning - though everything will work fine.
So, unless you are planning on using a wild-card cert, I suggest you configure Apache for IP or port-based virtual hosting.
Mewbie Mewbie
mewbie for mewbies
Member since Jun 24, 2009
Forum Posts: 2
Thank you Aleksandar Gargenta for your reply and time! You lit up my day :) , seriously. I've become quite down about this whole thing.
haha, understandable, sorry.. I think my post is sprinkled with too many questions as I'm confused and feeling overwhelmed with trying to get AjaxTerm to work for almost a month.
Mainly I just want my AjaxTerm to work. But because of the error I got it brought me here and now more confused as all example configs given for AjaxTerm do not mention about having more than 1 domain etc.
I don't 'own' any domain names, I just have a free domain name from DynDNS that I use, and it works fine. You see, I have 1 IP with 1 domain but need 2 sections in the config files that both state port 443. I can get more free domain names if you say I need them.
So my questions would be, as per the example config you give:
ServerName webmail.example.com
....
ServerName secure.example.com
1. Now, are these domains you must have, or are they just any made-up names, just for the apache2 config to cross-reference in the cert files?
2. Would you please, please look at my configs I have posted above to see why this isn't working? They both make my site stop working. I have tried so many configs and methods, and none work :( and it seems impossible to find someone who understands this. What am I doing wrong? I'm almost in tears trying to get this to work. All the posts where people have got their AjaxTerm to work either 1. don't work for me or 2. they say 'oh I got it to work', but never post how, even when asked. :( I just know the answer lies in those darn configs…
3. Do I even need to use multiple vhosts/ServerNames for AjaxTerm/those configs to work? (If not, I'm still curious about question #1.)
4. Because of the typo I made while making my cert, is it safe to delete 'apache.pem' and make a new cert? (I can not find a .cert or .key file, so I presume it's bundled with the .pem file). I don't want to make my site stop working because of a mistake I can't go back and fix.
At this point I would like to make a wildcard cert for the simple reasons of understanding it and I might need in future even if I do not need it for AjaxTerm.
Thank you again!
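Two things in this exchange lend themselves to a worked example: Aleksandar's point that a certificate is chosen per IP:port and that only a wild-card name such as *.example.com covers several hostnames on one address, and the questions about the combined apache.pem and the CN typo. The block below is an added example, not code from the thread or from Debian's ssl-cert package. It shows what make-ssl-cert's single apache.pem contains (private key and certificate in one file, which is why there is no separate .key or .crt), regenerates a self-signed certificate with the name actually served, reads the CN back out, and checks whether a certificate name covers a hostname, including the one-label wild-card rule. Assumptions: openssl(1) is on PATH; paths follow the post; hostnames like mysite.org are placeholders. One caveat outside the thread: mod_ssl from Apache 2.2.12 onwards, with an OpenSSL built with TLS extension support, can select a certificate by hostname through SNI, but the poster's 2.2.9 predates that, so Aleksandar's description applies as written.

```shell
#!/bin/sh
# Added example (not from the thread or the ssl-cert package): inspect and
# regenerate the combined key+certificate PEM, and check which hostnames a
# certificate name (plain or *.example.com wild-card) actually covers.
# Assumptions: openssl(1) on PATH; placeholder names and paths from the post.

# pem_parts FILE: print "<certificates> <private keys>" found in a PEM bundle.
# make-ssl-cert writes both into the one apache.pem, so this prints "1 1".
pem_parts() {
    c=$(grep -c 'BEGIN CERTIFICATE' "$1" || true)
    k=$(grep -c 'BEGIN.*PRIVATE KEY' "$1" || true)
    echo "$c $k"
}

# cert_cn FILE: Common Name of the certificate in FILE (the key block is skipped)
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//; s/.*CN=//; s/,.*//'
}

# make_selfsigned OUT CN [DAYS]: key + certificate in one PEM, the same layout
# make-ssl-cert produces; created under umask 077 because it holds the key.
make_selfsigned() {
    out=$1; cn=$2; days=${3:-3650}
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days "$days" -subj "/CN=$cn" \
          -keyout "$out" -out "$out.crt" 2>/dev/null )
    cat "$out.crt" >> "$out" && rm -f "$out.crt"
}

# name_matches PATTERN HOST: 0 if HOST is covered by PATTERN (case-insensitive).
# A wild-card covers exactly one label: *.example.com covers webmail.example.com
# and secure.example.com, but neither example.com nor a.b.example.com.
name_matches() {
    pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $pat in
        '*.'*)
            suffix=${pat#\*}                         # ".example.com"
            head=${host%"$suffix"}                   # host with suffix removed
            [ "$head" != "$host" ] || return 1       # suffix not present
            [ -n "$head" ] || return 1               # nothing before the dot
            case $head in *.*) return 1 ;; esac      # more than one label
            return 0 ;;
        *)  [ "$pat" = "$host" ] ;;
    esac
}

# On the server, as root (a "permission denied" from make-ssl-cert usually
# means the shell was not root; the file it wrote is root-owned, mode 0600):
#   cp /etc/apache2/ssl/apache.pem /etc/apache2/ssl/apache.pem.bak
#   make_selfsigned /etc/apache2/ssl/apache.pem mysite.org
#   pem_parts /etc/apache2/ssl/apache.pem        # prints "1 1"
#   cert_cn   /etc/apache2/ssl/apache.pem        # prints mysite.org
#   apache2ctl configtest && /etc/init.d/apache2 restart
```

Because the same apache.pem is named by both SSLCertificateFile and SSLCertificateKeyFile, replacing it and restarting Apache is all that is needed; keeping the .bak lets you roll back if configtest complains. Browsers will still warn about a self-signed certificate, typo or not; what the CN fix buys you is that the name in the warning matches the site you are actually visiting.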