Multiple SSL certificates Apache2

Tag: apache , ssl , certificate , virtualhost Author: ZHANGRUIFANG1371 Date: 2012-03-12

secure.dynaccount.com (Thawte cert) http://certlogik.com/sslchecker/secure.dynaccount.com/

api.dynaccount.com (self-signed) http://certlogik.com/sslchecker/api.dynaccount.com/

httpd.conf

# Thawte certified
<VirtualHost 88.198.55.138:443>
    ServerName secure.dynaccount.com
    DocumentRoot /var/www/dynaccount.com

    SSLEngine on
    SSLCertificateKeyFile /var/ini/ssl/secure.dynaccount.com/private.key
    SSLCertificateFile /var/ini/ssl/secure.dynaccount.com/public.crt
    SSLCertificateChainFile /var/ini/ssl/secure.dynaccount.com/intermediate.crt
    SSLVerifyDepth 1
    SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
</VirtualHost>

# self-signed
<VirtualHost 88.198.55.154:443>
    ServerName api.dynaccount.com
    DocumentRoot /var/www/dynaccount.com

    SSLEngine on
    SSLCertificateKeyFile /var/ini/ssl/api.dynaccount.com/private.key
    SSLCertificateFile /var/ini/ssl/api.dynaccount.com/public.crt
    SSLVerifyDepth 0
    SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
</VirtualHost>

Not a programming question -> voted to move to ServerFault.

Other Answer1

Did you read Apache HTTP docs?

http://httpd.apache.org/docs/2.0/vhosts/name-based.html

Name-based virtual hosting cannot be used with SSL secure servers because of the nature of the SSL protocol.

You can have one SSL host per IP.

Reason?

SSL connection parameters are set per vhost, but must be negotiated before httpd reads the Host HTTP header.

That makes sense, doesn't it?

UPDATE:

Change SSLCACertificateFile to SSLCertificateChainFile and provide the file in the correct format according to the docs, or disable client cert verification altogether.

comments:

You didn't mention that you use SNI. Do you have an SNI-capable Apache running?
I'm not sure. I have updated my question with the openssl info. I don't know how to check if the TLS extension is enabled, or the other two prerequisites.
Based on the docs, OpenSSL must have the enable-tlsext option compiled in. From your openssl version I can't see it, so probably not.
OK, I now have an additional IP available. But when I restart the server I get an error. If api.dynaccount.com is commented out there are no errors.

Other Answer2

Your problem here is that you have the same ServerName twice.

In your 2nd VHost, you should have ServerName api.dynaccount.com and no ServerAlias.

I'm not sure it's the problem, but give it a try :)

edit: For the "Server could not reliably resolve server name" error, you have to define a ServerName in httpd.conf (not in a VirtualHost; that will be the default server name).

comments:

The error about the ServerName still pops up.
The 2 notices? I also have them, don't worry too much about this one. I think it's because you use an asterisk to define the VirtualHost (as I do), and Apache doesn't like it too much. So far it has understood it anyway, so I keep using it & it works.
I've found how to fix it, see my updated answer.
Still doesn't work.
@haltanbush > Apache won't even start, so I can't ignore it.
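Added example, not code from the question or from either answer: a small Python checker that reads httpd.conf-style VirtualHost blocks and flags the conditions the two answers point at, more than one SSL vhost bound to the same IP:port (which only works with SNI on httpd, OpenSSL and the clients) and a ServerName used twice, plus SSLCipherSuite tokens that enable the SSLv2, LOW and EXPORT classes seen in the question's config. SAMPLE_CONF is a constructed sample modelled on the question's vhosts, not the asker's actual file.

```python
import re
from collections import Counter

# Constructed sample modelled on the question's vhosts: both SSL vhosts on one IP:443 with the same ServerName.
SAMPLE_CONF = """
<VirtualHost 88.198.55.138:443>
    ServerName secure.dynaccount.com
    SSLEngine on
    SetEnvIf User-Agent ".*MSIE.*" \\
    nokeepalive ssl-unclean-shutdown
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
</VirtualHost>
<VirtualHost 88.198.55.138:443>
    ServerName secure.dynaccount.com
    SSLEngine on
    SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S)
WEAK_CIPHER_TOKENS = ("+SSLv2", "+LOW", "+EXP")  # OpenSSL cipher-list tokens that re-enable weak classes


def parse_vhosts(conf):
    """Return [(address, {directive: first value})] for each <VirtualHost> block."""
    vhosts = []
    for m in VHOST_RE.finditer(conf):
        directives = {}
        # Join backslash continuation lines (as in the SetEnvIf directive) before splitting.
        for line in m.group(2).replace("\\\n", " ").splitlines():
            parts = line.strip().split(None, 1)
            if len(parts) == 2 and not parts[0].startswith("#"):
                directives.setdefault(parts[0], parts[1])
        vhosts.append((m.group(1).strip(), directives))
    return vhosts


def check_ssl_vhosts(conf):
    """Return findings (strings) for vhosts with SSLEngine on; an empty list means nothing flagged."""
    ssl = [(a, d) for a, d in parse_vhosts(conf) if d.get("SSLEngine", "").lower() == "on"]
    findings = []
    for addr, n in Counter(a for a, _ in ssl).items():
        if n > 1:  # one certificate per IP:port unless every party supports SNI
            findings.append(f"{addr}: {n} SSL vhosts share this address (SNI required)")
    for name, n in Counter(d.get("ServerName") for _, d in ssl).items():
        if name and n > 1:
            findings.append(f"ServerName {name} is used by {n} SSL vhosts")
    for addr, d in ssl:
        weak = [t for t in WEAK_CIPHER_TOKENS if t in d.get("SSLCipherSuite", "").split(":")]
        if weak:
            findings.append(f"{addr}: SSLCipherSuite enables {', '.join(weak)}")
    return findings
```

Run it against a real httpd.conf by passing the file contents to check_ssl_vhosts; an empty result means none of the three conditions were found.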