ispCP - Board - Support
[HowTo] Multiple SSL Certificates on a Single IP/Port using mod_gnutls - Printable Version



RE: [HowTo] Multiple SSL Certificates on a Single IP/Port using mod_gnutls - allrob - 07-23-2010 07:38 PM

Did a clean install of the latest Debian.

This works, but when trying to upload a language file, I noticed the return of an empty file to my browser and nothing uploaded. Disabling gnutls fixes this, so it's not working now.

Got none of the above errors, checked and working, but now this issue started... (Affected all sites on a live system, now falling back to the ssl mod.)

Anyone have an idea? Still researching it further...


RE: [HowTo] Multiple SSL Certificates on a Single IP/Port using mod_gnutls - Top44 - 07-23-2010 09:27 PM

Did you compile it, or is that the version from the repo?

The repo's version is 0.51? And the newest on the homepage is 0.57?

Greets


RE: [HowTo] Multiple SSL Certificates on a Single IP/Port using mod_gnutls - allrob - 07-24-2010 01:24 AM

Hmmm, good point, I'll compile something myself off that website, thanks ;) I'll let you know if it works.


RE: [HowTo] Multiple SSL Certificates on a Single IP/Port using mod_gnutls - allrob - 07-24-2010 10:46 AM

I tried compiling the whole bunch. Apache restarts clean, no errors, but it still does the same thing. Also, strange cache problems now surface (those are brand new to me): images load partially, and slowly; reloading a page seems to fix it (temporarily, it will be back later).
Also tried to install the testing Debian packages, same story, so at the moment I'm stuck.
I'll investigate upstream Apache packages & Launchpad, might find something, but that's for tomorrow :)
@Top44 #10

Hmmmm, that is a problem indeed.
If you add it as an alias in the 2nd host, does that fix it? So add an alias with the www. to the 2nd host (or both) and restart that Apache; hope that fixes it. I'm still stuck.


RE: [HowTo] Multiple SSL Certificates on a Single IP/Port using mod_gnutls - Top44 - 07-24-2010 11:25 PM

I tested it with aliases but it did not work.

There is another possibility with a patch for mod_ssl with SNI support.
Would also be a good chance to try.

Greets


RE: [HowTo] Multiple SSL Certificates on a Single IP/Port using mod_gnutls - D4rKr0W - 07-29-2010 10:35 PM

Excellent guide. I would like to add a couple of things, since I had to go through some extra steps to get the whole thing working with an SSL certificate generated from GoDaddy.

Once you've completed the request procedure, you will be given two certificate files:
yourdomain.tld.crt and gd_bundle.crt

Merge the two files in a file called yourdomain.tld.pem, appending the chain certificate at the end of the cert issued for your domain.
The chain certificate is the one you should be setting as SSLCertificateChainFile if you were using mod_ssl.

This is the file you will be using as GnuTLSCertificateFile.

Once you've done that, you will be required to create a private key file that is not password protected. mod_gnutls does not support passworded private keys.

For that you will have to run the following command on your private key:

Code:
openssl rsa -in server.key -out server.key.insecure

I was getting the following error because I didn't do the step just above:

Code:
GnuTLS: Failed to Import Private Key '/my/path/to/ssl.key/server.key': (-69) ASN1 parser: Error in DER parsing.


You will be using the non-passworded private key in GnuTLSKeyFile.

I would also suggest running

Code:
chmod 400 server.key
chmod 400 server.key.insecure
chmod 444 yourdomain.tld.pem

for security reasons.
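
The preparation steps from the post above, collected into one script with two checks a server admin would run before restarting Apache; this is an added example, not part of the original post or of mod_gnutls. The passphrase file, the helper function names and the throwaway self-signed certificate standing in for the GoDaddy files are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example: prepare and check the two files mod_gnutls loads.
# File names follow the post; the passphrase file and demo data are constructed.

# GnuTLSCertificateFile: domain certificate first, chain appended after it.
build_pem() {            # build_pem <domain.crt> <chain.crt> <out.pem>
    cat "$1" "$2" > "$3" && chmod 444 "$3"
}

# True while the key is passphrase protected (traditional PEM carries
# "Proc-Type: 4,ENCRYPTED", PKCS#8 carries "BEGIN ENCRYPTED PRIVATE KEY").
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# GnuTLSKeyFile: unprotected copy, created owner-only, then made read-only.
strip_passphrase() {     # strip_passphrase <in.key> <out.key> <passphrase-file>
    ( umask 077 && openssl rsa -in "$1" -passin "file:$3" -out "$2" 2>/dev/null ) &&
        chmod 400 "$2"
}

# True when the first certificate in the PEM holds this key's public half.
# "-passin pass:" makes an encrypted key fail instead of prompting.
cert_matches_key() {     # cert_matches_key <cert.pem> <key>
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Constructed demo: throwaway key, self-signed certificate, stand-in chain.
demo() {                 # demo <empty-directory>
    d=$1
    printf 'constructed-passphrase\n' > "$d/pass.txt"
    openssl genrsa -aes128 -passout "file:$d/pass.txt" -out "$d/server.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$d/server.key" -passin "file:$d/pass.txt" \
        -subj '/CN=yourdomain.tld' -days 1 -out "$d/yourdomain.tld.crt" 2>/dev/null
    cp "$d/yourdomain.tld.crt" "$d/gd_bundle.crt"   # stand-in for the CA bundle
    build_pem "$d/yourdomain.tld.crt" "$d/gd_bundle.crt" "$d/yourdomain.tld.pem"
    key_is_encrypted "$d/server.key" && echo "server.key: still encrypted"
    strip_passphrase "$d/server.key" "$d/server.key.insecure" "$d/pass.txt"
    key_is_encrypted "$d/server.key.insecure" || echo "server.key.insecure: unprotected"
    cert_matches_key "$d/yourdomain.tld.pem" "$d/server.key.insecure" &&
        echo "yourdomain.tld.pem matches server.key.insecure"
}

DEMO_DIR=$(mktemp -d) && demo "$DEMO_DIR"
```

Since the key has to sit on disk without a passphrase, its file permissions are the only thing protecting it, which is why the unprotected copy is created under `umask 077` before the `chmod 400`.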


RE: [HowTo] Multiple SSL Certificates on a Single IP/Port using mod_gnutls - Max13 - 11-23-2010 05:07 AM

Hello!

I read this How-To and some others on the net.
I'm now using gnutls, but it can't parse the crt, I think...:
Code:
Syntax error on line 40 of /etc/apache2/sites-enabled/00_master_ssl.conf:
GnuTLS: Failed to Import Certificate '/etc/apache2/ssl/ispcp.crt': (-207) Base64 unexpected header error.
failed!

Here it is... It was generated by InstantSSL, and it's a free SSL certificate...

Google doesn't know anything about this (or not on the first page), so I came here to get more info.

Any idea?
Thanks.


RE: [HowTo] Multiple SSL Certificates on a Single IP/Port using mod_gnutls - 3dp - 11-24-2010 06:51 AM

I keep getting an apache error when it fires back up:

Quote:... waiting Syntax error on line 3 of /etc/apache2/sites-enabled/02_ssl.conf:
<VirtualHost> directive requires additional arguments

My 02_ssl.conf file:
Code:
NameVirtualHost xx.xx.xx.xx:443

<VirtualHost>

ServerName mydomain2.com:443

GnuTLSEnable on
GnuTLSCertificateFile /var/www/web24/ssl/gd_bundle.crt
GnuTLSKeyFile /var/www/web24/ssl/www.mydomain2.com.key
GnuTLSPriorities NORMAL # this can be changed to a wide range of options - see http://www.outoforder.cc/projects/apache/mod_gnutls/docs/#GnuTLSPriorities

DocumentRoot /var/www/web24/web/

        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/web24/web/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /var/www/web24/cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/ssl_access.log combined

        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
                Options Indexes MultiViews FollowSymLinks
                AllowOverride None
                Order deny,allow
                Deny from all
                Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

</VirtualHost>


<VirtualHost>

ServerName mydomain1.com:443

GnuTLSEnable on
GnuTLSCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
GnuTLSKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
GnuTLSPriorities NORMAL # this can be changed to a wide range of options - see http://www.outoforder.cc/projects/apache/mod_gnutls/docs/#GnuTLSPriorities

ServerAdmin webmaster@localhost

        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/ssl_access.log combined

        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
                Options Indexes MultiViews FollowSymLinks
                AllowOverride None
                Order deny,allow
                Deny from all
                Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>
</VirtualHost>

Thanks from an SSL noob.


RE: [HowTo] Multiple SSL Certificates on a Single IP/Port using mod_gnutls - Max13 - 11-24-2010 07:17 AM

(11-24-2010 06:51 AM)3dp Wrote:  I keep getting an apache error when it fires back up:

Quote:... waiting Syntax error on line 3 of /etc/apache2/sites-enabled/02_ssl.conf:
<VirtualHost> directive requires additional arguments

Hi,

I think <VirtualHost> expects an ip:port, or at least a port...
I think...
--
Cheers, Max13


RE: [HowTo] Multiple SSL Certificates on a Single IP/Port using mod_gnutls - 3dp - 11-24-2010 07:43 AM

(11-24-2010 07:17 AM)Max13 Wrote:  Hi,

I think <VirtualHost> expects an ip:port, or at least a port...
I think...
--
Cheers, Max13

Yep...that was it.