I recently acquired a Verisign SSL certificate for my web server on CentOS 4, with Apache 2.0.59 from centosplus.
It however doesn't seem to be working the way I've set it up; browsers connect but are told the certificate is not recognized. Showing more info, the information looks correct.
I think it probably has to do with the fact that I'm using the certificate on a named virtual host, and I wonder if anybody has experience doing this? A few places in the Apache documentation suggest that SSL cannot be used with name-based virtual hosting, but I don't know if that means not at all, or not with multiple named hosts.
I have multiple NameVirtualHost on port 80, but will only plan to use one of the names on port 443.
The start of the section in my ssl.conf goes like this:
<VirtualHost _default_:443>
    ServerName nameprotected.domain.edu:443
    ServerAdmin me@domain.edu
    DocumentRoot /var/www/docs/nameprotected
nameprotected.domain.edu is a DNS CNAME to the actual host.
How do folks do SSL and virtual hosts? multiple IP addresses is not an option for me.
TIA Tony Schreiner
On Wed, Apr 9, 2008 at 2:22 PM, Tony Schreiner schreian@bc.edu wrote:
> nameprotected.domain.edu is a DNS CNAME to the actual host.
> How do folks do SSL and virtual hosts? Multiple IP addresses is not an option for me.
It better be, because for Apache 2.0 it's the ONLY way you can do vhosts. You have to have one IP per vhost for SSL. This is in the Apache documentation.
For httpd 2.2 you can do name-based vhosts, but not with standard SSL certs like Verisign ships.
On Apr 9, 2008, at 2:37 PM, Jim Perrin wrote:
> On Wed, Apr 9, 2008 at 2:22 PM, Tony Schreiner schreian@bc.edu wrote:
> > nameprotected.domain.edu is a DNS CNAME to the actual host.
> > How do folks do SSL and virtual hosts? Multiple IP addresses is not an option for me.
> It better be, because for Apache 2.0 it's the ONLY way you can do vhosts. You have to have one IP per vhost for SSL. This is in the Apache documentation.
> For httpd 2.2 you can do name-based vhosts, but not with standard SSL certs like Verisign ships.
crud...
but thanks for the info
On Wed, Apr 9, 2008 at 3:15 PM, Tony Schreiner schreian@bc.edu wrote:
> crud...
Well, as Kai brings up, you get one cert per IP. If you're using subdomains you *might* be able to get away with this.
*.example.com as a cert common name will work for foo.example.com, bar.example.com, etc. So long as you're using subdomain certs this works okay. If you're doing different names, you're pretty sunk.
"Name-based virtual hosting cannot be used with SSL secure servers because of the nature of the SSL protocol." See http://httpd.apache.org/docs/2.0/vhosts/name-based.html for more info
Jim Perrin wrote:
> "Name-based virtual hosting cannot be used with SSL secure servers because of the nature of the SSL protocol." See http://httpd.apache.org/docs/2.0/vhosts/name-based.html for more info
Jim, you are not right... SSL 3.0 supports Server Name Indication, and of course TLS 1.0 does too. For those who are interested, there are repos for C{4,5} located here:
http://fs12.vsb.cz/hrb33/el4/hrb-tls/stable/i386/
http://fs12.vsb.cz/hrb33/el5/hrb-tls/stable/i386/
http://fs12.vsb.cz/hrb33/el4/hrb-tls/stable/x86_64/
http://fs12.vsb.cz/hrb33/el5/hrb-tls/stable/x86_64/
Regards, David
On Wed, Apr 9, 2008 at 4:35 PM, David Hrbáč hrbac.conf@seznam.cz wrote:
> Jim, you are not right... SSL 3.0 supports Server Name Indication, and of course TLS 1.0 does too. For those who are interested, there are repos for C{4,5} located here:
My comments were/are based on the apache documentation (linked previously in the thread), and the distro base as it ships. Your packages work, yes, but do they function with the verisign cert he's already got?
Jim Perrin wrote on Wed, 9 Apr 2008 16:40:24 -0400:
> Your packages work, yes, but do they function with the verisign cert he's already got?
More important: do they work with most browsers? There is a test page for this (I don't recall the URL, but it can be found on the Apache bugzilla), and last time I tried it with Internet Explorer it didn't work. :-(
Kai
On Wed, Apr 9, 2008 at 4:35 PM, David Hrbáč hrbac.conf@seznam.cz wrote:
> Jim, you are not right... SSL 3.0 supports Server Name Indication, and of course TLS 1.0 does too. For those who are interested, there are repos for C{4,5} located here:
Since I should have included this in my previous reply... I don't mind being wrong, so long as it's documented.
Can you show the config for CentOS 4, (without the TLS packages you list) to do name based vhosts with ssl? I'd be interested in this myself. Given that the apache documentation for 2.0.x says it can't be done, I was basing my statements off that.
Jim Perrin wrote:
> On Wed, Apr 9, 2008 at 4:35 PM, David Hrbáč hrbac.conf@seznam.cz wrote:
> > Jim, you are not right... SSL 3.0 supports Server Name Indication, and of course TLS 1.0 does too. For those who are interested, there are repos for C{4,5} located here:
> Since I should have included this in my previous reply... I don't mind being wrong, so long as it's documented.
> Can you show the config for CentOS 4, (without the TLS packages you list) to do name based vhosts with ssl? I'd be interested in this myself. Given that the apache documentation for 2.0.x says it can't be done, I was basing my statements off that.
Do browsers do TLS these days? I thought https had to negotiate the ssl connection before the browser would send anything - so you don't have the host header when you need to find the right certificate. It doesn't matter if the ssl layer knows how to do TLS if the browser side won't use it.
Les Mikesell wrote on Wed, 09 Apr 2008 16:06:59 -0500:
> Do browsers do TLS these days?
IE does and I think FF does as well. But IE doesn't support this specific extension.
Kai
Jim Perrin wrote on Wed, 9 Apr 2008 15:24:09 -0400:
> "Name-based virtual hosting cannot be used with SSL secure servers because of the nature of the SSL protocol."
That documentation (also in the 2.2 version), in the way they have written it as an exclusive truth, is simply not true. One just needs to know the caveats. It's for instance perfect for an organization to offer several SSL vhosts under one IP and with one wildcard certificate. It doesn't work for webhosting different clients, of course.
Kai
Jim Perrin wrote on Wed, 9 Apr 2008 14:37:11 -0400:
> It better be, because for Apache 2.0 it's the ONLY way you can do vhosts. You have to have one IP per vhost for SSL. This is in the Apache documentation.
> For httpd 2.2 you can do name-based vhosts, but not with standard SSL certs like Verisign ships.
Apache 2.0 and 2.2 behave the same in this regard: you *can* have one IP for multiple SSL vhosts, and one certificate for one IP. Which means in case of multiple SSL vhosts you need a wildcard certificate. But this doesn't seem to be the poster's problem. But as he doesn't allow us a view at the cert ...
Kai
Tony Schreiner wrote:
> I recently acquired a Verisign SSL certificate for my web server on CentOS 4, with Apache 2.0.59 from centosplus.
> It however doesn't seem to be working the way I've set it up; browsers connect but are told the certificate is not recognized. Showing more info, the information looks correct.
> I think it probably has to do with the fact that I'm using the certificate on a named virtual host, and I wonder if anybody has experience doing this? A few places in the Apache documentation suggest that SSL cannot be used with name-based virtual hosting, but I don't know if that means not at all, or not with multiple named hosts.
> I have multiple NameVirtualHost on port 80, but will only plan to use one of the names on port 443.
> The start of the section in my ssl.conf goes like this:
> <VirtualHost _default_:443>
>     ServerName nameprotected.domain.edu:443
>     ServerAdmin me@domain.edu
>     DocumentRoot /var/www/docs/nameprotected
> nameprotected.domain.edu is a DNS CNAME to the actual host.
the ServerName should match the name in the certificate.
> How do folks do SSL and virtual hosts? Multiple IP addresses is not an option for me.
Tony Schreiner wrote on Wed, 9 Apr 2008 14:22:22 -0400:
> It however doesn't seem to be working the way I've set it up, browsers connect but are told the certificate is not recognized.
Unfortunately, the most important information is missing from your explanation: please give the exact URL, so one can see the *actual* message and the actual certificate. From first "sight" it looks like the site is not using the certificate you think it uses.
FYI: You can have *one* certificate per IP address. It doesn't matter if name-based or not. (So, if you want to have 5 name-based SSL virtual hosts you have to use the same certificate for all of them. That's obviously not the case for you.)
Kai
On Apr 9, 2008, at 3:16 PM, Kai Schaetzl wrote:
> Tony Schreiner wrote on Wed, 9 Apr 2008 14:22:22 -0400:
> > It however doesn't seem to be working the way I've set it up, browsers connect but are told the certificate is not recognized.
> Unfortunately, the most important information is missing from your explanation: please give the exact URL, so one can see the *actual* message and the actual certificate. From first "sight" it looks like the site is not using the certificate you think it uses.
> FYI: You can have *one* certificate per IP address. It doesn't matter if name-based or not. (So, if you want to have 5 name-based SSL virtual hosts you have to use the same certificate for all of them. That's obviously not the case for you.)
> Kai
I was under the (obviously mistaken) impression that one certificate per hostname was the rule, and I created the certificate with the hostname I want to use; which is resolvable, and reachable with regular http over port 80. And that is the only SSL enabled site I want to use on this server.
Getting multiple IP addresses on my server will require a change of plan of action for me; but may be possible.
Tony
Tony Schreiner wrote on Wed, 9 Apr 2008 15:29:16 -0400:
> I was under the (obviously mistaken) impression that one certificate per hostname was the rule, and I created the certificate with the hostname I want to use; which is resolvable, and reachable with regular http over port 80. And that is the only SSL enabled site I want to use on this server.
I didn't say anything that should make you believe this would not work. Why do you think that? I just explained that if you want to have *more* SSL vhosts then you either need more IP addresses or use the same certificate (wildcard) for all of them. If you just want to have one SSL site you are fine. However, you didn't provide any of the information I asked for. You are not talking of www.bc.edu, are you?
Kai
Kai Schaetzl wrote:
> Tony Schreiner wrote on Wed, 9 Apr 2008 15:29:16 -0400:
> > I was under the (obviously mistaken) impression that one certificate per hostname was the rule, and I created the certificate with the hostname I want to use; which is resolvable, and reachable with regular http over port 80. And that is the only SSL enabled site I want to use on this server.
> I didn't say anything that should make you believe this would not work. Why do you think that? I just explained that if you want to have *more* SSL vhosts then you either need more IP addresses or use the same certificate (wildcard) for all of them. If you just want to have one SSL site you are fine. However, you didn't provide any of the information I asked for. You are not talking of www.bc.edu, are you?
> Kai
ok, ok.
Tony
Tony Schreiner wrote on Wed, 09 Apr 2008 18:25:55 -0400:
That is just fine, as expected. If a browser doesn't like it, it's a problem in the browser. Probably it hasn't updated its root CA list for some time and is missing the intermediary certificate (which is from 2005, so that's some time ago ...).
Kai
Tony Schreiner wrote:
> Kai Schaetzl wrote:
> > Tony Schreiner wrote on Wed, 9 Apr 2008 15:29:16 -0400:
> > However, you didn't provide any of the information I asked for. You are not talking of www.bc.edu, are you?
> > Kai
> ok, ok.
> Tony
I could be full of cheese here, but did VeriSign send you an "intermediate" certificate along with your "real" certificate? If not, forget the
When I went to the site and examined the cert I noticed that the cert was not signed by one of the CAs in the ca-bundle.crt provided by my copy of openSSL (openssl-0.9.8b-8.3.el5_0.2) on CentOS 5.1. You can examine the "Issuer" field of the certificate to see who signed it.
I suspect that VeriSign sent you an "intermediate" certificate that was actually used to sign your cert. Apache has to present the intermediate cert at the same time it presents your "real" cert. Basically, since the intermediate cert was signed by a recognized CA cert and your cert was signed by the intermediate cert, then your cert is "trustworthy".
The easiest way to fix this is to append the intermediate certificate to your "real" certificate file. I've had a few of these in the past, particularly from smaller CAs that resell other folks' service.
Just a thought!
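The failure Jay describes can be reproduced offline. The script below is an added example, not code from this thread or from Verisign; it builds a throwaway root -> intermediate -> leaf hierarchy with the openssl command-line tool and then verifies the leaf the way a browser would, trusting only the root. Every name in it (Example Root CA, Example Intermediate CA, nameprotected.example.edu, the file names) is invented for the demonstration. It shows three things: the Issuer field of the leaf names the intermediate, not a trusted root; verification against the root alone fails with "unable to get local issuer certificate"; and it succeeds once the intermediate is supplied, either as a separate file (what SSLCertificateChainFile points at) or appended after the server certificate in one bundle.

```shell
#!/bin/sh
# Added example: reproduce the "certificate not recognized" problem caused by a
# missing intermediate certificate, using a disposable CA hierarchy. Not code
# from the thread; all names and paths are invented.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build root -> intermediate -> leaf. Keys are throwaway, certs valid for 2 days.
build_chain() {
    # Root CA, self-signed. `req -x509` adds basicConstraints CA:TRUE by default.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null

    # Intermediate CA signed by the root. It must carry CA:TRUE and keyCertSign,
    # otherwise clients refuse to accept it as an issuer (a second way to break a chain).
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/inter.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -extfile "$WORK/inter.ext" -out "$WORK/inter.crt" 2>/dev/null

    # Server (leaf) certificate, signed by the intermediate and NOT by the root.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:nameprotected.example.edu\n' \
        > "$WORK/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=nameprotected.example.edu" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
        -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
}

# The check from the post above: who actually signed this certificate?
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

# Verify the leaf like a browser: trust only the root CA, plus whatever extra
# certificates the server sends ($1 = file of intermediates; empty = none sent).
# Prints OK or FAIL and never aborts the script, so results can be compared.
verify_leaf() {
    chain="${1:-}"
    if [ -n "$chain" ]; then
        out="$(openssl verify -CAfile "$WORK/root.crt" -untrusted "$chain" "$WORK/leaf.crt" 2>&1 || true)"
    else
        out="$(openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" 2>&1 || true)"
    fi
    case "$out" in
        *": OK"*) echo OK ;;
        *)        echo FAIL ;;
    esac
}

build_chain
# The "append the intermediate to the real certificate file" variant: one bundle,
# server certificate first, then the intermediate that signed it.
cat "$WORK/leaf.crt" "$WORK/inter.crt" > "$WORK/bundle.pem"

echo "leaf issuer: $(issuer_of "$WORK/leaf.crt")"
echo "root only, intermediate not sent (the browser warning):      $(verify_leaf)"
echo "intermediate sent as a separate file (SSLCertificateChainFile): $(verify_leaf "$WORK/inter.crt")"
echo "intermediate appended to the server cert (bundle.pem):          $(verify_leaf "$WORK/bundle.pem")"
```

Run it with any OpenSSL that has the `openssl` binary on the PATH; it needs no network and cleans up after itself. Note the caveat Kai raises later in the thread: a browser that already holds the intermediate in its own certificate store (as his IE7 did) will not warn even when the server omits it, so a single "it works for me" from one browser proves nothing. The `verify -CAfile root` step above is the honest test, because it trusts only what a fresh client would trust.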
Jay Leafey wrote:
> I could be full of cheese here, but did VeriSign send you an "intermediate" certificate along with your "real" certificate? If not, forget the
> When I went to the site and examined the cert I noticed that the cert was not signed by one of the CAs in the ca-bundle.crt provided by my copy of openSSL (openssl-0.9.8b-8.3.el5_0.2) on CentOS 5.1. You can examine the "Issuer" field of the certificate to see who signed it.
> I suspect that VeriSign sent you an "intermediate" certificate that was actually used to sign your cert. Apache has to present the intermediate cert at the same time it presents your "real" cert. Basically, since the intermediate cert was signed by a recognized CA cert and your cert was signed by the intermediate cert, then your cert is "trustworthy".
> The easiest way to fix this is to append the intermediate certificate to your "real" certificate file. I've had a few of these in the past, particularly from smaller CAs that resell other folks' service.
> Just a thought!
I'm away from the office now, but I only got one certificate. I didn't deal directly with Verisign, but rather went through someone in my IT department. I will check on that. Thanks.
Kai, in response to your last message, you say it's fine. Does that mean you don't get a dialog saying the site is not verifiable? Because I sure do, with several browsers on different platforms.
Tony
on 4-9-2008 6:14 PM Tony Schreiner spake the following:
> I'm away from the office now, but I only got one certificate. I didn't deal directly with Verisign, but rather went through someone in my IT department. I will check on that. Thanks.
> Kai, in response to your last message, you say it's fine. Does that mean you don't get a dialog saying the site is not verifiable? Because I sure do, with several browsers on different platforms.
> Tony
It went OK at work for me, but at home on my laptop it is untrusted. So maybe verisign needs to verify it for you.
Scott Silva wrote:
> It went OK at work for me, but at home on my laptop it is untrusted. So maybe verisign needs to verify it for you.
Here is a possibly related thread:
http://groups.google.com/group/mozilla.support.firefox/browse_thread/thread/...
Tony Schreiner wrote on Wed, 09 Apr 2008 21:14:25 -0400:
> Does that mean you don't get a dialog saying the site is not verifiable?
Correct. With IE7.
> Because I sure do, with several browsers on different platforms.
Checked now with FF2 and get a warning. They don't recognize the intermediate certificate (IE has it in its certificate store) and don't go up in the chain. That's really their fault, not yours. It's possible that the solution that Ross explains would help, I didn't ever need to do that. Talk to your colleague at https://www.bc.edu, they use the same cert chain. If you don't get a warning you might be able to get the intermediary certificate from them which might be faster than waiting for Verisign support.
Kai
on 4-10-2008 2:31 AM Kai Schaetzl spake the following:
> Tony Schreiner wrote on Wed, 09 Apr 2008 21:14:25 -0400:
> > Does that mean you don't get a dialog saying the site is not verifiable?
> Correct. With IE7.
> > Because I sure do, with several browsers on different platforms.
> Checked now with FF2 and get a warning. They don't recognize the intermediate certificate (IE has it in its certificate store) and don't go up in the chain. That's really their fault, not yours. It's possible that the solution that Ross explains would help, I didn't ever need to do that. Talk to your colleague at https://www.bc.edu, they use the same cert chain. If you don't get a warning you might be able to get the intermediary certificate from them which might be faster than waiting for Verisign support.
> Kai
I think you can download the intermediate certs from their webpage.
Scott Silva wrote on Thu, 10 Apr 2008 12:28:42 -0700:
> I think you can download the intermediate certs from their webpage.
I had a look at their KB website yesterday and exactly the page that explains how to get and install the intermediates is gone: https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR179 How encouraging. I would have thought they supply the intermediary with every signed cert, anyway, but apparently they don't.
Kai
On Apr 10, 2008, at 6:08 PM, Kai Schaetzl wrote:
> Scott Silva wrote on Thu, 10 Apr 2008 12:28:42 -0700:
> > I think you can download the intermediate certs from their webpage.
> I had a look at their KB website yesterday and exactly the page that explains how to get and install the intermediates is gone: https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR179 How encouraging. I would have thought they supply the intermediary with every signed cert, anyway, but apparently they don't.
> Kai
I've been on jury duty for a couple of days so I apologize for not following up. Many thanks for all suggestions so far.
The issue with the intermediate cert looks the most promising and I am following up with my local IT.
Tony
Take a look at
http://www.verisign.com/support/advisories/page_040611.html
You can download the intermediate cert and install it in your file system and point to it with SSLCertificateChainFile in your Apache's SSL configuration as Ross Cavanagh pointed out.
I've been bit by this one personally.
-- Curt
On Apr 11, 2008, at 1:10 PM, Curtis H. Wilbar Jr. wrote:
> Take a look at
> http://www.verisign.com/support/advisories/page_040611.html
> You can download the intermediate cert and install it in your file system and point to it with SSLCertificateChainFile in your Apache's SSL configuration as Ross Cavanagh pointed out.
> I've been bit by this one personally.
> -- Curt
I believe I'm all set. I had gone down that road once before but downloaded the wrong intermediate cert. After getting the right one, things look good. Thanks, everybody.
Tony
Tony Schreiner wrote:
> How do folks do SSL and virtual hosts? Multiple IP addresses is not an option for me.
This is how I do it:
NameVirtualHost IP.AD.DR.ESS:443

<VirtualHost IP.AD.DR.ESS:443>
    SSLEngine On
    SSLCertificateFile path/to/domain.crt
    SSLCertificateKeyFile path/to/domain.key
    ServerName domain.tld
    ServerAdmin webmaster@domain.tld
    DocumentRoot /path/to/webroot
    ErrorLog /path/to/logs/errors.log
    CustomLog /path/to/logs/access.log combined
</VirtualHost>
Rick
Rick Barnes wrote:
> This is how I do it:
> NameVirtualHost IP.AD.DR.ESS:443
>
> <VirtualHost IP.AD.DR.ESS:443>
>     SSLEngine On
>     SSLCertificateFile path/to/domain.crt
>     SSLCertificateKeyFile path/to/domain.key
>     ServerName domain.tld
>     ServerAdmin webmaster@domain.tld
>     DocumentRoot /path/to/webroot
>     ErrorLog /path/to/logs/errors.log
>     CustomLog /path/to/logs/access.log combined
> </VirtualHost>
> Rick
SSLCertificateChainFile /path/to/chain/chain.crt
I don't know much about the ssl stuff, I just know if I'm missing the chain file I have issues with the key not being correctly recognised.