[users@httpd] Apache serving up default certificate for certain domains
Hi,

Up until roughly a week ago, my VPS web server was working properly. From what I can see, the only change is that nss, nss-tools, openssl and gnutls were updated. On Monday, Jan 11, I noticed that I was getting an SSL error when running "svn up". When trying to open the URL in a web browser, the page would not open but I could open it with w3m by accepting the certificate -- I was directed to the default CentOS apache start page. The strange thing is that it only happens for a minority of my domains/subdomains.

I am running Apache 2.4.6 on a CentOS 7 box.

Any thoughts/suggestions for what could be going on here?

Thanks in advance!

Ted To

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache serving up default certificate for certain domains
So having run httpd -S, I can see that for port 443,

default server theo.to (/etc/httpd/conf.d/ssl.conf:68)

shows up (which is not right) but then shows up again:

port 443 namevhost theo.to (/etc/httpd/sites-enabled/theo.to.conf:7)
alias www.theo.to

Looking in /etc/httpd/conf.d, I see that there is an ssl.conf.rpmnew. Do I need to merge in changes from the new default configuration?

Thanks,
Ted

On 01/16/2016 07:44 PM, Yehuda Katz wrote:
> Maybe the updated openssl doesn't like something about your certificates.
>
> Does Apache have any warnings or notices when it starts up?
> Try running httpd -S which lists all the vhosts Apache has and see if it matches what you expect.
> You may also see the errors from that command (tested on RHEL 7 - not quite the same as CentOS, but should be pretty close).
>
> - Y

Re: [users@httpd] Apache serving up default certificate for certain domains
So in looking at the differences between ssl.conf and ssl.conf.rpmnew, in addition to my own additions for selecting cipher suites, etc, I see:

92c80
< SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
---
> SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA

where the 2nd line is from ssl.conf.rpmnew. Could the fact that ":!SEED:!IDEA" is missing from my ssl.conf be causing this problem?

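Review bot: the only difference in this hunk is the cipher string (line 92 of ssl.conf against line 80 of ssl.conf.rpmnew), where the packaged file appends :!SEED:!IDEA. That changes which ciphers are offered and touches no VirtualHost, ServerName or SSLCertificateFile line, so it cannot by itself change which virtual host or certificate answers a request. I would merge the two exclusions for parity with the packaged default and keep looking at the vhost definitions for the certificate problem.
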
Re: [users@httpd] Apache serving up default certificate for certain domains
Fixed it -- I commented out the ... section of /etc/httpd/conf.d/ssl.conf and it is now working again.
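
The `httpd -S` listing in this thread shows theo.to claimed twice on port 443, once by the default server in ssl.conf and once by the site's own vhost file; when two vhosts on the same listener claim a name, the one earlier in configuration order answers, with its certificate. The following check is an added example, not part of the original thread or of Apache: it parses an `httpd -S` dump and reports such shadowed definitions. The header lines, the extra ssl.conf namevhost line and `svn.example.test` in the sample are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of `httpd -S`. The "default server",
# theo.to namevhost and alias entries are from the thread; the header lines,
# the ssl.conf namevhost line and svn.example.test are assumed.
SAMPLE = """\
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server theo.to (/etc/httpd/conf.d/ssl.conf:68)
         port 443 namevhost theo.to (/etc/httpd/conf.d/ssl.conf:68)
         port 443 namevhost theo.to (/etc/httpd/sites-enabled/theo.to.conf:7)
                 alias www.theo.to
         port 443 namevhost svn.example.test (/etc/httpd/sites-enabled/svn.conf:3)
"""

HEADER = re.compile(r"^(\S+:\d+)\s+is a NameVirtualHost")
ENTRY = re.compile(r"^\s+(?:default server|port \d+ namevhost)\s+(\S+)\s+\((.+:\d+)\)")
ALIAS = re.compile(r"^\s+alias\s+(\S+)")


def shadowed_vhosts(dump):
    """Return (listener, name, winner, shadowed) for every name that two
    different vhost definitions claim on the same listener."""
    claims = defaultdict(list)      # (listener, name) -> [file:line, ...]
    listener = where = None         # current address:port and vhost location
    for line in dump.splitlines():
        if m := HEADER.match(line):
            listener, where = m.group(1), None
        elif m := ENTRY.match(line):
            where = m.group(2)
            claims[(listener, m.group(1).lower())].append(where)
        elif (m := ALIAS.match(line)) and where:
            # An alias belongs to the vhost entry printed just above it.
            claims[(listener, m.group(1).lower())].append(where)
        else:
            where = None
    findings = []
    for (lst, name), locations in claims.items():
        first, *later = dict.fromkeys(locations)   # de-duplicate, keep order
        findings += [(lst, name, first, loc) for loc in later]
    return findings


if __name__ == "__main__":
    for lst, name, winner, loser in shadowed_vhosts(SAMPLE):
        print(f"{lst} {name}: served by {winner}, shadowing {loser}")
```

On a live host, pass the captured output of `httpd -S` to `shadowed_vhosts()` instead of `SAMPLE`.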