In this line you should put the certificate of your root CA which has signed your 
certificate.
  SSLCACertificatePath /usr/local/apache2/conf/ssl.crt/<root-ca>.crt
"VerifyDepth 5" seems to be too high, because then you need certificates in the chain 
up to 5 (e.g. cert1 + cert2 + cert3 + cert4 + rootCA), but you only have 2 (with the 
root certificate) or 1 (without the root cert).

With a certificate where the common name is not the same as the server name 
(in this case the one of the virtual host) you won't get any https 
connection; they have to be the same.

Here are some examples: http://www.openssl.org/docs/apps/x509.html
and here is one to look into a certificate:  openssl x509 -in cert.pem -noout -text

Greets
Oliver

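An added check script, not from the thread, that tests the two things Oliver points at: whether the certificate's CN equals the ServerName that mod_ssl compares it against (the condition behind the "does NOT match server name" warning), and whether SSLCertificateFile and SSLCertificateKeyFile belong together. It assumes openssl on the PATH and generates its own throwaway self-signed certificate for bar.dartmouth.edu, so nothing here is the poster's real key material.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes: openssl on the PATH.
# All key material is constructed here with a throwaway self-signed cert.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a self-signed certificate whose CN is $1.
make_test_cert() {  # $1 = CN to put in the certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Print the subject CN of a PEM certificate (what mod_ssl compares).
cert_cn() {  # $1 = certificate file
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Exit 0 if the certificate CN equals the ServerName, 1 otherwise.
check_cn() {  # $1 = certificate file, $2 = ServerName from the VirtualHost
  [ "$(cert_cn "$1")" = "$2" ]
}

# Exit 0 if SSLCertificateFile and SSLCertificateKeyFile share the same
# RSA modulus, i.e. the key really belongs to the certificate.
check_key_pair() {  # $1 = certificate file, $2 = private key file
  c=$(openssl x509 -in "$1" -noout -modulus | openssl md5)
  k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null | openssl md5)
  [ "$c" = "$k" ]
}

# Demonstration on the constructed certificate.
make_test_cert bar.dartmouth.edu
if check_cn "$WORK/bar.dartmouth.edu.crt" bar.dartmouth.edu; then
  echo "CN '$(cert_cn "$WORK/bar.dartmouth.edu.crt")' matches ServerName"
fi
```

Run check_cn against the ServerName of each SSL VirtualHost; a mismatch here reproduces the first warning in the error_log before you touch the rest of the config.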
-----Original Message-----
From: Brian V. Hughes [mailto:[EMAIL PROTECTED]
Sent: Mon 23.01.2006 17:31
To: users@httpd.apache.org
Subject: [EMAIL PROTECTED] Apache 2 and SSL on server with multiple IPs, SSL won't load...
 

Hey gang. I've got a problem that's been giving me fits for the past several 
days and I just can't figure out what's wrong. Here's the situation:

I've got an Apple Xserve, with a standard install of Apache 2.0.55 with mod_ssl. 
The server has 2 IP addresses assigned to it, let's call them foo.dartmouth.edu 
and bar.dartmouth.edu. I've also got 2 instances of Apache configured to run, 
since I believe I need to do IP-based virtual hosting to accomplish what I need: 
foo is an HTTP server and bar needs to be an HTTP/HTTPS server.

We have a key file and a Dartmouth-signed certificate built for 
bar.dartmouth.edu and I'm using an ssl.conf file that looks like this:

----------------
#SSL.CONF for bar.dartmouth.edu

Listen 129.170.xxx.yyy:443
SSLEngine on

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:-SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/bar.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/bar.key
SSLCACertificatePath /usr/local/apache2/conf/ssl.crt
SSLVerifyClient optional
SSLVerifyDepth  5

SSLPassPhraseDialog  builtin
SSLSessionCache dbm:/usr/local/apache2/logs/ssl_scache
SSLSessionCacheTimeout 300

AcceptMutex flock
LockFile /usr/local/apache2/logs/httpd.lock
SSLMutex  file:/usr/local/apache2/logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

<VirtualHost 129.170.xxx.yyy:443>
     DocumentRoot "/Library/WebServer/Documents"
     ServerName bar.dartmouth.edu
     ServerAdmin [EMAIL PROTECTED]

     ErrorLog /usr/local/apache2/logs/error_log
     TransferLog /usr/local/apache2/logs/access_log
     CustomLog /usr/local/apache2/logs/ssl_request_log \
               "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
----------------


When I try to launch Apache with this config file, I get this in my 
logs/error_log:

[Fri Jan 20 13:09:36 2006] [warn] RSA server certificate CommonName (CN) 
`bar.dartmouth.edu' does NOT match server name!?
[Fri Jan 20 13:09:36 2006] [error] Illegal attempt to re-initialise SSL for 
server (theoretically shouldn't happen!)

I think these errors are trying to point me in the right direction, but I just 
don't know enough about mod_ssl to know what direction that is. Given that the 
HTTP responder on port 80 works just fine for bar.dartmouth.edu, I can't see how 
there could be confusion over the CommonName.

Can someone help me decipher this and figure out why I can't get my SSL instance 
running? Is there something I'm just not setting in my ssl.conf file? Is there 
more info that I need to post? Things are getting a little desperate for us with 
this server, so any help I can get would be most appreciated. Thanks.

-Brian
----
Brian V. Hughes
Associate Director for Web Operations (aka. Webmaster)
Computing Technical Services
Dartmouth College

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
