Sorry, brevity is not my strong point.
Because I do not know what your certs look like as far as what domain(s) are
considered CNs I'm going to guess it has something to do with the following...
SSL wraps http and you need a cert to decrypt the data sent via SSL. If you
have 3 virtual hosts and you are using Name Based Virtual Hosting how does the
Apache web server know which cert to use to decrypt and read the header so it
can properly route the data. The short answer per my understanding is that
Apache has no clue and uses the default vhost's cert (the first one in the
confi file) to read the SSL. If these were all the same domain such as
tuna.foo.com, seabass.foo.com and marlin.foo.com you could get away with using
the same *.foo.com wildcard cert. Here is a good doc with these work arounds:
https://www.switch.ch/pki/meetings/2007-01/namebased_ssl_virtualhosts.pdf
I'm guessing your problem is somewhere in this domain. I believe that Name
Based Virtual Hosting is not the answer for you. Try IP Based:
http://httpd.apache.org/docs/2.2/vhosts/ip-based.html
or use a wildcard cert... Here is a warning about your config and a better
explanation I presume:
http://wiki.apache.org/httpd/NameBasedSSLVHosts
I just ran into this. Silly me for not realizing that a Web Server that routes
bases on headers would need to read the encrypted header to route it.
Chicken-Egg problem.
Chris --V
>>> Dennis Putnam <d...@bellsouth.net> 10/22/2013 8:26 AM >>>
I have 3 virtual hosts that for all I can see are configured identically
other the the obviously needed differences. The same is true of the 3
crt files.
<VirtualHost *:443>
ServerName public.mydomain.com
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/httpd/SSL/public.crt
SSLCertificateKeyFile /etc/postfix/SSL/server.key
</VirtualHost>
<VirtualHost *:443>
ServerName distrib.mydomain.com
DocumentRoot /var/www/html/distrib
SSLEngine on
SSLCertificateFile /etc/httpd/SSL/distrib.crt
SSLCertificateKeyFile /etc/postfix/SSL/server.key
</VirtualHost>
<VirtualHost *:443>
ServerName mail.mydomain.com
DocumentRoot /usr/local/squirrelmail/www
SSLEngine on
SSLCertificateFile /etc/httpd/SSL/mail.crt
SSLCertificateKeyFile /etc/postfix/SSL/server.key
</VirtualHost>
The problem is that 2 of them work perfectly and the lock shows up in
the browser. With the third (public), I get a gray globe indicating
partial encryption which does not prevent eavesdropping. I have no clue
how to debug this or even where to look. Can someone point me in the
right direction? Thanks.
The information contained in this e-mail and any accompanying documents may
contain information that is confidential or otherwise protected from
disclosure. If you are not the intended recipient of this message, or if this
message has been addressed to you in error, please immediately alert the sender
by reply e-mail and then delete this message, including any attachments. Any
dissemination, distribution or other use of the contents of this message by
anyone other than the intended recipient is strictly prohibited.
