Sorry if this has been covered before, I searched for a while and couldn't find a solution. I have 3 domain names going to 3 external IP addresses, going through the NAT to the web server inside. All was good until I wanted the 3 sites to have SSL certs. The certs are registered, the domains are pointed to different IPs and the virtual hosts are working-ish. It always gets the result of the first SSL virtual host. I have the external IPs resolving to the gate, the gate forwarding to 3 internal IPs and the virtual hosts set to accept those internal IPs, and it still gets the wrong vhost... any ideas what I am doing wrong? Here is the offending NAT line for one of the virtual hosts:
Hey falko, yeah, I have a public IP for each domain; each public IP is routed by iptables to a local IP address on the same box (2 virtual). I have done a tcpdump and hit F5 a few times while accessing the 2 domains that have their own certificates, and I can see that the requests hit Apache with their relevant local IPs as they should, but the first vhost is the only one that is seen. I am using a CMS system that looks at the request URI to decide what site it is, so the content is correct, but the www.davisnet.co.nz site reports having the www.weatherdata.co.nz SSL certificate... it's most annoying! My only assumption is that there is something wrong with Apache or the SSL vhost settings... PS: if I put the last vhost at the start, the problem is inverted... It's really annoying!
OK, so now I am really confused! I have moved the hosted sites to a newer version of Apache, running on the gateway server. The gateway has about 15 public IPs and 2 private IPs. It doesn't matter which IP I use, it will always return the first :443 virtual host in the file. Apache is listening on all of these IPs, :::::443 to be precise. I am totally confused now; in its simplicity it should just work. I must be doing something wrong? This is the first half of the only /sites-enabled/ file:

Code:
<IfModule mod_ssl.c>
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
    SSLPassPhraseDialog builtin
    SSLSessionCache dbm:/var/run/ssl_scache
    SSLSessionCacheTimeout 300
    SSLMutex file:/var/run/ssl_mutex
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
</IfModule>

###
### WeatherData vhost
###
NameVirtualHost 202.27.218.164:443
<VirtualHost 202.27.218.164:443>
    ErrorLog /var/log/apache2/s_powersite5-error.log
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/weatherdata.co.nz.crt
    SSLCertificateKeyFile /etc/apache2/ssl/weatherdata.co.nz.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    Include /etc/apache2/powersiteInclude
    ServerAlias www.weatherdata.co.nz
    ServerAlias weatherdata.co.nz
</VirtualHost>

###
### Davisnet vhost
###
NameVirtualHost 202.27.218.165:443
<VirtualHost 202.27.218.165:443>
    ErrorLog /var/log/apache2/s_powersite5-error.log
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/davisnet.co.nz.crt
    SSLCertificateKeyFile /etc/apache2/ssl/davisnet.co.nz.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    Include /etc/apache2/powersiteInclude
    ServerAlias www.davisnet.co.nz
    ServerAlias davisnet.co.nz
</VirtualHost>

Anyone got any ideas?
Hey falko, to simplify routing I moved the websites to our gateway, so now it's listening on the public IPs and Apache is listening on the right ports. I have updated to Apache 2.2.3 on the chance that it was the Apache version, but the problem persists, so it must be a configuration error.

ifconfig

Code:
eth0      Link encap:Ethernet  HWaddr 00:04:23:C4:5F:3A
          inet addr:202.27.218.143  Bcast:202.27.218.191  Mask:255.255.255.192
          inet6 addr: fe80::204:23ff:fec4:5f3a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:191439541 errors:0 dropped:0 overruns:0 frame:0
          TX packets:183719638 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:3651188107 (3.4 GiB)  TX bytes:1735234654 (1.6 GiB)
          Base address:0x3080 Memory:d0240000-d0260000

eth0:0    Link encap:Ethernet  HWaddr 00:04:23:C4:5F:3A
          inet addr:202.27.219.153  Bcast:202.27.218.191  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Base address:0x3080 Memory:d0240000-d0260000

eth0:1    Link encap:Ethernet  HWaddr 00:04:23:C4:5F:3A
          inet addr:202.27.218.177  Bcast:202.27.218.191  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Base address:0x3080 Memory:d0240000-d0260000

eth0:2    Link encap:Ethernet  HWaddr 00:04:23:C4:5F:3A
          inet addr:202.27.218.178  Bcast:202.27.218.191  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Base address:0x3080 Memory:d0240000-d0260000

eth0:3    Link encap:Ethernet  HWaddr 00:04:23:C4:5F:3A
          inet addr:202.27.218.164  Bcast:202.27.218.191  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Base address:0x3080 Memory:d0240000-d0260000

eth0:4    Link encap:Ethernet  HWaddr 00:04:23:C4:5F:3A
          inet addr:202.27.218.165  Bcast:202.27.218.191  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Base address:0x3080 Memory:d0240000-d0260000

eth0:5    Link encap:Ethernet  HWaddr 00:04:23:C4:5F:3A
          inet addr:202.27.218.166  Bcast:202.27.218.191  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Base address:0x3080 Memory:d0240000-d0260000

eth0:6    Link encap:Ethernet  HWaddr 00:04:23:C4:5F:3A
          inet addr:202.27.218.167  Bcast:202.27.218.191  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Base address:0x3080 Memory:d0240000-d0260000

eth0:7    Link encap:Ethernet  HWaddr 00:04:23:C4:5F:3A
          inet addr:202.27.218.161  Bcast:202.27.218.191  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Base address:0x3080 Memory:d0240000-d0260000

eth0:8    Link encap:Ethernet  HWaddr 00:04:23:C4:5F:3A
          inet addr:202.27.218.162  Bcast:202.27.218.191  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Base address:0x3080 Memory:d0240000-d0260000

eth1      Link encap:Ethernet  HWaddr 00:04:23:C4:5F:39
          inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::204:23ff:fec4:5f39/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:266786329 errors:0 dropped:0 overruns:0 frame:0
          TX packets:271779331 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2246381457 (2.0 GiB)  TX bytes:2068435776 (1.9 GiB)
          Base address:0x3040 Memory:d0220000-d0240000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:101096 errors:0 dropped:0 overruns:0 frame:0
          TX packets:101096 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:9468670 (9.0 MiB)  TX bytes:9468670 (9.0 MiB)
There's no ServerName directive in your vhosts. Please add one. Also, you can put all the ServerAliases on one line:

Code:
ServerAlias www.davisnet.co.nz davisnet.co.nz
Put those in, it made no difference. Cheers for the heads-up on the alias by the way, I didn't know that. I am really confused now; I mean, the SSL encapsulation should query Apache with the requested IP address, and shouldn't that resolve the virtual host? It's almost like it's getting the request but Apache doesn't know which IP is being requested, so it's returning the first 443 vhost. Thank you for your help.
OK, just tested accessing the server via IP address; I can confirm that the request is coming through on the correct IP. Regardless of what IP it comes from, it uses the first SSL virtual host. If I change the order of the vhosts the problem is reversed, i.e. the site that reports the wrong cert works fine and the other one that was working fine all of a sudden complains about the wrong cert. I have re-written the Apache host config and revised it a lot, but it seems to make no difference.

Code:
# Use this file if you're adding a domain to PowerSite - you'll need to add an alias for each domain
# into both of the powersite virtual host statements below (one secure, one normal)
# see the weatherdata.co.nz as an example
<IfModule mod_ssl.c>
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
    SSLPassPhraseDialog builtin
    SSLSessionCache dbm:/var/run/ssl_scache
    SSLSessionCacheTimeout 300
    SSLMutex file:/var/run/ssl_mutex
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
</IfModule>

###
### WeatherData vhost
###
NameVirtualHost 202.27.218.164:443
<VirtualHost 202.27.218.164:443>
    ServerName weatherdata.co.nz
    ErrorLog /var/log/apache2/s_powersite5-error.log
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/weatherdata.co.nz.crt
    SSLCertificateKeyFile /etc/apache2/ssl/weatherdata.co.nz.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    Include /etc/apache2/powersiteInclude
    ServerAlias www.weatherdata.co.nz weatherdata.co.nz
</VirtualHost>

###
### Davisnet vhost
###
NameVirtualHost 202.27.218.165:443
<VirtualHost 202.27.218.165:443>
    ServerName davisnet.co.nz
    ErrorLog /var/log/apache2/s_powersite5-error.log
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/davisnet.co.nz.crt
    SSLCertificateKeyFile /etc/apache2/ssl/davisnet.co.nz.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    Include /etc/apache2/powersiteInclude
    ServerAlias www.davisnet.co.nz davisnet.co.nz
</VirtualHost>

It shouldn't be this hard?
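Added example (not code from this thread, the poster, or Apache): a small Python 3 script, standard library only, that does the two things worth doing before rewriting the vhost file again. First, a static audit of the IP-based SSL `<VirtualHost>` blocks for the mistakes that produce the "every IP gets the first :443 vhost" symptom (a missing ServerName, two SSL vhosts sharing one address:port, the same certificate file configured twice, a NameVirtualHost with no matching vhost, explicit Listen lines that do not cover a vhost address). Second, a live probe that connects to each vhost's address on 443 without SNI, the way the browsers of that era did, and compares a SHA-256 fingerprint of the certificate actually presented with the fingerprint of the file named in SSLCertificateFile. The SAMPLE_CONFIG is a constructed, cut-down copy of the two vhosts posted above; `simulate_symptom()` is an offline stand-in for the probe that answers with the first vhost's certificate for every address, so the comparison can be exercised without a network.

```python
"""Added example (not from the thread or from Apache): static audit of IP-based SSL
<VirtualHost> blocks plus a live probe that fingerprints the certificate each
address really serves.  Python 3 standard library only."""
import hashlib
import re
import socket
import ssl
from collections import defaultdict

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z]\w*)\s+(.*?)\s*$", re.M)

# Constructed sample: a cut-down copy of the two vhosts posted in this thread,
# with ServerName deliberately left out of the second one.
SAMPLE_CONFIG = """\
NameVirtualHost 202.27.218.164:443
<VirtualHost 202.27.218.164:443>
    ServerName weatherdata.co.nz
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/weatherdata.co.nz.crt
    SSLCertificateKeyFile /etc/apache2/ssl/weatherdata.co.nz.key
    ServerAlias www.weatherdata.co.nz weatherdata.co.nz
</VirtualHost>
NameVirtualHost 202.27.218.165:443
<VirtualHost 202.27.218.165:443>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/davisnet.co.nz.crt
    SSLCertificateKeyFile /etc/apache2/ssl/davisnet.co.nz.key
    ServerAlias www.davisnet.co.nz davisnet.co.nz
</VirtualHost>
"""


def parse_vhosts(config_text):
    """One dict per <VirtualHost>: its address and a directive -> [values] map."""
    vhosts = []
    for m in VHOST_RE.finditer(config_text):
        directives = defaultdict(list)
        for d in DIRECTIVE_RE.finditer(m.group(2)):
            directives[d.group(1)].append(d.group(2))
        vhosts.append({"address": m.group(1).strip(), "directives": dict(directives)})
    return vhosts


def audit_vhosts(config_text):
    """Static checks for the 'every IP gets the first :443 vhost' symptom."""
    findings = []
    vhosts = parse_vhosts(config_text)
    addresses = {v["address"] for v in vhosts}
    by_addr, by_cert = defaultdict(list), defaultdict(list)
    for v in vhosts:
        d = v["directives"]
        if d.get("SSLEngine", [""])[0].lower() != "on":
            continue
        if "ServerName" not in d:
            findings.append(f"{v['address']}: no ServerName")
        if "SSLCertificateFile" in d:
            by_cert[d["SSLCertificateFile"][0]].append(v["address"])
        else:
            findings.append(f"{v['address']}: SSLEngine on but no SSLCertificateFile")
        by_addr[v["address"]].append(v)
    for addr, group in by_addr.items():
        if len(group) > 1:
            # For clients (or Apache builds) without SNI the handshake finishes before any
            # Host header exists, so only the first vhost's certificate can be presented.
            findings.append(f"{addr}: {len(group)} SSL vhosts share one address:port, "
                            "only the first one's certificate can be served")
    for path, addrs in by_cert.items():
        if len(addrs) > 1:
            findings.append(f"{path}: same certificate configured for {', '.join(addrs)}")
    for m in re.finditer(r"^\s*NameVirtualHost\s+(\S+)", config_text, re.M):
        if m.group(1) not in addresses:
            findings.append(f"NameVirtualHost {m.group(1)} matches no <VirtualHost>")
    listens = re.findall(r"^\s*Listen\s+(\S+)", config_text, re.M)
    if listens and all(":" in l for l in listens):      # every Listen names an address
        covered = any(l.startswith(("*:", "0.0.0.0:", "[::]:")) for l in listens)
        for addr in by_addr:
            if not covered and addr not in listens:
                findings.append(f"{addr}: no Listen directive covers this address")
    return findings


def fingerprint(der_bytes):
    return hashlib.sha256(der_bytes).hexdigest()


def file_fingerprint(path):
    """SHA-256 over the DER form of a PEM certificate on disk."""
    with open(path) as f:
        return fingerprint(ssl.PEM_cert_to_DER_cert(f.read()))


def served_fingerprint(ip, port=443, sni=None, timeout=5):
    """Connect to ip:port and fingerprint whatever certificate the server presents.
    sni=None behaves like an SNI-less client, the case an IP-per-vhost setup must handle."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE        # we want to see the cert, not validate it
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return fingerprint(tls.getpeercert(binary_form=True))


def compare_served(config_text, probe=served_fingerprint, expected=file_fingerprint):
    """For each SSL vhost, compare the cert on disk with the cert its address serves.
    probe/expected are injectable so the logic can be exercised without a network."""
    results = {}
    for v in parse_vhosts(config_text):
        d = v["directives"]
        if d.get("SSLEngine", [""])[0].lower() != "on" or "SSLCertificateFile" not in d:
            continue
        ip, port = v["address"].rsplit(":", 1)
        want, got = expected(d["SSLCertificateFile"][0]), probe(ip.strip("[]"), int(port))
        results[v["address"]] = {"expected": want, "served": got, "ok": want == got}
    return results


def simulate_symptom(config_text=SAMPLE_CONFIG):
    """Offline stand-in for the live probe: every address answers with the FIRST vhost's
    certificate, which is exactly what this thread reports."""
    first_cert = parse_vhosts(config_text)[0]["directives"]["SSLCertificateFile"][0]
    fake_expected = lambda path: hashlib.sha256(path.encode()).hexdigest()
    return compare_served(config_text, probe=lambda ip, port: fake_expected(first_cert),
                          expected=fake_expected)


if __name__ == "__main__":
    import sys
    cfg = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for line in audit_vhosts(cfg):
        print("audit:", line)
    results = compare_served(cfg) if len(sys.argv) > 1 else simulate_symptom()
    for addr, r in results.items():
        print(addr, "OK" if r["ok"] else "MISMATCH", "served", r["served"][:16])
```

Run it as `python3 vhostcheck.py /etc/apache2/sites-enabled/default` on the server itself so the SSLCertificateFile paths resolve; a MISMATCH line for 202.27.218.165:443 with the same served fingerprint as 202.27.218.164:443 confirms from the wire what the browser warning says. The same live check by hand is `openssl s_client -connect 202.27.218.165:443 </dev/null | openssl x509 -noout -subject -fingerprint -sha256`, run once per public IP.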
That's because the CMS uses the request URI to determine the site, so regardless of which virtual host it finds, it will be the right site. Because they are both using the first SSL virtual host, the site is correct but it's getting the wrong certificate.