Hi 2gether,

I faced a very strange behavior and got a big problem now. I upgraded to ISPConfig 3.0.4. Everything worked like a charm. Then I wanted to try out SNI for multiple SSL on one IP. So I activated SSL on two different webs, which didn't work. I always got the one (the first activated SSL web) certificate, no matter whether I took the one or the other URL of the two SSL-activated webs. Then all of a sudden apache2 didn't work anymore. I had a look into the apache2 log:

[Wed Nov 16 17:08:02 2011] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Wed Nov 16 17:08:02 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Wed Nov 16 17:08:02 2011] [notice] Digest: generating secret for digest authentication ...
[Wed Nov 16 17:08:02 2011] [notice] Digest: done
PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/apache2/conf.d/imagick.ini on line 1 in Unknown on line 0
PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/apache2/conf.d/imap.ini on line 1 in Unknown on line 0
PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/apache2/conf.d/mcrypt.ini on line 1 in Unknown on line 0
[Wed Nov 16 17:08:02 2011] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Wed Nov 16 17:08:02 2011] [notice] Apache/2.2.14 (Ubuntu) DAV/2 mod_fcgid/2.3.4 PHP/5.3.2-1ubuntu4.10 with Suhosin-Patch mod_ruby/1.2.6 Ruby/1.8.7(2010-01-10) mod_ssl/2.2.14 OpenSSL/0.9.8k configured -- resuming normal operations
[Wed Nov 16 17:08:05 2011] [notice] caught SIGTERM, shutting down

Then I tried to restart apache2 with /etc/init.d/apache2 and I got 2 errors:

* Starting web server apache2
Warning: DocumentRoot [/var/www/[one_of_my_webs_SYMLINK]/web] does not exist
[Wed Nov 16 18:22:52 2011] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
[fail]

So apache2 doesn't start anymore, not even the ISPConfig Webpanel. I think I also activated "VServer-Server", perhaps that was the problem? And I tried to "Send a Message" or "Read a Message" in the Webpanel. Nothing happened and then apache2 crashed and doesn't start again.

Can anybody please help me to get apache2/ISPConfig 3 running again?

Thanks so much again in advance
P@sco
This can have two reasons:

a) Either the apache version or openssl version on your server does not support SNI. See wikipedia which server versions and browsers support SNI: http://en.wikipedia.org/wiki/Server_Name_Indication
b) The ssl cert of the second site is corrupted and has to be recreated.

That's not related.

http://www.howtoforge.com/forums/showpost.php?p=266155&postcount=2
First of all: thanks for your reply and help. Following are the versions of my apache2 and openssl:

Server version: Apache/2.2.14 (Ubuntu)
Server built: Nov 3 2011 03:29:23
OpenSSL 0.9.8k 25 Mar 2009

These versions should support SNI following http://en.wikipedia.org/wiki/Server_Name_Indication. So I just activate SSL on two different webs and SNI should work? (with a SNI capable browser of course)

Great, that was the solution! Thanks a lot Till..you saved my day, apache2 is running again. But why do I still get:

Code:
Warning: DocumentRoot [/var/www/[one_of_my_webs_SYMLINK]/web] does not exist

I deleted the concerning web2 a day ago via webpanel. I had no error message. Should I delete the still existing symlink in /var/www manually?

Thx
p@sco
OK, I managed this, thanks.

If I enable SSL on two webs at the same time, I still get this error if I start apache2:

Code:
* Restarting web server apache2
[Sun Nov 20 17:40:45 2011] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
... waiting
[Sun Nov 20 17:40:47 2011] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
[ OK ]

When I try to access the webs by https I always get the cert from the first enabled SSL web and it always redirects me to that web. In the vhost file there is a virtual host configured on *:443 and the paths to the certs of the corresponding web are correctly set. The apache2 and openssl versions are SNI capable. My browser too (Firefox Vers. 3.6.24 for Ubuntu).

I don't get it. What am I doing wrong?
I had the same issue. I have the solution, but let's outline the problem more thoroughly, first.

I want to take advantage of SNI support in ISPConfig > 3.0.4, but when I (re)start Apache, I see the following:

Code:
# service apache2 restart
* Restarting web server apache2
[Thu Dec 15 09:03:32 2011] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
... waiting
[Thu Dec 15 09:03:33 2011] [warn] _default_ VirtualHost overlap on port 443, the first has precedence

The relevant Apache documentation ( http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI ) states:

My software supports SNI as evidenced by the following message in my error log upon Apache startup:

Code:
[Thu Dec 15 09:03:33 2011] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)

Further, if I examine the Apache environment variables (e.g. via PHP's phpinfo() function), I see:

Code:
_SERVER["SSL_TLS_SNI"] example.com

So, Apache and my browser are SNI-enabled.

And now for the solution:

As always, "the devil is in the details". The only part you missed was adding this to your Apache configuration, e.g., at the top of /etc/apache2/httpd.conf (this is from the same document that is referenced above):

Code:
# Listen for virtual host requests on all IP addresses
NameVirtualHost *:443

Don't forget to restart Apache (a reload probably works just as well).
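A small offline check for the two conditions discussed in this thread, as an added example that is not part of the original posts or of ISPConfig: several VirtualHost blocks sharing an address with no matching NameVirtualHost (the "overlap" warning, where only the first site's certificate is served), and a NameVirtualHost with no matching block. The sample configurations and the 192.0.2.10 address are constructed, addresses are compared as literal strings, and the rules are those of Apache 2.2 as used here.

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread): two SSL sites on *:443 and no
# NameVirtualHost *:443, the situation that produces the overlap warning.
BROKEN = """\
<VirtualHost *:443>
    ServerName shop.example.com
</VirtualHost>
<VirtualHost *:443>
    ServerName mail.example.com
</VirtualHost>
"""
FIXED = "NameVirtualHost *:443\n" + BROKEN
# Constructed: sites pinned to one IP while only *:443 is declared name-based.
PINNED = FIXED.replace("<VirtualHost *:443>", "<VirtualHost 192.0.2.10:443>")


def audit_vhosts(config_text):
    """Return sorted (kind, address, server_names) findings for a config."""
    # Simplification: addresses are matched as literal strings (Apache 2.2).
    declared = set()             # NameVirtualHost arguments
    sites = defaultdict(list)    # address -> ServerNames, in file order
    addrs, name = None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := re.match(r"NameVirtualHost\s+(\S+)", line, re.I):
            declared.add(m.group(1))
        elif m := re.match(r"<VirtualHost\s+([^>]+)>", line, re.I):
            addrs, name = m.group(1).split(), "(no ServerName)"
        elif m := re.match(r"ServerName\s+(\S+)", line, re.I):
            name = m.group(1)
        elif re.match(r"</VirtualHost>", line, re.I) and addrs:
            for addr in addrs:
                sites[addr].append(name)
            addrs = None
    findings = []
    for addr, names in sites.items():
        if len(names) > 1 and addr not in declared:
            # Only names[0] is ever served: "the first has precedence".
            findings.append(("overlap", addr, names))
    for addr in declared - set(sites):
        findings.append(("no-vhosts", addr, []))
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED), ("pinned", PINNED)):
        print(label, audit_vhosts(text))
```

To run it against a real server, pass the concatenated contents of the enabled vhost files and the main configuration to audit_vhosts().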
I will add that for servers configured with multiple IP addresses, and with "IPv4-Address" (and/or "IPv6-Address") set to specific IP addresses in the drop-down menu (in Sites -> example.com -> Domain [tab]), the following will appear in the Apache error log:

Code:
# service apache2 restart
* Restarting web server apache2
[Thu Dec 15 09:25:17 2011] [warn] NameVirtualHost *:80 has no VirtualHosts
[Thu Dec 15 09:25:17 2011] [warn] NameVirtualHost *:443 has no VirtualHosts

This is because when a specific IP address is selected, ISPConfig includes the IP address in the VirtualHost definition (rightfully so), e.g.:

Code:
<VirtualHost 123.456.789.012:443>
</VirtualHost>

Selecting the "*" option for each of these domains should work, too, but it increases the number of warnings in the log on Apache (re)start, e.g.:

Code:
# service apache2 restart
* Restarting web server apache2
[Thu Dec 15 09:43:21 2011] [warn] NameVirtualHost 0.0.0.1:80 has no VirtualHosts
[Thu Dec 15 09:43:21 2011] [warn] NameVirtualHost 0.0.0.1:443 has no VirtualHosts
[Thu Dec 15 09:43:21 2011] [warn] NameVirtualHost 0.0.0.2:80 has no VirtualHosts
[Thu Dec 15 09:43:21 2011] [warn] NameVirtualHost 0.0.0.2:443 has no VirtualHosts

As a final point of note, don't ignore this statement in the Apache SNI documentation: