SSL and ISPConfig/Apache issues (Help!)

we're trying to get SSL support working under ISPConfig (and/or Apache) and it's just not working. i'm hoping somebody here might have some suggestions.

it's a SLES10 machine with postfix-2.2.9-10 with courier-imap-4.0.6-15, apache2-2.2.3-16.2, mysql-5.0.18-20.8, i can't find the version number for ISPConfig, but i'm pretty sure it's the latest release,it was only installed last month.

the system is hosting about 20 or so virtual domains, and we want to enable squirrelmail over SSL, but we're having trouble getting apache to work with ssl properly. we don't know if this is an ISPConfig problem or something else in apache, so i'm here asking for help.

uname -a returns Linux <hostname removed> 2.6.16.27-0.9-smp #1 SMP Tue Feb 13 09:35:18 UTC 2007 i686 i686 i386 GNU/Linux

we're using openssl-0.9.8a-18.13, and that appears to be installed correctly. Webmin and postfix/courier are using SSL with no problems at all, webmin in particular runs on https perfectly. i can connect to pop3/pop3s, imap/imaps, all of that stuff works without a hitch.

but, when we try to connect to apache on any port via https, it doesn't work. we can connect to http://domain:80 and http://domain:443, but without ssl. i've tried everything i can think of, followed a number of howtos and advice from quite a few troubleshooting tips and tricks, but to no avail. nothing we try works. we've tried enabling SSL via the ISPConfig control panel, that doesn't seem to help either. what are we doing wrong?

if you need to see the various config files and so on, let me know. anyone with suggestions or questions can e-mail me directly, mac AT triad DOT ath DOT cx. we're kind of under a deadline, i'd like to get this sorted before the server has to go live. we can go live without SSL if we have to, but we'd really prefer to have this working first. thanks in advance for any help.

--Mac

 

yes, SSL and Apache are configured just as that Howto says to do them.

what's happening is, everything indicates that we have to use the line "SSLEngine On" for the virtual host we want to enable SSL with. but if we use that, at startup Apache returns this error:

"[error] Init: Multiple RSA server certificates not allowed"

obviously it's loading another certificate somewhere, or thinks it is. we can't for the life of us see where in the config it's doing that, though, which is what makes me thing maybe it's something in ISPConfig, 'cause we can't find anything in Apache that might be responsible. perhaps we're looking in the wrong place or looking for the wrong thing?

this document
http://groups.google.com/group/alt....s+not+allowed++&rnum=1&hl=en#205512850d44ca97

indicates that this might be a problem with Apache and a statically compiled mod_ssl, and that recompiling Apache with mod_ssl as a DSO worked for him. i'm not sure that's our answer, but i'm running out of ideas, and it seems like an awful lot of folks have had issues getting SSL working under Apache 2.2.x.

any further suggestions before i either try to recompile with mod_ssl as a DSO or uninstall Apache 2.2.3 and revert to Apache 2.0.59?

thanks again
--Mac

 

Single IP address?

 

well, technically it has two IP addresses. the machine has two NICs, configured with one public IP address and one private IP address. it is set up to listen for internet traffic on the public IP and local network traffic on the private IP.

Apache and pretty much most all other services are set up to listen on both interfaces. could this be causing a problem? the current apache config doesn't name any addresses specifically, it uses *:80 and *:443 for pretty much everything.

what i can't figure out is where that error "Multiple RSA server certificates not allowed" is coming from when we load SSLEngine On. we've tried using Listen 443 https in listen.conf but that returns the same error. my guess is, it's calling SSL from somewhere else during apache's initial startup, but buggered if i can see where.

 

Without doing a bit of 'cheating', you can only have one SSL cert per IP address. See here:

http://www.howtoforge.com/forums/showthread.php?t=13215

 

It may be that it is barfing on the *:443 entry. My config only has a :443 when there is an active SSL, and never with a *:443...

 

yes, i understand this. one cert per address. so far as i know, we are only using one cert total. where is it loading the second cert? do we need to disable the second NIC in order to make this work?

what i'm having trouble understanding is how/why/where it's loading the second cert from. the config, as near as i can tell, only calls for the one cert. where are the references to any others?

would the *:443 cause it to respond with that multiple RSA error message? that's what i'd really like to figure out. what's causing that error. if we could at least identify, hopefully eliminate, whatever is referencing SSL and/or RSA before the SSLEngine On statement, that would really help.

 

I have a similar config, in that I have multiple domains on a server with 1 IP and only a couple of them need SSL. I have it set up with NO ssl enabled in ispconfig on any of the domains - vhosts has no ref at all to :443, and for any domain that needs ssl I add an entry in apache2.conf, below the line that calls vhosts_ispconfig.conf that is the def for that ssl virtual host:

<IfModule mod_ssl.c>
<VirtualHost xxx.xxx.xxx.xxx:443>
ServerName www.xxxxxxxxx.com:443
ServerAdmin [email protected]
UseCanonicalName On
DocumentRoot /var/www/webxx/web
ServerAlias xxxxxxxxx.com
DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3 index.shtml index.cgi index.pl index.jsp Default.htm default.htm
ScriptAlias /cgi-bin/ /var/www/webxx/cgi-bin/
AddHandler cgi-script .cgi
AddHandler cgi-script .pl
ErrorLog /var/www/webxx/log/error.log
AddType application/x-httpd-php .php .php3 .php4 .php5
php_admin_flag safe_mode Off
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
SSLEngine on
SSLCertificateFile /var/local/ssl/xxxxxxx_server.pem
SSLCertificateKeyFile /var/local/ssl/xxxxxxx_privatekey.pem
Alias /error/ "/var/www/webxx/web/error/"
ErrorDocument 400 /error/invalidSyntax.html
ErrorDocument 401 /error/authorizationRequired.html
ErrorDocument 403 /error/forbidden.html
ErrorDocument 404 /error/fileNotFound.html
ErrorDocument 405 /error/methodNotAllowed.html
ErrorDocument 500 /error/internalServerError.html
ErrorDocument 503 /error/overloaded.html
AliasMatch ^/~([^/]+)(/(.*))? /var/www/webxx/user/$1/web/$3
AliasMatch ^/users/([^/]+)(/(.*))? /var/www/webxx/user/$1/web/$3
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>
</IfModule>

i.e. it is an ispconfig ssl server def, moved out of the vhosts file

 

I know Till, it's a copy of the ispconfig created stuff. I only have one IP, a router that will only allow 1 DMZ machine and IP, several domains on that IP that need SSL, and an ISP that wants ridiculous amounts of money per additional IP. So it was easiest to create a subjectAltName certificate, disable the SSL in the ispconfig control panel, and add them manually, duplicating what ispconfig would have done.

 

okay, i'm a little confused. i see what you're referring to, but i'm lost on the apache2.conf thing. ours is SLES10, and we have httpd.conf in /etc/apache2. is apache2.conf in your system the same as httpd.conf in ours?

as for that ispconfig-created SSL entry stuff, when i click the enable SSL checkbox under ispconfig, it does NOT create an entry like that in vhosts. i'm not sure what it *does* do, but what you show is definitely not it.

i can add in manually the SSL stuff that you show, if that will work. that still doesn't help me identify where apache is loading any other SSL or RSA information. in order to make SSL work with a given virtual host, i need that "SSLEnable On" statement in the vhost definition. if i enter that statement, i get the "Multiple RSA server certificates not allowed" error. for me, i think the first order of business is to identify what's causing that if possible. any suggestions?

 

Hey, I'm also working on this particular server. We tried changing the *443 reference to IP:443. Same error.

 

okay, i'm not any closer to solving this than i was.

i can connect to the server on port 443, using regular http, and it delivers the page it's supposed to deliver with SSL. i understand it's not supposed to do that. if i use https, i get this error: "[error] [client xx.xx.xx.xx] Invalid method in request \x80+\x01\x03\x01" and the page won't load.

that's without the statement SSLEngine On in the vhost reference. if i enable the SSLEngine On, i get "[error] Init: Multiple RSA server certificates not allowed".

both of these errors occur whether i have Listen 443 https in listen.conf or just listen 443. i'm very confused about the whole thing now. what are we doing wrong?

 

Just a thought, have you tried to do a grep 443 * in your apache (system httpd) config directory? Also check any includes that are outside of the directory.

 

is apache2.conf in your system the same as httpd.conf in ours?


I would imagine so, I'm a Debian/Ubuntu type, so I'm not used to anything but the apache2.conf.
I think you should check your existing httpd.conf and vhosts_ispconfig.conf for any references to port 443, as well as sites-enabled files particularly ssl (crosses fingers and hopes SLES has a sites-enabled folder) for an SSLEngine On and certificate defines. There is often a default Apache define in there.

 

okay, i think i found an additional problem, i'm not positive, but i thought i'd mention it here and see what you think.

the version of Apache is 2.2.3-16.2, and i *think* it has SSL statically linked in from the original rpm. but at the same time, it looks like it's also calling mod_ssl as a DSO. so. if that's true. how do i fix it?

could this be the source of the multiple RSA error message we get when we try to use SSLEngine On?

 

I'd certainly believe that could do it. An httpd -l should give you a list of the static modules.
If so, would disabling the DSO cause it to work? Might be worth a quick a2dismod mod_ssl to check, before starting any rebuilds/recompiles?
Afraid I'm on Apache 2.0.55, so also not aware of any 2.2.2 vagaries.

 

I've seen this problem by myself with trying to get ServerView management SSL working on my test SLES10 server. Had same errors.

And i couldn't find solution - then installed apache2 cocnfig files from old sles9 and... problem disappeard
So it is something with default ssl/vhost config in SLES10.

Now server is reinstalled with opensuse10.* perfect setup (but with SLES10 SP1) and SSL on my apache2 works without problem.

GreetZ .:JbRaVo:.