SSL is valid only on 1 IP?

sdp

Hello,

I'm trying to activate SSL for a domain name. The domain name has 2 NS and the SSL certificate is only working on 1 IP, not both.

Details here:

==================
httpd.conf :

Code:
(...)
<VirtualHost 67.196.0.130:443 67.196.0.135:443 >

	SSLEngine on
	SSLCertificateFile /usr/local/directadmin/data/users/solarius/domains/solarius.biz.cert
	SSLCertificateKeyFile /usr/local/directadmin/data/users/solarius/domains/solarius.biz.key
	SSLCACertificateFile /usr/local/directadmin/data/users/solarius/domains/solarius.biz.cacert
(...)

HTTPD_CUSTOM for the domain
Code:
SSLCertificateChainFile /usr/local/directadmin/data/users/solarius/domains/gd_intermediate.crt
===================

SSL checker :
Code:
solarius.biz resolves to 67.196.0.135
 	
Server Type: Apache/2
 	
The certificate should be trusted by all major web browsers (all the correct intermediate certificates are installed).
 	
The certificate was issued by GoDaddy.	
 	
The certificate will expire in 256 days.	
 	
The hostname (solarius.biz) is correctly listed in the certificate.
	Common name: www.solarius.biz
SANs: www.solarius.biz, solarius.biz
Organization: www.solarius.biz
Valid from May 19, 2012 to February 4, 2013
Serial Number: 279430b1e1bd9d
Signature Algorithm: sha1WithRSAEncryption
Issuer: Go Daddy Secure Certification Authority	
	 
	Common name: Go Daddy Secure Certification Authority
Organization: GoDaddy.com, Inc.
Location: Scottsdale, Arizona, US
Valid from November 15, 2006 to November 15, 2026
Serial Number: 769 (0x301)
Signature Algorithm: sha1WithRSAEncryption
Issuer: The Go Daddy Group, Inc.

Code:
solarius.biz resolves to 67.196.0.130
 	
Server Type: Apache/2
 	
The certificate should be trusted by all major web browsers (all the correct intermediate certificates are installed).
 	
The certificate was issued by GoDaddy.	
 	
The certificate will expire in 256 days.	
 	
The hostname (solarius.biz) is correctly listed in the certificate.
	Common name: www.solarius.biz
SANs: www.solarius.biz, solarius.biz
Organization: www.solarius.biz
Valid from May 19, 2012 to February 4, 2013
Serial Number: 279430b1e1bd9d
Signature Algorithm: sha1WithRSAEncryption
Issuer: Go Daddy Secure Certification Authority	
	 
	Common name: Go Daddy Secure Certification Authority
Organization: GoDaddy.com, Inc.
Location: Scottsdale, Arizona, US
Valid from November 15, 2006 to November 15, 2026
Serial Number: 769 (0x301)
Signature Algorithm: sha1WithRSAEncryption
Issuer: The Go Daddy Group, Inc.
=====================


The SSL certificate is issued by GoDaddy.
IP: 67.196.0.130 is a dedicated IP in DA (first NS).
IP: 67.196.0.135 is a shared IP in DA (second NS).
CONF: enable_ssl_sni=1 in directadmin.conf


The SSL is valid only when the domain name points to IP 67.196.0.130, not 67.196.0.135?

Thank you for your help,
 
Do you have lines as follows in your /etc/httpd/conf/ips.conf file?
Code:
NameVirtualHost 67.196.0.135:80
NameVirtualHost 67.196.0.135:443
If not, add the missing line(s), restart Apache and see if it works.

If it works then you know the problem, but read the warning at the top of the file. You'll probably need to remove the lines from the ips.conf file, and add them to the /etc/httpd/extra/httpd-vhosts.conf file, directly under the line that reads:
Code:
Include /etc/httpd/conf/ips.conf

Don't forget to restart Apache after any changes to these files.
Jeff
 
Hello,

I don't have the /etc/ips.conf file.

I only have this "/etc/httpd/conf/ips.conf"
with
Code:
NameVirtualHost 67.196.0.135:80
NameVirtualHost 67.196.0.135:443
<VirtualHost 67.196.0.135:80>
        ServerName shared.domain
        ScriptAliasMatch ^/~([^/]+)/+cgi-bin/+(.*) /home/$1/public_html/cgi-bin/$2
        AliasMatch ^/~([^/]+)(/.*)* /home/$1/public_html$2
        DocumentRoot /home/admin/domains/sharedip

        SuexecUserGroup admin admin

        CustomLog /var/log/httpd/homedir.log homedir
</VirtualHost>

<VirtualHost 67.196.0.135:443>
        SSLEngine on
        SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
        SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
        ServerName shared.domain
        ScriptAliasMatch ^/~([^/]+)/+cgi-bin/+(.*) /home/$1/public_html/cgi-bin/$2
        AliasMatch ^/~([^/]+)(/.*)* /home/$1/public_html$2
        DocumentRoot /home/admin/domains/sharedip

        SuexecUserGroup admin admin

        CustomLog /var/log/httpd/homedir.log homedir
</VirtualHost>

However, I see that 67.196.0.135:443 uses domain SSL certificate and not the same certificate as 67.196.0.130.

So 67.196.0.135 is a shared IP for nameserver #2.
Am I right: I cannot install an SSL certificate on a shared IP?
So, do I need 2 dedicated IPs used as nameservers to execute/run SSL on that domain name?

Regards,
 
Hello,

I don't have the /etc/ips.conf file.

I'm sure it was a typo. /etc/httpd/conf/ips.conf is a correct path to the file.

However, I see that 67.196.0.135:443 uses domain SSL certificate and not the same certificate as 67.196.0.130.

Should it be any different?

Am I right: I cannot install an SSL certificate on a shared IP?
So, do I need 2 dedicated IPs used as nameservers to execute/run SSL on that domain name?

http://www.directadmin.com/features.php?id=1100
 
Should it be any different?
Yes, it should be different.

67.196.0.130 = SSL for the domain name.
67.196.0.135 = SSL of server port 2222.


See above, the SNI option is already enabled.


Just to be sure that my DNS is set up well, can someone validate this result:

HTML:
dns1.solarius.biz.	A	67.196.0.130	
dns3.solarius.biz.       A	67.196.0.135	
ftp	A	67.196.0.130	
localhost	A	127.0.0.1	
mail	A	67.196.0.130	
pop	A	67.196.0.130	
smtp	A	67.196.0.130	
solarius.biz.	A	67.196.0.130	
www	A	67.196.0.130	
solarius.biz.	NS	dns1.solarius.biz.	
solarius.biz.	NS	dns3.solarius.biz.	
mail	MX	10	
solarius.biz.	TXT	"v=spf1 a mx ip4:67.196.0.129 ip4:67.196.0.130 ip4:67.196.0.135 ip4:209.123.181.89 ~all"	
localhost	AAAA	::1

I thought that DA reacts like it does; I think it's me, I don't understand something well.

The problem is that when someone gets IP 67.196.0.135, they get an HTTPS error.
When someone gets IP 67.196.0.130, everything is fine.

Do you need more information?

Thanks,
 
Yes, the location of the ips.conf file was a typo; I've corrected it.

On the server I checked I believe that ips.conf includes only the single lines, not the container sections, so I don't know how to help you further without experimenting. You may be able to remove the containers from the ips.conf file and move them to another file, and then make the modification I've already mentioned, but I'm not sure.

Jeff
 
That is correct, ips.conf contains them all, including NameVirtualHost lines and VirtualHost containers.
 
Okay, I'm confused. Here's a snippet from an ips.conf file on a system running Apache 1.3.41 (IP#s changed):
Code:
# Auto generated apache config file by DirectAdmin version 1.40.3
# Modifying this file is not recommended as any changes you make will be
# overwritten when you add/remove ip's through DirectAdmin.

LogFormat "%b \"%r\"" homedir
NameVirtualHost 1.2.3.68:80
NameVirtualHost 1.2.3.68:443
NameVirtualHost 1.2.3.70:80
NameVirtualHost 1.2.3.70:443

And here's a snippet from another machine, running Apache 2.4.1:
Code:
# Auto generated apache config file by DirectAdmin version 1.40.3
# Modifying this file is not recommended as any changes you make will be
# overwritten when you add/remove ip's through DirectAdmin.

LogFormat "%O \"%r\"" homedir
NameVirtualHost 1.2.3.66:80
NameVirtualHost 1.2.3.66:443
NameVirtualHost 1.2.3.73:80
NameVirtualHost 1.2.3.73:443

Both machines are running CentOS (different versions), and both are running DirectAdmin 1.40.3.

How come mine aren't the same as yours?

Jeff
 
You must be sharing only server IP and the other IPs are privately assigned to your customers.
 
How come mine aren't the same as yours?
I don't know. I'm using DA 1.40.3 with Apache 2.4.2 (custombuild).

So I think that I'm not correctly using all internal IPs from the server.

Currently, I'm designing this domain with 1 dedicated IP only and not 1 dedicated IP with other shared IPs.
Everything works fine now.

thank you for helping me.
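
Added example (not part of the thread and not DirectAdmin's own code): a small Python check that reads VirtualHost blocks in definition order and reports which certificate file each address would present with and without an SNI hostname, using Apache's rule that the first vhost defined for an address is its default. The sample config is constructed from the snippets posted above; the ServerName/ServerAlias on the domain vhost and the load order (ips.conf first) are assumptions.

```python
import re

# Constructed sample, reduced from the two files quoted in the thread.
# Assumptions: ServerName/ServerAlias on the domain vhost (elided as "(...)" in
# the post) and the load order (ips.conf before the user's httpd.conf).
IPS_CONF = """
<VirtualHost 67.196.0.135:443>
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    ServerName shared.domain
</VirtualHost>
"""
USER_CONF = """
<VirtualHost 67.196.0.130:443 67.196.0.135:443 >
    ServerName www.solarius.biz
    ServerAlias solarius.biz
    SSLEngine on
    SSLCertificateFile /usr/local/directadmin/data/users/solarius/domains/solarius.biz.cert
</VirtualHost>
"""

def parse_vhosts(text):
    """Return VirtualHost blocks in definition order: addresses, names, cert file."""
    vhosts = []
    for m in re.finditer(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", text, re.S | re.I):
        body = m.group(2)
        names = re.findall(r"^\s*Server(?:Name|Alias)\s+(.+)$", body, re.M | re.I)
        cert = re.search(r"^\s*SSLCertificateFile\s+(\S+)", body, re.M | re.I)
        vhosts.append({
            "addrs": m.group(1).split(),
            "names": [n.lower() for line in names for n in line.split()],
            "cert": cert.group(1) if cert else None,
        })
    return vhosts

def cert_served(vhosts, addr, sni=None):
    """Cert presented on addr: the vhost matching the SNI name, else the first
    vhost defined for that address (Apache's default for the address).
    Simplified: exact ip:port matches only, no wildcard or _default_ handling."""
    candidates = [v for v in vhosts if addr in v["addrs"]]
    for v in candidates:
        if sni and sni.lower() in v["names"]:
            return v["cert"]
    return candidates[0]["cert"] if candidates else None

def sni_dependent_addrs(vhosts, name):
    """Addresses where a client that sends no SNI gets a different cert for name."""
    addrs = sorted({a for v in vhosts for a in v["addrs"]})
    return [a for a in addrs if cert_served(vhosts, a) != cert_served(vhosts, a, name)]
```

Calling `sni_dependent_addrs(parse_vhosts(IPS_CONF + USER_CONF), "solarius.biz")` lists the addresses where the domain certificate is only reachable through SNI; on a live server the same comparison can be made with `openssl s_client -connect <ip>:443`, with and without `-servername`.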
 