installed ssl - httpd.conf looks right - getting snakeoil cert

BlueNoteWeb (Verified User; joined Nov 4, 2004; 52 messages; Denton, TX)
I'm thoroughly confused on this one. The client in question has two sites which share some common files between them. To make things easier, I set up both sites under one account in DA (so all files have the same ownership) and symlinked the directories that need to be shared.

Now the client wants to add SSL on the second domain. DA can't really handle that, because it requires two IPs on one user account. I found and followed some instructions about making that happen, here:
http://www.directadmin.com/forum/showpost.php?p=90667&postcount=19

The first domain, which has been using SSL for a while now, is working fine. The certificate is installed and working properly. On the second domain, I get the snakeoil.dom certificate.

Here are the relevant sections from /usr/local/directadmin/data/users/<user>/httpd.conf, cut for brevity and censored for privacy:
Code:
# Auto generated apache config file by DirectAdmin version 1.28.0
# Modifying this file is not recommended as any changes you make will be
# overwritten when the user makes any changes to his/her website

# Frontpage requires these parameters in every httpd.conf file or else
# it won't work.
Port 80
ServerRoot /etc/httpd

.....cut for brevity......

<VirtualHost x.x.x.221:443>
        SSLEngine on
        SSLCertificateFile /usr/local/directadmin/data/users/<user>/domains/<domain>.com.cert
        SSLCertificateKeyFile /usr/local/directadmin/data/users/<user>/domains/<domain>.com.key
        SSLCACertificateFile /usr/local/directadmin/data/users/<user>/domains/<domain>.com.cacert

.....cut for brevity......

</VirtualHost>

.....cut for brevity......

<VirtualHost x.x.x.220:443>

        SSLEngine on
        SSLCertificateFile /usr/local/directadmin/data/users/<user>/domains/<otherdomain>.com.cert
        SSLCertificateKeyFile /usr/local/directadmin/data/users/<user>/domains/<otherdomain>.com.key
        SSLCACertificateFile /usr/local/directadmin/data/users/<user>/domains/<otherdomain>.com.cacert

.....cut for brevity......

</VirtualHost>

I have checked the certificates from the command line using openssl, they are returning the values I expect. As you see, the .cacert file is installed on both domains. Both domains are set up in DA to use SSL on their own certificate.

When I try to load the problem domain in a browser I still get the snakeoil certificate. I see this error in the file /var/log/httpd/ssl_engine_log:

Code:
[14/Feb/2007 05:44:13 18724] [error] SSL handshake failed (server shared.domain:443, client 71.164.246.232) (OpenSSL library error follows)
[14/Feb/2007 05:44:13 18724] [error] OpenSSL: error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired

That client IP is definitely my local IP. From that log message, it looks like the problem domain is attempting to use the server shared certificate - since there isn't a shared certificate installed it's coming up with the snakeoil cert.

What's the next thing to check?
 
I assume at one time the domains were using the same ip. So when you needed the second ssl you added the second ip to the httpd.conf file.

Did you also make the changes in dns and reload named?
Are you sure your computer is seeing the second domain on the new ip address?
What does nslookup tell you for the second domain?
Does the ip nslookup returns match the one for that domain in httpd.conf?
What happens if you type in the ip of the second domain using https into the browser?
What cert does it show then?
 
Very good questions.

I assume at one time the domains were using the same ip.
Yes - up until last night.
So when you needed the second ssl you added the second ip to the httpd.conf file.
Correct.
Did you also make the changes in dns and reload named?
Yes, the DNS zone file has been updated and named reloaded.
Are you sure your computer is seeing the second domain on the new ip address?
Yes, if I ping the original domain I get the 220 IP, if I ping the other domain (that was just moved to a different IP) I get the 221 IP.
What does nslookup tell you for the second domain?
Does the ip nslookup returns match the one for that domain in httpd.conf?
Yes, I get the 220 IP on the old domain, the 221 IP on the new domain, as expected.
What happens if you type in the ip of the second domain using https into the browser?
What cert does it show then?
I get the DA page that says:
Code:
This IP is being shared among many domains.
To view the domain you are looking for, simply enter the domain name in the location bar of your web browser.
Using https I see the snakeoil certificate. That's probably a clue - because using the original IP I get the site, not the "this ip is shared" page. Any idea where to look to fix that?
 
Thanks for the tip - that got me set up. In the file /etc/httpd/conf/ips.conf there was a virtualhost set up for that IP. I removed those virtualhost lines and restarted httpd, now I get the right cert. Much obliged, floyd!
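A check for the shadowing this thread ran into, written here as an added example (it is not DirectAdmin's or Apache's code): it reads VirtualHost blocks in the order Apache includes them and reports every SSL vhost whose certificate can never be presented because an earlier block on the same IP:port wins the handshake. The config text, ServerName values and certificate paths are constructed placeholders, including the ips.conf block standing in for the one that was removed.

```python
import re

# Constructed sample: ips.conf (one catch-all vhost per IP) is included before
# the per-user httpd.conf, which is the order that produced the wrong cert.
IPS_CONF = """
<VirtualHost x.x.x.221:443>
    SSLEngine on
    SSLCertificateFile /placeholder/path/snakeoil.crt
</VirtualHost>
"""

USER_CONF = """
<VirtualHost x.x.x.221:443>
    ServerName www.domain.com
    SSLEngine on
    SSLCertificateFile /usr/local/directadmin/data/users/user/domains/domain.com.cert
</VirtualHost>
<VirtualHost x.x.x.220:443>
    ServerName www.otherdomain.com
    SSLEngine on
    SSLCertificateFile /usr/local/directadmin/data/users/user/domains/otherdomain.com.cert
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(*configs):
    """Return vhosts as dicts in the order Apache reads them (include order)."""
    vhosts = []
    for text in configs:
        for addr, body in VHOST_RE.findall(text):
            name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M)
            cert = re.search(r"^\s*SSLCertificateFile\s+(\S+)", body, re.M)
            vhosts.append({
                "addr": addr.strip(),
                "name": name.group(1) if name else "(no ServerName)",
                "cert": cert.group(1) if cert else None,
            })
    return vhosts


def shadowed_ssl_vhosts(vhosts):
    """Without SNI the TLS handshake happens before any Host header is seen, so
    Apache presents the cert of the FIRST vhost defined for an IP:port.  Return
    (addr, unused_cert, cert_actually_served) for every later vhost on the same
    address that configures a different certificate."""
    first, shadowed = {}, []
    for v in vhosts:
        if v["addr"] not in first:
            first[v["addr"]] = v
        elif v["cert"] and v["cert"] != first[v["addr"]]["cert"]:
            shadowed.append((v["addr"], v["cert"], first[v["addr"]]["cert"]))
    return shadowed
```

Run it against the real include order (ips.conf first, then the user's httpd.conf) to see which IP:port still has a catch-all block in front of the intended certificate.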
 
Quote:
Thanks for the tip - that got me set up. In the file /etc/httpd/conf/ips.conf there was a virtualhost set up for that IP. I removed those virtualhost lines and restarted httpd, now I get the right cert. Much obliged, floyd!
That's exactly what I needed. That essential tidbit isn't in the documentation anywhere. That means that in DA, users cannot actually install their own certs. It certainly appears that they can, and the documentation indicates that they can. In the meantime, the omission of this embarrassing little detail wastes hours of people's time.
 
@IT_Architect -

In most cases it's not an issue. Users certainly can install their own certificates through the DA interface. This was a special case.

The problem comes when you have multiple domains under one user and want to set up a separate certificate for each domain. DA does not have the ability through the GUI to install multiple SSL certificates for a given user's account.

Usually I would work around this problem by setting up two separate accounts in DA, one for each domain that needs a certificate. By having two separate accounts the user can manage his certificates through DA. If you set up one account as a reseller which owns the other account, the person managing the site can do it all through one password.

In this case that wouldn't have worked because we needed to share files between the two domains. Both sites needed read/write access to a particular directory. The easiest way was to set up a single account so that file ownership and rights were not a problem and symlink the directory from one site to the other. This caused problems with DA, hence the thread.

Anyway, that was a really long-winded way to say that it works as advertised, most of the time, until you start doing crazy things that the developers didn't plan for.
 