Some clarification needed for SSL certificates on DA

simisimis (Verified User, joined Mar 26, 2012, 31 messages, location: Amsterdam)
OK, this is not a standard SSL setup, but if someone could help me understand it I would be very grateful.
First it's probably worth describing the problem.
I have a server with four domain pools, four shared IPs for the pools, and four different resellers, each creating domains from a specific pool with a specific shared IP address. I have four different trusted certificates.
To summarize what I've mentioned, it looks like this:
pool1.domain.com IP:10.0.0.11 trusted crt with CN=*.pool1.domain.com
pool2.domain.com IP:10.0.0.12 trusted crt with CN=*.pool2.domain.com
pool3.domain.com IP:10.0.0.13 trusted crt with CN=*.pool3.domain.com
pool4.domain.com IP:10.0.0.14 trusted crt with CN=*.pool4.domain.com

What I did: I made some custom scripts under the templates dir so that, when creating a user in pool1, the SSL part of /usr/local/directadmin/data/users/user/httpd.conf looks like this:
----
<VirtualHost 10.0.0.11:443>

SSLEngine on

SSLCertificateFile /etc/httpd/conf/pool1/cert-pool1.pem
SSLCertificateKeyFile /etc/httpd/conf/pool1/key.pool1.key
SSLCertificateChainFile /etc/httpd/conf/pool1/chain-pool1.pem
----
I also made changes in the custom script /usr/local/directadmin/data/templates/custom/ips_virtual_host.conf:
<..>
|*if IP="10.0.0.11"|
<VirtualHost 10.0.0.11:|PORT_443|>
SSLEngine on
SSLCertificateFile /etc/httpd/conf/pool1/cert-pool1.pem
SSLCertificateKeyFile /etc/httpd/conf/pool1/key.pool1.key
SSLCertificateChainFile /etc/httpd/conf/pool1/chain-pool1.pem
|*endif|
|*if IP="10.0.0.12"|
<VirtualHost 10.0.0.12:|PORT_443|>
SSLEngine on
SSLCertificateFile /etc/httpd/conf/pool2/cert-pool2.pem
SSLCertificateKeyFile /etc/httpd/conf/pool2/key.pool2.key
SSLCertificateChainFile /etc/httpd/conf/pool2/chain-pool2.pem
|*endif|
<..>

So my /etc/httpd/conf/ips.conf has:
NameVirtualHost 10.0.0.11:80
NameVirtualHost 10.0.0.11:443
NameVirtualHost 10.0.0.12:80
NameVirtualHost 10.0.0.12:443
<..>
<VirtualHost 10.0.0.11:443>
SSLEngine on
SSLCertificateFile /etc/httpd/conf/pool1/cert-pool1.pem
SSLCertificateKeyFile /etc/httpd/conf/pool1/key.pool1.key
SSLCertificateChainFile /etc/httpd/conf/pool1/chain-pool1.pem


ServerName shared.domain
ScriptAliasMatch ^/~([^/]+)/+cgi-bin/+(.*) /home/$1/public_html/cgi-bin/$2
AliasMatch ^/~([^/]+)(/.*)* /home/$1/public_html$2
DocumentRoot /home/reseller1/domains/sharedip

SuexecUserGroup reseller1 reseller1

CustomLog /var/log/httpd/homedir.log homedir
</VirtualHost>

<VirtualHost 10.0.0.12:443>
SSLEngine on
SSLCertificateFile /etc/httpd/conf/pool2/cert-pool2.pem
SSLCertificateKeyFile /etc/httpd/conf/pool2/key.pool2.key
SSLCertificateChainFile /etc/httpd/conf/pool2/chain-pool2.pem
<..>
<VirtualHost 10.0.0.13:443>
SSLEngine on
SSLCertificateFile /etc/httpd/conf/pool3/cert-pool3.pem
SSLCertificateKeyFile /etc/httpd/conf/pool3/key.pool3.key
SSLCertificateChainFile /etc/httpd/conf/pool3/chain-pool3.pem
<..>
and so on.

Well, I am trying to cut the config file down as much as I can.
So, the problem: until I edited ips_virtual_host.conf, SSL was not working at all, but afterwards two of the domain pools started to work.
If I create or check an existing domain like something.pool1.domain.com or smth.pool2.domain.com with an SSL checking site like http://www.digicert.com/help/,
I get an answer from that site that everything is OK: for site smth.pool2.domain.com,
SSL OK, CN = *.pool2.domain.com matches. Perfect, that's what I wanted, and the same happens with pool1.
I get an "all correct" type of page. But if I try something from pool3 or pool4, I get a warning that my certificate CN=*.pool2.domain.com does not match smth.pool3.domain.com,
and of course if I try to get into an SSL site of pool3 or pool4 I have to go through SSL security warnings in web browsers... nothing surprising, since the CN does not match the domain name.

Sooo... finally the question :)
Does anyone know which part of the server is responsible for that, and on which config files I should concentrate to get this solved?
I mean, when I request information on the digicert.com web page I linked above and it displays the warning that smth.pool3.domain.com is using a crt with CN=*.pool2.domain.com,
what gives that information to it? I assume it should be httpd.conf, but the conf file is correct, so maybe some other httpd.conf overrides it?
If any additional details are needed, let me know.
Thank you in advance for your help.

Simas
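On the question of what tells the checker site which certificate a host uses: nothing is looked up anywhere, the server itself presents the certificate during the TLS handshake for whichever VirtualHost Apache picked for that IP (and, with a modern client, SNI name). The quickest way to see what each shared IP is really serving is to connect to it and read the certificate back. The script below is an added example, not code from the poster or from DirectAdmin; it uses the thread's placeholder IPs and pool names, assumes the certificates chain to a CA in the system trust store (which is what lets Python return them parsed), and SAMPLE_POOL2_CERT is a constructed dict shaped like ssl.getpeercert() output so the matching logic can be exercised offline.

```python
"""Probe which certificate each shared IP presents and check its names.

Added example for this thread, not code from the poster or DirectAdmin.
IPs and pool names are the thread's placeholders; SAMPLE_POOL2_CERT is a
constructed dict shaped like ssl.SSLSocket.getpeercert() output.
"""
import socket
import ssl

# Constructed sample standing in for the pool2 wildcard certificate.
SAMPLE_POOL2_CERT = {
    "subject": ((("countryName", "NL"),), (("commonName", "*.pool2.domain.com"),)),
    "subjectAltName": (("DNS", "*.pool2.domain.com"), ("DNS", "pool2.domain.com")),
}

# The thread's pool table: shared IP -> a hostname that should be served there.
POOLS = {f"10.0.0.1{n}": f"smth.pool{n}.domain.com" for n in range(1, 5)}


def cert_names(cert):
    """Names a certificate claims: subjectAltName DNS entries first, then
    the subject CN (the CN is what the checker site in the thread reports)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def name_matches(pattern, hostname):
    """Wildcard rule browsers apply: '*' stands for exactly one left-most
    label, so *.pool2.domain.com matches smth.pool2.domain.com but not
    smth.pool3.domain.com, not pool2.domain.com, not a.b.pool2.domain.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".pool2.domain.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]           # the label the '*' stands for
    return left != "" and "." not in left


def hostname_matches(cert, hostname):
    """True if any name in the certificate covers the hostname."""
    return any(name_matches(n, hostname) for n in cert_names(cert))


def probe(ip, hostname, port=443, timeout=5.0):
    """Connect to ip:port sending `hostname` as SNI (as a browser would) and
    return the certificate the server presents. check_hostname is off so a
    name mismatch is reported instead of raising; the chain is still
    verified against the system trust store, so a self-signed certificate
    would raise ssl.SSLCertVerificationError. Needs network access."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


def describe(ip, hostname, cert):
    """One-line verdict in the style of the checker site the poster used."""
    status = "OK" if hostname_matches(cert, hostname) else "MISMATCH"
    return f"{ip} for {hostname}: {status}, names={cert_names(cert)}"


if __name__ == "__main__":
    # Offline demonstration of the matching logic on the constructed cert.
    print(describe("10.0.0.12", "smth.pool2.domain.com", SAMPLE_POOL2_CERT))
    print(describe("10.0.0.13", "smth.pool3.domain.com", SAMPLE_POOL2_CERT))
    # Live probe of every shared IP (run this on the actual server):
    # for ip, host in POOLS.items():
    #     print(describe(ip, host, probe(ip, host)))
```

Run the live loop from a machine that can reach all four IPs; if 10.0.0.13 answers with names=['*.pool2.domain.com', ...] you have reproduced the checker's warning locally and know the problem is in which VirtualHost Apache selects for that address, not in the certificate files themselves.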
 
I changed the title of your thread to Some clarification needed for SSL Certificates on DA, since clarification is a better word for what you need than is clearance. I hope this will get your post more exposure.

About all the rest I can do is answer part of your question: Apache is responsible for matching the common name of the certificate with the fully qualified domain name; to do so it uses libraries supplied by OpenSSL (if I recall correctly).

Someone please correct me if I'm wrong.

Now I know that's not really helping, and I don't have an answer except to say search through your apache logs as you make connections, to see where your request is being routed.

One point I don't see in your post (I may have missed it) is whether or not you end up in the right location even though you get a Certificate mismatch error. Do you?

Jeff
 
I changed the title of your thread to Some clarification needed for SSL Certificates on DA, since clarification is a better word for what you need than is clearance. I hope this will get your post more exposure.

Of course, no problem, sorry for my English. I made a wrong assumption about the meaning of a word.


One point I don't see in your post (I may have missed it) is whether or not you end up in the right location even though you get a Certificate mismatch error. Do you?

Yes, I forgot to mention: it does direct to the right place, after I add an exception in the security warning window.

I still have a suspicion about /etc/httpd/conf/ips.conf... Anyway, I will try to do some log investigation. I tried that already, but the log level was probably too low.
I will post what I find out.
Thank you for the tips,

Simas
 
Hello again,
Finally I found the problem; as I suspected, it was with /etc/httpd/conf/ips.conf.
When I changed the order of the <VirtualHost pool[1234].domain.com:443> declarations, e.g. pasted the pool2 virtual host declaration after pool3, pool3 started to work instead of pool2. So what I did was edit one line:

"ServerName shared.domain" changed to "ServerName 10.0.0.[11-14]" in /etc/httpd/conf/ips.conf accordingly:

<..>
<VirtualHost 10.0.0.12:443>
SSLEngine on
SSLCertificateFile /etc/httpd/conf/pool2/cert-pool2.pem
SSLCertificateKeyFile /etc/httpd/conf/pool2/key.pool2.key
SSLCertificateChainFile /etc/httpd/conf/pool2/chain-pool2.pem


ServerName 10.0.0.12
ScriptAliasMatch ^/~([^/]+)/+cgi-bin/+(.*) /home/$1/public_html/cgi-bin/$2
AliasMatch ^/~([^/]+)(/.*)* /home/$1/public_html$2
DocumentRoot /home/reseller2/domains/sharedip

SuexecUserGroup reseller2 reseller2

CustomLog /var/log/httpd/homedir.log homedir
</VirtualHost>
<..>

The only thing left to do is, with the help of some conditional statements in /usr/local/directadmin/data/templates/custom/ips_virtual_host.conf, to make sure that the config file won't get overwritten, or will get correctly overwritten, by DA.

Thank you for staying with me on this and for the tips you pointed out.
Regards,

Simas
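The root cause found in this post (four port-443 VirtualHosts on different IPs all carrying ServerName shared.domain, so that which pool's certificate Apache served depended on block order) is easy to miss by eye in a long generated ips.conf, and DA will regenerate that file. Below is an added example, not DirectAdmin's or Apache's own code, of a small linter that parses the VirtualHost blocks, flags any ServerName shared by several SSL vhosts, and reports which certificate file each address serves; it can be run against the real /etc/httpd/conf/ips.conf after every DA rewrite. The sample config it runs on by default is constructed from the thread's placeholder pools, and the fixed switch applies the ServerName change from this post.

```python
"""Lint an Apache ips.conf-style file for port-443 VirtualHosts that share
one ServerName, the misconfiguration found in this thread.

Added example, not DirectAdmin's or Apache's code. The sample config is
constructed from the thread's placeholder pools and IPs.
"""
import re
import sys
from collections import defaultdict

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>",
                      re.IGNORECASE | re.DOTALL)
# One directive per line: name, then its argument(s). Apache directive
# names are case-insensitive, so they are lower-cased when stored.
DIRECTIVE_RE = re.compile(r"^\s*(\w+)\s+(.+?)\s*$", re.MULTILINE)


def parse_vhosts(text):
    """Return one dict per <VirtualHost> block: address, ip, port and its
    directives (if a directive repeats inside a block, the last one wins)."""
    vhosts = []
    for addr, body in VHOST_RE.findall(text):
        addr = addr.strip()
        ip, _, port = addr.rpartition(":")
        directives = {k.lower(): v for k, v in DIRECTIVE_RE.findall(body)}
        vhosts.append({"address": addr, "ip": ip or addr, "port": port,
                       "directives": directives})
    return vhosts


def duplicate_servernames(vhosts, port="443"):
    """Map each ServerName used by more than one vhost on `port` to the
    addresses that share it. In the thread all four SSL vhosts carried
    ServerName shared.domain; giving each its own IP as ServerName fixed
    which certificate was served."""
    by_name = defaultdict(list)
    for vh in vhosts:
        name = vh["directives"].get("servername")
        if vh["port"] == port and name:
            by_name[name.lower()].append(vh["address"])
    return {name: addrs for name, addrs in by_name.items() if len(addrs) > 1}


def cert_map(vhosts):
    """Which certificate file each SSL-enabled vhost address serves."""
    return {vh["address"]: vh["directives"].get("sslcertificatefile")
            for vh in vhosts
            if vh["directives"].get("sslengine", "").lower() == "on"}


def sample_ips_conf(fixed):
    """Constructed stand-in for /etc/httpd/conf/ips.conf with the thread's
    four pools; fixed=True applies the ServerName change from the post."""
    blocks = []
    for n in range(1, 5):
        ip = f"10.0.0.1{n}"
        name = ip if fixed else "shared.domain"
        blocks.append(f"""NameVirtualHost {ip}:443
<VirtualHost {ip}:443>
SSLEngine on
SSLCertificateFile /etc/httpd/conf/pool{n}/cert-pool{n}.pem
SSLCertificateKeyFile /etc/httpd/conf/pool{n}/key.pool{n}.key
SSLCertificateChainFile /etc/httpd/conf/pool{n}/chain-pool{n}.pem
ServerName {name}
DocumentRoot /home/reseller{n}/domains/sharedip
</VirtualHost>
""")
    return "\n".join(blocks)


if __name__ == "__main__":
    # Usage: python lint_ips_conf.py /etc/httpd/conf/ips.conf
    # With no argument the broken constructed sample is linted.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = sample_ips_conf(fixed=False)
    vhosts = parse_vhosts(text)
    for name, addrs in duplicate_servernames(vhosts).items():
        print(f"ServerName {name} shared by SSL vhosts: {', '.join(addrs)}")
    for addr, cert in cert_map(vhosts).items():
        print(f"{addr} serves {cert}")
```

Because DA rewrites ips.conf from ips_virtual_host.conf, a sensible place for this check is right after the template change mentioned above, so a regenerated file that silently reverts to a shared ServerName is caught before the next certificate warning reaches a customer.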
 