SSL redirect and mismatch

Earendil

We're running into the following problem. We've enabled SSL for all DA servers yesterday including the redirect in case clients connect to plain http. Some of our clients report getting an error as much as 3 out of 5 times when connecting to http://servername.domain.tld:2222 but when refreshing it works fine. When they go directly to https://servername.domain.tld:2222 everything works as expected.

So the problem is only when the ssl_redirect_host parameter in directadmin.conf is 'executed'. The directadmin error.log is filled with this error:

2010:12:09-11:58:46: -> A failure in the SSL library occurred, usually a protocol error.
2010:12:09-11:58:46: -> error:00000001:lib(0):func(0):reason(1)
2010:12:09-11:59:33: Can't connect to ssl!

What gives? The same is happening across all our DA servers.
 
Just enabled SSL the same way as written by Earendil. Now we have exactly the same error messages in directadmin/errorlog. I think it occurs when a user is using url http://domain.com:2222 and is redirected to https://s01.server.com:2222. We do not have users complaining yet but the error messages in the log are bugging me.
 
Thanks for replying, scsi. I did exactly as mentioned in the link you posted. My guess is that the error occurs because I use a wildcard cert. That is why the http/errorlog is showing:

Code:
[warn] RSA server certificate wildcard CommonName (CN) `*.domainname.com' does NOT match server name!?

Before the change it showed:

Code:
[warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?

PS: domainname.com is not the real domainname
 
I have the same problem. Everybody writes the same thing but nobody writes a solution. How to fix this?
 
From the second link of scsi:
The directadmin.conf option will be:
ssl_redirect_host=host.name.com

If you want to get rid of the errors and don't have a real certificate (only the standard thing which is installed by apache), you can try to change these to get rid of the warnings in the logs:

1.) In /etc/http/conf/ips.conf change share.domain to the hostname you set up in directadmin.conf
2.) Do the same in /etc/http/conf/extra/http-ssl.conf (change localhost to the hostname you set in directadmin.conf)
3.) Restart apache

Your warnings in the logs are probably gone then.
 
I have:
- ssl_redirect_host
- real wildcard SSL certificate

1. /etc/httpd/conf/ips.conf is empty (only logFormat) (btw: "Modifying this file is not recommended") (yes, I have 5 IPs in DA IP Management)

2. I have: ServerName myhostname.com:443

3. Restarted.

Nothing changed, still

Code:
2013:04:27-17:01:48: Can't connect to ssl!
2013:04:27-17:01:48: -> A failure in the SSL library occurred, usually a protocol error.
2013:04:27-17:01:48: -> error:00000001:lib(0):func(0):reason(1)

but DA works.
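
The Apache warnings quoted in this thread are about a configured name that the certificate's name pattern does not cover. The following is an added example, not code from any poster or from DirectAdmin: it checks whether `ssl_redirect_host` and an Apache `ServerName` are covered by a certificate's names using RFC 6125-style wildcard rules. The certificate names, hostnames and config text are constructed placeholders, and `parse_conf`, `name_matches`, `strip_port` and `check_names` are hypothetical helper names.

```python
import re

# Constructed sample inputs (placeholders, not values from the thread).
CERT_NAMES = ["*.example.com"]                      # CN/SAN entries of the certificate
DA_CONF = "# constructed directadmin.conf excerpt\nssl_redirect_host=s01.example.com\n"
SERVER_NAME = "example.com:443"                     # Apache ServerName directive value

def parse_conf(text):
    """Parse key=value lines (the directadmin.conf layout) into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def name_matches(pattern, host):
    """'*' is accepted only as the entire leftmost label and covers exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Conservative assumption: require at least two fixed labels after the wildcard.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def strip_port(name):
    """Drop a trailing :port, as in 'ServerName host:443'."""
    return name.rsplit(":", 1)[0] if re.search(r":\d+$", name) else name

def check_names(cert_names, conf_text, server_name):
    """Return {setting: True/False/None}; None means the setting is absent."""
    settings = {
        "ssl_redirect_host": parse_conf(conf_text).get("ssl_redirect_host"),
        "ServerName": server_name,
    }
    result = {}
    for label, value in settings.items():
        if value is None:
            result[label] = None
            continue
        host = strip_port(value)
        result[label] = any(name_matches(n, host) for n in cert_names)
    return result

if __name__ == "__main__":
    for setting, ok in check_names(CERT_NAMES, DA_CONF, SERVER_NAME).items():
        print(f"{setting}: {'covered' if ok else 'NOT covered' if ok is False else 'not set'}")
```

With these inputs the redirect host is covered but the bare-domain `ServerName` is not, because a wildcard does not match the domain itself or names more than one label deep.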
 