-1

I have a CentOS 5.7 server running Apache 2. The server had SSL configured by default for the default site I have. When I try to add another SSL vhost I can't get httpd to restart. I have been trying every different variation in my ssl.conf with no luck. Here is an example of my ssl.conf file.

ssl.conf

    LoadModule ssl_module modules/mod_ssl.so

    Listen 1.1.1.1:443
    Listen 1.1.1.2:443
    NameVirtualHost 1.1.1.1:443
    NameVirtualHost 1.1.1.2:443
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl

    SSLPassPhraseDialog  builtin
    SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
    SSLSessionCacheTimeout  300
    SSLMutex default
    SSLRandomSeed startup file:/dev/urandom  256
    SSLRandomSeed connect builtin
    SSLCryptoDevice builtin

    <VirtualHost 1.1.1.1:443>
    # As posted this line read "ServerName:" (with a trailing colon). httpd treats
    # that as an unknown directive and refuses to start; "httpd -t" reports it.
    ServerName www.example-1.com
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2
    # Stock CentOS 5 cipher list: RC4 and +LOW are kept here as posted.
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>

    <VirtualHost 1.1.1.2:443>
        DocumentRoot /home/path/to/directory
        ServerName www.example-2.com
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
        SSLCertificateFile /etc/pki/tls/certs/example.com.crt
        SSLCertificateKeyFile /etc/pki/tls/private/example.com.key
        SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.pem
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    </VirtualHost>

I tried adding the NameVirtualHost for the IPs. I have made sure all the files exist and are spelled correctly. What am I missing?

codaniel
    What's the error when you attempt to restart? – Shane Madden Feb 20 '12 at 07:01
  • That's the thing, I get no error; Apache just simply won't start. – codaniel Feb 22 '12 at 16:26
  • Ok - but something's telling you that it won't start, even if it's just a "failed" on a service start status (or, "success" would be interesting too). What does it say on the console when you attempt to start the service? Does it put anything at all in the Apache error log? I don't doubt that it's failing to start, but the manner in which it's failing to start is significant information for the troubleshooting process - please provide this information. – Shane Madden Feb 22 '12 at 16:50
  • Sorry, that is what I meant, it's just a "failed". Apache does not give me any other useful info. – codaniel Feb 25 '12 at 03:05
  • Use the `httpd -t -D DUMP_VHOSTS` command to check the syntax of your configuration files. There is no DocumentRoot for 1.1.1.1:443. You are using IP-based, not name-based, virtual hosts (each vhost has its own IP address), so take the NameVirtualHost lines out. – ramruma Feb 25 '12 at 05:18
  • @codaniel If it reports failed, then something should be recorded in the error log. – Shane Madden Feb 25 '12 at 05:54
  • What is the output of `apachectl configtest`? Also remove the NameVirtualHost entries on port 443. You cannot have NameVirtualHost on SSL. – phemmer Feb 25 '12 at 07:29

1 Answer

-1

You need to make sure to tell Apache those are virtual hosts:

    NameVirtualHost 1.1.1.1:443
    NameVirtualHost 1.1.1.2:443
Mike
  • Yes, I did try that as well, no luck. – codaniel Feb 22 '12 at 16:26
  • You cannot have NameVirtualHost on SSL. When Apache receives an incoming connection on an SSL port the encryption is started immediately; the client doesn't have a chance to tell the server what site it's after. Thus httpd can't know which SSL cert to give it. It has to determine this by the IP:PORT that the connection came in on. – phemmer Feb 25 '12 at 07:32
  • Sure you can if it's using a different IP, wildcard certs being one example, but thanks for the downvote. – Mike Feb 25 '12 at 22:40
  • If it's on a separate IP, then there's no point in using NameVirtualHost. NameVirtualHost is for when you have multiple virtual hosts on one IP. Also, in the question the virtual hosts are two completely different sites, so a wildcard cert isn't possible even if they were on the same IP. And you're welcome, thanks for downvoting my completely unrelated questions to get back at me. – phemmer Feb 26 '12 at 07:46
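The checks recommended in the question's comments (`httpd -t`, `httpd -t -D DUMP_VHOSTS`, `apachectl configtest`) need the server at hand. What follows is an added example, not code from this thread or from the Apache project: a small Python lint that parses the posted ssl.conf (embedded below as constructed input, with the `ServerName:` typo from the original post kept) and reports what those commands would on the real box. It flags the malformed directive name that stops httpd, SSL vhosts without a matching `Listen` or certificate pair, the `NameVirtualHost` lines argued over in the answer's comments (unneeded when each address carries one vhost, and needing SNI when several SSL vhosts share one address), and the weak protocol and cipher settings in the posted config. The parser and the severity rules are the example's own assumptions, not mod_ssl's behaviour.

```python
import re

# Constructed input: the ssl.conf from the question, trimmed to what the checks
# below look at.  The "ServerName:" typo from the post is kept on purpose.
SSL_CONF = r"""
Listen 1.1.1.1:443
Listen 1.1.1.2:443
NameVirtualHost 1.1.1.1:443
NameVirtualHost 1.1.1.2:443
<VirtualHost 1.1.1.1:443>
ServerName: www.example-1.com
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown
</VirtualHost>
<VirtualHost 1.1.1.2:443>
   ServerName www.example-2.com
   SSLEngine on
   SSLProtocol all -SSLv2
   SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
   SSLCertificateFile /etc/pki/tls/certs/example.com.crt
   SSLCertificateKeyFile /etc/pki/tls/private/example.com.key
</VirtualHost>
"""

DIRECTIVE = re.compile(r"^[A-Za-z]+$")  # real directive names are bare words
WEAK_CIPHER_WORDS = ("LOW", "EXPORT", "NULL", "RC4", "MD5")


def parse(text):
    """Return (global_directives, vhosts) as lists of (name, args) pairs.
    Backslash-continued lines are joined; <Files>/<Directory> wrappers are
    skipped, so their directives count toward the enclosing vhost."""
    logical, pending = [], ""
    for raw in text.splitlines():
        line = (pending + " " + raw.strip()).strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1].rstrip()
        elif line and not line.startswith("#"):
            logical.append(line)
    global_dirs, vhosts, current = [], [], None
    for line in logical:
        opened = re.match(r"<virtualhost\s+([^>]+)>", line, re.I)
        if opened:
            current = {"addr": opened.group(1).strip(), "directives": []}
        elif line.lower() == "</virtualhost>":
            vhosts.append(current)
            current = None
        elif not line.startswith("<"):  # skip other container tags
            parts = line.split(None, 1)
            name, args = parts[0], parts[1] if len(parts) > 1 else ""
            (current["directives"] if current else global_dirs).append((name, args))
    return global_dirs, vhosts


def args_of(directives, name):
    return [a for n, a in directives if n.lower() == name.lower()]


def lint(text):
    """Return [(severity, message)] with severity error / warning / notice."""
    global_dirs, vhosts = parse(text)
    findings, per_addr = [], {}
    listens = set(args_of(global_dirs, "Listen"))
    scopes = [("global", global_dirs)] + [(v["addr"], v["directives"]) for v in vhosts]
    for scope, dirs in scopes:
        for name, _ in dirs:  # what httpd -t prints as "Invalid command '...'"
            if not DIRECTIVE.match(name):
                findings.append(("error", f"{scope}: invalid directive name {name!r}"))
    for v in vhosts:
        addr, d = v["addr"], v["directives"]
        per_addr.setdefault(addr, []).append(v)
        if addr not in listens and not addr.startswith("*"):
            findings.append(("error", f"{addr}: no matching Listen"))
        if any(a.lower() == "on" for a in args_of(d, "SSLEngine")):
            for need in ("SSLCertificateFile", "SSLCertificateKeyFile"):
                if not args_of(d, need):
                    findings.append(("error", f"{addr}: SSLEngine on but no {need}"))
            for proto in args_of(d, "SSLProtocol"):
                if proto.lower().startswith("all") and "-sslv3" not in proto.lower():
                    findings.append(("warning", f"{addr}: SSLv3 still enabled ({proto})"))
            for suite in args_of(d, "SSLCipherSuite"):
                weak = [t for t in suite.split(":") if not t.startswith("!")
                        and any(w in t.upper() for w in WEAK_CIPHER_WORDS)]
                if weak:
                    findings.append(("warning", f"{addr}: weak cipher tokens {weak}"))
    # NameVirtualHost only matters when several vhosts share one address; for
    # SSL that additionally needs SNI support in both httpd/OpenSSL and the client.
    for addr in args_of(global_dirs, "NameVirtualHost"):
        n = len(per_addr.get(addr, []))
        if n <= 1:
            findings.append(("notice", f"NameVirtualHost {addr} is unnecessary: "
                                       f"{n} vhost on that address, so it is IP-based"))
        else:
            findings.append(("warning", f"{addr}: {n} name-based vhosts on one address; "
                                        "without SNI every client gets the first one's certificate"))
    return findings


if __name__ == "__main__":
    for severity, message in lint(SSL_CONF):
        print(f"{severity:8} {message}")
```

Run as posted, the only error is the `ServerName:` directive name in the first vhost; replace it with `ServerName` and the errors go away, leaving the two `NameVirtualHost` notices (one vhost per address, so the directive does nothing) and the protocol and cipher warnings for both sites.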