
I ran into what seems to be a case with little to no documentation. I'm trying to serve content sitting behind Apache 2.2 via HTTPS. This Apache server is listening on two IP addresses, one static address assigned to the node and a second "floating" IP used by the active node of the cluster. The domain A record points to this floating IP, and over HTTP it works fine. The server is set up with NameVirtualHost *:443 and the section covers the cert info and SSL requirement.

But over HTTPS I can only access the server by requesting the IP of the server, not the domain or floating IP. Which of course leads to a certificate domain mismatch and bypasses the redundancy of a floating IP.

Any suggestion would be greatly appreciated.

Relevant httpd conf for this:

Listen 443
NameVirtualHost *:443
<VirtualHost *:443>
ServerName XXX
SSLEngine on
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite SSLv3:+HIGH:+MEDIUM
SSLCertificateFile "..."
SSLCertificateKeyFile "..."
SSLCertificateChainFile "..."
</VirtualHost>
Benjamin
  • It will be helpful to post your apache config. – Khaled Sep 17 '12 at 09:46
  • 2
    When you say you can't access it, what exactly do you mean? What happens - do you get a timeout, do you get "connection refused", or anything else? Does anything appear in the logs - if so, what? – Jenny D Sep 17 '12 at 10:02
  • Why are you using `NameVirtualHost`? – David Schwartz Sep 17 '12 at 10:06
  • I'm getting an "Aborted" when trying https for the domain. – Benjamin Sep 17 '12 at 10:34
  • I cannot use VirtualHost against a static IP since the domain is mapped against a floating IP which might be moved on the fly to another machine. – Benjamin Sep 17 '12 at 10:36
  • It would be helpful to post the actual configuration or at least consistently anonymised versions of it. Currently I can't tell if your ServerName directive contains the hostname, domain, either of the IPs. We also don't know if you have multiple VirtualHost statements or just the one. You don't really compromise security by posting the config, most people can figure out what a basic SSL VirtualHost configuration looks like. – James Yale Sep 17 '12 at 10:54
  • Does your Apache log (error or access) say anything about the connection attempts? – Ansgar Wiechers Sep 17 '12 at 11:39
  • Do you have a firewall? "Aborted" sounds like a TCP RST packet is being sent back to the client. Run a `tcpdump host port 443` on the box in question and do your HTTPS request again. There are several different possible outcomes, we'll deal with whichever one comes back. – Ladadadada Sep 17 '12 at 12:16
  • Did you restart your Apache on failover? Apache can't bind to an IP if the IP isn't configured on the server (as it would be on the standby host). – Falk Stern Sep 17 '12 at 13:00
  • Try to connect using openssl from the command line, and post the output. (Hint: `openssl s_client -connect myservername:443`) – Jenny D Sep 17 '12 at 13:30
  • @JamesYale, the ServerName is the domain name/url which is different from the host name. – Benjamin Sep 17 '12 at 14:16
  • @Ladadadada, in iptables traffic from my testing machine is enabled for all ports, and for other IP addresses traffic for ports 80, 443 and 8080 is opened on the floating IP. – Benjamin Sep 17 '12 at 14:18
  • @JennyD, using openssl gives me a timeout: connect: Operation timed out connect:errno=60. Whereas doing the same to the static IP (not floating) outputs the cert and all details. – Benjamin Sep 17 '12 at 14:20
  • The server has HTTP VirtualHosts on 80 and 8080 also using the floating IP and that is working fine. – Benjamin Sep 17 '12 at 14:22
  • @Benjamin Check the tcpdump output anyway - something's not right if no response is being sent to a connection attempt on a bound port. – Shane Madden Sep 18 '12 at 03:23

1 Answer


Well, it was fairly obvious once looking down at the network: the network guys only opened 8181 (web service over SSL) but not 443. With that taken care of, Apache is working as expected.

Benjamin
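As an added example (not code from the question, the answer or Apache itself), the following Python script reproduces the diagnosis the comments converged on: probe each listener address and port, and tell apart a connection that completes (Apache is bound and reachable), an immediate reset (nothing bound on that address) and a silent timeout (packets dropped by a firewall or network ACL, which is what the accepted answer found for port 443 on the floating IP). For addresses that answer on the TLS port it then performs a TLS handshake with SNI set to the vhost's ServerName and checks that the served certificate is valid for that name, which is the second problem the question describes. The addresses 192.0.2.10 / 192.0.2.20, the hostname www.example.com and the local throwaway listener are placeholders constructed for the example and do not come from the thread.

```python
"""Probe a set of (label, host, port, tls) targets the way the thread's
comments suggested (openssl s_client / tcpdump), but from one script.
Hosts, ports and the expected name below are placeholders, not values
from the original question."""
import socket
import ssl


def probe(host, port, timeout=3.0):
    """Classify a TCP connect to host:port.

    'open'        three-way handshake completed: something is listening
                  and nothing in between is dropping the packets
    'refused'     RST came back: reachable, but no listener bound there
    'filtered'    no answer at all before the timeout: a packet filter or
                  network ACL is dropping the traffic (the thread's cause)
    'unreachable' the local host could not route to the address at all
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:          # must precede OSError: it is a subclass
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def cert_matches(host, port, expected_name, timeout=3.0):
    """TLS-handshake with SNI=expected_name and verify, against the system
    CA store, that the certificate Apache serves is valid for that name.
    Returns (True, subject) or (False, reason)."""
    ctx = ssl.create_default_context()   # check_hostname and CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=expected_name) as tls:
                return True, tls.getpeercert().get("subject")
    except ssl.SSLCertVerificationError as e:
        # e.g. hostname mismatch when the default vhost's cert is served
        return False, f"certificate not valid for {expected_name}: {e.verify_message}"
    except (OSError, ssl.SSLError) as e:
        return False, f"handshake failed: {e}"


def diagnose(targets, expected_name):
    """targets: iterable of (label, host, port, tls). Returns {label: report}.
    A port that is 'open' on one address but 'filtered' on another while
    Apache has a plain `Listen <port>` points at the network, not at the
    vhost configuration."""
    report = {}
    for label, host, port, tls in targets:
        entry = {"state": probe(host, port)}
        if entry["state"] == "open" and tls:
            ok, detail = cert_matches(host, port, expected_name)
            entry["cert_ok"] = ok
            entry["detail"] = detail
        report[label] = entry
    return report


def start_plain_listener():
    """Bind a throwaway TCP listener on 127.0.0.1 so the 'open' path can be
    exercised offline (constructed for this example only)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Placeholders standing in for the static IP, the floating IP and the
    # ServerName from the thread; replace with the real values.
    TARGETS = [
        ("static   :443", "192.0.2.10", 443, True),
        ("floating :443", "192.0.2.20", 443, True),
        ("floating :80 ", "192.0.2.20", 80, False),
    ]
    for label, entry in diagnose(TARGETS, "www.example.com").items():
        print(f"{label}  {entry}")
```

Run it from the same vantage point as the failing client: in the thread, `openssl s_client` timed out against the floating IP but returned a certificate from the static IP, and this script reports exactly that pair as `filtered` versus `open` with a `cert_ok` verdict, which separates a packet-filter problem from a `NameVirtualHost`/`ServerName` problem in one pass.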