1

I am attempting to run multiple SSL connections off a single IP server running RHEL6. I have successfully configured one domain on SSL, however when I attempt to add a second, Apache fails to restart. Commenting out the first domain, so that only the new one is running does not resolve the problem.

My config is as follows:

NameVirtualHost *:80
NameVirtualHost 192.168.0.10:443

# Domain 1 Works fine
<VirtualHost 192.168.0.10:443>
 ServerName domain1.org.uk
 DocumentRoot /home/domain1/public_html
 <Directory "/home/domain1/public_html">
     allow from all
     Options FollowSymLinks
 </Directory>
 SSLEngine on
 SSLCertificateFile /home/domain1/certs/domain1.org.uk.crt
 SSLCertificateKeyFile /home/domain1/certs/domain1.org.uk.key
 SSLCertificateChainFile /home/domain1/certs/gs_intermediate_ca.crt
</VirtualHost>

# Domain 2 kills apache
<VirtualHost 192.168.0.10:443>
 ServerName domain2.org.uk
 DocumentRoot /home/domain2/public_html
 <Directory "/home/domain2/public_html">
     allow from all
     Options FollowSymLinks
 </Directory>
 SSLEngine on
 SSLCertificateFile /home/domain2/certs/domain2.org.uk.crt
 SSLCertificateKeyFile /home/domain2/certs/domain2.org.uk.key
 SSLCertificateChainFile /home/domain2/certs/gs_intermediate_ca.crt
</VirtualHost>

When looking at the /var/log/httpd/error_log I get this when I restart apache when turning on SSL for domain 2

[notice] caught SIGTERM, shutting down]
[notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)

When looking at /var/log/httpd/ssl_error_log

[error] Failed to configure CA certificate chain

If I change the line for the chain certificate from SSLCertificateChainFile to SSLCACertificateFile apache restarts without incident, but when I visit domain2 in any browser I get an SSL connection error.

Any help would be much appreciated.

Edit

Ok two things:

1.) Have enabled second network card and HTTPS listens on 192.168.0.11 and http on 192.168.0.10

2.) Have ran:

openssl verify -verbose -purpose sslserver -CAfile gs_intermediate_ca.crt domain2.org.uk.crt

unable to load certificate

and I now get 

unable to load certificate
140685974771528:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:802:
amburnside
  • 131
  • 5
  • 2
    have you tried to manually certify your chain with the `openssl verify` command? Take a look here http://mikeberggren.com/post/28429473721/chain-check – r_3 Jan 15 '15 at 15:03

1 Answers1

0

Are you absolutely certain that your domain2 gs_intermediate_ca.crt is correct? The Apache error log line makes it look like that's where your problem lies.

The SSLCACertificateFile directive is used to indicate which client certs you deal with. As such, it probably isn't validating that file as strongly as with SSLCertificateChainFile. So the errors don't stop Apache from starting, but do result in SSL errors. All the more reason to assume the problem is with that chain file.

Odds are good that the chainfile is either A) not correctly formatted or B) isn't valid for that specific cert. (eg: Perhaps a chain for the other domain) You can try using openssl s_client -connect domain2.org.uk:443 to list the certs that are handed out during the SSL exchange.

Christopher Karel
  • 6,582
  • 1
  • 28
  • 34
  • will i be able to run openssl s_client -connect domain2.org.uk:443 if apache can't start? – amburnside Jan 15 '15 at 15:18
  • 1
    Heh, unfortunately not. But you can use it to troubleshoot when you get certificate errors. I'd recommend using the command that r_3 suggested in the comment to your question to verify the certificates offline. – Christopher Karel Jan 15 '15 at 21:04