General
Showing results for 
Search instead for 
Do you mean 

Setup virtual host with apache and ssl

SOLVED
Go to Solution
Highlighted
Frequent Advisor

Setup virtual host with apache and ssl

I am attempting to establish a number of virtual web hosts using ssl and apache. I can't seem to get ssl to work on any but the "main" host.
I am using:
HP-UX 11i v1, and the HP apache depot for version 2.0.55. The system has two network cards with one of them with two ip addresses 139.x.y.z1 and 139.x.y.z2

I can start the web server in ssl mode using ../bin/apachectl startssl.

All but the main web can only be contacted with a url like http://139.x.y.z1:443. Using a url like https:/139.x.y.z1 gives an empty page and no apparent error message. The main web service can be contacted through the other network card with something like https://139.x.y1.z3. I was also trying to trap any other access and not give any access.

I have included what I think are the relevant parts of the httpd.conf file. Any assistance greatly appreciated.

#----------------------
# httpd.conf bits
Listen 139.x.y.z1:443
Listen 139.x.y.z2:443
# .....


#------------------
#

DocumentRoot /opt/hpws/apache/htdocs
ErrorLog logs/default_error_log
TransferLog logs/default_access_log

Options none
Order deny,allow
Deny from all


#---

DocumentRoot /opt/hpws/apache/htdocs
ServerName 139.x.y.z1
ServerAlias hp4
ErrorLog logs/hp4_error_log
TransferLog logs/hp4_access_log

#---

# ServerAdmin root@hp4.usq.edu.au
DocumentRoot /opt/hpws/apache/hpweb4
ServerName 139.x.y.z2
ServerAlias hpweb4
ErrorLog logs/hpweb4_error_log
TransferLog logs/hpweb4_access_log

Options Indexes FollowSymLinks
Order allow,deny
Allow from all


#------------------
1 ACCEPTED SOLUTIONS
Honored Contributor Honored Contributor

Re: Setup virtual host with apache and ssl

"apachectl startssl" only _allows_ you to use SSL, it does not _make_ the Apache servers use SSL. For that, you need some more configuration.

Apache can handle having several SSL and non-SSL virtual hosts inside one Apache instance. You need to add the directive "SSLEngine on" for each SSL virtual host. You also need to specify a SSL certificate for them: the directive is "SSLCertificateFile /some/where/certificate.pem". You also need the private key for each certificate, which can be attached to the certificate or it can be a separate .pem file.

With the OpenSSL tools, you can create a certificate for free, but it will be "untrusted" unless the browser is explicitly configured to trust that certificate. To get a certificate that will be trusted by any Web browser, you need to buy one from a Certification Authority like VeriSign.

Currently, what you have is a simple set of HTTP virtual hosts in a non-standard port (i.e. 443).

If you try an URL like https://139.x.y.z1, the browser tries to start up a SSL negotiation, which looks like a bunch of gibberish from a HTTP server viewpoint. The browser, on the other hand, sees the server's plain-HTTP error message as "some data that is not a valid SSL session". Because the SSL session did not get established, the only possible error message is going to be the browser's "could not establish a SSL connection", when the browser finally gives up on trying.

In case you are trying name-based virtual hosting (several virtual hosts in the same IP address and TCP port), it does not work at all with HTTPS.
Basically, you have a chicken-and-egg problem: you need to know which virtual host the client wants to be able to offer the correct certificate, but that knowledge is in the SSL-secured HTTPS request, which won't even get sent before the SSL encryption session is established.
MK
3 REPLIES
Honored Contributor Honored Contributor

Re: Setup virtual host with apache and ssl

"apachectl startssl" only _allows_ you to use SSL, it does not _make_ the Apache servers use SSL. For that, you need some more configuration.

Apache can handle having several SSL and non-SSL virtual hosts inside one Apache instance. You need to add the directive "SSLEngine on" for each SSL virtual host. You also need to specify a SSL certificate for them: the directive is "SSLCertificateFile /some/where/certificate.pem". You also need the private key for each certificate, which can be attached to the certificate or it can be a separate .pem file.

With the OpenSSL tools, you can create a certificate for free, but it will be "untrusted" unless the browser is explicitly configured to trust that certificate. To get a certificate that will be trusted by any Web browser, you need to buy one from a Certification Authority like VeriSign.

Currently, what you have is a simple set of HTTP virtual hosts in a non-standard port (i.e. 443).

If you try an URL like https://139.x.y.z1, the browser tries to start up a SSL negotiation, which looks like a bunch of gibberish from a HTTP server viewpoint. The browser, on the other hand, sees the server's plain-HTTP error message as "some data that is not a valid SSL session". Because the SSL session did not get established, the only possible error message is going to be the browser's "could not establish a SSL connection", when the browser finally gives up on trying.

In case you are trying name-based virtual hosting (several virtual hosts in the same IP address and TCP port), it does not work at all with HTTPS.
Basically, you have a chicken-and-egg problem: you need to know which virtual host the client wants to be able to offer the correct certificate, but that knowledge is in the SSL-secured HTTPS request, which won't even get sent before the SSL encryption session is established.
MK
Frequent Advisor

Re: Setup virtual host with apache and ssl

Hi Matti,
Thanks for the info. Just what I needed. It is all so straight forward with the right key.
I have simply taken bits from ../conf/ssl./conf and included them with each virtual host and all work great.
Thankyou for your quick response.
David
Frequent Advisor

Re: Setup virtual host with apache and ssl

Reply indicated the correct solution to the problem.