
ssl problem 1

Status
Not open for further replies.

awingnut (Programmer)
Feb 24, 2003
I have created a self signed certificate and put it into place as the documentation indicates (Apache 2 on Mandrake 10.2). When I try to start apache (apachectl start) it just hangs. I cannot find anything in any logs. I'm at a loss as to how to debug this. Can someone point me in the right direction? Like suggesting some debug technique of which I am not aware.

Also, I guess there must be some kind of default or test ssl certificate created during the install which I renamed to use my own. When I rename them back it works but I noticed in the ssl_error_log it says the certificate does not match my host name. The error message lists the correct host name. Where does/did it get the host name in the first place such that it thinks it doesn't match? Are these 2 things possibly related?

TIA.
 
I've made a little progress on this but still need some help. Maybe this problem will be a little easier to solve and someone will respond.

What is happening is that I am getting an error in ssl_error_log that the CN does not match the server name. Apparently the host name is not the same as the server name being referred to. So the question is: what/where is the server name that Apache is using such that it would be different than what is returned by 'hostname'? TIA.
 
The directive "ServerName" is what is matched from httpd.conf.
If that doesn't exist, it does a reverse lookup of the ip address.

Because of ip binding, multiple interfaces, virtual ips and virtuals hosts, it is generally a good idea to always set the ServerName.

gene
 
I'm afraid I spoke too soon. I was so sure that would fix the problem I did not look close enough to what was happening when I tested it. Unfortunately, I still have the same problem.

Sorry elgrandeperro, I have to revoke your star. :)
 
So the ServerName, the URL you type in, and the CN in the certificate are exact textual matches?
gene
 
Not the URL. That is an IP address rather than a character string. I don't have a static IP or registered domain on that server. I get to it with a dynamically updated redirect page on a public server with the current IP address in it. I was not aware that IP vs string in the URL mattered. The IP reverse lookup resolves to the CN.
 
That could be the problem. The Cert essentially confirms that the web server you asked for by name is the one you want. So the host part of the URL must match the ServerName and CN listed in the Cert.

Of course, to TEST this from a client you can, on most Unixes, add the hostname and ip into /etc/hosts or on a PC (path varies but something like SYSTEMDISK/winnt/system32/drivers/etc/hosts). This should work if you are talking directly to the box that is the web server, but I doubt it will work if you point to the redirector.

gene
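As an added illustration of gene's point (this is not code from the thread), the Python check below shows why a bare IP address in the URL can never satisfy a certificate whose CN is a DNS name, no matter what reverse DNS returns, and reports which of the three names (URL host, ServerName, CN) disagree. All host names and addresses in it are constructed.

```python
"""Compare the URL host, Apache ServerName and certificate CN as a browser would.

Constructed example (not the thread's own setup): the client matches the CN
against the literal host it typed; it never reverse-resolves an IP address.
"""
import ipaddress
from urllib.parse import urlsplit


def url_host(url: str) -> str:
    """Return the host part of a URL, lower-cased, without port or brackets."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in URL: {url!r}")
    return host.lower()


def is_ip_literal(host: str) -> bool:
    """True if the host is an IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def cn_matches(host: str, cn: str) -> bool:
    """Textual match of the URL host against a DNS-name CN.

    Case-insensitive; an IP literal never matches a DNS-name CN; a leading
    '*.' in the CN stands for exactly one label (the common wildcard rule).
    """
    host, cn = host.lower().rstrip("."), cn.lower().rstrip(".")
    if is_ip_literal(host):
        return False
    if cn.startswith("*."):
        h_labels, c_labels = host.split("."), cn.split(".")
        return len(h_labels) == len(c_labels) and h_labels[1:] == c_labels[1:]
    return host == cn


def diagnose(url: str, server_name: str, cert_cn: str) -> str:
    """Return 'ok' or a ';'-joined list of the name mismatches found."""
    host = url_host(url)
    problems = []
    if server_name.lower() != cert_cn.lower():
        problems.append(f"ServerName {server_name!r} != CN {cert_cn!r} (what ssl_error_log complains about)")
    if is_ip_literal(host):
        problems.append(f"URL host {host!r} is an IP address; a DNS-name CN can never match it")
    elif not cn_matches(host, cert_cn):
        problems.append(f"URL host {host!r} does not match CN {cert_cn!r}")
    return "ok" if not problems else "; ".join(problems)
```

Running `diagnose("https://203.0.113.7/", "my.domain.com", "my.domain.com")` reproduces the situation in the thread: ServerName and CN agree, but the IP in the URL still fails the check.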
 
Hmm! I'm on a Linux box. I'm not worried about the redirector since it is not using SSL. Maybe I need to look at reverse DNS more. I'm not sure reverse DNS uses /etc/hosts or if it does, that I have it set correctly (LAN IP or NATed IP).
 
When I had problems, I changed my /etc/hosts localhost line to include my domain, and had no problems after that. :)

If I remember correctly, my apache would not even start until I did this, but I've installed the system so long ago now... I do remember changing my /etc/hosts fixed it though.

Code:
127.0.0.1 localhost my.domain.com
 
The redirector (I believe) is not going to work with https unless it is a type of http reverse proxy. I don't think the URL is going to be accepted by the SSL engine.

Why not try DYDNS and map it to your IP?

Here is one I've been playing with:


Unfortunately your servername will need the whacky last part of the url, like yourserver.dnsalias.net as well as the CN in the certificate. But it is worth a try.

gene
 
I've just learned that. Thanks for the suggestion, I'll check it out.
 