Bug 31709 - Raises an error on SSL name based virtualhosts (wildcard cert) on some conditions.
Summary: Raises an error on SSL name based virtualhosts (wildcard cert) on some condit...
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl (show other bugs)
Version: 2.0.52
Hardware: PC Linux
: P3 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: MassUpdate
: 39192 41164 (view as bug list)
Depends on:
Reported: 2004-10-13 21:02 UTC by Vincent Deffontaines
Modified: 2018-11-07 21:09 UTC (History)
2 users (show)

File 1 included in the config as described inline (1.14 KB, text/plain)
2004-10-13 21:05 UTC, Vincent Deffontaines
File 2 included in the config as described inline (857 bytes, text/plain)
2004-10-13 21:06 UTC, Vincent Deffontaines
File 3 included in the config as described inline (2.02 KB, text/plain)
2004-10-13 21:06 UTC, Vincent Deffontaines
The error log obtained on the error condition. (5.53 KB, text/plain)
2004-10-13 21:33 UTC, Vincent Deffontaines
probable fix (5.78 KB, patch)
2011-02-11 08:16 UTC, Joe Orton
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Vincent Deffontaines 2004-10-13 21:02:27 UTC

This is tested against 2.0.52, not appearing in the version list.
My config hosts multiple name based virtualhosts, both HTTP and HTTPS. I have no
3rd party module running, apart from mod_security.

This is on Debian Sarge, using Debian official packages for 2.0.52, in case it

The problem seems to be about SSL vhosts (name based, with wildcard
certificate). If I attempt to load them in a certain order, Apache raises an
error "[error] Oops, no RSA or DSA server certificate found?!" at startup.

I have found out that changing the loading order of virtualhosts solves the
problem and gets the server to start fine.

Very strangely, the initial config has worked fine for months, and has started
raising the error when I updated certificates and keys. (The former certificate
was self-signed, and hence, the "SSLCACertificateFile" options were not present
in the original, working config).

I have attached and numbered config files below (this is a debian-like splitted

The order that leads to the mentionned error is when loading extract configs in
the order : 1 - 2 - 3.

The order that leads to server starting fins is 1 - 3 - 2.

For the story, and in case it matters, this is a reverse proxy installation,
with several IP addresses. You will notice in attached files that the
<VirtualHost> argument is not the same from one file to another. I tend to
believe that is the source of the problem, and grouping similar IPs together
sort of solves the problem.

Changing the ServerName of the 2nd VirtualHost block of the file "3" also
"solves" the problem, but is not acceptable to my setup.

I am, of course, available for providing more details about this matter if this
description is incomplete or unclear.


Vincent Deffontaines
Comment 1 Vincent Deffontaines 2004-10-13 21:05:56 UTC
Created attachment 13082 [details]
File 1 included in the config as described inline
Comment 2 Vincent Deffontaines 2004-10-13 21:06:14 UTC
Created attachment 13083 [details]
File 2 included in the config as described inline
Comment 3 Vincent Deffontaines 2004-10-13 21:06:32 UTC
Created attachment 13084 [details]
File 3 included in the config as described inline
Comment 4 Joe Orton 2004-10-13 21:08:41 UTC
Can you put "LogLevel debug" in each vhost and then attach the complete
error_log output for the failure case?
Comment 5 Vincent Deffontaines 2004-10-13 21:32:44 UTC
OK, good that you asked, cause your question has caused me to find more details.
Trying to get back in reproducing the bug, I found out changing the order of
vhosts is not a solution.

I just found out the problem seems to come from the passphrase from the key.

If the key has a passphrase, I get the error : "Oops, no RSA or DSA server
certificate found?!". If I run "openssl rsa -in cert.key -out cert.key" on the
key to remove the passphrase, apache loads just fine, no matter the order of the
vhosts. You may want to close this bug, and have me open a new one for more
clarity? Sorry for the confusion, I'm getting tired, performed the two changes
[remove passphrase + change vhost order] at the same stage, which screwed my

Attached is the debug error log you asked for anyway.

Comment 6 Vincent Deffontaines 2004-10-13 21:33:21 UTC
Created attachment 13086 [details]
The error log obtained on the error condition.
Comment 7 Joe Orton 2005-09-01 14:19:16 UTC
Is this still reproducible in 2.0.54?  It could be one of the random problems
which are caused by not clearing the OpenSSL error stack enough.
Comment 8 Aron Ujvari 2006-07-10 11:26:28 UTC
Dear Joe,

Exactly the same error happened with apache httpd-2.2.2, and as the original
post proposed, the grouping of VirtualHosts helped. Setting loglevel to debug
just prints the next three lines into the error log of the errorneous virtualhost:

[Mon Jul 10 12:13:18 2006] [debug] ssl_engine_init.c(405): Creating new SSL
context (protocols: SSLv2, SSLv3, TLSv1)
[Mon Jul 10 12:13:18 2006] [debug] ssl_engine_init.c(601): Configuring permitted
[Mon Jul 10 12:13:18 2006] [error] Oops, no RSA or DSA server certificate found
for 'my.hostname.hu:0'?!

Aron Ujvari
Comment 9 Joe Orton 2006-07-10 13:09:59 UTC
What version of OpenSSL? 

Can you narrow this down to an exact reproduction case: a single config file
using self-signed certs?  Also try using a vanilla httpd build rather than
Debian's too.
Comment 10 javier 2010-06-24 10:42:14 UTC
I have the same problem in Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8e-fips-rhel5 DAV/2
Comment 11 Joe Orton 2011-02-11 08:16:54 UTC
Created attachment 26640 [details]
probable fix

The bug fixed in the trunk r1069765 and r1069772 is probably (but not definitely) the issue being seen here.

Attached backport for 2.2.x.
Comment 12 Joe Orton 2011-02-11 08:17:41 UTC
*** Bug 41164 has been marked as a duplicate of this bug. ***
Comment 13 Joe Orton 2011-02-11 08:18:23 UTC
*** Bug 39192 has been marked as a duplicate of this bug. ***
Comment 14 William A. Rowe Jr. 2018-11-07 21:09:46 UTC
Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd.

As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd.

If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question.

If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with.

Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.