Bug 39192 - Wildcard certificate with multiple name-based vhosts - not found
Status: RESOLVED DUPLICATE of bug 31709
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.2.0
Hardware: PC FreeBSD
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2006-04-04 01:01 UTC by Jacek Chmielewski
Modified: 2011-02-11 08:18 UTC

Description Jacek Chmielewski 2006-04-04 01:01:44 UTC
There is a problem with running HTTPS for name-based virtual hosts. I
know that 'SSL won't work for name-based virtual hosts'
[http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47]. But it is known
that for name-based virtual hosts Apache will always read the certificate set
for the first vhost and this is ok for me, since I have just one
wildcard certificate [*.mydomain.com] and I use it for all vhosts.

It seems to work properly with 5-7 virtual hosts. But when I try to
add another vhost with the same certificate Apache throws an error:

[error] Oops, no RSA or DSA server certificate found for 'vhost8.mydomain.com:0'?!

I have no idea why there is a problem. All vhosts differ only in
ServerName and DocumentRoot. The rest of the configuration is the same
and all vhosts have the same certificate. So why does Apache tell me that
it cannot find the certificate file when it has already read it for the
previous seven vhosts?

OS: FreeBSD 6
Apache: 2.2.0_7 (I got the same error with Apache 2.0)

Sample vhost config:

<VirtualHost *:443>
  ServerName vhost8.mydomain.com
  DocumentRoot /home/www/vhost8
  DirectoryIndex index.php index.html

  SSLEngine on
  SSLCertificateFile          /usr/local/etc/apache22/crt/server.crt
  SSLCertificateKeyFile       /usr/local/etc/apache22/crt/server.key
  SSLCACertificateFile        /usr/local/etc/apache22/crt/ca.crt
</VirtualHost>
Comment 1 Joe Orton 2006-06-21 12:18:55 UTC
The configuration should use "ServerName vhost8.mydomain.com:443" at least; not
sure otherwise why this should actually fail.  Can you attach the complete
error_log produced at startup with "LogLevel debug" configured?
Comment 2 Nick Kew 2008-12-26 11:31:07 UTC
No response from OP.
Comment 3 vincent.mcintyre 2009-11-15 13:37:41 UTC
I just saw this and happened upon this bug report.
platform: debian etch i386
version: apache-2.2.3-4+etch10

In my case this appears to occur only when:
 * you add a new ssl'd vhost to the config
 * you run /etc/init.d/apache2 reload

If you instead run:
 /etc/init.d/apache2 stop
 /etc/init.d/apache2 start

You get the familiar warning:
  [warn] RSA server certificate CommonName (CN) `*.mydom.com' does NOT match server name
but the server starts fine and works as expected.

I noticed that the error message indicates apache thinks the vhost is listening on port 0, not port 80 or 443:
   Oops, no RSA or DSA server certificate found for 'site.mydom.com:0'?!
Perhaps this will help tracking this down.

I did not have to resort to adding the port number to the ServerName directive.
Comment 4 Joe Orton 2011-02-11 08:18:23 UTC

*** This bug has been marked as a duplicate of bug 31709 ***
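
Added example (not part of the bug report and not Apache httpd code): a small Python triage script for the symptom discussed in this thread. It cross-references the "Oops" startup error with the SSL vhosts in a configuration and lists the failing ones whose ServerName has no explicit port, the change suggested in Comment 1. The sample config and log line are constructed, the function names are hypothetical, and ServerName values with a scheme prefix are not handled.

```python
import re

# Constructed sample config, modelled on the vhost in the report (not a real deployment).
SAMPLE_CONF = """\
<VirtualHost *:443>
  ServerName vhost7.mydomain.com:443
  SSLEngine on
  SSLCertificateFile /usr/local/etc/apache22/crt/server.crt
</VirtualHost>
<VirtualHost *:443>
  ServerName vhost8.mydomain.com
  SSLEngine on
  SSLCertificateFile /usr/local/etc/apache22/crt/server.crt
</VirtualHost>
"""
# Constructed log line in the format quoted in the report.
SAMPLE_LOG = "[error] Oops, no RSA or DSA server certificate found for 'vhost8.mydomain.com:0'?!\n"

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
OOPS_RE = re.compile(r"no RSA or DSA server certificate found for '([^':]+):(\d+)'")

def directive(body, name):
    """Return the first argument of a directive inside a vhost body, or None."""
    m = re.search(rf"^\s*{name}\s+(\S+)", body, re.M | re.I)
    return m.group(1) if m else None

def ssl_vhosts(conf):
    """Yield (host, has_explicit_port, cert_file) for every vhost with SSLEngine on."""
    for _addr, body in VHOST_RE.findall(conf):
        if (directive(body, "SSLEngine") or "").lower() != "on":
            continue
        name = directive(body, "ServerName") or ""
        host, _, port = name.partition(":")
        yield host, bool(port), directive(body, "SSLCertificateFile")

def failed_hosts(log):
    """Map host -> port as reported in the 'Oops' startup error lines."""
    return {host: int(port) for host, port in OOPS_RE.findall(log)}

def triage(conf, log):
    """List SSL vhosts reported with port 0 whose ServerName has no explicit port."""
    failed = failed_hosts(log)
    return [host for host, has_port, _cert in ssl_vhosts(conf)
            if host in failed and failed[host] == 0 and not has_port]

if __name__ == "__main__":
    print(triage(SAMPLE_CONF, SAMPLE_LOG))
```

To use it on a real server, pass the contents of the vhost configuration and the startup error_log to `triage` instead of the constructed samples.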