Full Version: SSL Cert install
mickalo
Hello,

For some reason, all of a sudden, all of our SSL certs stopped working correctly today... not sure why yet. But when I attempt to restart Apache we get these warnings, and none of the SSL protocols seem to be working. They were all installed through WHM.

CODE
[Sat Jul  5 20:05:25 2003] [warn] VirtualHost www.tradingexpert.com:443 overlaps with VirtualHost optionpro.com:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Sat Jul  5 20:05:25 2003] [warn] VirtualHost tradingpro.com:443 overlaps with VirtualHost www.tradingexpert.com:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Sat Jul  5 20:05:25 2003] [warn] VirtualHost justlightening.net:443 overlaps with VirtualHost tradingpro.com:443, the first has precedence, perhaps you need a NameVirtualHost directive

They were all working fine earlier today, but now they are having problems.

Any help would be much appreciated.
eth00
Have you been manually editing the httpd.conf?
mickalo
Actually no. Everything was working fine earlier today. We just set up on a new Dell server this past weekend. We have about 45 hosting accounts. The SSL certs were all working fine, until a couple of hours ago.

I did update our kernel via up2date earlier today, but I don't think that caused any problems. After the reboot everything seemed fine. But now all of a sudden all our SSL certs started having problems.

This one has me stumped ??
eth00
The error you posted is just the virtual host lines having conflicts because they are set to the same document root; it's nothing critical. Perhaps there is some other problem that could be causing this? I have had that before and it does not really harm anything.
mickalo
No, everything is working fine, except all the hosting accounts with SSL certs set up are all pointing back to one particular SSL domain, instead of the domain with the SSL cert that's being called. I.e., we have one with the SSL https://optionpro.com that was working fine earlier, but now it's going to https://justlightening.net, along with all the other SSL domains... they all keep going back to the https://justlightening.net domain.

But the problem may be with the DNS... for some reason, all of a sudden, some of the domains are pointing back to our old DNS settings instead of the new DNS settings. I did a check (whois) for these domains, and they are still going back to our old DNS settings... again, this was all updated earlier today, but now all of a sudden the DNS from the whois is pointing back to our old DNS.
eth00
Perhaps check that each SSL site is using its own ip, sounds like that could be causing a problem.
mickalo
We don't have IP-assigned domains with our current setup. All domains are using the same primary IP address (64.246.58.87). Our old server had assigned IP addresses to each domain, but with RackShack, they do not assign IPs.

As I say, everything was working fine earlier today... all the SSL certs were fine and working properly on our new server.

But for some reason, the DNS has changed since earlier today... so that could be the problem... why, I don't know how that happened yet!

This is really a strange one ;)
Angel78
All domains are using the same primary IP address(64.246.58.87)


You need one IP per SSL.
mickalo
QUOTE
Originally posted by Angel78
All domains are using the same primary IP address(64.246.58.87)


You need one IP per SSL.


Hi,

Yes, all the regular domains are assigned the same IP address, a shared IP, our primary DNS IP for the nameserver.

So I can leave all the regular domain IPs as they are and not change them, but each SSL needs to have its own unique IP assigned to it within the VirtualHost directive??

thx's
eth00
Does each site have its own ssl cert or are you working off of a shared ssl certificate? If it is shared then they all need to be on one ip.
mickalo
QUOTE
Originally posted by eth00
Does each site have its own ssl cert or are you working off of a shared ssl certificate? If it is shared then they all need to be on one ip.


Yes, each domain has its OWN SSL cert, not a shared SSL cert.
eth00
Then they would all have to be ip based sites with different ips, I thought you had it setup for shared.

SSL only can have one cert bound to the https per ip. You are going to have to change all of those sites over to ip based and give them independent ips. I think when you had it working before all that was really happening is you had a shared ssl cert they all shared.
mickalo
QUOTE
Originally posted by eth00
Then they would all have to be ip based sites with different ips, I thought you had it setup for shared.

SSL only can have one cert bound to the https per ip. You are going to have to change all of those sites over to ip based and give them independent ips. I think when you had it working before all that was really happening is you had a shared ssl cert they all shared.


OK, I just want to clarify what you're saying, as this is the way it was on our old server. All the domains had their own unique IPs assigned to them, but when we moved to Rackshack, we were set up with only a few IPs, of which 3 were used for our DNS settings, NS, NS2 and NS3.

Below is an example of one of the domains with their own SSL certs
CODE
<VirtualHost IP_ADDR_HERE>
    ServerAlias www.kart-a-bag.com kart-a-bag.com
    ServerAdmin webmaster@kart-a-bag.com
    DocumentRoot /home/kart-a-b/public_html
    BytesLog domlogs/kart-a-bag.com-bytes_log
    ServerName www.kart-a-bag.com
    CustomLog domlogs/kart-a-bag.com combined
    ScriptAlias /cgi-bin/ /home/kart-a-b/public_html/cgi-bin/
</VirtualHost>

<IfDefine SSL>
<VirtualHost SAME_IP_ADDR_HERE:443>
    ServerAdmin webmaster@www.kart-a-bag.com
    DocumentRoot /home/kart-a-b/public_html
    BytesLog domlogs/kart-a-bag.com-bytes_log
    ServerName www.kart-a-bag.com
    SSLEnable
    SSLCertificateFile /usr/share/ssl/certs/www.kart-a-bag.com.crt
    SSLCertificateKeyFile /usr/share/ssl/private/www.kart-a-bag.com.key
    SSLLogFile /var/log/www.kart-a-bag.com
</VirtualHost>
</IfDefine>


So the IP_ADDR_HERE has to be the same unique IP and assigned to this domain for both the SSL and regular domain, is that correct??

Thx's
eth00
Correct unless you do something like https://ssl.domain.com which would point to the correct ssl ip.

What happens when you connect on ssl is that the server just responds with the correct webpage, there are no virtualhost options (at this time) with ssl. Therefore if a user goes to https://domain.com and that ip already had something.com on it then it will go to something.com because it was bound to the ip first.

Though it's not really the best, you *can* host https sites on the same ip as your NS, no real harm, it just does not look as good if somebody starts looking at the dns records.

I hope this makes some sense to you.
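
Added example (not part of the original thread): a small Python check for the situation eth00 describes, where several SSL virtual hosts with different certificates share one address and the first one defined answers for all of them. It models a server without SNI, as in the thread; the host names and 192.0.2.x addresses are constructed placeholders, and the parser assumes one address per `<VirtualHost>` line.

```python
import re
from collections import defaultdict

# Constructed sample config; names and 192.0.2.x addresses are placeholders.
SAMPLE_CONF = """
<VirtualHost 192.0.2.10:443>
ServerName www.site-a.example
SSLCertificateFile /usr/share/ssl/certs/www.site-a.example.crt
</VirtualHost>
<VirtualHost 192.0.2.10:443>
ServerName www.site-b.example
SSLCertificateFile /usr/share/ssl/certs/www.site-b.example.crt
</VirtualHost>
<VirtualHost 192.0.2.11:443>
ServerName www.site-c.example
SSLCertificateFile /usr/share/ssl/certs/www.site-c.example.crt
</VirtualHost>
<VirtualHost 192.0.2.10>
ServerName www.site-a.example
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>\s]+)\s*>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    m = re.search(rf"^\s*{name}\s+(\S+)", body, re.M | re.I)
    return m.group(1) if m else None

def ssl_vhosts(conf):
    """Yield (address, server name, cert path) for each vhost that sets a certificate."""
    for addr, body in VHOST_RE.findall(conf):
        cert = directive(body, "SSLCertificateFile")
        if cert:
            yield addr, directive(body, "ServerName"), cert

def find_overlaps(conf):
    """Map address -> (first-defined name, which wins; names it shadows)."""
    by_addr = defaultdict(list)
    for addr, name, cert in ssl_vhosts(conf):
        by_addr[addr].append((name, cert))
    overlaps = {}
    for addr, hosts in by_addr.items():
        if len({cert for _, cert in hosts}) > 1:
            overlaps[addr] = (hosts[0][0], [n for n, _ in hosts[1:]])
    return overlaps

if __name__ == "__main__":
    for addr, (winner, shadowed) in find_overlaps(SAMPLE_CONF).items():
        print(f"{addr}: {winner} answers for {', '.join(shadowed)}")
```

Any address the check reports corresponds to an "overlaps with VirtualHost" warning of the kind posted at the top of the thread; moving each shadowed host to its own address clears it.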
mickalo
QUOTE
Originally posted by eth00
Correct unless you do something like https://ssl.domain.com which would point to the correct ssl ip.

What happens when you connect on ssl is that the server just responds with the correct webpage, there are no virtualhost options (at this time) with ssl. Therefore if a user goes to https://domain.com and that ip already had something.com on it then it will go to something.com because it was bound to the ip first.

Though it's not really the best, you *can* host https sites on the same ip as your NS, no real harm, it just does not look as good if somebody starts looking at the dns records.

I hope this makes some sense to you.


Well, kinda sort of :)

Can you post or send me an example of this setup:
QUOTE
Correct unless you do something like https://ssl.domain.com which would point to the correct ssl ip.


But I think we'll need to assign them each their own IP address.

mickalo@bellsouth.net
eth00
Just assign each its own ip, the setup I said STILL required each site to have its own ip but was just a little work around to keep the non-secure site on the main ip.

Giving its own ip should resolve your problem.
mickalo
Thanks so much for your help :)

Guess these sites will be down a bit till their new IPs' propagation/change... that will tend to tick them off :)

Thx's again

Mickalo
eth00
If you host your own dns then the change will be instant and should result in only a few hours of downtime due to ISP dns caching, and new people will see it right away at least.
mickalo
QUOTE
Originally posted by eth00
If you host your own dns then the change will be instant and should result in only a few hours of downtime due to ISP dns caching, and new people will see it right away at least.


Yes, you're right! :)