SSL Problems

brucelet · September 11, 2007, 10:12pm

I created a virtual server, put it on its own IP, added a self generated SSL, and cannot connect to it. I keep getting an error saying there is a problem connecting to it. The Apache error log says:

[Tue Sep 11 22:59:18 2007] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Sep 11 22:59:18 2007] [warn] RSA server certificate CommonName (CN) `www.abc.com’ does NOT match server name!?

What could it be?

Post edited by: bruce@creativewebtech.com, at: 2007/09/11 18:22<br><br>Post edited by: brucelet, at: 2008/06/27 07:20

Joe · September 12, 2007, 6:21pm

Hey Bruce,

This looks kinda like the certificate is installed system-wide, rather than for the virtual server. Did you use the "Manage SSL Certificate" form found in the "Server Configuration" menu for the domain in question?

If so, what does the VirtualHost section from the Apache configuration file look like for this domain?

Joe · September 12, 2007, 6:26pm

BTW-A self-signed certificate ought to have been generated automatically for you with all of the correct settings. Was there a reason to replace it? (I’m pulling in a bit of data gleaned from your email to me, that the problem cert is self-signed.)

brucelet · September 12, 2007, 7:11pm

Yes, it was generated originally, but I regenerated it a number of times from the Manage SSL Certificate while under this domain to try and fix the errors. The second error about domain name not matching would go away when I generated it without the www.

We used the Configure Website for SSL section to change the default directory to one that we created.

The directives section under Configure Website for SSL for this domain contains the following:

SuexecUserGroup "#500" "#501"
ServerAlias www.example.com
ServerAlias lists.example.com
ErrorLog /home/example/logs/error_log
CustomLog /home/example/logs/access_log combined
ScriptAlias /cgi-bin/ /home/example/cgi-bin/
ScriptAlias /awstats /home/example/cgi-bin
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/example/public_html>
Options Indexes IncludesNOEXEC FollowSymLinks ExecCGI
allow from all
AllowOverride All
AddHandler fcgid-script .php
AddHandler fcgid-script .php5
FCGIWrapper /home/example/fcgi-bin/php5.fcgi .php
FCGIWrapper /home/example/fcgi-bin/php5.fcgi .php5
</Directory>
<Directory /home/example/cgi-bin>
allow from all
</Directory>
RemoveHandler .php
RemoveHandler .php5
Alias /dav /home/example/public_html
<Location /dav>
DAV On
AuthType Basic
AuthName example.com
AuthUserFile /home/example/etc/dav.digest.passwd
Require valid-user
ForceType text/plain
</Location>
RedirectMatch /cgi-bin/mailman/([^/])(.) https://windowblinds-test.com:10000/virtualmin-mailman/unauthenticated/$1.cgi$2
RedirectMatch /mailman/([^/])(.) https://example.com:10000/virtualmin-mailman/unauthenticated/$1.cgi$2
SSLEngine on
SSLCertificateFile /home/example/ssl.cert
SSLCertificateKeyFile /home/example/ssl.key
DocumentRoot /home/example/public_html/httpsdocs
ServerName example.com

Joe · September 24, 2007, 10:21pm

To re-animate this moribund thread, I wanted to point out that the solution turned out to be opening the firewall. Virtualmin is supposed to open all ports needed for hosting during install, but fails to open 443. This will be fixed in the next release of virtualmin-base.

ConRadical · September 24, 2007, 10:49pm

Joe…

There’s also a FTP problem in the default setup.

Joe · September 24, 2007, 10:55pm

Right. I’ll see if I can figure out the active/passive/whatever bits needed, and get that fix in as well.

ConRadical · September 24, 2007, 11:37pm

man, you’re on the ball