
I recently became the new admin of an old system that everybody approaches with the "don't touch it or it might break" mentality. Now I am being told to "touch it, and don't break it!"

Task: What I am supposed to do: Remove a domain name www.domain1.com from the server and replace it with www.domain2.com.

Background: www.domain1.com uses an SSL certificate to host a SOAP and a protected data retrieval site.
The server is long out of date. It is a Fedora 4 server with Apache 2.2.0, Tomcat 5.5.7 and OpenSSL 0.9.7f.

I am trying to: Set up www.domain2.com on the server with an SSL certificate to allow our business relations to access the SOAP from www.domain2.com/SOAP. We will move our other websites over then as well.

Path One: I was looking to set up the two domains on the same IP address (1.1.1.1), to make it easy. However, that doesn't look so easy or safe (see References at bottom). I found out that I don't have new enough versions of Apache or OpenSSL to do this.

Path Two: I decided to see what I would have to do to update them, which led to finding out that yum and apt-get no longer have mirrors for FC4. I found versions online that I could install manually. I don't want to go that route because I doubt I could reverse the changes. I don't like putting my hopes in a silver bullet that could also kill me if I miss.

I have:

  • I have an SSL certificate for www.domain2.com.
  • www.domain2.com is pointed at the same IP as www.domain1.com (1.1.1.1).
  • I have three more IP addresses assigned to my server that I can use (1.1.1.2, 1.1.1.3 and 1.1.1.4).

Since the path I was heading down doesn't look feasible, I was thinking I could set up www.domain2.com on 1.1.1.2 with a new install of Apache that could then also link to Tomcat to give access to the SOAP.

Questions:

  • Can I set up domain2 on the current version of Apache with IP 1.1.1.2 with its certificate or do I need to install another version of Apache to run side by side?
  • How would I configure the httpd-ssl.conf file if it is in the same Apache?

The current httpd-ssl.conf (Comments removed):

   Listen 443

   AddType application/x-x509-ca-cert .crt
   AddType application/x-pkcs7-crl    .crl

   SSLPassPhraseDialog  builtin


   SSLSessionCache        shmcb:/usr/local/apache-2.2.0/logs/ssl_scache(512000)
   SSLSessionCacheTimeout  300

   SSLMutex  file:/usr/local/apache-2.2.0/logs/ssl_mutex

   ##
   ## SSL Virtual Host Context
   ##

   <VirtualHost *:443>
       ServerName domain1.com
       ServerAdmin webmaster@www.domain1.com
       DocumentRoot /www/www.domain.com
       ErrorLog logs/sslerror_log
       CustomLog logs/ssl_request_log \
             "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
       TransferLog logs/ssltransfer_log
       JkMount  /domain1app1/* ajp13
       JkMount /domain1app2/* ajp13
       JkMount /SOAPdomain1app3/* ajp13
       JkMount /InformationRetrevaldoamin1app4/* ajp13

       SSLEngine on

       SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

       SSLCertificateFile /usr/local/apache-2.2.0/conf/domain1.crt
       SSLCertificateKeyFile /usr/local/apache-2.2.0/conf/domain1.key
       SSLCertificateChainFile /usr/local/apache-2.2.0/conf/intermediate.crt

       <FilesMatch "\.(cgi|shtml|phtml|php)$">
           SSLOptions +StdEnvVars
       </FilesMatch>

       BrowserMatch ".*MSIE.*" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
   </VirtualHost>

Does anybody have any suggestions as to how to proceed? I am looking for the littlest change that is "undoable" in case I mess it up. My tool box is pretty small when it comes to these types of things. Any help would be greatly appreciated! If you have a way to go about this that I haven't thought of, please let me know. :) Oh, and my boss would like me to get the SSL certificate in on Saturday during a 4 hour maintenance window. If it isn't possible I can delay till the next one.

Thanks in Advance!

Edited for readability.

References:

Multiple SSL domains on the same IP address and same port?

SSL site not using the correct IP in Apache and Ubuntu

can't install ssl certificate on apache

jneff

  • `Now I am being "told to touch it, and don't break it!".. What I am supposed to do.` **Step 1** -- Test your backup system; if you don't have one, **set up and test a backup system**. Having a good working backup system will give you a lot of freedom to make mistakes. – Zoredache Feb 15 '12 at 22:32
  • Can you please update your question and make it more readable? Your stream-of-consciousness style of writing is extremely hard to follow. – Zoredache Feb 15 '12 at 22:34
  • Ok, I will attempt to make it more readable. How would you suggest I set up a backup system? (VMware?) The current system is on a dedicated server hosted by a separate company. – jneff Feb 15 '12 at 22:37
  • Does your hosting company have any methods for making system backups? If not, maybe just a simple rsync or tar of the filesystem. – Zoredache Feb 15 '12 at 22:38
  • I will ask the hosting company if they have a method for making backups. I will also look into rsync or tar. – jneff Feb 15 '12 at 22:52

1 Answer

You shouldn't install a new Apache. Apache was probably installed from RPM packages anyway, so a second Apache could only be installed by hand. In my opinion, it is better to avoid this kind of fuss. However, you have other options.

Option 1: You can configure your Apache to handle both sites. To do this, you need to:

  • Use the explicit IP address with the VirtualHost directive
  • and supply a NameVirtualHost directive to each of them

This is really a copy-paste from the current configuration with a few changes. It should look like the config below. This way www.domain1.com and www.domain2.com serve the same content, since the JkMount directives remain the same.

You should copy the current httpd-ssl.conf file before editing, so that in case I screwed something up in the config, you can copy back the original and restart the server.

Option 2: If you need to change the domain name only, you really don't have to touch a thing. The registration of a new domain doesn't have anything to do with Apache. Once the registration is complete, the DNS servers will resolve www.domain2.com to 1.1.1.1 (what used to be www.domain1.com). Once this is done, and domain1.com is deleted, you only need to replace the ServerName directive and the certificates.

If you must have the two domains coexist, no matter how long, then go to Option 1.

Option 3: If you simply add a

ServerAlias www.domain2.com

line to your existing config, inside the VirtualHost definition, Apache will still serve both domains (on the same IP address). In this case, however, you can't have different certificates for the two domains.

--

Here is the modified config for Option 1:

Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

SSLPassPhraseDialog  builtin
SSLSessionCache        shmcb:/usr/local/apache-2.2.0/logs/ssl_scache(512000)
SSLSessionCacheTimeout  300

SSLMutex  file:/usr/local/apache-2.2.0/logs/ssl_mutex

NameVirtualHost 1.1.1.1:443
NameVirtualHost 1.1.1.2:443

##
## SSL Virtual Host Context
##

<VirtualHost 1.1.1.1:443>
    ServerName domain1.com
    ServerAdmin webmaster@www.domain1.com
    DocumentRoot /www/www.domain.com
    ErrorLog logs/sslerror_domain1_log
    CustomLog logs/ssl_request_domain1_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    TransferLog logs/ssltransfer_domain1_log
    JkMount  /domain1app1/* ajp13
    JkMount /domain1app2/* ajp13
    JkMount /SOAPdomain1app3/* ajp13
    JkMount /InformationRetrevaldoamin1app4/* ajp13

    SSLEngine on

    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

    SSLCertificateFile /usr/local/apache-2.2.0/conf/domain1.crt
    SSLCertificateKeyFile /usr/local/apache-2.2.0/conf/domain1.key
    SSLCertificateChainFile /usr/local/apache-2.2.0/conf/intermediate_for_domain1.crt

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>

    BrowserMatch ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
</VirtualHost>

<VirtualHost 1.1.1.2:443>
    ServerName domain2.com
    ServerAdmin webmaster@www.domain2.com
    DocumentRoot /www/www.domain.com
    ErrorLog logs/sslerror_domain2_log
    CustomLog logs/ssl_request_domain2_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    TransferLog logs/ssltransfer_domain2_log

    JkMount  /domain1app1/* ajp13
    JkMount /domain1app2/* ajp13
    JkMount /SOAPdomain1app3/* ajp13
    JkMount /InformationRetrevaldoamin1app4/* ajp13

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

    SSLCertificateFile /usr/local/apache-2.2.0/conf/domain2.crt
    SSLCertificateKeyFile /usr/local/apache-2.2.0/conf/domain2.key
    SSLCertificateChainFile /usr/local/apache-2.2.0/conf/intermediate_for_domain2.crt

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>

    BrowserMatch ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
</VirtualHost>
Lacek
  • Option 1 is the best one for me. I will get everything ready try and update it this weekend. Thank you very much! – jneff Feb 16 '12 at 15:51
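As an added pre-flight check (not code from the question or the answer), the following Python script parses the VirtualHost blocks of an httpd-ssl.conf in the shape of Option 1 and reports what a copy-paste edit tends to leave behind: a vhost missing one of the SSL directives, a key or log file that two vhosts share, and tokens in the SSLCipherSuite line (as it appears on this page) that keep weak cipher sets such as eNULL and EXP enabled. The embedded config is a constructed abbreviation of the answer's, with the second vhost deliberately reusing domain1's key and log file; run it on the real file before the maintenance window, and an empty result means the checks passed.

```python
import re
# Constructed sample in the shape of the answer's Option 1; the second vhost
# deliberately reuses domain1's key and log file, a typical copy-paste slip.
SAMPLE_CONF = """
<VirtualHost 1.1.1.1:443>
    TransferLog logs/ssltransfer_domain1_log
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /usr/local/apache-2.2.0/conf/domain1.crt
    SSLCertificateKeyFile /usr/local/apache-2.2.0/conf/domain1.key
</VirtualHost>
<VirtualHost 1.1.1.2:443>
    TransferLog logs/ssltransfer_domain1_log
    SSLEngine on
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW
    SSLCertificateFile /usr/local/apache-2.2.0/conf/domain2.crt
    SSLCertificateKeyFile /usr/local/apache-2.2.0/conf/domain1.key
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S)
REQUIRED = ("SSLEngine", "SSLCertificateFile", "SSLCertificateKeyFile")
PER_HOST = ("SSLCertificateKeyFile", "ErrorLog", "TransferLog", "CustomLog")
WEAK_SETS = ("eNULL", "EXP", "LOW", "SSLv2")  # sets named in the page's cipher string

def parse_vhosts(conf):
    """Return [(address, {directive: value})] for every VirtualHost block."""
    hosts = []
    for addr, body in VHOST_RE.findall(conf):
        directives = {}
        for line in body.splitlines():
            parts = line.strip().split(None, 1)  # directive name, rest of line
            if parts and not parts[0].startswith("#"):
                directives[parts[0]] = parts[1] if len(parts) > 1 else ""
        hosts.append((addr.strip(), directives))
    return hosts

def check_vhosts(conf):
    """Return a list of findings; an empty list means every check passed."""
    findings, first_use = [], {}
    for addr, d in parse_vhosts(conf):
        findings += [f"{addr}: missing {n}" for n in REQUIRED if n not in d]
        for name in PER_HOST:  # first token of the value is the file path
            path = d.get(name, "").split()[:1]
            if path:
                owner = first_use.setdefault((name, path[0]), addr)
                if owner != addr:
                    findings.append(f"{addr}: {name} {path[0]} already used by {owner}")
        findings += [f"{addr}: SSLCipherSuite keeps weak set {t}" for t in
                     d.get("SSLCipherSuite", "").split(":") if t.lstrip("+") in WEAK_SETS]
    return findings
```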