
I want to serve multiple domains on my server. Apache 2.2.3 and OpenSSL 0.9.8 are installed on my server. I created the private key and crt files from startssl.com. Now I wrote ssl.conf like this.

```apache
# Both name-based vhosts share one IP:port, so httpd can only pick the
# right certificate if the client sends the hostname in the TLS handshake
# (SNI) and mod_ssl/OpenSSL understand it. Without SNI every connection to
# IpAddr:443 gets the first vhost's certificate.
NameVirtualHost IpAddr:443

<VirtualHost IpAddr:443>
  SSLEngine on
  SSLProtocol all -SSLv2
  # Note: in an OpenSSL cipher string "+HIGH:+MEDIUM" does not enable those
  # groups; it moves them to the END of the preference list, so anything
  # left in ALL that is not HIGH or MEDIUM is preferred first.
  SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!RC4:+HIGH:+MEDIUM
  SSLCertificateFile /etc/httpd/ssl/first.crt
  SSLCertificateKeyFile /etc/httpd/ssl/first.key
  SSLCertificateChainFile /etc/httpd/ssl/1_root_bundle.crt
  ServerName first.loginface.com
  DocumentRoot /var/www/html/first
</VirtualHost>

# Second vhost on the same IpAddr:443; ServerName is what SNI is matched against.
<VirtualHost IpAddr:443>
  SSLEngine on
  SSLProtocol all -SSLv2
  SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!RC4:+HIGH:+MEDIUM
  SSLCertificateFile /etc/httpd/ssl/second.crt
  SSLCertificateKeyFile /etc/httpd/ssl/second.key
  SSLCertificateChainFile /etc/httpd/ssl/1_root_bundle.crt
  ServerName second.loginface.com
  DocumentRoot /var/www/html/faceanalyser
</VirtualHost>
```

Now I restarted httpd. The first domain works well, but the second domain doesn't verify. What's wrong with this? Thanks.

Zuiche

1 Answer


Upgrade. Stock C5 doesn't support SNI, which is the technology required to serve multiple domains on a single IP under SSL. As you will see from the linked answer (and others) shoehorning it into C5 is painful, and moreover, you've only got about two years of life left on that OS (though in your case, you're way out of patch and unsupported already; 5.1 has been EoLed for many years) so this is as good a reason as any to upgrade.

MadHatter
  • So you mean openssl 0.9.8e-fips-rhel5 01 Jul 2008 doesn't support SNI, right? – Zuiche Jan 08 '16 at 07:57
  • My understanding is that 0.9.8f or better is required, so it does not. I believe you also need a newer version of apache, and since C6 has both, it may be time to upgrade. Even if you don't, it's time you came up-to-patch; [there's no good reason to be running C5.1](http://serverfault.com/a/535615/55514). – MadHatter Jan 08 '16 at 08:09
  • I updated OpenSSL to 1.0.1g, but the second domain still doesn't verify. – Zuiche Jan 08 '16 at 08:16
  • Note comment above about apache versions; and it will be less pain to go to C6 than to maintain separate hand-built versions of *both* apache and openssl. You also don't say **how** you updated to openssl 1.0.1g, given that you need to make httpd run against that version, so I suspect you may not have done what you think you did. Please note that you're doing exactly what I advised you **not** to do, so there will be a limit to how much handholding I'm likely to provide for that endeavour. – MadHatter Jan 08 '16 at 08:37
  • I built Apache 2.2.31 from source. But when I get the Apache version using apachectl -v, my Apache version is still 2.2.3. How do I do it? – Zuiche Jan 08 '16 at 08:43
  • As I said, you are doing exactly what I advised you not to do, so I'm very unlikely to provide assistance. The right thing to do is to plan, test, and execute an update to C6 (or C7). – MadHatter Jan 08 '16 at 08:52
  • Sorry, What is C5 or C6 or C7? How can I check C5? And how to update to C6? – Zuiche Jan 11 '16 at 01:12
  • Do you mean CentOS version? – Zuiche Jan 11 '16 at 02:50
  • Yes, I'm sorry if the abbreviations were confusing, C6=CentOS6, C7=Centos7, and so on. How to upgrade is *way* beyond the scope of an SF article, but there's a fair amount of material out there. Your big problem is that there's no supported upgrade path from C5 to either C6 or C7; blame Red Hat for that, as it essentially means a clean reinstall. That said, there are a number of *un*supported paths available, which google will find for you - but you'll want to test those thoroughly on a clone first. I'm not saying this is easy, but I'm saying you're going to *have* to do it soon anyway. – MadHatter Jan 11 '16 at 07:09
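The thread turns on two questions the asker never gets a tool for: does the httpd that is actually running link an OpenSSL new enough for SNI, and is the server really choosing a vhost by SNI or handing every client the first certificate? The script below is an added example, not code from the thread or from the Apache/OpenSSL projects. It assumes the version thresholds stated in its comments (OpenSSL 0.9.8f and httpd 2.2.12 as the first SNI-capable releases; the answer above names only the OpenSSL one), reads mod_ssl's startup line from error_log because that line names the OpenSSL the running httpd loaded rather than whatever `openssl version` finds on PATH (which is exactly how a hand-built 1.0.1g can sit unused next to a stock 2.2.3 httpd), and probes a live host with `IpAddr` and the two loginface.com names from the question as placeholders. The sample log lines are constructed.

```python
"""SNI readiness check for an httpd + OpenSSL pair, and a live SNI probe.

Added example, not from the original post or the Apache/OpenSSL projects.
Assumed thresholds: OpenSSL 0.9.8f and httpd 2.2.12 are the first releases
that speak TLS SNI.
"""
import hashlib
import re
import socket
import ssl

OPENSSL_SNI_MIN = (0, 9, 8, "f")   # assumption: first OpenSSL with SNI
HTTPD_SNI_MIN = (2, 2, 12)         # assumption: first httpd 2.2.x with SNI

# Constructed sample lines, in the shape mod_ssl logs to error_log at startup.
LOG_STOCK_C5 = ("[notice] Apache/2.2.3 (CentOS) mod_ssl/2.2.3 "
                "OpenSSL/0.9.8e-fips-rhel5 configured -- resuming normal operations")
LOG_UPGRADED = ("[notice] Apache/2.2.31 (Unix) mod_ssl/2.2.31 "
                "OpenSSL/1.0.1g configured -- resuming normal operations")


def parse_openssl_version(text):
    """(major, minor, fix, letters) from 'OpenSSL 0.9.8e-fips' or 'OpenSSL/1.0.1g'."""
    m = re.search(r"OpenSSL[/ ](\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        raise ValueError("no OpenSSL version in %r" % text)
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), letters)


def parse_httpd_version(text):
    """(major, minor, patch) from 'Apache/2.2.3' in a log line or `httpd -v` output."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no Apache version in %r" % text)
    return tuple(int(x) for x in m.groups())


def openssl_has_sni(ver):
    """On the 0.9.8 branch the letter decides ('' < 'f' < 'zh'); later branches all qualify."""
    num, letters = ver[:3], ver[3]
    if num != OPENSSL_SNI_MIN[:3]:
        return num > OPENSSL_SNI_MIN[:3]
    return letters >= OPENSSL_SNI_MIN[3]


def httpd_has_sni(ver):
    return tuple(ver) >= HTTPD_SNI_MIN


def sni_status(log_line):
    """Judge one mod_ssl startup line: both components must be new enough."""
    httpd = parse_httpd_version(log_line)
    openssl = parse_openssl_version(log_line)
    problems = []
    if not httpd_has_sni(httpd):
        problems.append("httpd %d.%d.%d < 2.2.12" % httpd)
    if not openssl_has_sni(openssl):
        problems.append("OpenSSL %d.%d.%d%s < 0.9.8f" % openssl)
    return {"httpd": httpd, "openssl": openssl,
            "sni": not problems, "problems": problems}


def leaf_fingerprint(host, port=443, servername=None, timeout=5):
    """SHA-256 of the DER leaf certificate the server presents.
    servername=None sends no SNI extension (what a pre-SNI client looks like).
    Verification is disabled on purpose: we want the certificate even when it
    is the wrong one for the name we asked for."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # A 2.2.3-era httpd only offers TLS 1.0; a modern client must allow it.
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=servername) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def server_selects_by_sni(fp_by_name):
    """True when every probed name received a different certificate."""
    return len(set(fp_by_name.values())) == len(fp_by_name)


def probe(host, names):
    """Fingerprint the certificate served with no SNI and with each name."""
    fps = {"(no SNI)": leaf_fingerprint(host)}
    for name in names:
        fps[name] = leaf_fingerprint(host, servername=name)
    by_name = {n: f for n, f in fps.items() if n != "(no SNI)"}
    return fps, server_selects_by_sni(by_name)


if __name__ == "__main__":
    for line in (LOG_STOCK_C5, LOG_UPGRADED):
        print(sni_status(line))
    # Against the real box (placeholders from the question):
    # fps, ok = probe("IpAddr", ["first.loginface.com", "second.loginface.com"])
```

Run the log check against the actual line in /var/log/httpd/error_log after a restart; if it still says Apache/2.2.3 with OpenSSL/0.9.8e after building 2.2.31, the init script is starting the stock binary, which matches what `apachectl -v` reported in the comments. The probe is the client-side confirmation: when the fingerprint for second.loginface.com equals the one returned with no SNI at all, the server is ignoring the extension and the browser's certificate warning on the second name is exactly what you would expect.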