# apache2 vhost ssl: You configured HTTP(80) on HTTPS(443)

## jeffk

I'm having trouble with Apache2 and an IP-based virtual host over SSL (aren't we all). I have a fairly stock apache setup; the objective is a mod_python web application (trac) and subversion over https. The http configuration of each works just fine.

Apache and OpenSSL

apache has been emerged after the most recent openssl emerge:

```
Sun Oct  1 22:55:37 2006 >>> dev-libs/openssl-0.9.8d
Mon Dec 11 20:47:00 2006 >>> net-www/apache-2.0.59-r2
```

apache has been emerged with USE=ssl:

```
# emerge openssl apache -pv
[ebuild   R   ] dev-libs/openssl-0.9.8d  USE="emacs zlib -bindist -sse2 -test" 0 kB
[ebuild   R   ] net-www/apache-2.0.59-r2  USE="apache2 ldap ssl -debug -doc -mpm-itk -mpm-leader -mpm-peruser -mpm-prefork -mpm-threadpool -mpm-worker (-selinux) -static-modules -threads" 0 kB
```

Apache OPTS

APACHE2_OPTS has SSL SSL_DEFAULT_VHOST, plus the subversion and mod_python options I need for trac and subversion:

```
# grep OPTS= /etc/conf.d/apache2
APACHE2_OPTS="-D DEFAULT_VHOST -D SSL -D SSL_DEFAULT_VHOST -D PROXY -D INFO -D MIME -D DAV -D DAV_FS -D SVN -D SVN_AUTHZ -D PYTHON"
```

Apache is listening on ports 80 and 443

```
# netstat -tlnp | grep apache2
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      3508/apache2
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      3508/apache2
```

Certificate

A self-signed certificate has been created per http://gentoo-wiki.com/Apache_Modules_mod_ssl. Skipping the first step (a passphrase version of the key):

```
# openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
....................++++++
.....++++++
e is 65537 (0x10001)
athlon1 ssl # openssl rsa -in server.key -out server.pem
writing RSA key
athlon1 ssl # openssl req -new -key server.pem -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ACME Company
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# openssl x509 -req -days 365 -in server.csr -signkey server.pem -out server.crt
Signature ok
subject=/C=US/O=ACME Company
Getting Private key
```

(Question: I notice that nowhere in this process is the virtual host domain name entered. Is that something I need?)

The certificates are read-write by root only (does apache:apache need to be the owner?):

```
# ls -l /etc/apache2/ssl/
total 16
-rw------- 1 root root 676 Dec 18 15:55 server.crt
-rw------- 1 root root 562 Dec 18 15:55 server.csr
-rw------- 1 root root 891 Dec 18 15:54 server.key
-rw------- 1 root root 891 Dec 18 15:54 server.pem
```

The only change to default-vhost.conf is to reference server.pem, as per http://gentoo-wiki.com/Apache_Modules_mod_ssl:

```
# grep -R SSLCertificateKeyFile /etc/apache2/
/etc/apache2/modules.d/41_mod_ssl.default-vhost.conf:#SSLCertificateKeyFile conf/ssl/server.key
/etc/apache2/modules.d/41_mod_ssl.default-vhost.conf:SSLCertificateKeyFile conf/ssl/server.pem
```

The vhost for which I am trying to enable SSL is defined as follows. Please forgive the duplication; once I get SSL working I'm going to enable a rewrite to force HTTPS. I have a number of non-SSL vhosts that share IPs, but this one has its own IP. If I'm supposed to do something different than NameVirtualHost, please correct me.

```
# cat /etc/apache2/vhosts.d/dev.acmecorp.com.conf
NameVirtualHost 1.2.3.4:80
NameVirtualHost 1.2.3.4:443

<VirtualHost 1.2.3.4:80>
  ServerAdmin webmaster@acmecorp.com
  ServerName dev.acmecorp.com
  ErrorLog /var/www/dev.acmecorp.com/logs/error_log
  TransferLog /var/www/dev.acmecorp.com/logs/access_log
  <Location /trac>
    SetHandler mod_python
    PythonHandler trac.web.modpython_frontend
    PythonOption TracEnv /var/lib/trac/myproject
    PythonOption TracUriRoot /trac
  </Location>
  <Location /trac/login>
    AuthType Basic
    AuthName trac
    AuthUserFile /var/lib/svn/myproject/conf/svnusers
    Require valid-user
  </Location>
  <Location /svn>
    DAV svn
    SVNPath /var/lib/svn/myproject
    AuthzSVNAccessFile /var/lib/svn/myproject/conf/authz
    AuthType Basic
    AuthName svn
    AuthUserFile /var/lib/svn/myproject/conf/svnusers
    Require valid-user
  </Location>
</VirtualHost>

<VirtualHost 1.2.3.4:443>
  ServerAdmin webmaster@acmecorp.com
  ServerName dev.acmecorp.com:443
  ErrorLog /var/www/dev.acmecorp.com/logs/error_log
  TransferLog /var/www/dev.acmecorp.com/logs/access_log
  <Location /trac>
    SetHandler mod_python
    PythonHandler trac.web.modpython_frontend
    PythonOption TracEnv /var/lib/trac/myproject
    PythonOption TracUriRoot /trac
  </Location>
  <Location /trac/login>
    AuthType Basic
    AuthName trac
    AuthUserFile /var/lib/svn/myproject/conf/svnusers
    Require valid-user
  </Location>
  <Location /svn>
    DAV svn
    SVNPath /var/lib/svn/myproject
    AuthzSVNAccessFile /var/lib/svn/myproject/conf/authz
    AuthType Basic
    AuthName svn
    AuthUserFile /var/lib/svn/myproject/conf/svnusers
    Require valid-user
  </Location>
</VirtualHost>
```

The IP address is used only for this virtual host:

```
# grep -R 1.2.3.4 /etc/apache2/*
vhosts.d/dev.acmecorp.com.conf:NameVirtualHost 1.2.3.4:80
vhosts.d/dev.acmecorp.com.conf:NameVirtualHost 1.2.3.4:443
vhosts.d/dev.acmecorp.com.conf:<VirtualHost 1.2.3.4:80>
vhosts.d/dev.acmecorp.com.conf:<VirtualHost 1.2.3.4:443>
```

Missing SSLEngine, etc.

Note the absence of SSLEngine On and other SSL commands from the above vhost .conf. When I add SSLEngine On to the :443 VirtualHost section, apache fails to start. I don't know why, exactly. The (one) modification to 41_mod_ssl.default-vhost.conf would have created appropriate default values for CertificateKeyFile, I thought. Is this the case?

The Errors and Log Information

Apache starts with the above configuration, but a telling twice-repeated error line appears in error_log:

```
#tail /var/log/apache2/error_log
[warn] Init: (dev.acmecorp.com:443) You configured HTTP(80) on the standard HTTPS(443) port!
[warn] Init: (dev.acmecorp.com:443) You configured HTTP(80) on the standard HTTPS(443) port!
[notice] Apache configured -- resuming normal operations
```

Testing the running configuration with openssl s_client:

```
# openssl s_client -connect dev.acmecorp.com:443 -state -debug
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x80beee0 [0x80bef28] (124 bytes => 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00 00   .z....Q... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03   ..3..2../.......
0030 - 00 80 00 00 05 00 00 04-01 00 80 00 00 15 00 00   ................
0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08   ......@.........
0050 - 00 00 06 04 00 80 00 00-03 02 00 80 2b aa e6 b1   ............+...
0060 - 93 ba 08 f0 10 40 af 23-18 83 69 21 89 df 6f 3a   .....@.#..i!..o:
0070 - a8 43 8f d4 44 99 af a4-5b fa 87 6e               .C..D...[..n
SSL_connect:SSLv2/v3 write client hello A
read from 0x80beee0 [0x80c4488] (7 bytes => 7 (0x7))
0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
SSL_connect:error in SSLv2/v3 read server hello A
4664:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:
```

Curl gives a similar error condition:

```
# curl https://dev.acmecorp.com/
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
```

And that's about all I can think of to quote here for a start. I'm happy to check anything else someone thinks might be the matter. Thanks for any help, SSL debugging is a relatively new experience here.

mod_python PythonHandler Error (unrelated?)

BTW, there is an unrelated error in the mod_python PythonHandler command, if anyone knows the answer to that.

```
# /usr/sbin/apache2 -S
Syntax error on line 11 of /etc/apache2/vhosts.d/dev.acmecorp.com.conf:
Invalid command 'PythonHandler', perhaps mis-spelled or defined by a module not included in the server configuration
```

----------

## bunkacid

When making the certificate, the "Common Name" is the Fully Qualified Domain Name of the vhost.

In my configuration, the certificates do not need to be readable by the apache user or group.

In fact, the file permissions for the SSL-related files should be read-only.

```
chmod 400 sslcertfile
```

I do not use the 42_mod_ssl.default-vhost.conf for much outside of the basic mod_ssl configuration.

Using the Default Vhost file for your hosting will bring any undefined host to this vhost. So I like to keep the default blank, using a new vhost for new hosts.

I keep the host based information in the vhost configuration for each host, within each VirtualHost directive.

/etc/apache2/vhosts.d/02_virtual.hostname.here.conf

Each one of these is for a single host. Inside are the VirtualHost directives for the port 80, 81, and port 443 (SSL) enabled vhosts.

I also wrap my SSL enabled VirtualHost with IfDefine SSL within each host file. There is probably a better way to do this, but it works for me.

```
<IfDefine SSL>
<IfModule mod_ssl.c>
##
## SSL Virtual Host Context
##
<VirtualHost *:443>
# blah
</VirtualHost>
</IfModule>
</IfDefine>
```

Another tool you should be using for configuration of your vhosts is:

```
apache2ctl -t -D DUMP_VHOSTS
```

It's your best friend.

And as for the python help, I'm not too sure.

Make sure your /etc/conf.d/apache2 contains something similar to this.

```
APACHE2_OPTS="-D USERDIR -D PHP5 -D SSL -D DAV -D DAV_FS -D PYTHON"
```

Also read the comments in there for more help.

Hope this helps.

----------

## jeffk

 *jeffk wrote:*   

> Apache OPTS
> 
> APACHE2_OPTS has SSL SSL_DEFAULT_VHOST, plus the subversion and mod_python options I need for trac and subversion:
> 
> ```
> ...

 

I agree that explicitly defined SSL vhosts are the best strategy, at least while I'm starting out. Do you recommend removing the -D SSL_DEFAULT_VHOST from OPTS, then? The docs say include it unless I know what I'm doing.

Also note from the original post that I only make the one change to the stock 41_mod_ssl.default-vhost.conf (on my system, "42" is 42_mod_proxy.conf):

```
# grep -R SSLCertificateKeyFile /etc/apache2/
/etc/apache2/modules.d/41_mod_ssl.default-vhost.conf:#SSLCertificateKeyFile conf/ssl/server.key
/etc/apache2/modules.d/41_mod_ssl.default-vhost.conf:SSLCertificateKeyFile conf/ssl/server.pem
```

----------

## bunkacid

 *jeffk wrote:*   

> 
> 
> I agree that explicitly defined SSL vhosts are the best strategy, at least while I'm starting out. Do you recommend removing the -D SSL_DEFAULT_VHOST from OPTS, then? The docs say include it unless I know what I'm doing.
> 
> 

 

Well, by not providing a default SSL VHOST, whatever is the first VHOST on that port will by default become the default VHOST. For example, if https://joesburgershack.com.fake.tld pointed to the same IP as your real site, your real site would pick up that traffic. So unless you want that, keep the blank default vhost in place to pick up the junk.

 *jeffk wrote:*   

> 
> 
> Also note from the original post that I only make the one change to the stock 41_mod_ssl.default-vhost.conf (on my system, "42" is 42_mod_proxy.conf:
> 
> ```
> ...

 

42? Sorry, I wrote that by hand instead of cut and paste.

For the default vhost, since the file already exists, you can use 41_mod_ssl.default-vhost.conf to configure the default vhost. Or put that information in the same file as 00_default_vhost.conf.

I personally just like to keep each defined SSL virtualhost, even the defaults, within the same file as the non-SSL hostname. To me this makes it easier to manage. You could put them in separate files if you choose, though.

----------

## bunkacid

I totally forgot about this.

While port 80 is able to host a rather unlimited number of virtualhosts correctly, in order for SSL enabled virtualhosts to work properly each must live on a separate IP/port combination.

Although you can have more than 1 virtualhost per SSL enabled port, the certificate file used will be from the first SSL configuration directive. When this happens the browser will throw an error about a mismatched, or possibly malicious, host when you attempt to access the non-default virtualhost for that port.

Why can't I use SSL with name-based/non-IP-based virtual hosts?

Why is it not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?

----------

## jeffk

 *bunkacid wrote:*   

> I totally forgot about this.
> 
> While port 80 is able to host a rather unlimited number of virtualhosts correctly.
> 
> In order for SSL enabled virtualhosts to work properly each must live on a separate IP/port combination.
> ...

 

Per my original posted configuration, I am only using this static IP for this vhost. I think I'm avoiding the issue you're referring to.

 *jeffk wrote:*   

> The IP address is used only for this virtual host:
> 
> ```
> # grep -R 1.2.3.4 /etc/apache2/*
> 
> ...

 

And just to confirm that the IP isn't used again elsewhere in /etc:

```
/etc # egrep -R '1.2.3.4|dev.acmecorp.com' *
apache2/vhosts.d/dev.acmecorp.com.conf:NameVirtualHost 1.2.3.4:80
apache2/vhosts.d/dev.acmecorp.com.conf:NameVirtualHost 1.2.3.4:443
apache2/vhosts.d/dev.acmecorp.com.conf:<VirtualHost 1.2.3.4:80>
apache2/vhosts.d/dev.acmecorp.com.conf:  ServerName dev.acmecorp.com
apache2/vhosts.d/dev.acmecorp.com.conf:  ErrorLog /var/www/dev.acmecorp.com/logs/error_log
apache2/vhosts.d/dev.acmecorp.com.conf:  TransferLog /var/www/dev.acmecorp.com/logs/access_log
apache2/vhosts.d/dev.acmecorp.com.conf:<VirtualHost 1.2.3.4:443>
apache2/vhosts.d/dev.acmecorp.com.conf:  ServerName dev.acmecorp.com:443
apache2/vhosts.d/dev.acmecorp.com.conf:  ErrorLog /var/www/dev.acmecorp.com/logs/error_log
apache2/vhosts.d/dev.acmecorp.com.conf:  TransferLog /var/www/dev.acmecorp.com/logs/access_log
conf.d/net:        "1.2.3.4 netmask 255.255.255.192 broadcast 1.2.3.255"
```

Any other ideas on what this issue could be? Thanks.

----------

## bunkacid

OK, it's been a while...

So if the address is only for 1 vhost, have you tried accessing the site by IP?

https://1.2.3.4/

Also, what do the logs and ssl logs say?

----------

## jeffk

 *bunkacid wrote:*   

> have you tried accessing the site by IP? Also what does the logs and ssl logs say?

 

No change from the initial tests, but here's some more detail:

```
Firefox on the client:
https://1.2.3.164 (response) 1.2.3.4 has sent an unexpected or incorrect message. Error Code: -12263
https://dev.acmecorp.com (response) dev.acmecorp.com has sent an unexpected or incorrect message. Error Code: -12263
```

```
$ openssl s_client -connect dev.acmecorp.com:443 -state -debug
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x80bd738 [0x80be7c0] (124 bytes => 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00 00   .z....Q... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03   ..3..2../.......
0030 - 00 80 00 00 05 00 00 04-01 00 80 00 00 15 00 00   ................
0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08   ......@.........
0050 - 00 00 06 04 00 80 00 00-03 02 00 80 a6 9e cf 7a   ...............z
0060 - fd 6c 1a ce 27 ec 13 fa-dd c1 d0 3a d8 be 92 bb   .l..'......:....
0070 - 6b 85 4f 97 d5 52 83 35-6d 8f 37 3b               k.O..R.5m.7;
SSL_connect:SSLv2/v3 write client hello A
read from 0x80bd738 [0x80c3d20] (7 bytes => 7 (0x7))
0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
SSL_connect:error in SSLv2/v3 read server hello A
411:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:

$ openssl s_client -connect 1.2.3.4:443 -state -debug
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x80bd680 [0x80bdd00] (124 bytes => 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00 00   .z....Q... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03   ..3..2../.......
0030 - 00 80 00 00 05 00 00 04-01 00 80 00 00 15 00 00   ................
0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08   ......@.........
0050 - 00 00 06 04 00 80 00 00-03 02 00 80 84 16 43 86   ..............C.
0060 - 58 c6 19 0d 0a e5 44 30-a4 0c 19 ac ce 66 d1 44   X.....D0.....f.D
0070 - 10 42 63 59 f3 94 a7 f9-e3 8f 2d 6f               .BcY......-o
SSL_connect:SSLv2/v3 write client hello A
read from 0x80bd680 [0x80c3260] (7 bytes => 7 (0x7))
0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
SSL_connect:error in SSLv2/v3 read server hello A
719:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:

$ openssl s_client -connect 1.2.3.4:443/trac -state -debug
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x80bd680 [0x80bdd00] (124 bytes => 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00 00   .z....Q... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03   ..3..2../.......
0030 - 00 80 00 00 05 00 00 04-01 00 80 00 00 15 00 00   ................
0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08   ......@.........
0050 - 00 00 06 04 00 80 00 00-03 02 00 80 75 85 90 e2   ............u...
0060 - 6b 08 c0 ba 4c 63 5d 07-94 8c 4c cb d6 57 a0 3e   k...Lc]...L..W.>
0070 - 8b 45 a3 29 3f 9d 29 66-8f 0f 5d 4b               .E.)?.)f..]K
SSL_connect:SSLv2/v3 write client hello A
read from 0x80bd680 [0x80c3260] (7 bytes => 7 (0x7))
0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
SSL_connect:error in SSLv2/v3 read server hello A
720:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:

$ curl https://dev.acmecorp.com
curl: (35) gnutls_handshake() failed: -8
$ curl https://dev.acmecorp.com/
curl: (35) gnutls_handshake() failed: -8
$ curl https://1.2.3.4
curl: (35) gnutls_handshake() failed: -8
$ curl https://1.2.3.4/
curl: (35) gnutls_handshake() failed: -8
$ curl https://1.2.3.4/trac
curl: (35) gnutls_handshake() failed: -8
```

```
# tail /var/www/dev.acmecorp.com/logs/error_log
[Mon Jan 22 16:01:14 2007] [error] [client 4.3.2.1] Invalid method in request \x16\x03\x01
[Mon Jan 22 16:01:42 2007] [error] [client 4.3.2.1] Invalid method in request \x16\x03\x01
[Mon Jan 22 16:01:56 2007] [error] [client 4.3.2.1] Invalid method in request \x16\x03\x01
[Mon Jan 22 16:09:33 2007] [error] [client 4.3.2.1] Invalid method in request \x80z\x01\x03\x01
[Mon Jan 22 16:10:00 2007] [error] [client 4.3.2.1] Invalid method in request \x80z\x01\x03\x01
[Mon Jan 22 16:10:27 2007] [error] [client 4.3.2.1] Invalid method in request \x16\x03\x01
[Mon Jan 22 16:10:29 2007] [error] [client 4.3.2.1] Invalid method in request \x16\x03\x01
[Mon Jan 22 16:10:51 2007] [error] [client 4.3.2.1] Invalid method in request \x16\x03\x01
[Mon Jan 22 16:10:59 2007] [error] [client 4.3.2.1] Invalid method in request \x16\x03\x01
[Mon Jan 22 16:11:02 2007] [error] [client 4.3.2.1] Invalid method in request \x16\x03\x01

# tail /var/www/dev.acmecorp.com/logs/access_log
4.3.2.1 - - [22/Jan/2007:16:01:14 -0500] "\x16\x03\x01" 501 279
4.3.2.1 - - [22/Jan/2007:16:01:42 -0500] "\x16\x03\x01" 501 279
4.3.2.1 - - [22/Jan/2007:16:01:56 -0500] "\x16\x03\x01" 501 279
4.3.2.1 - - [22/Jan/2007:16:09:33 -0500] "\x80z\x01\x03\x01" 501 281
4.3.2.1 - - [22/Jan/2007:16:10:00 -0500] "\x80z\x01\x03\x01" 501 281
4.3.2.1 - - [22/Jan/2007:16:10:27 -0500] "\x16\x03\x01" 501 279
4.3.2.1 - - [22/Jan/2007:16:10:29 -0500] "\x16\x03\x01" 501 279
4.3.2.1 - - [22/Jan/2007:16:10:51 -0500] "\x16\x03\x01" 501 279
4.3.2.1 - - [22/Jan/2007:16:10:59 -0500] "\x16\x03\x01" 501 279
4.3.2.1 - - [22/Jan/2007:16:11:02 -0500] "\x16\x03\x01" 501 279
```

This command's output is munged with search-replace, but I took care not to introduce errors. The IPs are offset from their actual values, 1.2.3.4 is the one of interest to this thread:

```
# apache2ctl -t -D DUMP_VHOSTS
VirtualHost configuration:
1.2.3.0:*        is a NameVirtualHost
         default server www.acmecorp1.com (/etc/apache2/vhosts.d/acmecorp1.com.conf:3)
         port * namevhost www.acmecorp1.com (/etc/apache2/vhosts.d/acmecorp1.com.conf:3)
1.2.3.3:*        is a NameVirtualHost
         default server acmecorp2.acmecorp.com (/etc/apache2/vhosts.d/acmecorp2.acmecorp.com.conf:1)
         port * namevhost acmecorp2.acmecorp.com (/etc/apache2/vhosts.d/acmecorp2.acmecorp.com.conf:1)
         port * namevhost acmecorp3.acmecorp.com (/etc/apache2/vhosts.d/acmecorp3.acmecorp.com.conf:1)
         port * namevhost www.acmecorp4.com (/etc/apache2/vhosts.d/acmecorp4.com.conf:1)
         port * namevhost dev1.acmecorp.com (/etc/apache2/vhosts.d/dev1.acmecorp.com.conf:1)
         port * namevhost www.acmecorp5.com (/etc/apache2/vhosts.d/acmecorp5.com.conf:1)
         port * namevhost www.acmecorp6.net (/etc/apache2/vhosts.d/acmecorp6.com.conf:1)
1.2.3.4:80       is a NameVirtualHost
         default server dev.acmecorp.com (/etc/apache2/vhosts.d/dev.acmecorp.com.conf:4)
         port 80 namevhost dev.acmecorp.com (/etc/apache2/vhosts.d/dev.acmecorp.com.conf:4)
1.2.3.4:443      is a NameVirtualHost
         default server dev.acmecorp.com (/etc/apache2/vhosts.d/dev.acmecorp.com.conf:32)
         port 443 namevhost dev.acmecorp.com (/etc/apache2/vhosts.d/dev.acmecorp.com.conf:32)
1.2.3.12:*        is a NameVirtualHost
         default server www.acmecorp7.com (/etc/apache2/vhosts.d/acmecorp7.com.conf:3)
         port * namevhost www.acmecorp7.com (/etc/apache2/vhosts.d/acmecorp7.com.conf:3)
1.2.3.13:*        is a NameVirtualHost
         default server www.acmecorp8.com (/etc/apache2/vhosts.d/acmecorp8.com.conf:1)
         port * namevhost www.acmecorp8.com (/etc/apache2/vhosts.d/acmecorp8.com.conf:1)
1.2.3.14:*        is a NameVirtualHost
         default server www.acmecorp9.com (/etc/apache2/vhosts.d/acmecorp9.com.conf:3)
         port * namevhost www.acmecorp9.com (/etc/apache2/vhosts.d/acmecorp9.com.conf:3)
1.2.3.25:*        is a NameVirtualHost
         default server www.acmecorp10.com (/etc/apache2/vhosts.d/acmecorp10.com.conf:3)
         port * namevhost www.acmecorp10.com (/etc/apache2/vhosts.d/acmecorp10.com.conf:3)
         port * namevhost dev2.acmecorp.com (/etc/apache2/vhosts.d/dev2.acmecorp.com.conf:1)
         port * namevhost www.acmecorp11.com (/etc/apache2/vhosts.d/acmecorp11.com.conf:1)
1.2.3.26:*        is a NameVirtualHost
         default server www.acmecorp12.com (/etc/apache2/vhosts.d/acmecorp12.com.conf:3)
         port * namevhost www.acmecorp12.com (/etc/apache2/vhosts.d/acmecorp12.com.conf:3)
1.2.3.29:*        www.acmecorp13.com (/etc/apache2/vhosts.d/acmecorp13.com.conf:1)
1.2.3.10:*        is a NameVirtualHost
         default server www.acmecorp14.com (/etc/apache2/vhosts.d/acmecorp14.com.conf:3)
         port * namevhost www.acmecorp14.com (/etc/apache2/vhosts.d/acmecorp14.com.conf:3)
         port * namevhost www.acmecorp14.org (/etc/apache2/vhosts.d/acmecorp14.org.conf:3)
1.2.3.11:*        is a NameVirtualHost
         default server www.acmecorp15.com (/etc/apache2/vhosts.d/acmecorp15.com.conf:3)
         port * namevhost www.acmecorp15.com (/etc/apache2/vhosts.d/acmecorp15.com.conf:3)
1.2.3.21:*        is a NameVirtualHost
         default server www.acmecorp16.com (/etc/apache2/vhosts.d/acmecorp16.com.conf:1)
         port * namevhost www.acmecorp16.com (/etc/apache2/vhosts.d/acmecorp16.com.conf:1)
         port * namevhost www.acmecorp17.com (/etc/apache2/vhosts.d/acmecorp17.com.conf:1)
wildcard NameVirtualHosts and _default_ servers:
_default_:443          localhost (/etc/apache2/modules.d/41_mod_ssl.default-vhost.conf:12)
*:80                   is a NameVirtualHost
         default server myhost.acmecorp.com (/etc/apache2/vhosts.d/00_default_vhost.conf:41)
         port 80 namevhost myhost.acmecorp.com (/etc/apache2/vhosts.d/00_default_vhost.conf:41)
Syntax OK
```

Last edited by jeffk on Tue Jan 23, 2007 1:23 am; edited 1 time in total
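
Added example, not part of jeffk's post: the access_log entries above are the first bytes of an SSL/TLS ClientHello that Apache tried to read as an HTTP request line, which fits the plaintext `<!DOCTY` reply that `openssl s_client` received. The Python below flags such entries in an access log; the function names and the third sample line are constructed for illustration.

```python
import re

# Access-log lines in the format quoted above. The first two are copied from the
# thread; the third is a constructed ordinary request, added for contrast.
SAMPLE_ACCESS_LOG = [
    r'4.3.2.1 - - [22/Jan/2007:16:01:14 -0500] "\x16\x03\x01" 501 279',
    r'4.3.2.1 - - [22/Jan/2007:16:09:33 -0500] "\x80z\x01\x03\x01" 501 281',
    r'4.3.2.1 - - [22/Jan/2007:16:12:00 -0500] "GET /trac HTTP/1.1" 200 5120',
]

LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(.*)" (\d{3}) \S+$')
HEX_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})')
HTTP_REQUEST = re.compile(rb'^[A-Z]+ \S+ HTTP/\d\.\d$')


def unescape(field: str) -> bytes:
    """Turn the \\xHH escapes Apache writes to its logs back into raw bytes."""
    text = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), field)
    return text.encode("latin-1")


def classify(request: bytes) -> str:
    """Name the protocol the client was speaking, from the logged prefix."""
    if len(request) >= 3 and request[0] == 0x16 and request[1] == 0x03:
        # TLS record header: content type 0x16 (handshake), then major.minor.
        return f"tls-handshake (record version 3.{request[2]})"
    if (len(request) >= 5 and request[0] & 0x80
            and request[2] == 0x01 and request[3] == 0x03):
        # SSLv2-format record: 15-bit length, message type 1 (ClientHello),
        # then the highest protocol version the client offers.
        length = ((request[0] & 0x7F) << 8) | request[1]
        return f"sslv2-format-client-hello (offers 3.{request[4]}, {length} bytes)"
    if HTTP_REQUEST.match(request):
        return "http"
    return "other"


def tls_on_plaintext_port(lines):
    """Return (client, kind, status) for each hello that was handled as HTTP."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, field, status = m.groups()
        kind = classify(unescape(field))
        if kind.startswith(("tls-", "sslv2-")):
            hits.append((client, kind, int(status)))
    return hits


if __name__ == "__main__":
    for client, kind, status in tls_on_plaintext_port(SAMPLE_ACCESS_LOG):
        print(f"{client}: {kind} answered with HTTP {status}")
```

The 122-byte length decoded from `\x80z` plus the 2-byte record header equals the 124 bytes `openssl s_client` reports writing.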

----------

## bunkacid

Try specifying the ports for each vhost instead of using

```
1.2.3.4:*        is a NameVirtualHost 
```

```
1.2.3.4:80        is a NameVirtualHost
1.2.3.4:443        is a NameVirtualHost
```

----------

## jeffk

 *bunkacid wrote:*   

> try specifying the ports for each vhost? instead of using
> 
> ```
> 1.2.3.4:*        is a NameVirtualHost 
> ```
> ...

 

Not sure what you meant there. 1.2.3.4 is the static IP of the NameVirtualHost I'm trying to reach via https, and it's the only one set up as you specified, if I'm understanding you correctly:

```
1.2.3.4:80       is a NameVirtualHost
         default server dev.acmecorp.com (/etc/apache2/vhosts.d/dev.acmecorp.com.conf:4)
         port 80 namevhost dev.acmecorp.com (/etc/apache2/vhosts.d/dev.acmecorp.com.conf:4)
1.2.3.4:443      is a NameVirtualHost
         default server dev.acmecorp.com (/etc/apache2/vhosts.d/dev.acmecorp.com.conf:32)
         port 443 namevhost dev.acmecorp.com (/etc/apache2/vhosts.d/dev.acmecorp.com.conf:32)
```

```
# cat /etc/apache2/vhosts.d/dev.acmecorp.com.conf
NameVirtualHost 1.2.3.4:80
NameVirtualHost 1.2.3.4:443

<VirtualHost 1.2.3.4:80>
...
</VirtualHost>

<VirtualHost 1.2.3.4:443>
...
</VirtualHost>
```

I'm not trying to reach the other IP/NameVirtualHosts via SSL, because several of them are sharing IPs, which I know I won't be able to do.

----------

## bunkacid

 *jeffk wrote:*   

>  *bunkacid wrote:*   try specifying the ports for each vhost? instead of using
> 
> ```
> 1.2.3.4:*        is a NameVirtualHost 
> ```
> ...

 

They can share the same IP address with SSL, just not the same PORT.

You would have to use TCP/44300, TCP/44301 for example, and use mod_rewrite to send clients to the SSL host via the non-SSL port 80 vhost.

Also, I meant to use a specified port for the vhosts on your box which have * set for the port.

Gotta run.

----------

## sundialsvc4

Not quite on-topic but worth mentioning because you will run into it sooner or later ...

"CSS Stylesheets!"

When you are serving-up an SSL-protected page, the stylesheet used in that page must come from an "HTTPS:" URI.

----------

## buzzin

I ran into this issue and found that adding the following in each vhost def resolved it.

```
SSLEngine on
```
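
Added example, not part of buzzin's post: a small Python check that reports `<VirtualHost>` blocks bound to port 443 with no `SSLEngine on` inside them, run against an abbreviated copy of the vhost file from the first post and against the same file with the directive added. The function name is constructed for illustration, and the check reads a single file's text without following `Include` or server-level settings.

```python
import re

# Abbreviated from the vhost file posted in the thread (most directives trimmed).
THREAD_CONF = """\
NameVirtualHost 1.2.3.4:80
NameVirtualHost 1.2.3.4:443

<VirtualHost 1.2.3.4:80>
  ServerName dev.acmecorp.com
</VirtualHost>

<VirtualHost 1.2.3.4:443>
  ServerName dev.acmecorp.com:443
  <Location /trac>
    SetHandler mod_python
  </Location>
</VirtualHost>
"""

# The same file with the directive from the post above added to the :443 vhost.
FIXED_CONF = THREAD_CONF.replace(
    "  ServerName dev.acmecorp.com:443\n",
    "  ServerName dev.acmecorp.com:443\n  SSLEngine on\n",
)

# Apache directive and section names are case-insensitive.
VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.I)
VHOST_CLOSE = re.compile(r"^</VirtualHost>$", re.I)
SSL_ENGINE = re.compile(r"^SSLEngine\s+(\S+)$", re.I)


def plaintext_vhosts_on_tls_ports(conf_text, tls_ports=("443",)):
    """Return (line_number, address) for vhosts on a TLS port lacking SSLEngine on."""
    findings = []
    current = None  # [opening line, addresses on a TLS port, SSLEngine on seen]
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = VHOST_OPEN.match(line)
        if opened:
            addrs = [a for a in opened.group(1).split()
                     if a.rsplit(":", 1)[-1] in tls_ports]
            current = [lineno, addrs, False]
        elif current and VHOST_CLOSE.match(line):
            start, addrs, engine_on = current
            if not engine_on:
                findings.extend((start, addr) for addr in addrs)
            current = None
        elif current:
            engine = SSL_ENGINE.match(line)
            if engine and engine.group(1).lower() == "on":
                current[2] = True
    return findings


if __name__ == "__main__":
    for name, text in (("thread", THREAD_CONF), ("fixed", FIXED_CONF)):
        print(name, plaintext_vhosts_on_tls_ports(text))
```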

----------

