# Some SSL confusion - apache2 SSL/SNI problems w/ trial crt

## stardotstar

Hi all,

Just learning how to get https running on my Apache server.

I run virtual hosts over http just fine, resolving names to the two local IPs.

I have followed the various setup details eg

http://en.gentoo-wiki.com/wiki/Apache2/SSL_and_Name_Based_Virtual_Hosts

Having taken up a trial certificate from InstantSSL, I have looked right through their configuration FAQs etc.

I am not seeing anything that I can think would be causing the error:

```
(Error code: sec_error_reused_issuer_and_serial)
```

Now I know that this error would be common to various circumstances, but this being the one (and only) certificate issued to me and installed, I can only think I have a name mismatch or something else that is necessary to ensure that the specific site is identifying itself correctly with respect to the client and certificates/keys etc.

This stuff is far from transparent to me at the moment but I feel that I have grasped the basics.

This is what I have done:

- I want a simple hello world index.html at https://helios.sourcepoint.com.au

This is the url I specified when I applied for the certificate.

I generated a key on the server and called it helios.key, placed it in the /etc/apache2/ssl/key/ directory

I received the zip from COMODO/InstantSSL and unzipped the helios_sourcepoint_com_au.crt and -ca-bundle into the /etc/apache2/ssl/crt/ directory

Then I ensured that apache2 was built with the USE flags for SSL and SNI (yes and yes).

I ensured that my modules were properly specified in apache conf:

```
APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D PHP5"
```

I edited my /etc/apache2/vhosts.d/00_default_ssl_vhost.conf thus:

```
<IfDefine SSL>
<IfDefine SSL_DEFAULT_VHOST>
<IfModule ssl_module>
# see bug #178966 why this is in here
# When we also provide SSL we have to listen to the HTTPS port
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
Listen 443

NameVirtualHost 119.202.63.186:443

<VirtualHost 119.202.63.186:443>
        ServerName helios.sourcepoint.com.au
        Include /etc/apache2/vhosts.d/helios.sourcepoint.com.au_ssl_vhost.include

        SSLEngine on
        ErrorLog /var/log/apache2/ssl_error_log

        # ALL already contains the LOW and 40-bit EXP ciphers; the "+..." entries only
        # reorder what is already in the list (+eNULL adds nothing, ALL excludes eNULL)
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

        SSLCertificateKeyFile /etc/apache2/ssl/key/helios.key
        SSLCertificateFile /etc/apache2/ssl/crt/helios_sourcepoint_com_au.crt
        SSLCertificateChainFile /etc/apache2/ssl/crt/helios_sourcepoint_com_au.ca-bundle

        SSLOptions StrictRequire
        SSLProtocol all -SSLv2
</VirtualHost>

# the three sections opened above must be closed or apache2 refuses the configuration
</IfModule>
</IfDefine>
</IfDefine>
```

I then made an include for the site itself

```
stardotstar@helios ~ $ cat /etc/apache2/vhosts.d/helios.sourcepoint.com.au_ssl_vhost.include
# ServerAdmin: Your address, where problems with the server should be
# e-mailed.  This address appears on some server-generated pages, such
# as error documents.  e.g. admin@your-domain.com
ServerAdmin webmin@sourcepoint.com.au

# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
# If you change this to something that isn't under /var/www then suexec
# will no longer work.
DocumentRoot "/var/www/sourcepoint/htdocs/secure"

# This should be changed to whatever you set DocumentRoot to.
<Directory "/var/www/sourcepoint/htdocs/secure">
        SSLRequireSSL

        # Possible values for the Options directive are "None", "All",
        # or any combination of:
        #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
        #
        # Note that "MultiViews" must be named *explicitly* --- "Options All"
        # doesn't give it to you.
        #
        # The Options directive is both complicated and important.  Please see
        # http://httpd.apache.org/docs/2.2/mod/core.html#options
        # for more information.
        Options Indexes FollowSymLinks

        # AllowOverride controls what directives may be placed in .htaccess files.
        # It can be "All", "None", or any combination of the keywords:
        #   Options FileInfo AuthConfig Limit
        AllowOverride All

        # Controls who can get stuff from this server.
        Order allow,deny
        Allow from all
</Directory>

<IfModule alias_module>
        # Redirect: Allows you to tell clients about documents that used to
        # exist in your server's namespace, but do not anymore. The client
        # will make a new request for the document at its new location.
        # Example:
        #   Redirect permanent /foo http://www.example.com/bar

        # Alias: Maps web paths into filesystem paths and is used to
        # access content that does not live under the DocumentRoot.
        # Example:
        #   Alias /webpath /full/filesystem/path
        #
        # If you include a trailing / on /webpath then the server will
        # require it to be present in the URL.  You will also likely
        # need to provide a <Directory> section to allow access to
        # the filesystem path.

        # ScriptAlias: This controls which directories contain server scripts.
        # ScriptAliases are essentially the same as Aliases, except that
        # documents in the target directory are treated as applications and
        # run by the server when requested rather than as documents sent to the
        # client.  The same rules about trailing "/" apply to ScriptAlias
        # directives as to Alias.
        ScriptAlias /cgi-bin/ "/var/www/sourcepoint/cgi-bin/"
</IfModule>

# "/var/www/localhost/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
<Directory "/var/www/sourcepoint/cgi-bin">
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
</Directory>

# vim: ts=4 filetype=apache
```

I restarted apache2 and, after a couple of syntax error issues, I got it running cleanly. Note that my other sites are running fine.

But when I hit:

https://helios.sourcepoint.com.au

I get the error:

```
Secure Connection Failed

An error occurred during a connection to helios.sourcepoint.com.au.

You have received an invalid certificate.  Please contact the server administrator or email correspondent and give them the following information:

Your certificate contains the same serial number as another certificate issued by the certificate authority.  Please get a new certificate containing a unique serial number.

(Error code: sec_error_reused_issuer_and_serial)

The page you are trying to view can not be shown because the authenticity of the received data could not be verified.

    * Please contact the web site owners to inform them of this problem.
```

Can someone who sees straight to the heart of this no doubt simple issue give me a helping hand here?

Thanks Gentooers

Will

----------
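The error quoted in the first post, sec_error_reused_issuer_and_serial, is raised by Firefox when the certificate it has just received carries the same issuer name and serial number as a different certificate already sitting in its certificate store. Two self-signed test certificates generated on two different machines by a script that uses a fixed serial number collide in exactly this way. The script below is an added example, not code from the post, from Apache or from the browser: it pulls issuer and serial out of DER or PEM certificates with a small stdlib-only parser (the same two fields `openssl x509 -noout -issuer -serial` prints per file) and reports every group of files that share them. The sample certificates are constructed inside the script with placeholder keys and signatures; the organisation and CA names in them are assumptions.

```python
"""Find certificates that share an issuer name and serial number.

Added example for this thread (not code from the post, Apache or NSS).  The
browser indexes stored certificates by (issuer DN, serial); receiving a
different certificate under the same pair raises
sec_error_reused_issuer_and_serial.  The sample certificates are constructed
with a minimal DER encoder: placeholder keys and signatures, assumed names.
"""
import base64


def _tlv(tag, content):
    """DER tag-length-value with short or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _int(v):
    """DER INTEGER for a non-negative value (leading 0x00 added when the high bit is set)."""
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


OID_CN, OID_O = b"\x55\x04\x03", b"\x55\x04\x0a"   # id-at-commonName, id-at-organizationName
ALG_ID = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + b"\x05\x00")  # sha256WithRSA


def _name(org, cn):
    """X.501 Name: SEQUENCE of RDN SETs, each holding one type/value pair."""
    def rdn(oid, value):
        return _tlv(0x31, _tlv(0x30, _tlv(0x06, oid) + _tlv(0x0C, value.encode())))
    return _tlv(0x30, rdn(OID_O, org) + rdn(OID_CN, cn))


def make_cert(issuer, subject, serial, not_before=b"240101000000Z"):
    """Constructed v3 certificate shell; key and signature bytes are placeholders."""
    validity = _tlv(0x30, _tlv(0x17, not_before) + _tlv(0x17, b"250101000000Z"))
    spki = _tlv(0x30, ALG_ID + _tlv(0x03, b"\x00" * 17))
    tbs = _tlv(0x30, _tlv(0xA0, _int(2)) + _int(serial) + ALG_ID
               + _name(*issuer) + validity + _name(*subject) + spki)
    return _tlv(0x30, tbs + ALG_ID + _tlv(0x03, b"\x00" * 17))


def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


def pem_to_der(text):
    body = text.split("-----BEGIN CERTIFICATE-----")[1].split("-----END CERTIFICATE-----")[0]
    return base64.b64decode("".join(body.split()))


def issuer_and_serial(der):
    """Return (issuer Name as raw DER bytes, serial as int) from a DER certificate."""
    _, pos, _ = _read_tlv(der, 0)                  # Certificate ::= SEQUENCE
    _, pos, _ = _read_tlv(der, pos)                # tbsCertificate ::= SEQUENCE
    tag, vs, ve = _read_tlv(der, pos)
    if tag == 0xA0:                                # optional [0] EXPLICIT version
        tag, vs, ve = _read_tlv(der, ve)
    assert tag == 0x02, "serialNumber must be an INTEGER"
    serial = int.from_bytes(der[vs:ve], "big", signed=True)
    _, _, pos = _read_tlv(der, ve)                 # signature AlgorithmIdentifier, skipped
    tag, _, end = _read_tlv(der, pos)              # issuer Name, kept as raw DER so the
    assert tag == 0x30, "issuer must be a Name"    # comparison is byte-exact, not cosmetic
    return der[pos:end], serial


def issuer_cn(name_der):
    """Pull the commonName out of a DER Name (display only)."""
    _, pos, end = _read_tlv(name_der, 0)
    while pos < end:
        _, s, e = _read_tlv(name_der, pos)         # RelativeDistinguishedName (SET)
        _, a, _ = _read_tlv(name_der, s)           # AttributeTypeAndValue (SEQUENCE)
        _, os_, oe = _read_tlv(name_der, a)        # type OID
        _, vs, ve = _read_tlv(name_der, oe)        # value
        if name_der[os_:oe] == OID_CN:
            return name_der[vs:ve].decode()
        pos = e
    return None


def find_reused(certs):
    """certs: {label: DER bytes}. Return [(issuer CN, serial, [labels])] for every collision."""
    groups = {}
    for label, der in certs.items():
        groups.setdefault(issuer_and_serial(der), []).append(label)
    return [(issuer_cn(i), s, labels) for (i, s), labels in groups.items() if len(labels) > 1]


# Constructed input: two machines each generated a self-signed "localhost" test
# certificate with the same fixed serial, plus one CA-issued certificate.
LOCALHOST = ("Apache HTTP Server", "localhost")
SAMPLE_CERTS = {
    "box1-localhost": make_cert(LOCALHOST, LOCALHOST, 2),
    "box2-localhost": make_cert(LOCALHOST, LOCALHOST, 2, not_before=b"240601000000Z"),
    "helios": make_cert(("Example CA", "Example Issuing CA"),
                        ("Sourcepoint", "helios.sourcepoint.com.au"), 0x1A2B3C),
}

if __name__ == "__main__":
    for cn, serial, labels in find_reused(SAMPLE_CERTS):
        print(f"issuer CN={cn!r} serial={serial}: reused by {labels}")
```

To run it against a real server, feed `pem_to_der()` the files under /etc/apache2/ssl/crt/ together with whatever the browser actually received (its certificate viewer can export it); a collision between the exported certificate and one already stored is the condition the error message describes, and clearing the stored copy, as the second post does, is the usual way out.

----------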

## stardotstar

OK, I have made some progress: I deleted all my certificates in my browser and followed the steps to add an exception for what appears to be a self-signed localhost certificate.

I thought I had done the necessary steps.

The only other certificate that I know of with this server is my iLO connection - on another IP to the virtual ssl host I am trying to configure.

Once I added the exception I got to "It Works!", so clearly I have missed something with pointing to my new certificate.

The certificate I have, now that I look at it, is:

- the localhost
- Apache HTTP server
- Test Certificate 02

and so on...

So...  It is not picking up my configured certificates or is being misdirected for some reason...

----------
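The second post shows the server handing out the distribution's self-signed test certificate rather than the one configured for helios. Which certificate mod_ssl sends is settled before any name check runs, by which virtual host wins the connection. The script below is an added example and a deliberately simplified model of the name-based vhost rules documented for Apache 2.2, not Apache's own code: it shows one way the symptom arises, namely a client that reaches the server on an address for which no `<VirtualHost ip:443>` exists, or that sends no SNI, being served by the first vhost in configuration order for that socket. The second IP address, the file order and the certificate file names are assumptions; the model also assumes `NameVirtualHost` is set for every address in play.

```python
"""Which certificate does a name-based SSL vhost setup send to a client?

Added example for this thread: a simplified model of the Apache 2.2 rules the
post relies on, not Apache's own code.  Assumed rules, as documented for
NameVirtualHost-based configurations:
  1. candidates are the vhosts on the client's local IP:port; vhosts bound to
     that exact IP win, '*' / '_default_' vhosts are used only when no vhost
     is bound to that IP;
  2. with SNI, the first candidate whose ServerName/ServerAlias equals the
     SNI name (case-insensitively) is chosen;
  3. otherwise (no SNI, or no name matched) the first candidate in
     configuration order serves the connection, certificate included.
Addresses, file order and certificate file names below are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class VHost:
    address: str                                 # exact IP, '*' or '_default_'
    port: int
    cert: str                                    # the SSLCertificateFile in use
    names: list = field(default_factory=list)    # ServerName plus any ServerAlias


def select_vhost(vhosts, local_ip, port, sni=None):
    """Return the VHost Apache would pick for this connection, or None."""
    on_port = [v for v in vhosts if v.port == port]
    exact = [v for v in on_port if v.address == local_ip]
    candidates = exact or [v for v in on_port if v.address in ("*", "_default_")]
    if not candidates:
        return None
    if sni:
        wanted = sni.lower()
        for v in candidates:
            if wanted in (n.lower() for n in v.names):
                return v
    return candidates[0]          # no name match: first vhost for this socket is the default


def served_cert(vhosts, local_ip, port, sni=None):
    """Certificate file the client ends up seeing, or None if nothing is bound."""
    v = select_vhost(vhosts, local_ip, port, sni)
    return v.cert if v else None


HELIOS = "helios.sourcepoint.com.au"
IP_A, IP_B = "119.202.63.186", "192.0.2.20"      # IP_B: the box's second address, assumed

# First-post layout: the helios vhost bound to one IP only, plus an (assumed)
# default SSL vhost elsewhere in vhosts.d that still carries the test certificate.
ORIGINAL = [
    VHost("_default_", 443, "test-localhost.crt", ["localhost"]),
    VHost(IP_A, 443, "helios_sourcepoint_com_au.crt", [HELIOS]),
]

# Third-post layout: NameVirtualHost *:443, every SSL vhost on *:443, helios first.
REWORKED = [
    VHost("*", 443, "helios_sourcepoint_com_au.crt", [HELIOS]),
    VHost("*", 443, "test-localhost.crt", ["localhost"]),
]

if __name__ == "__main__":
    for layout, ip, sni in [(ORIGINAL, IP_A, HELIOS), (ORIGINAL, IP_B, HELIOS),
                            (REWORKED, IP_B, HELIOS), (REWORKED, IP_B, None),
                            (REWORKED, IP_B, "somethingelse.sourcepoint.com.au")]:
        print(f"{ip}:443 sni={sni!r} -> {served_cert(layout, ip, 443, sni)}")
```

The practical check this models is `openssl s_client -connect <ip>:443 -servername helios.sourcepoint.com.au` run once per local address, with and without `-servername`: whichever subject comes back is the vhost that won, and if it is the test certificate the helios vhost simply is not first (or not bound at all) for the socket the browser is hitting.

----------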

## stardotstar

I have taken my virtual host definition for helios.sourcepoint.com.au out and used the existing _default_ one, after defining NameVirtualHost *:443 and then pointing it to the same directory as the http definition of the main sourcepoint site.

This works perfectly up until the domain changes from helios.sourcepoint.com.au to somethingelse.sourcepoint.com.au, because the name is different. So I guess that I need to get a cert for all of sourcepoint.com.au, or do all my secure transactions on vhosts subordinate to helios.sourcepoint.com.au.

If anyone has some comments to make about this, please do pitch in; otherwise I will continue to stumble around in the dark and hit the Apache pages in the morning.

Cheers,

Will

----------
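The third post runs into the browser's hostname check: a certificate issued to helios.sourcepoint.com.au is presented for somethingelse.sourcepoint.com.au, and the name on the certificate is the only thing the browser compares. The script below is an added example, not code from the post, Apache or any browser, implementing the RFC 6125 matching rules that decide the question asked there. It goes slightly beyond the post in that it also handles subjectAltName lists and wildcard certificates, which is what "a cert for all of sourcepoint.com.au" would be: `*.sourcepoint.com.au` covers helios.sourcepoint.com.au and somethingelse.sourcepoint.com.au, but not sourcepoint.com.au itself and not a.b.sourcepoint.com.au. The public-suffix restriction browsers apply to wildcards is only approximated, as noted in the code.

```python
"""Does a certificate cover the hostname the browser asked for?

Added example for this thread, not code from the post, Apache or a browser.
It applies the RFC 6125 name-matching rules behind the third post's problem
(a certificate for helios.sourcepoint.com.au is presented for
somethingelse.sourcepoint.com.au):
  - DNS subjectAltNames are authoritative; the CN is consulted only when the
    certificate has no DNS SAN at all (current browsers are at least this strict);
  - comparison is case-insensitive and label by label;
  - '*' counts only as the whole left-most label, covers exactly one label,
    and must have at least two labels to its right, so '*.com' is refused.
    Browsers also refuse public suffixes such as '*.com.au'; that needs the
    public-suffix list and is not modelled here.
"""


def _labels(name):
    return name.lower().rstrip(".").split(".")


def name_matches(pattern, hostname):
    """True if one certificate name (CN or DNS SAN) covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if "" in p or "" in h:                       # empty label: malformed name
        return False
    if "*" not in pattern:
        return p == h                            # plain name: exact label match
    if p[0] != "*" or any("*" in l for l in p[1:]) or len(p) < 3:
        return False                             # partial, repeated or too-short wildcards
    return len(h) == len(p) and h[1:] == p[1:]   # exactly one label under the same parent


def cert_covers(hostname, common_name=None, dns_sans=()):
    """Return the certificate name that matched hostname, or None."""
    names = list(dns_sans) if dns_sans else ([common_name] if common_name else [])
    for name in names:
        if name_matches(name, hostname):
            return name
    return None


if __name__ == "__main__":
    cert_cn = "helios.sourcepoint.com.au"         # what the post's certificate was issued for
    for host in ("helios.sourcepoint.com.au", "somethingelse.sourcepoint.com.au"):
        print(f"{host}: single-name cert -> {cert_covers(host, cert_cn)!r}, "
              f"wildcard cert -> {cert_covers(host, '*.sourcepoint.com.au')!r}")
```

So the two options named in the post are exactly the two outcomes the function gives: either every secure site lives under the one name the certificate carries, or the certificate carries the other names, as extra DNS subjectAltNames or as a `*.sourcepoint.com.au` wildcard, in which case one vhost with SNI, as set up in the third post, can serve them all.

----------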

