Chris Kenward
asked on
Setting up SSL Virtual Hosts on Apache2 with individual IPs
Hi Folks
I am trying to set up virtual hosts on my CentOS 5.5 server with SSL. I've been setting up Apache with "normal" virtual hosts for ages so I know how to do that but have never attempted to set up one or more of them with their own SSL certificates, each on a separate IP address.
I've set up the first site with normal VirtualHost on *:80 and now I want to give the site the ability to be accessed on port 443. I've so far done the following:
In the http.conf file:
01. Added Listen 1.2.3.4:443 below the Listen 1.2.3.4:80
02. Added NameVirtualHost *:443 under the NameVirtualHost *:80
03. Added a dummy :443 default vhost entry near the top of the httpd.conf file
04. Added the following to the httpd.conf file
<VirtualHost 210.45.150.141:443>
SSLEngine on
SSLCertificateFile /etc/ssl_files/customer/customer.crt
SSLCertificateKeyFile /etc/ssl_files/customer/customer.key
<Directory /var/www/html/customer>
AllowOverride All
</Directory>
DocumentRoot /var/www/html/customer
ServerName www.customer.co.uk
</VirtualHost>
When I restart Apache I get a socket error as follows:
(98)Address already in use: make_sock: could not bind to address [::]:443
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
I have a feeling that it has something to do with the fact that I haven't yet added the IP for SSL certificate to the Network config on the server but to be honest I'm not sure how to do that or even that I need to? I know when I set up certs on our Windows servers I need to add the new IP and gateway to the network setup but not sure whether it's the same for CentOS.
Any help greatly appreciated
Cheers
Chris
Is the port already in use?
ASKER
Not as far as I am aware. There are no other certificates installed on the server.
ASKER
Just a leetle bump - surely someone knows how to do this? I'm getting pretty desperate for a solution to this issue - have a customer nagging for his SSL certificate to be active.
Anyone?
ASKER
Update - September 01
When I tried earlier to restart APACHE after adding the "Listen *:443" etc to the config file, I got errors. I've got to where I think I needed to add a virtual network interface to my eth0 and have done that, as well as created the same thing under "activate at boot time" using Webmin. So I can ping the new IP from outside and traceroute to it as well as to the main server IP. However, when I go back to the httpd.conf file which has the new additions for SSL in it, I still get the error:
(98)Address already in use: make_sock: could not bind to address [::]:443
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
Any ideas? Cannot understand the "0.0.0.0:443" above - surely if the website is listed in the httpd.conf file, along with the correct ip as in xx.xx.xx.xx:443 - it should work now?
<groan>
ASKER
Another update:
I have removed the "Listen *:443" from the conf file and no longer get the socket errors.
I'm now at the stage where I have the site coming up using the "https://www.site.com" URL. I have put the IP address in the conf file and into the firewall and all looks to be OK. However, the site will not come up using the standard "http://www.site.com" anymore, even though I have two entries in the conf file for the same site. One of them is the entry for :80 and the other for :443
Hope someone can help here! I'm running out of ideas and have a customer who is getting more antsy by the hour because his site is not working properly.
Cheers
Chris
This is just a first try to organize what you're trying to do with VirtualHost without any named virtual hosts.
Try using VirtualHost instead of NameVirtualHost since you are using specific IPs. These are now IP based virtual hosts (required for SSL) instead of name based virtual hosts.
try taking this out --> 01. Added Listen 1.2.3.4:443 below the Listen 1.2.3.4:80
try taking this out --> 02. Added NameVirtualHost *:443 under the NameVirtualHost *:80
try taking this out --> 03. Added a dummy :443 default vhost entry hear the top of the httpd.conf file
Try reformatting this to something like below --> 04. Added the following to the httpd.conf file
Listen 210.45.150.141:443
<VirtualHost 210.45.150.141:443>
ServerName www.customer.co.uk
DocumentRoot /var/www/html/customer
<Directory /var/www/html/customer>
AllowOverride All
</Directory>
</VirtualHost>
If that doesn't work, I'll do a quick setup on one of my apache instances to test out a working config.
ASKER
Sounds good, however, before I make the change, could I just make sure you know this server has about 50 other websites, all Named Virtual Hosts, and all listening on port 80. This is the first SSL site I'm putting on this server. There is already a site for this customer listening on 80 but he wants to secure parts of the site for members with the certificate.
So - a question - is it OK to leave all the other sites on the server as they are, i.e. all on the server IP address and all Named and listening on port 80? If I take out the "Listen" commands in the httpd.conf file as suggested, will all the other sites still work?
This is the best looking solution by far, so hoping feverishly that you're going to say YES - DO IT! <grin>
All the best and thanks for the reply.
Chris
I was only recommending taking out the listen commands associated with the :443 entries and replacing them with explicit IP:PORT designations. Don't change anything listening on port 80. Do you have a test environment where you can give this a go?
I would leave everything else EXACTLY the way it is in the HTTPD conf file, back it up (then back it up again to be sure!), add the entries about 443 to the bottom and then do a "configtest" instead of a stop/ start. that will make sure the syntax is OK. If that comes back OK, then you are probably safe to proceed.
don't do anything to the other listen entries. Just add the :443 entries at the bottom of the whole file if you have it all as one long httpd.conf.
ASKER
Hi there, Allen
I did exactly as you suggested above and then did the test via Apache. All looks fine. No errors from the conf file. However when I restart the httpd service after adding the entry I get the same or similar error I've been getting, i.e.
(98)Address already in use: make_sock: could not bind to address 210.45.150.141:443
no listening sockets available, shutting down
Unable to open logs
This is beginning to appear to me as though there may be a problem with the way I've entered the IP address for the SSL cert into the networking on the server. Also, there is the issue with the log files - when I set this up originally I used the same logfile for the SSL as for the site. Is this a problem? Could you go through with me how to set up the additional IP so that the server is aware of its own IP as well as the new IP for the cert and the new gateway etc.?
Cheers
Chris
as a root user, do netstat -anlp | grep ":443" and see if anything is already listening on port 443. From there, we'll go back through the configs and see what we can discover.
ASKER
Hi there
Here is the result of the test:
tcp 0 0 :::443 :::* LISTEN 378/httpd
unix 2 [ ACC ] STREAM LISTENING 11539 3443/mapping-daemon /tmp/mapping-root
unix 3 [ ] STREAM CONNECTED 11558 3443/mapping-daemon /tmp/mapping-root
I hope it makes sense - looks like Greek to me! ;)
Cheers
Chris
ASKER CERTIFIED SOLUTION
ASKER
Hi arobert11
Thanks so much for coming back to me. The situation now is as follows:
We have sorted out the "Listen" issue - in the ssl.conf file there was an instance of "Listen *.443". I removed that and the socket error went away.
We still cannot get the site to respond on the following:
http://www.customer.co.uk on port 80 AND
http://customer.co.uk on port 80
AS WELL AS
https://www.customer.co.uk on port 443
Only one or the other works but not both together. We need both the www on port 80 AND the www on port 443 to respond.
In DNS we can either point the www record at the server IP (which means the server will listen on port 80 as it does for all other sites on the same server, i.e. *:80 in the conf file) or we can point the DNS to the certificate IP specifically using xx.xx.xx.xx:443 as you and Allen have suggested, but if we do the latter, the site will not respond on port 80. How would we get around this issue? So easy on a Windows server where the server simply listens for the Named Virtual Host on both ports??
Am I being dumb here? ;)
Cheers
Chris
SOLUTION
ASKER
Hi allen-davis
I've tried this but it doesn't work. The HTTP doesn't work at all but the HTTPS works fine for both www.customer.co.uk and customer.co.uk
Here is what the DNS looks like:
customer.co.uk. IN A 210.45.150.141
www IN CNAME customer.co.uk.
Here are the specific excerpts from the httpd.conf file:
First the Listen commands:
Listen *:80
Listen 210.45.150.141:443
Then the Virtual Host entries, starting with the http://
<VirtualHost 210.45.150.141:80>
DocumentRoot "/var/www/html/customer"
ServerName www.customer.co.uk
<Directory "/var/www/html/customer">
allow from all
AllowOverride All
Options +Indexes
</Directory>
ServerAlias customer.co.uk
ErrorLog logs/error_log
LogLevel warn
TransferLog /var/www/html/customer/log/customer_log
</VirtualHost>
Then the https:// virtual host entry
<VirtualHost 210.45.150.141:443>
DocumentRoot /var/www/html/customer
ServerName www.customer.co.uk
<Directory "/var/www/html/customer">
allow from all
AllowOverride All
Options +Indexes
</Directory>
ErrorLog logs/error_log
LogLevel warn
TransferLog /var/www/html/customer/log/customer_ssl_log
SSLEngine on
SSLCertificateFile /etc/ssl_files/customer/customer.crt
SSLCertificateKeyFile /etc/ssl_files/customer/customer.key
</VirtualHost>
Set up like this above, the HTTPS works absolutely fine but as soon as you click on a link that points to HTTP or if you simply point the browser at HTTP://www.customer.co.uk or http://customer.co.uk, nothing works. Just an error message saying the browser cannot contact the website.
Cheers
Chris
ASKER
Hi again, both experts
I think I've resolved the issue, with your help. While waiting for a further response from you, I changed the Apache conf file. I took out the Listen commands as at the top of my last post and placed them just before the entry for each virtual host entry.
Listen 210.45.150.141:80
<VirtualHost 210.45.150.141:80>
.
.
</VirtualHost>
Listen 210.45.150.141:443
<VirtualHost 210.45.150.141:443>
.
.
</VirtualHost>
I set up the DNS as per recommendation by allen-davis and, with the help given by arobert11 was able to identify and kill the socket error I was getting. I'll try some more tomorrow to make sure the site comes up OK and then will let customer know his site is working.
Thanks, both of you, for your perseverance with this one!
Regards
Chris
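Added example (not code from Chris, allen-davis or arobert11): the root cause this thread landed on was a second wildcard "Listen 443" living in conf.d/ssl.conf alongside the "Listen IP:443" in httpd.conf, which is exactly what produces "(98)Address already in use ... could not bind to address [::]:443". The script below rebuilds that situation in a throwaway config tree using the layout the experts recommended (all the name-based sites stay on *:80, only the SSL site gets an explicit IP:443), then runs a check that generalises the problem: it scans every *.conf file Apache would merge and reports any port where a wildcard Listen sits next to another Listen, or where the same address:port is repeated. Every path, IP (192.0.2.10) and hostname in it is a constructed placeholder; on a real CentOS box you would point listen_conflicts at /etc/httpd instead.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread. It reproduces the root
# cause the thread found (a stray "Listen 443" in conf.d/ssl.conf colliding
# with "Listen IP:443" in httpd.conf) in a throwaway config tree and gives a
# check that finds it before a restart would fail with EADDRINUSE.
# Every path, IP and hostname below is a constructed placeholder.

CONF_DIR="${TMPDIR:-/tmp}/httpd-listen-check.$$"
mkdir -p "$CONF_DIR/conf.d"
trap 'rm -rf "$CONF_DIR"' EXIT

# Layout the experts recommended: the name-based sites keep sharing *:80;
# only the SSL site gets its own IP:443 (an IP-based vhost, needed because
# the certificate must be chosen before any Host header has been read).
cat > "$CONF_DIR/httpd.conf" <<'EOF'
Listen *:80
NameVirtualHost *:80
Listen 192.0.2.10:443

<VirtualHost *:80>
    ServerName www.customer.example
    ServerAlias customer.example
    DocumentRoot /var/www/html/customer
</VirtualHost>

<VirtualHost 192.0.2.10:443>
    ServerName www.customer.example
    DocumentRoot /var/www/html/customer
    SSLEngine on
    SSLCertificateFile /etc/ssl_files/customer/customer.crt
    SSLCertificateKeyFile /etc/ssl_files/customer/customer.key
</VirtualHost>
EOF

# The stock mod_ssl drop-in ships its own wildcard Listen; this is the clash.
cat > "$CONF_DIR/conf.d/ssl.conf" <<'EOF'
LoadModule ssl_module modules/mod_ssl.so
Listen 443
EOF

# Print "PORT: file file ..." for every port whose Listen directives cannot
# all be bound at once: a wildcard bind ("443", "*:443", "0.0.0.0:443",
# "[::]:443") next to any other Listen on that port, or the very same
# address:port repeated. Two different specific IPs on one port are fine,
# which is precisely the IP-based vhost setup this thread is about.
listen_conflicts() {
    find "$1" -name '*.conf' -print | sort | while IFS= read -r f; do
        # strip comments, keep Listen lines, normalise to "port addr file"
        sed -e 's/#.*//' "$f" | awk -v file="$f" '
            $1 == "Listen" {
                spec = $2
                n = split(spec, part, ":")
                port = part[n]
                addr = (n == 1) ? "*" : substr(spec, 1, length(spec) - length(port) - 1)
                if (addr == "0.0.0.0" || addr == "[::]") addr = "*"
                print port, addr, file
            }'
    done | awk '
        {
            port = $1; addr = $2; file = $3
            total[port]++
            if (addr == "*") wild[port]++
            if (++seen[port, addr] > 1) repeated[port] = 1
            files[port] = files[port] " " file
        }
        END {
            for (port in total)
                if ((wild[port] && total[port] > 1) || repeated[port])
                    print port ":" files[port]
        }' | sort
}

# The fix applied in the thread: drop the stray Listen for one port from a
# file (rewritten through a temp file so it stays POSIX and avoids sed -i).
remove_listen() {
    awk -v port="$2" '!($1 == "Listen" && $2 ~ ("(^|:)" port "$"))' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

echo "Conflicting Listen directives:"
listen_conflicts "$CONF_DIR"
```

The check complements the netstat step arobert11 suggested: netstat shows which process already holds :443 after the bind has failed, while this finds the competing directives in the config tree first, before "apachectl configtest" (which validates syntax but does not try to bind) gives a false sense of safety.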
ASKER
My thanks again to both areobert11 and allen-davis