Solved

Setting up SSL Virtual Hosts on Apache2 with individual IPs

Posted on 2010-08-23
1,332 Views
Last Modified: 2013-11-30
Hi Folks

I am trying to set up virtual hosts on my Centos 5.5 server with SSL. I've been setting up Apache with "normal" virtual hosts for ages so I know how to do that but have never attempted to set up one or more of them with their own SSL certificates, each on a separate IP address.

I've set up the first site with normal VirtualHost on *:80 and now I want to give the site the ability to be accessed on port 443. I've so far done the following:

In the http.conf file:
01. Added Listen 1.2.3.4:443 below the Listen 1.2.3.4:80
02. Added NameVirtualHost *:443 under the NameVirtualHost *:80
03. Added a dummy :443 default vhost entry near the top of the httpd.conf file
04. Added the following to the httpd.conf file
<VirtualHost 210.45.150.141:443>
SSLEngine on
SSLCertificateFile /etc/ssl_files/customer/customer.crt
SSLCertificateKeyFile /etc/ssl_files/customer/customer.key
<Directory /var/www/html/customer>
AllowOverride All
</Directory>
DocumentRoot /var/www/html/customer
ServerName www.customer.co.uk
</VirtualHost>

When I restart Apache I get a socket error as follows:
(98)Address already in use: make_sock: could not bind to address [::]:443
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down

I have a feeling that it has something to do with the fact that I haven't yet added the IP for SSL certificate to the Network config on the server but to be honest I'm not sure how to do that or even that I need to? I know when I set up certs on our Windows servers I need to add the new IP and gateway to the network setup but not sure whether it's the same for CentOS.

Any help greatly appreciated

Cheers
Chris

Question by:kenwardc
18 Comments
 

Author Comment

by:kenwardc
As a point for clarity, the IP 210.45.150.141 I've put in the question above is false but represents the static IP we have allocated to the specific SSL certificate which we already have installed on the server.

Expert Comment

by:Dk_guru
Is the port already in use?

Author Comment

by:kenwardc
Not as far as I am aware. There are no other certificates installed on the server.

Author Comment

by:kenwardc
Just a leetle bump - surely someone knows how to do this? I'm getting pretty desperate for a solution to this issue - have a customer nagging for his SSL certificate to be active.

Anyone?

Author Comment

by:kenwardc
Update - September 01

When I tried earlier to restart Apache after adding the "Listen *:443" etc. to the config file, I got errors. I've got to where I think I needed to add a virtual network interface to my eth0 and have done that, as well as created the same thing under "activate at boot time" using Webmin. So I can ping the new IP from outside and traceroute to it as well as to the main server IP. However, when I go back to the httpd.conf file which has the new additions for SSL in it, I still get the error:

(98)Address already in use: make_sock: could not bind to address [::]:443
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down

Any ideas? Cannot understand the "0.0.0.0:443" above - surely if the website is listed in the httpd.conf file, along with the correct ip as in xx.xx.xx.xx:443 - it should work now?

<groan>

Author Comment

by:kenwardc
Another update:

I have removed the "Listen *:443" from the conf file and no longer get the socket errors.

I'm now at the stage where I have the site coming up using the "https://www.site.com" URL. I have put the IP address in the conf file and into the firewall and all looks to be OK. However, the site will not come up using the standard "http://www.site.com" anymore, even though I have two entries in the conf file for the same site. One of them is the entry for :80 and the other for :443

Hope someone can help here! I'm running out of ideas and have a customer who is getting more antsy by the hour because his site is not working properly.

Cheers
Chris

Expert Comment

by:allen-davis
This is just a first try to organize what you're trying to do to VirtualHost without any Named virtual hosts.
Try using VirtualHost instead of NameVirtualHost since you are using specific IPs. These are now IP based virtual hosts (required for SSL) instead of name based virtual hosts.  
try taking this out --> 01. Added Listen 1.2.3.4:443 below the Listen 1.2.3.4:80
try taking this out --> 02. Added NameVirtualHost *:443 under the NameVirtualHost *:80
try taking this out --> 03. Added a dummy :443 default vhost entry near the top of the httpd.conf file
Try reformatting this to something like below --> 04. Added the following to the httpd.conf file
Listen 210.45.150.141:443
<VirtualHost 210.45.150.141:443>
   ServerName www.customer.co.uk
   DocumentRoot /var/www/html/customer
   <Directory /var/www/html/customer>
      AllowOverride All
   </Directory>
</VirtualHost>
If that doesn't work, I'll do a quick setup on one of my apache instances to test out a working config.
 
 

Author Comment

by:kenwardc
Sounds good, however, before I make the change, could I just make sure you know this server has about 50 other websites, all Named Virtual Hosts, and all listening on port 80. This is the first SSL site I'm putting on this server. There is already a site for this customer listening on 80 but he wants to secure parts of the site for members with the certificate.

So - a question - is it OK to leave all the other sites on the server as they are, i.e. all on the server IP address and all Named and listening on port 80? If I take out the "Listen" commands in the httpd.conf file as suggested, will all the other sites still work?

This is the best looking solution by far, so hoping feverishly that you're going to say YES - DO IT! <grin>

All the best and thanks for the reply.
Chris

Expert Comment

by:allen-davis
I was only recommending taking out the listen commands associated with the :443 entries and replacing them with explicit IP:PORT designations. Don't change anything listening on port 80. Do you have a test environment where you can give this a go?

I would leave everything else EXACTLY the way it is in the HTTPD conf file, back it up (then back it up again to be sure!), add the entries about 443 to the bottom and then do a "configtest" instead of a stop/ start.  that will make sure the syntax is OK.  If that comes back OK, then you are probably safe to proceed.

Don't do anything to the other listen entries. Just add the :443 entries at the bottom of the whole file if you have it all as one long httpd.conf.

Author Comment

by:kenwardc
Hi there, Allen

I did exactly as you suggested above and then did the test via Apache. All looks fine. No errors from the conf file. However when I restart the httpd service after adding the entry I get the same or similar error I've been getting, i.e.

(98)Address already in use: make_sock: could not bind to address 210.45.150.141:443
no listening sockets available, shutting down
Unable to open logs

This is beginning to appear to me as though there may be a problem with the way I've entered the IP address for the SSL cert into the networking on the server. Also, there is the issue with the log files - when I set this up originally I used the same logfile for the SSL as for the site. Is this a problem? Could you go through with me how to set up the additional IP so that the server is aware of its own IP as well as the new IP for the cert and the new gateway etc.?

Cheers
Chris

Expert Comment

by:allen-davis
As a root user, do netstat -anlp | grep ":443" and see if anything is already listening on port 443. From there, we'll go back through the configs and see what we can discover.

Author Comment

by:kenwardc
Hi there

Here is the result of the test:

tcp   0      0 :::443                      :::*                        LISTEN      378/httpd          
unix  2      [ ACC ]     STREAM     LISTENING     11539  3443/mapping-daemon /tmp/mapping-root
unix  3      [ ]         STREAM     CONNECTED     11558  3443/mapping-daemon /tmp/mapping-root

I hope it makes sense - looks like Greek to me! ;)

Cheers
Chris

Accepted Solution

by:
arober11 earned 250 total points
So an Apache process is already bound to socket 443, so you need to find out if it's the same Apache process as you have listening on port 80, so again as root: run the following:

netstat -plant | egrep ":(443|80) " | grep LISTEN

If the numbers (PIDs) in the "####/httpd" output differ it's a different process, else it's the same.

Next find out where the httpd.conf(s) lurk for the Apache process(es) by plugging the pid(s) (#### numbers) from above into a:

ps -ef | grep 378

You should see a file name after a -f parameter e.g.

... -f /etc/apache2/httpd.conf -DSSL

Plug the httpd.conf directory name(s) into the following command:

find /etc/apache2/ -type f -name "*.conf" -exec egrep "Listen|443" {} \;

Now you have the details you can start to play.

If you have separate / multiple httpd.conf files / instances, and / or IPs bound to the server, but a generic:

  Listen 443

your first action should be to go through the Listen statement(s) and explicitly add the IP(s) you're interested in e.g.

Listen  210.45.150.141:443
Listen  22.33.44.55:443

Next you'll probably want a few more options in your VirtualHost, such as a Certificate Authority, and a few options to keep older versions of IE happy, and a few tweaks for dynamically generated content e.g.

<VirtualHost 11.22.33.44:443>
   ServerName www.customer.co.uk
   DocumentRoot /var/www/html/customer
   <Directory       /var/www/html/customer>
      AllowOverride All
    </Directory>

   #SSL stuff
   SSLEngine on
   SSLCertificateFile       /etc/ssl_files/customer/customer.crt
   SSLCertificateKeyFile  /etc/ssl_files/customer/customer.key
   SSLCACertificatePath  /etc/ssl_files/CA/ssl.crt
   SSLCARevocationPath /etc/ssl_files/CA/ssl.crl

        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
            SSLOptions +StdEnvVars
        </Files>
        <Directory "/var/www/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>

        SetEnvIf User-Agent ".*MSIE.*" \
                 nokeepalive ssl-unclean-shutdown \
                 downgrade-1.0 force-response-1.0
</VirtualHost>

Note: You'll need a separate VirtualHost and SSL certificate per IP (Hostname), if you are to avoid certificate errors in your browser.

Once everything is in place, test your new configuration, stop all existing Apache instances, and re-start with the new configuration.
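The diagnosis arober11 walks through above (which process holds the port, and is it the same httpd that serves :80) can be scripted. The following is an added example, not code from the thread: it parses `netstat -plant` / `netstat -anlp` style output, reports the listening sockets per port, and predicts which of Apache's intended `Listen` bindings would fail with `(98)Address already in use`. The sample output is constructed for the example (modelled on the lines Chris posted, with a second httpd instance and a mail daemon added; all PIDs are invented). `:::443` is how netstat shows a socket bound to the IPv6 wildcard `::`, which on a dual-stack Linux box also takes the IPv4 side of the port, so it blocks any later bind to `<ip>:443`.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the netstat output posted in the thread, with a
# second httpd instance and a mail daemon added. PIDs are invented.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      378/httpd
tcp        0      0 :::443                      :::*                        LISTEN      378/httpd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      2190/sendmail
tcp        0      0 210.45.150.141:8443         0.0.0.0:*                   LISTEN      4021/httpd
tcp        0      0 210.45.150.141:80           198.51.100.7:51324          ESTABLISHED 378/httpd
unix  2      [ ACC ]     STREAM     LISTENING     11539  3443/mapping-daemon /tmp/mapping-root
"""

# One TCP line in LISTEN state: proto, recv-q, send-q, local, foreign, state, pid/program.
LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+LISTEN\s+(\d+|-)/?(\S*)", re.M)
WILDCARDS = {"0.0.0.0", "::"}   # netstat prints the IPv6 wildcard as ':::PORT'


def listeners(netstat_text):
    """{port: [(address, pid, program)]} for every TCP socket in LISTEN state."""
    out = defaultdict(list)
    for m in LINE_RE.finditer(netstat_text):
        addr, _, port = m.group(2).rpartition(":")
        out[int(port)].append((addr, m.group(4), m.group(5)))
    return dict(out)


def same_process(netstat_text, port_a, port_b):
    """True when one PID holds listeners on both ports (arober11's first question)."""
    held = listeners(netstat_text)

    def pids(port):
        return {pid for _, pid, _ in held.get(port, [])}

    return bool(pids(port_a) & pids(port_b))


def diagnose(netstat_text, wanted):
    """For each (address, port) Apache wants to Listen on, list the existing
    sockets that make bind() fail with EADDRINUSE on Linux: a wildcard on either
    side conflicts with anything on that port, otherwise only an exact match."""
    held = listeners(netstat_text)
    report = {}
    for addr, port in wanted:
        blockers = []
        for l_addr, pid, prog in held.get(port, []):
            l_wild = l_addr in WILDCARDS
            if l_wild or addr == "*" or l_addr == addr:
                shown = "*" if l_wild else l_addr
                blockers.append(f"{pid}/{prog} already listening on {shown}:{port}")
        report[f"{addr}:{port}"] = blockers
    return report


if __name__ == "__main__":
    # On the real box: SAMPLE = subprocess.check_output(["netstat", "-plant"]).decode()
    print("same httpd on :80 and :443:", same_process(SAMPLE, 80, 443))
    wanted = [("210.45.150.141", 443), ("210.45.150.141", 8443), ("*", 8444)]
    for spec, blockers in diagnose(SAMPLE, wanted).items():
        print(spec, "->", "; ".join(blockers) or "free")
```

With the embedded sample, `210.45.150.141:443` is reported as blocked by PID 378 (the wildcard `:::443` socket), `210.45.150.141:8443` by PID 4021, and `*:8444` as free; that is the same answer netstat gives by hand, just without reading the columns yourself. `ss -ltnp` prints the same information in a different layout that this parser does not handle.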

Author Comment

by:kenwardc
Hi arober11

Thanks so much for coming back to me. The situation now is as follows:

We have sorted out the "Listen" issue - in the ssl.conf file there was an instance of "Listen *:443". I removed that and the socket error went away.

We still cannot get the site to respond on the following:

http://www.customer.co.uk on port 80 AND
http://customer.co.uk on port 80

AS WELL AS

https://www.customer.co.uk on port 443

Only one or the other works but not both together. We need both the www on port 80 AND the www on port 443 to respond.

In DNS we can either point the www record at the server IP (which means the server will listen on port 80 as it does for all other sites on the same server, i.e. *:80 in the conf file) or we can point the DNS to the certificate IP specifically using xx.xx.xx.xx:443 as you and Allen have suggested, but if we do the latter, the site will not respond on port 80. How would we get around this issue? So easy on a Windows server where the server simply listens for the Named Virtual Host on both ports??

Am I being dumb here? ;)

Cheers
Chris

Assisted Solution

by:allen-davis
allen-davis earned 250 total points
try this, make customer.co.uk be the IP address you want in DNS.  have both the www sites (80 and 443) listen on the IP address.  they can be the same IP address.  Add a DNS alias (CNAME) for www.customer.co.uk to point to customer.co.uk.  I think if you do the DNS alias correctly, you'll solve your problem and have all three sites responding to requests as you've described above.

Author Comment

by:kenwardc
Hi allen-davis

I've tried this but it doesn't work. The HTTP doesn't work at all but the HTTPS works fine for both www.customer.co.uk and customer.co.uk

Here is what the DNS looks like:
customer.co.uk.            IN      A       210.45.150.141
www                            IN      CNAME   customer.co.uk.

Here are the specific excerpts from the httpd.conf file:

First the Listen commands:

Listen *:80
Listen 210.45.150.141:443

Then the Virtual Host entries, starting with the http://

<VirtualHost 210.45.150.141:80>
DocumentRoot "/var/www/html/customer"
ServerName www.customer.co.uk
<Directory "/var/www/html/customer">
allow from all
AllowOverride All
Options +Indexes
</Directory>
ServerAlias customer.co.uk
ErrorLog logs/error_log
LogLevel warn
TransferLog /var/www/html/customer/log/customer_log
</VirtualHost>

Then the https:// virtual host entry

<VirtualHost 210.45.150.141:443>
DocumentRoot /var/www/html/customer
ServerName www.customer.co.uk
<Directory "/var/www/html/customer">
allow from all
AllowOverride All
Options +Indexes
</Directory>
ErrorLog logs/error_log
LogLevel warn
TransferLog /var/www/html/customer/log/customer_ssl_log
SSLEngine on
SSLCertificateFile /etc/ssl_files/customer/customer.crt
SSLCertificateKeyFile /etc/ssl_files/customer/customer.key
</VirtualHost>

Set up like this above, the HTTPS works absolutely fine but as soon as you click on a link that points to HTTP or if you simply point the browser at HTTP://www.customer.co.uk or http://customer.co.uk, nothing works. Just an error message saying the browser cannot contact the website.

Cheers
Chris

Author Comment

by:kenwardc
Hi again, both experts

I think I've resolved the issue, with your help. While waiting for a further response from you, I changed the Apache conf file. I took out the Listen commands as at the top of my last post and placed them just before each virtual host entry.

Listen 210.45.150.141:80
<VirtualHost 210.45.150.141:80>
.
.
</VirtualHost>

Listen 210.45.150.141:443
<VirtualHost 210.45.150.141:443>
.
.
</VirtualHost>

I set up the DNS as per the recommendation by allen-davis and, with the help given by arober11, was able to identify and kill the socket error I was getting. I'll try some more tomorrow to make sure the site comes up OK and then will let the customer know his site is working.

Thanks, both of you, for your perseverance with this one!

Regards
Chris
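Both the root cause arober11 pointed at (a generic `Listen 443` in ssl.conf sitting alongside `Listen 210.45.150.141:443` in httpd.conf) and the final layout Chris settled on (an explicit `Listen IP:80` and `Listen IP:443` next to their VirtualHosts) can be checked statically before restarting httpd, which matters because `configtest` passes this configuration and the failure only shows up at bind time. The following is an added example, not code from the thread: it parses `Listen` and `<VirtualHost>` directives out of a set of config files, flags Listen directives on one port that cannot all bind on Linux (an exact duplicate, or a wildcard such as `443`, `*:443` or `[::]:443` next to an explicit address), flags :443 vhosts without `SSLEngine on`, vhosts with no covering Listen, and hostnames served over 443 that no :80 vhost names. The file names and config text are constructed to mirror the thread, not copied from the server.

```python
import re

# Hosts Apache treats as "every address"; '' is a bare 'Listen 443'.
WILDCARDS = {"", "*", "0.0.0.0", "::", "[::]"}
LISTEN_RE = re.compile(r"^[ \t]*Listen[ \t]+(\S+)", re.I | re.M)
VHOST_RE = re.compile(r"^[ \t]*<VirtualHost[ \t]+([^>]+)>(.*?)^[ \t]*</VirtualHost>",
                      re.I | re.M | re.S)
DIRECTIVE_RE = re.compile(r"^[ \t]*(ServerName|ServerAlias|SSLEngine)[ \t]+(.+?)[ \t]*$",
                          re.I | re.M)

# Constructed to mirror the thread, not copied from the server: an explicit Listen
# for the certificate IP in httpd.conf while the stock conf.d/ssl.conf still
# carries a generic 'Listen 443'.
HTTPD_CONF = """
Listen *:80
Listen 210.45.150.141:443
<VirtualHost *:80>
    ServerName www.customer.co.uk
    ServerAlias customer.co.uk
</VirtualHost>
<VirtualHost 210.45.150.141:443>
    ServerName www.customer.co.uk
    SSLEngine on
</VirtualHost>
"""
BEFORE = {"conf/httpd.conf": HTTPD_CONF, "conf.d/ssl.conf": "Listen 443\n"}
AFTER = {"conf/httpd.conf": HTTPD_CONF, "conf.d/ssl.conf": "# Listen 443 removed\n"}


def split_addr(spec, default_port="*"):
    """'1.2.3.4:443' -> ('1.2.3.4', '443'); '443' and '[::]:443' -> ('*', '443')."""
    spec = spec.strip()
    if spec.startswith("["):                     # bracketed IPv6 literal
        host, _, rest = spec[1:].partition("]")
        port = rest.lstrip(":") or default_port
    elif spec.count(":") == 1:                   # host:port
        host, _, port = spec.partition(":")
    elif spec.isdigit():                         # bare port
        host, port = "", spec
    else:                                        # bare host (VirtualHost with no port)
        host, port = spec, default_port
    return ("*" if host in WILDCARDS else host), port


def parse_listens(configs):
    """configs is {filename: text}; returns [(host, port, filename)]."""
    return [(*split_addr(m.group(1)), fname)
            for fname, text in configs.items() for m in LISTEN_RE.finditer(text)]


def parse_vhosts(configs):
    """[{'addrs': [(host, port)], 'names': [...], 'ssl': bool, 'file': name}]."""
    vhosts = []
    for fname, text in configs.items():
        for m in VHOST_RE.finditer(text):
            vh = {"addrs": [split_addr(a) for a in m.group(1).split()],
                  "names": [], "ssl": False, "file": fname}
            for directive, value in DIRECTIVE_RE.findall(m.group(2)):
                if directive.lower() == "servername":        # may carry scheme or :port
                    vh["names"].insert(0, value.split("//")[-1].split(":")[0])
                elif directive.lower() == "serveralias":
                    vh["names"] += value.split()
                else:
                    vh["ssl"] = value.lower() == "on"
            vhosts.append(vh)
    return vhosts


def listen_conflicts(listens):
    """Ports whose Listen directives cannot all bind on Linux (exact duplicate, or a
    wildcard next to anything else): bind() fails with EADDRINUSE, which httpd
    reports as 'make_sock: could not bind to address'."""
    findings, by_port = [], {}
    for host, port, fname in listens:
        by_port.setdefault(port, []).append((host, fname))
    for port, entries in sorted(by_port.items()):
        hosts = [h for h, _ in entries]
        if len(hosts) != len(set(hosts)) or ("*" in hosts and len(hosts) > 1):
            where = ", ".join(f"{h}:{port} in {f}" for h, f in entries)
            findings.append(f"port {port}: conflicting Listen directives ({where})")
    return findings


def vhost_issues(listens, vhosts):
    findings, served = [], {}
    for vh in vhosts:
        for host, port in vh["addrs"]:
            if not any((port == "*" or lp == port) and (lh == "*" or host == "*" or lh == host)
                       for lh, lp, _ in listens):
                findings.append(f"{vh['file']}: <VirtualHost {host}:{port}> has no matching Listen")
            if port == "443" and not vh["ssl"]:
                findings.append(f"{vh['file']}: <VirtualHost {host}:443> lacks 'SSLEngine on'")
            for name in vh["names"]:
                served.setdefault(name, set()).add(port)
    for name, ports in sorted(served.items()):
        if "443" in ports and not ports & {"80", "*"}:
            findings.append(f"{name} is served on 443 only; plain http:// requests for it "
                            "fall through to the default :80 vhost")
    return findings


def audit(configs):
    listens = parse_listens(configs)
    return listen_conflicts(listens) + vhost_issues(listens, parse_vhosts(configs))


if __name__ == "__main__":
    for label, cfg in (("before fix", BEFORE), ("after fix", AFTER)):
        print(f"[{label}]", *(audit(cfg) or ["no problems found"]), sep="\n  ")
```

Against the real server, build the dict from `/etc/httpd/conf/httpd.conf` plus every file under `/etc/httpd/conf.d/`; the script does not follow `Include` lines, so each included file has to be passed in explicitly. It complements rather than replaces `apachectl configtest`, which only checks syntax.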

Author Closing Comment

by:kenwardc
My thanks again to both arober11 and allen-davis