
Fedora 4, Apache 2.2.0, tomcat 5.5.7, openssl 0.9.7f, SSL certificates, domain names and IP addresses




I recently became the new admin of an old system that everybody approaches with the "don't touch it or it might break" mentality. Now I am being told to "touch it, and don't break it!"



Task:
What I am supposed to do: Remove a domain name www.domain1.com from the server and replace it with www.domain2.com.



Background:
www.domain1.com uses an SSL certificate to host a SOAP and a protected data retrieval site.
The server is long out of date. It is a Fedora 4 server with Apache 2.2.0, tomcat 5.5.7 and openssl 0.9.7f.



I am trying to:
Set up www.domain2.com on the server with an SSL certificate to allow our business relations to access the SOAP from www.domain2.com/SOAP. We will move our other websites over then as well.




Path One:
I was looking to set up the two domains on the same IP address (1.1.1.1), to make it easy. However, that doesn't look so easy or safe (see References at bottom). I found out that I don't have new enough versions of Apache or openssl to do this.



Path Two:
I decided to see what I would have to do to update them, and this led to finding out that yum and apt-get no longer have mirrors for FC4. I found versions online that I could install manually. I don't want to go that route because I doubt I could reverse the changes. I don't like putting my hopes in a silver bullet that could also kill me if I miss.



I have:





  • I have an SSL certificate for www.domain2.com.

  • www.domain2.com is pointed at the same IP as www.domain1.com (1.1.1.1).

  • I have three more IP addresses assigned to my server that I can use (1.1.1.2, 1.1.1.3 and 1.1.1.4).



Since the path I was heading down doesn't look feasible, I was thinking I could set up www.domain2.com on 1.1.1.2 with a new install of Apache that could then also link to Tomcat to give access to the SOAP.



Questions:





  • Can I set up domain2 on the current version of Apache with IP 1.1.1.2 and its certificate, or do I need to install another version of Apache to run side by side?

  • How would I configure the httpd-ssl.conf file if it is in the same Apache?



The current httpd-ssl.conf (Comments removed):



    Listen 443

    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl

    SSLPassPhraseDialog builtin

    SSLSessionCache shmcb:/usr/local/apache-2.2.0/logs/ssl_scache(512000)
    SSLSessionCacheTimeout 300

    SSLMutex file:/usr/local/apache-2.2.0/logs/ssl_mutex

    ##
    ## SSL Virtual Host Context
    ##

    # The <VirtualHost> open and close tags were lost when the post was rendered;
    # _default_:443 is the stock Apache 2.2 value and is assumed here.
    <VirtualHost _default_:443>

    ServerName domain1.com
    ServerAdmin webmaster@www.domain1.com
    DocumentRoot /www/www.domain.com
    ErrorLog logs/sslerror_log
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    TransferLog logs/ssltransfer_log

    JkMount /domain1app1/* ajp13
    JkMount /domain1app2/* ajp13
    JkMount /SOAPdomain1app3/* ajp13
    JkMount /InformationRetrevaldoamin1app4/* ajp13

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

    SSLCertificateFile /usr/local/apache-2.2.0/conf/domain1.crt
    SSLCertificateKeyFile /usr/local/apache-2.2.0/conf/domain1.key
    SSLCertificateChainFile /usr/local/apache-2.2.0/conf/intermediate.crt

    SSLOptions +StdEnvVars

    BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    </VirtualHost>



Does anybody have any suggestions as to how to proceed? I am looking for the smallest change that is "undoable" in case I mess it up. My toolbox is pretty small when it comes to these types of things. Any help would be greatly appreciated! If you have a way to go about this that I haven't thought of, please let me know. :) Oh, and my boss would like me to get the SSL certificate in on Saturday during a 4-hour maintenance window. If it isn't possible I can delay till the next one.



Thanks in Advance!




Edited for readability.



References:



Multiple SSL domains on the same IP address and same port?



SSL site not using the correct IP in Apache and Ubuntu



can't install ssl certificate on apache


Answer




You shouldn't install a new Apache. Apache was probably installed from RPM packages anyway, so a second Apache could only be installed by hand. In my opinion, it is better to avoid this kind of fuss.
However, you have other options.



Option 1: You can configure your Apache to handle both sites. To do this, you need to:




  • Use the explicit IP address with the VirtualHost directive

  • and supply a NameVirtualHost directive to each of them




This is really a copy-paste from the current configuration with a few changes. It should look like the config below. This way www.domain1.com and www.domain2.com serve the same content, since the JkMount directives remain the same.



You should copy the current httpd-ssl.conf file before editing, so that in case I screwed up something in the config, you can copy back the original and restart the server.



Option 2: If you need to change the domain name only, you really don't have to touch a thing. The registration of a new domain doesn't have anything to do with Apache. Once the registration is complete, the DNS servers will resolve www.domain2.com to 1.1.1.1 (what used to be www.domain1.com). Once this is done, and domain1.com is deleted, you only need to replace the ServerName directive and the certificates.



If you must have the two domains coexist, no matter how long, then go to Option 1.



Option 3: If you simply add a

    ServerAlias www.domain2.com

line to your existing config, inside the VirtualHost definition, Apache will still serve both domains (on the same IP address). In this case, however, you can't have different certificates for the two domains.



--



Here is the modified config for Option 1:



    Listen 443

    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl

    SSLPassPhraseDialog builtin
    SSLSessionCache shmcb:/usr/local/apache-2.2.0/logs/ssl_scache(512000)
    SSLSessionCacheTimeout 300

    SSLMutex file:/usr/local/apache-2.2.0/logs/ssl_mutex

    NameVirtualHost 1.1.1.1:443
    NameVirtualHost 1.1.1.2:443

    ##
    ## SSL Virtual Host Context
    ##

    # The <VirtualHost> open and close tags were lost when the post was rendered;
    # they are restored here from the NameVirtualHost addresses above.
    <VirtualHost 1.1.1.1:443>

    ServerName domain1.com
    ServerAdmin webmaster@www.domain1.com

    DocumentRoot /www/www.domain.com
    ErrorLog logs/sslerror_domain1_log
    CustomLog logs/ssl_request_domain1_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    # each vhost gets its own transfer log; the second one below uses the domain2 file
    TransferLog logs/ssltransfer_domain1_log

    JkMount /domain1app1/* ajp13
    JkMount /domain1app2/* ajp13
    JkMount /SOAPdomain1app3/* ajp13
    JkMount /InformationRetrevaldoamin1app4/* ajp13

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

    SSLCertificateFile /usr/local/apache-2.2.0/conf/domain1.crt
    SSLCertificateKeyFile /usr/local/apache-2.2.0/conf/domain1.key
    SSLCertificateChainFile /usr/local/apache-2.2.0/conf/intermediate_for_domain1.crt

    SSLOptions +StdEnvVars

    BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    </VirtualHost>

    <VirtualHost 1.1.1.2:443>

    ServerName domain2.com
    ServerAdmin webmaster@www.domain2.com

    DocumentRoot /www/www.domain.com
    ErrorLog logs/sslerror_domain2_log
    CustomLog logs/ssl_request_domain2_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    TransferLog logs/ssltransfer_domain2_log

    JkMount /domain1app1/* ajp13
    JkMount /domain1app2/* ajp13
    JkMount /SOAPdomain1app3/* ajp13
    JkMount /InformationRetrevaldoamin1app4/* ajp13

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

    SSLCertificateFile /usr/local/apache-2.2.0/conf/domain2.crt
    SSLCertificateKeyFile /usr/local/apache-2.2.0/conf/domain2.key
    SSLCertificateChainFile /usr/local/apache-2.2.0/conf/intermediate_for_domain2.crt

    SSLOptions +StdEnvVars

    BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    </VirtualHost>
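An added pre-flight check for the Option 1 layout (my code, not from the question or the answer): it parses the <VirtualHost> blocks of an httpd-ssl.conf text, confirms every vhost address has a NameVirtualHost line and its own certificate, and flags a certificate or log file that two vhosts share, the kind of slip that duplicating a block invites. The config text is a constructed, trimmed sample rather than the page's full file, and the function names are mine.

```python
import re
SAMPLE_CONF = """# constructed sample (not the page's full file): the two Option 1 vhosts, trimmed
NameVirtualHost 1.1.1.1:443
NameVirtualHost 1.1.1.2:443
<VirtualHost 1.1.1.1:443>
ServerName domain1.com
TransferLog logs/ssltransfer_domain2_log
SSLCertificateFile /usr/local/apache-2.2.0/conf/domain1.crt
SSLCertificateKeyFile /usr/local/apache-2.2.0/conf/domain1.key
</VirtualHost>
<VirtualHost 1.1.1.2:443>
ServerName domain2.com
TransferLog logs/ssltransfer_domain2_log
SSLCertificateFile /usr/local/apache-2.2.0/conf/domain2.crt
SSLCertificateKeyFile /usr/local/apache-2.2.0/conf/domain2.key
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    """Return (NameVirtualHost addresses, [(vhost address, {directive: [values]})])."""
    conf = re.sub(r"\\\n\s*", " ", conf)  # join backslash-continued lines (CustomLog)
    vhosts = []
    for m in VHOST_RE.finditer(conf):
        directives = {}
        for parts in (ln.split(None, 1) for ln in m.group(2).splitlines()):
            if parts and not parts[0].startswith("#"):
                directives.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
        vhosts.append((m.group(1).strip(), directives))
    return set(re.findall(r"^\s*NameVirtualHost\s+(\S+)", VHOST_RE.sub("", conf), re.M)), vhosts

def check_ssl_vhosts(conf):
    """Flag the slips a copy-pasted vhost block invites; [] means the checks passed."""
    nvh, vhosts = parse_vhosts(conf)
    findings, seen_certs, seen_logs = [], {}, {}
    for addr, d in vhosts:
        name = d.get("ServerName", [addr])[0]
        if addr not in nvh:  # the answer pairs every vhost address with a NameVirtualHost line
            findings.append(f"{addr}: no NameVirtualHost for this address")
        cert = d.get("SSLCertificateFile", [""])[0]
        if not cert:
            findings.append(f"{name}: no SSLCertificateFile")
        elif cert in seen_certs:  # one cert for two names: only one of them will validate
            findings.append(f"{name}: reuses {cert} of {seen_certs[cert]}")
        seen_certs.setdefault(cert, name)
        for key in ("ErrorLog", "CustomLog", "TransferLog"):
            for path in (v.split()[0] for v in d.get(key, []) if v):
                if path in seen_logs:  # shared log file: the per-site logs silently merge
                    findings.append(f"{name}: {key} {path} is also used by {seen_logs[path]}")
                seen_logs.setdefault(path, name)
    return findings
```

Run it against the backed-up copy of httpd-ssl.conf before the maintenance window; on the sample it reports only the TransferLog path that both vhosts share.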

