Fedora 4, Apache 2.2.0, tomcat 5.5.7, openssl 0.9.7f, SSL certificates, domain names and IP addresses

I recently became the new admin of an old system that everybody approaches with the "don't touch it or it might break" mentality. Now I am being told to "touch it, and don't break it!"



Task:
What I am supposed to do: Remove the domain name www.domain1.com from the server and replace it with www.domain2.com.



Background:

www.domain1.com uses an SSL certificate to host a SOAP and a protected data retrieval site. The server is long out of date: it is a Fedora 4 server with Apache 2.2.0, tomcat 5.5.7 and openssl 0.9.7f.



I am trying to:
Set up www.domain2.com on the server with an SSL certificate to allow our business relations to access the SOAP from www.domain2.com/SOAP. We will move our other websites over then as well.




Path One:
I was looking to set up the two domains on the same IP address (1.1.1.1), to make it easy. However, that doesn't look so easy or safe (see References at bottom). I found out that I don't have new enough versions of Apache or openssl to do this.



Path Two:
I decided to see what I would have to do to update them; this led to finding out that yum and apt-get no longer have mirrors for FC4. I found versions online that I could install manually. I don't want to go that route because I doubt I could reverse the changes. I don't like putting my hopes in a silver bullet that could also kill me if I miss.



I have:

  • an SSL certificate for www.domain2.com.

  • www.domain2.com pointed at the same IP as www.domain1.com (1.1.1.1).

  • three more IP addresses assigned to my server that I can use (1.1.1.2, 1.1.1.3 and 1.1.1.4).



Since the path I was heading down doesn't look feasible, I was thinking I could set up www.domain2.com on 1.1.1.2, with a new install of Apache that could then also link to tomcat to give access to the SOAP.



Questions:

  • Can I set up domain2 on the current version of Apache with IP 1.1.1.2 with its certificate, or do I need to install another version of Apache to run side by side?

  • How would I configure the httpd-ssl.conf file if it is in the same Apache?



The current httpd-ssl.conf (comments removed):

```apache
Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLPassPhraseDialog builtin

SSLSessionCache shmcb:/usr/local/apache-2.2.0/logs/ssl_scache(512000)
SSLSessionCacheTimeout 300

SSLMutex file:/usr/local/apache-2.2.0/logs/ssl_mutex

##
## SSL Virtual Host Context
##

# VirtualHost address assumed: the stock Apache 2.2 httpd-ssl.conf opens
# this block with _default_:443 (the address was not visible in the post).
<VirtualHost _default_:443>
ServerName domain1.com
ServerAdmin webmaster@www.domain1.com
DocumentRoot /www/www.domain.com

ErrorLog logs/sslerror_log
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

TransferLog logs/ssltransfer_log
JkMount /domain1app1/* ajp13
JkMount /domain1app2/* ajp13
JkMount /SOAPdomain1app3/* ajp13
JkMount /InformationRetrevaldoamin1app4/* ajp13

SSLEngine on

# stock Apache 2.2.0 default cipher list (note it still admits eNULL and SSLv2)
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /usr/local/apache-2.2.0/conf/domain1.crt
SSLCertificateKeyFile /usr/local/apache-2.2.0/conf/domain1.key
SSLCertificateChainFile /usr/local/apache-2.2.0/conf/intermediate.crt

<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>

BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
</VirtualHost>
```




Does anybody have any suggestions as to how to proceed? I am looking for the littlest change that is "undoable" in case I mess it up. My tool box is pretty small when it comes to these types of things. Any help would be greatly appreciated! If you have a way to go about this that I haven't thought of, please let me know. :) Oh, and my boss would like me to get the SSL certificate in on Saturday during a 4 hour maintenance window. If it isn't possible I can delay till the next one.



Thanks in advance!




Edited for readability.



References:

  • Multiple SSL domains on the same IP address and same port? (https://serverfault.com/questions/109800/multiple-ssl-domains-on-the-same-ip-address-and-same-port)

  • SSL site not using the correct IP in Apache and Ubuntu (https://serverfault.com/questions/109766/ssl-site-not-using-the-correct-ip-in-apache-and-ubuntu)

  • can't install ssl certificate on apache (https://serverfault.com/questions/307845/cant-install-ssl-certificate-on-apache)


Answer





You shouldn't install a new Apache. Apache was probably installed from RPM packages anyway, so a second Apache could only be installed by hand. In my opinion, it is better to avoid this kind of fuss. However, you have other options.



Option 1:
You can configure your Apache to handle both sites. To do this, you need to:

  • use the explicit IP address with the VirtualHost directive

  • and supply a NameVirtualHost directive for each of them




This is really a copy-paste from the current configuration with a few changes. It should look like the config down here. This way www.domain1.com and www.domain2.com serve the same content, since the JkMount directives remain the same.



You should copy the current httpd-ssl.conf file before editing, so in case I screwed up something in the config, you can copy back the original and restart the server.



Option 2:
If you need to change the domain name only, you really don't have to touch a thing. The registration of a new domain doesn't have anything to do with Apache. Once the registration is complete, the DNS servers will resolve www.domain2.com to 1.1.1.1 (what used to be www.domain1.com). Once this is done, and domain1.com is deleted, you only need to replace the ServerName directive and the certificates.



If you must have the two domains coexist, no matter how long, then go to Option 1.



Option 3: If you simply add a

```apache
ServerAlias www.domain2.com
```

line to your existing config, inside the VirtualHost definition, Apache will still serve both domains (on the same IP address). In this case, however, you can't have different certificates for the two domains.



--



Here is the modified config for Option 1:

```apache
Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/usr/local/apache-2.2.0/logs/ssl_scache(512000)
SSLSessionCacheTimeout 300

SSLMutex file:/usr/local/apache-2.2.0/logs/ssl_mutex

# one NameVirtualHost per IP:port that carries an SSL VirtualHost below
NameVirtualHost 1.1.1.1:443
NameVirtualHost 1.1.1.2:443

##
## SSL Virtual Host Context
##

<VirtualHost 1.1.1.1:443>
ServerName domain1.com
ServerAdmin webmaster@www.domain1.com

DocumentRoot /www/www.domain.com
# separate log files per host so the two sites' traffic is not mixed
ErrorLog logs/sslerror_domain1_log
CustomLog logs/ssl_request_domain1_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
TransferLog logs/ssltransfer_domain1_log
JkMount /domain1app1/* ajp13
JkMount /domain1app2/* ajp13
JkMount /SOAPdomain1app3/* ajp13
JkMount /InformationRetrevaldoamin1app4/* ajp13

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /usr/local/apache-2.2.0/conf/domain1.crt
SSLCertificateKeyFile /usr/local/apache-2.2.0/conf/domain1.key
SSLCertificateChainFile /usr/local/apache-2.2.0/conf/intermediate_for_domain1.crt

<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>

BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
</VirtualHost>

<VirtualHost 1.1.1.2:443>
ServerName domain2.com
ServerAdmin webmaster@www.domain2.com

DocumentRoot /www/www.domain.com
ErrorLog logs/sslerror_domain2_log
CustomLog logs/ssl_request_domain2_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
TransferLog logs/ssltransfer_domain2_log

# same JkMount lines as domain1, so both hosts reach the same tomcat apps
JkMount /domain1app1/* ajp13
JkMount /domain1app2/* ajp13
JkMount /SOAPdomain1app3/* ajp13
JkMount /InformationRetrevaldoamin1app4/* ajp13

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

# domain2's own certificate, key and chain
SSLCertificateFile /usr/local/apache-2.2.0/conf/domain2.crt
SSLCertificateKeyFile /usr/local/apache-2.2.0/conf/domain2.key
SSLCertificateChainFile /usr/local/apache-2.2.0/conf/intermediate_for_domain2.crt

<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>

BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
</VirtualHost>
```
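A small pre-flight check for the Option 1 layout, added here as an example and not part of the answer above: it reads the edited httpd-ssl.conf as text and flags the two slips that are easiest to make when cloning an SSL VirtualHost, an IP:port with no matching NameVirtualHost and a log file written by both hosts. The embedded config is a constructed sample cut down to the directives the check reads, with both slips present on purpose.

```python
import re
from collections import defaultdict

# Constructed sample (not the page's full config): the answer's Option 1
# layout trimmed to the directives this check reads, with a shared
# TransferLog and a missing NameVirtualHost for 1.1.1.2 left in deliberately.
SAMPLE_CONF = """
NameVirtualHost 1.1.1.1:443
<VirtualHost 1.1.1.1:443>
ServerName domain1.com
ErrorLog logs/sslerror_domain1_log
TransferLog logs/ssltransfer_domain2_log
</VirtualHost>
<VirtualHost 1.1.1.2:443>
ServerName domain2.com
ErrorLog logs/sslerror_domain2_log
TransferLog logs/ssltransfer_domain2_log
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S)

def parse_vhosts(conf):
    """Yield (address, {directive: [values]}) for every VirtualHost block."""
    for addr, body in VHOST_RE.findall(conf):
        directives = defaultdict(list)
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                name, _, value = line.partition(" ")
                directives[name].append(value.strip())
        yield addr.strip(), directives

def lint_ssl_vhosts(conf):
    """Findings: VirtualHost address without NameVirtualHost; log shared by hosts."""
    findings = []
    declared = set(re.findall(r"^NameVirtualHost\s+(\S+)", conf, re.M))
    log_owners = defaultdict(list)
    for addr, d in parse_vhosts(conf):
        name = d.get("ServerName", [addr])[0]
        if addr not in declared:
            findings.append(f"{name}: VirtualHost {addr} has no NameVirtualHost line")
        for key in ("ErrorLog", "TransferLog", "CustomLog"):
            for value in d.get(key, []):
                log_owners[value.split()[0]].append(name)  # keep path, drop format
    for path, owners in sorted(log_owners.items()):
        if len(owners) > 1:
            findings.append(f"log {path} shared by {', '.join(owners)}")
    return findings
```

Run it against a copy of the edited file before the maintenance window; an empty list means both checks passed, and `apachectl configtest` still has to pass on the server itself.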


