OpenSuSE 13.1 server meltdown, complicated environment


#1

I have a somewhat complicated environment as follows:
Multiple DNS names (capers.captools.us, capersqm.dnsalias.net, capersqm1.dnsalias.net, jrlnet.dnsalias.net) all point to the same public IP address, which is dynamic (kept up to date with inadyn). I have two servers (main and backup), and switching is done by port numbers. Normally ports 80 and 443 point to the Apache2 webserver on the main (duplicated with 7801 and 7443), while the backup uses 7800 and 7440. Unfortunately, the main suffered a meltdown, so 80 and 443 were switched to forward to the backup. The SSL certs on the backup work, but I can’t get certs on the main.

There is also a server under construction called capersqm3 (ports 7803 and 7443) but it is turned off while I troubleshoot the cert problem with the main.

The working cert on the backup was generated under the “jrlnet.dnsalias.net” name, with SANS=“capers.captools.us,capersqm.dnsalias.net,capersqm1.dnsalias.net,capersqm3.dnsalias.net”.

Easy question: can I simply copy all the relevant pieces and settings from the backup to the main since all the names match up? (Relevant files and lines in files affected are or are within /etc/sysconfig/apache2, /root/.getssl and /etc/apache2.)

Harder question: how should I craft /root/.getssl/getssl, /root/getssl/jrlnet.dnsalias.net/getssl and/or /usr/local/bin/getssl to achieve the same state of bliss on the main?


#2

Hi @jackrlewis

Normally, that should work. A certificate is a combination of a private key and a signed public key with the chain. So you can use it in different places.


#3

Well, nope, doesn’t work with copied files. I have managed to get Apache2 on my main server to settle down and Listen on all appropriate ports, but 80 and 443 are still switched to my backup server, so what I have to work with is port 7801 (http) and port 7441 (https) using getssl.

How do I configure getssl.conf (both in /root/.getssl and in /root/.getssl/capersqm1.dnsalias.net) and possibly /usr/local/bin/getssl (the executable script) for ports 7801 and 7441 respectively, for the server name and SANS shown below?

capersqm1.dnsalias.net (main server name)
SANS=“capers.captools.us,capersqm.dnsalias.net,jrlnet.dnsalias.net,capersqm3.dnsalias.net”

Thanks - Jack


#4

Then you did something wrong. You can always use an existing certificate (private and public key) with two different webservers.

But:

https://jrlnet.dnsalias.net:7440/capers_direct.htm

works.

https://jrlnet.dnsalias.net:7441/capers_direct.htm

doesn’t work. SSL_ERROR_RX_RECORD_TOO_LONG, because

http://jrlnet.dnsalias.net:7441/capers_direct.htm

works (sends a 404). So 7441 isn’t an SSL configuration.

And you don’t need a second certificate, it’s a configuration problem.
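The diagnosis in the reply above can be reproduced without a browser: send a ClientHello to the port and look at the first bytes that come back. The script below is an added example for this thread, not code from the original posts or from getssl; the sample bytes in `main()` are constructed, and the host and port are whatever you pass on the command line (e.g. `jrlnet.dnsalias.net 7441`). It also shows where the browser's "record too long" wording comes from: the client's record layer reads the five bytes `HTTP/` as a TLS record header, and bytes 4 and 5 (`P/`, 0x502F) become a length of 20527, above anything a TLS peer may send.

```python
"""Tell a TLS listener from a plaintext one, and show why a browser reports
SSL_ERROR_RX_RECORD_TOO_LONG when a port serves plain HTTP.

Added example for this thread, not code from the original posts or from getssl.
The sample bytes in main() are constructed; probe() is only used when a host
and port are given on the command line.
"""
import os
import socket
import sys

# TLS record-layer content types (RFC 5246 section 6.2.1, RFC 8446 section 5.1).
TLS_CONTENT_TYPES = {
    0x14: "change_cipher_spec",
    0x15: "alert",
    0x16: "handshake",
    0x17: "application_data",
}
# TLS 1.2 permits at most 2^14 + 2048 bytes in a received record fragment.
MAX_RECORD_LEN = 2**14 + 2048


def parse_record_header(data: bytes) -> dict:
    """Interpret the first five bytes the way a TLS client's record layer does."""
    if len(data) < 5:
        raise ValueError("a TLS record header is 5 bytes")
    length = int.from_bytes(data[3:5], "big")
    return {
        "content_type": data[0],
        "content_type_name": TLS_CONTENT_TYPES.get(data[0]),
        "version": (data[1], data[2]),
        "length": length,
        "too_long": length > MAX_RECORD_LEN,
    }


def classify_response(data: bytes) -> str:
    """Return 'tls', 'http' or 'unknown' for a server's reply to a ClientHello."""
    if len(data) >= 5:
        hdr = parse_record_header(data)
        if (hdr["content_type_name"] in ("handshake", "alert")
                and hdr["version"][0] == 3 and not hdr["too_long"]):
            return "tls"
    if data.startswith(b"HTTP/"):
        return "http"
    return "unknown"


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2 ClientHello carrying an SNI extension. A TLS server answers
    with a ServerHello or an alert record; a plain HTTP server answers with text."""
    name = server_name.encode("idna")
    entry = b"\x00" + len(name).to_bytes(2, "big") + name        # host_name entry
    sni_body = len(entry).to_bytes(2, "big") + entry              # ServerNameList
    sni_ext = b"\x00\x00" + len(sni_body).to_bytes(2, "big") + sni_body
    extensions = len(sni_ext).to_bytes(2, "big") + sni_ext
    suites = b"\xc0\x2f\xc0\x30\x00\x9c\x00\x2f\x00\x35"          # common RSA suites
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"                # version, random, no session id
            + len(suites).to_bytes(2, "big") + suites
            + b"\x01\x00" + extensions)                           # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Open a TCP connection, send the ClientHello and classify the first reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return "unknown"
    return classify_response(data)


def main(argv):
    if len(argv) == 3:
        print(f"{argv[1]}:{argv[2]} speaks {probe(argv[1], int(argv[2]))}")
        return
    # Constructed samples of what a TLS port (like 7440 in the thread) and a
    # plaintext port (like 7441) send back; not captured traffic.
    samples = {
        "tls alert": b"\x15\x03\x03\x00\x02\x02\x28",
        "plain http": b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n",
    }
    for label, data in samples.items():
        hdr = parse_record_header(data)
        print(f"{label}: {classify_response(data)}; read as a record: "
              f"type=0x{hdr['content_type']:02x} length={hdr['length']} "
              f"too_long={hdr['too_long']}")


if __name__ == "__main__":
    main(sys.argv)
```

Firefox (NSS) reports this situation as SSL_ERROR_RX_RECORD_TOO_LONG; OpenSSL-based clients such as curl report "wrong version number" for the same plaintext reply, since they trip over bytes 2 and 3 (`TT`) first. Either way the port is answering HTTP, so the fix is on the Apache side rather than in getssl: the VirtualHost bound to 7441 needs `SSLEngine on` together with `SSLCertificateFile` and `SSLCertificateKeyFile` pointing at the copied certificate and key, and on openSUSE the `<IfDefine SSL>` vhost blocks are only active when APACHE_SERVER_FLAGS in /etc/sysconfig/apache2 includes SSL. Once the port answers `tls`, the existing certificate will be served there just as it is on 7440.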

