Apache/2.2.4 (Unix) mod_ssl/2.2.4 OpenSSL/0.9.8e DAV/2 PHP/5.2.3


Not sure if this belongs here or in another mailing list (apache). I'd
like to know how I can set up subdomains with a wildcard certificate.

1)
Originally I had a couple of websites with SSL (HTTPS), each site with
its own IP address and its own certificate. In an attempt to save on
IP addresses, I thought that subdomains and a wildcard certificate would
allow me to use one IP address (and therefore name-based virtual
hosting).
Is this the correct assumption? If it's correct, please read on. If this
is not correct, what do I need to do to get it working?

2)
I've created a self-signed wildcard certificate. When I (re)start
Apache, the following warnings occur:

[Wed Nov 14 07:34:33 2007] [warn] RSA server certificate CommonName (CN) `*.lbtd-techweb01' does NOT match server name!?
[Wed Nov 14 07:34:33 2007] [warn] RSA server certificate CommonName (CN) `*.lbtd-techweb01' does NOT match server name!?
[Wed Nov 14 07:34:33 2007] [warn] Init: SSL server IP/port conflict: cc.lbtd-techweb01:443 (/etc/httpd/extra/httpd-ssl.conf:52) vs. tac.lbtd-techweb01:443 (/etc/httpd/extra/httpd-ssl.conf:79)
[Wed Nov 14 07:34:33 2007] [warn] Init: You should not use name-based virtual hosts in conjunction with SSL!!
[Wed Nov 14 07:34:33 2007] [notice] Digest: generating secret for digest authentication ...
[Wed Nov 14 07:34:33 2007] [notice] Digest: done
[Wed Nov 14 07:34:34 2007] [warn] RSA server certificate CommonName (CN) `*.lbtd-techweb01' does NOT match server name!?
[Wed Nov 14 07:34:34 2007] [warn] RSA server certificate CommonName (CN) `*.lbtd-techweb01' does NOT match server name!?
[Wed Nov 14 07:34:34 2007] [warn] Init: SSL server IP/port conflict: cc.lbtd-techweb01:443 (/etc/httpd/extra/httpd-ssl.conf:52) vs. tac.lbtd-techweb01:443 (/etc/httpd/extra/httpd-ssl.conf:79)


How do I get rid of the first 2 warnings (and the repeats later on for
different subdomains)? Did I do something wrong while creating the
certificate?
I do understand the cause of the third warning (and its repeats). This
would imply that wildcard certificates and subdomains using name-based
virtual hosting are not possible. Is there any way that I can work around this?


This is (part of) my /etc/httpd/extra-httpd-ssl.conf

NameVirtualHost *:443

Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLPassPhraseDialog builtin

SSLSessionCache shmcb:/var/run/httpd/ssl_scache(512000)
SSLSessionCacheTimeout 300

SSLMutex file:/var/run/httpd/ssl_mutex

# command centre
#


DocumentRoot "/home/cc/www/ils/web"
ServerName cc.lbtd-techweb01
#ServerAlias cc.lbtd-techweb01
ServerAdmin wsturkenboom@multichoice.co.za
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/certificates/lbtd-techweb01.crt
SSLCertificateKeyFile /etc/httpd/certificates/lbtd-techweb01.key

BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

    Order allow,deny
    Allow from all






Wim Sturkenboom
__________________________________________________ ____________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
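
Added example (not part of the original post, and not mod_ssl's own startup check): Python that reads the two kinds of warning quoted in the post and tests whether the wildcard CN covers each virtual host named in the IP/port conflict, using the client-side convention that `*` stands for exactly one leftmost label. The function names and the whole-label-only matching rule are assumptions of this example.

```python
import re

# Startup warnings quoted from the post above (wrapped lines joined).
LOG = """\
[Wed Nov 14 07:34:33 2007] [warn] RSA server certificate CommonName (CN) `*.lbtd-techweb01' does NOT match server name!?
[Wed Nov 14 07:34:33 2007] [warn] Init: SSL server IP/port conflict: cc.lbtd-techweb01:443 (/etc/httpd/extra/httpd-ssl.conf:52) vs. tac.lbtd-techweb01:443 (/etc/httpd/extra/httpd-ssl.conf:79)
"""

CN_RE = re.compile(r"CommonName \(CN\) `([^']+)' does NOT match")
CONFLICT_RE = re.compile(r"IP/port conflict: (\S+):(\d+) \(\S+\) vs\. (\S+):(\d+) ")


def wildcard_match(pattern, host):
    """Whole-label wildcard match (assumed rule): '*' only as the leftmost
    label, standing for exactly one label; comparison is case-insensitive."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) > 1 and p[1:] == h[1:]
    return p == h


def audit(log_text):
    """Return (cn, {vhost: covered?}) for vhosts named in conflict warnings."""
    cns = set(CN_RE.findall(log_text))
    hosts = set()
    for m in CONFLICT_RE.finditer(log_text):
        hosts.update((m.group(1), m.group(3)))
    if len(cns) != 1:
        raise ValueError("expected exactly one certificate CN, got %r" % cns)
    cn = cns.pop()
    return cn, {h: wildcard_match(cn, h) for h in sorted(hosts)}


if __name__ == "__main__":
    cn, result = audit(LOG)
    for host, ok in result.items():
        print("%-22s %s by %s" % (host, "covered" if ok else "NOT covered", cn))
```

Under that convention both virtual host names are covered by the one certificate, while the bare name `lbtd-techweb01` and deeper names such as `a.cc.lbtd-techweb01` are not.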