From: Jeffrey C. <goo...@gm...> - 2004-12-01 02:07:10
On Wed, 1 Dec 2004 11:25:01 +1030, Stephen Miller <ip...@3l...> wrote:
> I wonder if I have just stumbled onto a clue as to why this doesn't work.
> Checking the log file /var/log/httpd/ssl_engine_log, I have the following
> lines since restarting the httpd service:
>
> [01/Dec/2004 11:07:38 25678] [info] Server: Apache/1.3.33, Interface: mod_ssl/2.8.22, Library: OpenSSL/0.9.7e-fips
> [01/Dec/2004 11:07:38 25678] [info] Init: 1st startup round (still not detached)
> [01/Dec/2004 11:07:38 25678] [info] Init: Initializing OpenSSL library
> [01/Dec/2004 11:07:38 25678] [info] Init: Loading certificate & private key of SSL-aware server gateway:444
> [01/Dec/2004 11:07:38 25678] [info] Init: Seeding PRNG with 136 bytes of entropy
> [01/Dec/2004 11:07:38 25678] [info] Init: Generating temporary RSA private keys (512/1024 bits)
> [01/Dec/2004 11:07:38 25678] [info] Init: Configuring temporary DH parameters (512/1024 bits)
> [01/Dec/2004 11:07:38 25679] [info] Init: 2nd startup round (already detached)
> [01/Dec/2004 11:07:38 25679] [info] Init: Reinitializing OpenSSL library
> [01/Dec/2004 11:07:38 25679] [info] Init: Seeding PRNG with 136 bytes of entropy
> [01/Dec/2004 11:07:38 25679] [info] Init: Configuring temporary RSA private keys (512/1024 bits)
> [01/Dec/2004 11:07:38 25679] [info] Init: Configuring temporary DH parameters (512/1024 bits)
> [01/Dec/2004 11:07:38 25679] [info] Init: Initializing (virtual) servers for SSL
> [01/Dec/2004 11:07:38 25679] [info] Init: Configuring server gateway:444 for SSL protocol
> [01/Dec/2004 11:07:38 25679] [warn] Init: (gateway:444) RSA server certificate CommonName (CN) `gateway.mydomain.com' does NOT match server name!?
>
> I named the firewall 'gateway' during the setup routine and notice that the
> last line is rejecting the RSA certificate (in the log entry above, I have
> replaced my domain name with 'mydomain.com').
>

Hmm, I check my logs and I have the same mismatched domain name error.
Like you, I have renamed my ipcop gateway's hostname.

> > Well, after I changed my httpd.conf and header.pl, I can get to my
> > IPCop web admin by
> > https://myname.dyndns.org:446/ (by DNS name)
>
> I haven't actually delegated the domain name gateway.mydomain.com to the red
> interface of my IPCop firewall so I would expect to be able to access
> https://gateway.mydomain.com:444. Is this essential (I certainly haven't seen
> it documented)?
>
> > but I can't go to
> > https://xxx.xxx.xxx.xxx:446/ (my public IP)
> > It seems that the SSL virtual host is not responding to requests with
> > xxx.xxx.xxx.xxx (my public IP) in the HTTP header.
> > I have dynamic public IP on the RED interface, BTW.
>
> Are you accessing the web interface using a domain name from the Green zone?
> Does this also work remotely?

Hmm, I just checked. I used to be able to get to it by hostname, but once again the 81->446 redirect doesn't work anymore. Here's my results:

Doesn't work:
http://myhostname.mysubdomain.dyndns.org:81/ (from internet or from GREEN network)
  -> http://myhostname.mysubdomain.dyndns.org:81/cgi-bin/index.cgi
  -> HTTP/1.x 302 Moved https://xxx.xxx.xxx.xxx:446/ (DNS name resolved to public IP if I'm outside, local IP if I'm browsing from GREEN network)
  -> blank page, no HTTP response
https://myhostname:446/ (from GREEN network) -> host not found (the hostname doesn't resolve locally, probably DNS suffix misconfigured on my side).
https://xxx.xxx.xxx.xxx:446/ (from internet) -> blank page, no HTTP response

Works:
https://myhostname.mysubdomain.dyndns.org:446/ (from RED or GREEN)
http://xxx.xxx.xxx.xxx:446/ (my GREEN interface IP)

Despite the mismatched domain name in the SSL certificate, I still believe that the SSL virtual host in Apache isn't configured to respond to the dynamic IP on the RED interface. I wonder if changing

    https://$ENV{'SERVER_ADDR'}:446/$ENV{'PATH_INFO'}\r\n\r\n";

to

    https://$ENV{'SERVER_NAME'}:446/$ENV{'PATH_INFO'}\r\n\r\n";

would fix it.
- Jeff
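As an added example (not code from this thread and not IPCop's own header.pl, and written in Python rather than the Perl the script uses), the following models the three ways the 81->446 redirect's Location header can be built from the CGI environment: the SERVER_ADDR form quoted in the thread, the SERVER_NAME form Jeff proposes, and, going beyond the thread, a form that echoes the client's Host header but only after checking it against an allow-list, since a 302 built from an unchecked Host header lets the client pick the redirect target. The environment dictionaries, the addresses 203.0.113.7 and 192.0.2.1, the allow-list contents and the forged Host value are all constructed for the example.

```python
"""Model of how IPCop's port-81 -> port-446 redirect chooses its target host.

Added example, not IPCop's header.pl. The CGI environments below are
constructed: 203.0.113.7 stands in for the dynamic public RED address and
192.0.2.1 for the GREEN address.
"""
from urllib.parse import urlsplit

SSL_PORT = 446  # https admin port used in the thread


def _path(env):
    # header.pl appends "/$ENV{'PATH_INFO'}"; PATH_INFO is empty for a request
    # to /cgi-bin/index.cgi itself, so the Location ends in a bare "/" exactly
    # as the quoted "302 Moved https://xxx.xxx.xxx.xxx:446/" does.
    return "/" + env.get("PATH_INFO", "").lstrip("/")


def location_from_server_addr(env):
    """What the quoted header.pl line does: redirect to the IP the request hit."""
    return f"https://{env['SERVER_ADDR']}:{SSL_PORT}{_path(env)}"


def location_from_server_name(env):
    """Jeff's proposed change: redirect to Apache's ServerName for the vhost."""
    return f"https://{env['SERVER_NAME']}:{SSL_PORT}{_path(env)}"


def location_from_host_header(env, allowed_hosts):
    """Assumption, not in the thread: redirect to the name the client actually
    used (the Host header, minus any port), but only if that name is on an
    allow-list; otherwise fall back to SERVER_NAME. Without the allow-list a
    client could supply any Host value and turn the 302 into an open redirect."""
    host = urlsplit("//" + env.get("HTTP_HOST", "")).hostname or ""
    if host.lower() not in allowed_hosts:
        return location_from_server_name(env)
    return f"https://{host}:{SSL_PORT}{_path(env)}"


# Names the firewall is legitimately reachable under (constructed).
ALLOWED_HOSTS = {"gateway.mydomain.com", "myhostname.mysubdomain.dyndns.org"}

# Internet client that typed the dyndns name; request arrived on RED.
INTERNET_REQUEST = {
    "SERVER_ADDR": "203.0.113.7",
    "SERVER_NAME": "gateway.mydomain.com",
    "HTTP_HOST": "myhostname.mysubdomain.dyndns.org:81",
    "PATH_INFO": "",
}

# Same request, but with a Host header the firewall was never known under.
FORGED_HOST_REQUEST = dict(INTERNET_REQUEST, HTTP_HOST="evil.example:81")

# GREEN client that typed the GREEN IP and a deeper path.
GREEN_REQUEST = {
    "SERVER_ADDR": "192.0.2.1",
    "SERVER_NAME": "gateway.mydomain.com",
    "HTTP_HOST": "192.0.2.1:81",
    "PATH_INFO": "/index.cgi",
}


def compare(env, allowed_hosts=ALLOWED_HOSTS):
    """Return all three candidate Location values for one request."""
    return {
        "SERVER_ADDR": location_from_server_addr(env),
        "SERVER_NAME": location_from_server_name(env),
        "HTTP_HOST": location_from_host_header(env, allowed_hosts),
    }


if __name__ == "__main__":
    for label, env in (("internet", INTERNET_REQUEST),
                       ("forged host", FORGED_HOST_REQUEST),
                       ("green", GREEN_REQUEST)):
        print(label)
        for how, loc in compare(env).items():
            print(f"  {how:12s} -> Location: {loc}")
```

For the internet request the SERVER_ADDR form yields the public-IP URL the thread reports as giving a blank page, the SERVER_NAME form yields gateway.mydomain.com, which only helps if that name resolves for the client, and the Host-header form yields the dyndns URL the thread reports as working; a forged Host value falls back to SERVER_NAME instead of being echoed into the 302.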