403 Apache
HowTo: Set Up Multiple SSL Certificates on One IP with Apache
As the Apache Web server grows and matures, new features are added and old bugs are fixed. Perhaps one of the most important new features added to recent Apache versions (2.2.12, to be specific) is the long-awaited support for multiple SSL sites on a single IP address.
prerequisites,
- The server, obviously, must use Apache 2.2.12 or higher.
- It must also use OpenSSL 0.9.8f or later and must be built with the TLS extensions option.
- Apache must be built against this version of OpenSSL as it will enable SNI support if it detects the right version of OpenSSL — the version of OpenSSL that includes TLS extension support.( Default installation contains all these things)
Note:
SNI can only be used for serving multiple SSL sites from your web server and is not likely to work at all on other daemons, such as mail servers, etc. There are also a small percentage of older web browsers that may still give certificate errors. Wikipedia has an updated list of software that does and does not support this TLS extension.
Here am using wild card SSL for hosting two sub-domain in single server, similearly we can also use different ssl for different domain with the same IP.
Follow the basic installation of apache
Redhat :
[root@ip-10-132-82-251 ~]# yum install httpd openssl openssl-devel mod_ssl
Ubuntu:
apt-get install apache2 openssl mod_ssl
Get the the certificate from the authority or use self singed SSL, Verify you have enabled SSL module in the existing apache installation
[root@ip-10-132-82-251 ~]# httpd -M |grep ssl
Add the following lines in the apace main configuration file httpd.conf
[root@ip-10-132-82-251 ~]# vi /etc/httpd/conf/httpd.conf ###FOR SSL NameVirtualHost *:443 <IfModule mod_ssl.c> # If you add NameVirtualHost *:443 here, you will also have to change # the VirtualHost statement in /etc/apache2/sites-available/default-ssl # to # Server Name Indication for SSL named virtual hosts is currently not # supported by MSIE on Windows XP. Listen 443 </IfModule> <IfModule mod_gnutls.c> Listen 443 </IfModule>
Create the Virtual Hosts
Once you downloaded all required files for SSL, proceed to creating Vhost.
Here is the Vhost entry that I used
[root@ip-10-132-82-251 ~]# vi /etc/httpd/conf.d/domain1-ssl.conf <IfModule mod_ssl.c> <VirtualHost *:443> ServerName domain1.mydomain.com DocumentRoot "/opt/web-home/domain1/public_html" <Directory /> Options FollowSymLinks AllowOverride all </Directory> <Directory /opt/web-home/domain1/public_html> Options Indexes FollowSymLinks MultiViews AllowOverride all Order allow,deny allow from all </Directory> ScriptAlias /cgi-bin/ /opt/web-home/domain1/public_html/cgi-bin/ <Directory "/opt/web-home/domain1/public_html/cgi-bin/"> AllowOverride None Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all </Directory> ErrorLog logs/ssl_error_log TransferLog logs/ssl_access_log LogLevel warn SSLEngine on SSLProtocol all -SSLv2 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW SSLCertificateFile /etc/ssl/certs/planetcure.in.crt SSLCertificateKeyFile /etc/ssl/certs/planetcure.in.key SSLCertificateChainFile /etc/ssl/certs/planetcure.in.csr SSLCACertificateFile /etc/ssl/certs/planetcure.in.ca SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 CustomLog logs/ssl_request_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" </VirtualHost> </IfModule> SSLPassPhraseDialog builtin SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000) SSLSessionCacheTimeout 300 SSLMutex default SSLRandomSeed startup file:/dev/urandom 256 SSLRandomSeed connect builtin SSLCryptoDevice builtin
You can also create more Vhost files using this entry. By changing the domain name and the SSL path.
Now restart the apache
[root@ip-10-132-82-251 ~]# service httpd restart
To verify the list of enabled vhost, use the below command
[root@ip-10-132-82-251 ~]# apachectl -S VirtualHost configuration: wildcard NameVirtualHosts and _default_ servers: *:443 is a NameVirtualHost default server domain1.planetcure.in (/etc/httpd/conf.d/domain1-ssl.conf:2) port 443 namevhost domain1.planetcure.in (/etc/httpd/conf.d/domain1-ssl.conf:2) port 443 namevhost domain2.planetcure.in (/etc/httpd/conf.d/domain2-ssl.conf:2) Syntax OK
Phew, these domains having their own SSL with single IP 🙂
Error: [403] pcfg_openfile: unable to check htaccess file, ensure it is readable
Iam getting ERROR 403 while accessing my website, I have checked error log and I found .htacess file missing or unable to read, form the below error have to know that a file missing from the given location and also noticed one thing apache will still searching file outside to the public_html directory. This indicates that the webserver unable to reach into the hosting location. Cpanel say’s that problem with frontpage extension, reinstall it to fix the issue.
In the error log /var/log/httpd/domains/domain.com.error.log
[crit] [client 1.2.3.4] (13)Permission denied: /home/username/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
In this case the error because of miss-permission on public_html, Here we have a script to solve permission based issues this will help you to reset users permission as their own. set_permission.sh
Also their has a manual method to solve this by changing the folder permissions with a chmod 755 (a+rx, u+w). On the otherhand have to change the group (chgrp www-data …) or maybe add Apache2 to a new group (see useradd(1) or just edit /etc/group), then restart Apache2. This may work on all systems.
root@server19 [~]# sh set_permissions.sh *********************************************** Tue Nov 20 22:19:07 IST 2012 : set_permissions.sh DirectAdmin File Permission/Ownership script Usage: set_permissions.sh all set_permissions.sh da_files set_permissions.sh user_homes set_permissions.sh mysql set_permissions.sh email set_permissions.sh logs set_permissions.sh etc_configs internal: set_permissions.sh maildir <user> <path/Maildir> set_permissions.sh set_user_home <user>
Thankyou 🙂