Using Multiple SSL Certificates in Apache with One IP Address

Found "Using Multiple SSL Certificates in Apache with One IP Address" today. Basically:

NameVirtualHost *:443

<VirtualHost *:443>
 ServerName www.yoursite.com
 DocumentRoot /var/www/site
 SSLEngine on
 SSLCertificateFile /path/to/www_yoursite_com.crt
 SSLCertificateKeyFile /path/to/www_yoursite_com.key
 SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>

<VirtualHost *:443>
 ServerName www.yoursite2.com
 DocumentRoot /var/www/site2
 SSLEngine on
 SSLCertificateFile /path/to/www_yoursite2_com.crt
 SSLCertificateKeyFile /path/to/www_yoursite2_com.key
 SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>

gnutls_handshake failed using git

Today I ran into this error:

jj5@mercy:~/public-git$ git push origin master
error: gnutls_handshake() failed: A TLS warning alert has been received. while accessing https://demo@demo.personalserver.com/public/git/info/refs 

The solution, of all things, was to add a ServerName spec into my Apache configuration file /etc/apache2/sites-enabled/default-ssl.conf, e.g.:

ServerName demo.personalserver.com

Bug fixed!!

Namecheap SSL CSR and CA Bundle for PositiveSSL certs

For CSR generation for PositiveSSL and PositiveSSL WildCard with Apache2/OpenSSL, see "CSR Generation: Using OpenSSL (Apache w/mod_ssl, NGINX, OS X)":

 openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr

To generate the CA bundle see this article:

 cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > your_domain.ca-bundle

New Apache SSL configuration

Today Apache complained about SSLCertificateChainFile being deprecated and it told me to use SSLCertificateFile instead.

SSLCertificateFile was already in use with the .crt file. I had to create a new 'SSLCertificateFile' by concatenating the .crt file with the ca-bundle, and that fixed the problem:

# cat trust.jj5.net.crt trust.jj5.net.ca-bundle.pem > trust.jj5.net.pem
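
As an added example (not code from these posts or from Apache), here is a small Python linter for the TLS virtual-host problems the posts above ran into: a missing ServerName (the fix in the gnutls_handshake post) and a leftover SSLCertificateChainFile. The function name and sample config are constructed for illustration; it assumes one directive per line and does not follow Include files.

```python
import re

# Constructed sample, not the page's real config: the second vhost lacks
# ServerName and still uses the deprecated SSLCertificateChainFile.
SAMPLE_CONF = """\
<VirtualHost *:443>
    ServerName www.yoursite.com
    SSLEngine on
    SSLCertificateFile /path/to/www_yoursite_com.pem
    SSLCertificateKeyFile /path/to/www_yoursite_com.key
</VirtualHost>
<VirtualHost *:443>
    # ServerName www.yoursite2.com
    SSLEngine on
    SSLCertificateFile /path/to/www_yoursite2_com.crt
    SSLCertificateKeyFile /path/to/www_yoursite2_com.key
    SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>
"""

OPEN = re.compile(r"<VirtualHost\s+[^>]+>$", re.I)


def lint_tls_vhosts(conf_text):
    """Return (vhost start line, message) findings for each SSLEngine-on vhost."""
    findings, start, seen = [], None, {}
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out ServerName does not count
        if OPEN.match(line):
            start, seen = no, {}
        elif line.lower() == "</virtualhost>" and start is not None:
            if seen.get("sslengine", "").lower() == "on":
                if "servername" not in seen:
                    findings.append((start, "TLS vhost has no ServerName"))
                if "sslcertificatefile" not in seen:
                    findings.append((start, "no SSLCertificateFile"))
                if "sslcertificatechainfile" in seen:
                    findings.append((start, "deprecated SSLCertificateChainFile"))
            start = None
        elif start is not None:
            name, *args = line.split(None, 1)
            seen[name.lower()] = args[0] if args else ""
    return findings


if __name__ == "__main__":
    for line_no, msg in lint_tls_vhosts(SAMPLE_CONF):
        print(f"vhost at line {line_no}: {msg}")
```
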

Running Apache as ME!

On my development machine I want Apache to run under my user id so I can automatically generate files (and have permission to write them).

I configured Apache like this:

root@mercy:/etc/apache2# grep -R www-data .
./envvars:export APACHE_RUN_USER=www-data
./envvars:export APACHE_RUN_GROUP=www-data

root@mercy:/etc/apache2# vim envvars 

export APACHE_RUN_USER=jj5
export APACHE_RUN_GROUP=jj5

root@mercy:/etc/apache2# apache2ctl graceful
/var/lock/apache2 already exists but is not a directory owned by jj5.
Please fix manually. Aborting.

root@mercy:/etc/apache2# chown jj5:jj5 /var/lock/apache2

root@mercy:/etc/apache2# apache2ctl graceful

Easy-peasy!

Wait... that didn't work. The problem was that apache2ctl graceful didn't pick up the new envvars file; this fixed it:

root@mercy:/etc/apache2# /etc/init.d/apache2 restart

PDO Persistent Connection in PHP left broken if connected to dropped database

So you use PDO and specify PDO::ATTR_PERSISTENT => true. Then you drop your database. Then you open a new persistent connection and bang! Not working. The trick is to not use persistent connections to databases that may be dropped. And probably an 'apache2ctl graceful' after you drop a database being used by Apache...

Failed to verify krb5 credentials: Server not found in Kerberos database

I was getting "Failed to verify krb5 credentials: Server not found in Kerberos database" errors when trying to use Kerberos authentication in Apache2. The problem was in my /etc/hosts file. I needed to change this:

10.183.97.44    charity.progclub.org charity
67.207.128.184  charity-public

To this:

10.183.97.44    charity.progclub.org charity
67.207.128.184  charity.progclub.org charity-public