Using multiple certificates
This condition is common when you are configuring your SP for level 2 and using an AusCERT certificate on the back-end that is different from your front-end certificate.
The symptoms seem to be:
- front-end seems to be configured properly
- back-end seems to be configured properly
- Apache uses both port 443 and port 8443 (i.e. it is acting as SP and IdP)
- from time to time Apache returns the first certificate, at other times the second, in a seemingly random pattern
Checking (note that -connect takes host:port, not a URL):
openssl s_client -debug -connect MY_DNS:443
openssl s_client -debug -connect MY_DNS:8443
Solution:
- edit your 443 vhost
<VirtualHost MY_IP:443>
SSLEngine on
ServerName MY_DNS:443
UseCanonicalName On
SSLVerifyDepth 10
# This cipher string still permits LOW, EXPORT and SSLv2 ciphers; a restricted list such as HIGH:!aNULL is the safer choice
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLOptions +StdEnvVars +ExportCertData
SSLCertificateFile /etc/certs/mycert.pem
SSLCertificateKeyFile /etc/certs/mykey.pem
CustomLog /var/log/apache2/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
- edit your 8443 vhost
<VirtualHost MY_IP:8443>
SSLEngine on
ServerName MY_DNS:8443
SSLVerifyDepth 10
UseCanonicalName On
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLVerifyClient optional_no_ca
SSLOptions +StdEnvVars +ExportCertData
SSLCertificateFile /etc/certs/mycert-backend.pem
SSLCertificateKeyFile /etc/certs/mykey.pem
CustomLog /var/log/apache2/ssl_request_log_aa \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
- make sure that:
  - each vhost uses the correct certificate
  - each vhost is defined with a combination of IP address and port
  - ServerName has the full DNS name plus the matching port
  - UseCanonicalName is turned on
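The openssl checks above and the final "make sure they use the correct certificate" step can be automated. The script below is an added example and is not part of the original page: it performs repeated TLS handshakes (with SNI set to the hostname, without verifying the chain, so a self-signed back-end certificate is fine) against each port, computes the SHA-256 fingerprint of the leaf certificate each time, and reports any port that served more than one distinct certificate (the random-switching symptom) or a certificate that does not match the file named in that port's vhost. MY_DNS and the /etc/certs paths are the page's placeholders; the function names are this example's own.

```python
import base64
import hashlib
import os
import re
import ssl
from collections import defaultdict

# Matches the first PEM certificate in a blob of text, including the chatter
# that `openssl s_client` prints around it.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def fingerprint_pem(pem: str) -> str:
    """SHA-256 fingerprint (upper-case hex, colon separated) of the first PEM
    certificate in `pem`; the same value `openssl x509 -noout -fingerprint -sha256`
    prints, so it can be compared with what you see on the command line."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate found in input")
    der = base64.b64decode("".join(m.group(1).split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_file(path: str) -> str:
    """Fingerprint of the certificate stored in a file such as /etc/certs/mycert.pem."""
    with open(path) as f:
        return fingerprint_pem(f.read())


def fetch_cert_fingerprint(host: str, port: int) -> str:
    """One TLS handshake against host:port. ssl.get_server_certificate sends SNI for
    `host` and, with no CA bundle given, does not verify the chain, which is what
    we want for a diagnostic: we only care which certificate the server presents."""
    pem = ssl.get_server_certificate((host, port))
    return fingerprint_pem(pem)


def sample_ports(host, ports, rounds=10, fetch=fetch_cert_fingerprint):
    """Handshake `rounds` times against every port and collect the fingerprints.
    `fetch` is injectable so the logic can be exercised without a network."""
    samples = defaultdict(list)
    for _ in range(rounds):
        for port in ports:
            samples[port].append(fetch(host, port))
    return dict(samples)


def diagnose(samples, expected=None):
    """Return human-readable findings:
    - a port that presented more than one distinct certificate across the samples
      (the 'sometimes the first cert, sometimes the second' symptom), and
    - a port whose certificate differs from expected[port], when `expected` is given."""
    findings = []
    for port, fps in sorted(samples.items()):
        distinct = sorted(set(fps))
        if len(distinct) > 1:
            findings.append(
                f"port {port}: served {len(distinct)} different certificates "
                f"across {len(fps)} handshakes: {distinct}"
            )
        if expected and port in expected and distinct != [expected[port]]:
            findings.append(
                f"port {port}: expected {expected[port]} but saw {distinct}"
            )
    return findings


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "MY_DNS"  # page placeholder
    # Map each port to the certificate file its vhost should be serving.
    cert_files = {443: "/etc/certs/mycert.pem", 8443: "/etc/certs/mycert-backend.pem"}
    expected = {p: fingerprint_file(f) for p, f in cert_files.items() if os.path.exists(f)}
    results = sample_ports(host, sorted(cert_files), rounds=10)
    for port, fps in sorted(results.items()):
        print(f"port {port}: {sorted(set(fps))}")
    problems = diagnose(results, expected)
    print("\n".join(problems) if problems else "OK: each port served one consistent certificate")
    sys.exit(1 if problems else 0)
```

Run it on the web server itself (`python3 check_certs.py MY_DNS`) so the expected fingerprints can be read from the vhost's certificate files; on any other machine it still reports whether each port is consistent across handshakes.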