Conductor serves many different sites at the University of Notre Dame, however, not all sites in Conductor are under the nd.edu umbrella – www.holycrossusa.org is one of them.
SSL Error in Chrome on www.holycrossusa.org
One problem that arose is that non-administrative users needed to securely access the site. As it was configured, anyone going to https://www.holycrossusa.org/ using the Chrome browser would see the following SSL certificate warning. Other browsers would give even more pessimistic notifications.
What was needed was a separate SSL certificate on the Conductor for www.holycrossusa.org. The big gotcha is that most other documentation I found says to set the NameVirtualHost to the server’s IP address. And that means the internal, or Local-IP address, as provided by the %A custom log format directive of Apache. If you use your server’s Public-IP address, things may not work.
Below is the relevant /etc/httpd.conf entries.
# Configuration for conductor.nd.edu NameVirtualHost [LOCAL-IP-ADDRESS-1]:80 NameVirtualHost [LOCAL-IP-ADDRESS-1]:443 <VirtualHost [LOCAL-IP-ADDRESS-1]:80> ServerName conductor.nd.edu ServerAlias *.conductor.nd.edu Include conf/apps/conductor.common </VirtualHost> <VirtualHost [LOCAL-IP-ADDRESS-1]:443> ServerName conductor.nd.edu ServerAlias *.conductor.nd.edu Include conf/apps/conductor.common RequestHeader set X_ORIGINAL_PROTOCOL https SSLEngine on SSLCertificateFile /path/to/conductor.crt SSLCertificateKeyFile /path/to/conductor.key SSLCACertificateFile /path/to/conductor.intermediate.crt </VirtualHost> # Configuration for www.holycrossusa.org NameVirtualHost [LOCAL-IP-ADDRESS-2]:80 NameVirtualHost [LOCAL-IP-ADDRESS-2]:443 <VirtualHost [LOCAL-IP-ADDRESS-2]:80> ServerName www.holycrossusa.org ServerAlias www.holycrossusa.org Include conf/apps/conductor.common </VirtualHost> <VirtualHost [LOCAL-IP-ADDRESS-2]:443> ServerName www.holycrossusa.org ServerAlias holycrossusa.org Include conf/apps/conductor.common RequestHeader set X_ORIGINAL_PROTOCOL https SSLEngine on SSLCertificateFile /path/to/holycrossusa.org.crt SSLCertificateKeyFile /path/to/www.holycrossusa.org.key SSLCACertificateFile /path/to/holycross.intermediate.crt </VirtualHost>
Thanks for posting this!
I have also experienced a similar setup with Rackspace (which I believe you use). A managed Rackspace server with multiple public IP addresses should have a matching private IP address for each public address. I don’t remember the internal addresses exactly, but I do know that the last octet always matched between the private and public addresses.
We also ran into a problem on one such server where Rackpace hadn’t correctly mapped the addresses, resulting in quite a bit of ineffective debugging and a quick resolution once we finally contacted support.
You may also want to look into SNI (Server Name Indication).
http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
http://en.gentoo-wiki.com/wiki/Apache2/SSL_and_Name_Based_Virtual_Hosts