Web Hosting Talk







View Full Version : Problem with SSL in Virtual Hosts


AtlantaWebhost.com
04-14-2001, 01:45 PM
I just upgraded our Linux machine to Apache 1.3.19 and Mod_SSL 2.8.2. The upgrade went smoothly and everything seems to be working very well.

We have two customers on the server who want their own SSL certificates for their websites. They both have their own IP addresses so setting up Virtual SSL domains "should" not be a problem.

I have tried setting up virtual hosts for SSL like this:

<VirtualHost 206.30.168.162:443>
ServerName www.domain.com
DocumentRoot /home/account/public_html/
CustomLog /home/account/logs/access_log combined
ErrorLog "/home/account/logs/error_log"
TransferLog "/home/account/logs/transfer_log"

SSLCertificateFile /usr/local/apache/conf/certificates/www.domain.com.crt
SSLCertificateKeyFile /usr/local/apache/conf/certificates/www.domain.com.key

User nobody
Group nobody
</VirtualHost>

However, when I run apachectl config test, the following is returned:

"Syntax error on line 2986 of /usr/local/apache_1.3.19/conf/httpd.conf:
Invalid command 'SSLCertificateFile', perhaps mis-spelled or defined by a module not included in the server configuration."

I know that Mod_SSL is working correctly since the global SSL information works without problems. Does anyone know how I can make SSL work with virtual hosts with separate IP addresses?

Best regards,
Frank Rietta

Tim Greer
04-14-2001, 06:10 PM
Originally posted by AtlantaWebhost.com
I just upgraded our Linux machine to Apache 1.3.19 and Mod_SSL 2.8.2. The upgrade went smoothly and everything seems to be working very well.

We have two customers on the server who want their own SSL certificates for their websites. They both have their own IP addresses so setting up Virtual SSL domains "should" not be a problem.

I have tried setting up virtual hosts for SSL like this:

<VirtualHost 206.30.168.162:443>
ServerName www.domain.com
DocumentRoot /home/account/public_html/
CustomLog /home/account/logs/access_log combined
ErrorLog "/home/account/logs/error_log"
TransferLog "/home/account/logs/transfer_log"

SSLCertificateFile /usr/local/apache/conf/certificates/www.domain.com.crt
SSLCertificateKeyFile /usr/local/apache/conf/certificates/www.domain.com.key

User nobody
Group nobody
</VirtualHost>

However, when I run apachectl config test, the following is returned:

"Syntax error on line 2986 of /usr/local/apache_1.3.19/conf/httpd.conf:
Invalid command 'SSLCertificateFile', perhaps mis-spelled or defined by a module not included in the server configuration."

I know that Mod_SSL is working correctly since the global SSL information works without problems. Does anyone know how I can make SSL work with virtual hosts with separate IP addresses?

Best regards,
Frank Rietta

Firstly, mod_ssl doesn't need a unique IP to use it on a VHost, but it doesn't hurt.

You need to enable it, for starters, with SSLEnable:

<VirtualHost 206.30.168.162:443>
ServerName www.domain.com
DocumentRoot /home/account/public_html/
CustomLog /home/account/logs/access_log combined
ErrorLog /home/account/logs/error_log
TransferLog /home/account/logs/transfer_log
SSLEnable
SSLVerifyClient none
SSLCertificateFile /usr/local/apache/conf/certificates/www.domain.com.crt
SSLCertificateKeyFile /usr/local/apache/conf/certificates/www.domain.com.key
</VirtualHost>

Also, you don't need to specify the User and/or Group directives, since Apache will run their processes as the web server's global user anyway. You only want to specify the User and Group for a CGI wrapper so things can run under that user's UID, not the web server's global user.

So, remove:
User nobody
Group nobody

Since it's not needed.

That's a rough idea anyway, you should check Apache's documentation and probably their web site for more information for it to best suit your needs.

Tim Greer
04-14-2001, 06:12 PM
And, remember, you might need to start Apache with startssl in place of just start, depending on how you set it up.

AtlantaWebhost.com
04-14-2001, 06:42 PM
Tim,

Thanks for the info, but that is not the problem. It seems that all SSL commands inside a virtual host statement are somehow out of scope. The error I get now is:

Invalid command 'SSLEnable', perhaps mis-spelled or defined by a module not included in the server configuration.

However, the SSL commands work fine outside of virtual host statements - that is what is so perplexing about this.

Best regards,
Frank Rietta

Tim Greer
04-14-2001, 07:12 PM
Originally posted by AtlantaWebhost.com
Tim,

Thanks for the info, but that is not the problem. It seems that all SSL commands inside a virtual host statement are somehow out of scope. The error I get now is:

Invalid command 'SSLEnable', perhaps mis-spelled or defined by a module not included in the server configuration.

However, the SSL commands work fine outside of virtual host statements - that is what is so perplexing about this.

Best regards,
Frank Rietta

This sounds like how your web server is configured. Can you paste the relevant portions here, or maybe send me an email with it, and I'll help you out when I have some time today.

AtlantaWebhost.com
04-14-2001, 07:53 PM
Tim,

Thanks for the help. I did some more tweaking and finally got it to work.

Best regards,
Frank Rietta

Tim Greer
04-14-2001, 09:45 PM
Originally posted by AtlantaWebhost.com
Tim,

Thanks for the help. I did some more tweaking and finally got it to work.

Best regards,
Frank Rietta

That's great, Frank! :-) Could you post what it was, in case others read that post and have the same problem?

AtlantaWebhost.com
04-14-2001, 10:05 PM
Basically I had to copy the virtual host block from the "sample" that was already in the config file under the "SSL Global" section as:

<VirtualHost _default_:443>
...
...
</VirtualHost>

I had to create the following block with the data for the secure site I was creating:

<IfDefine SSL>
<VirtualHost 206.30.168.162:443>
DocumentRoot "/home/shared_ssl/docroot/"
ServerAdmin root@gamma.atlantawebhost.com
ErrorLog /home/shared_ssl/logs/error_log
TransferLog /home/shared_ssl/logs/access_log

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /path/secure.rietta.com.crt
SSLCertificateKeyFile /path/secure.rietta.com.key

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

</VirtualHost>
</IfDefine>

Once that was added, I commented out everything in the sample block and used apachectl to stop the server and restart it with ssl support.

Best regards,
Frank Rietta

Tim Greer
04-14-2001, 10:09 PM
Oh, I see... The <IfDefine SSL> should have been global. I think it might be commented out further in the top part of the web server's configuration.
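
Added example, not part of any post in this thread: a small Python check for the failure discussed above, assuming mod_ssl is loaded only when Apache is started with -DSSL (as `apachectl startssl` does). It reports SSL directives that sit outside an `<IfDefine SSL>` or `<IfModule mod_ssl.c>` block, and weak cipher classes that an SSLCipherSuite string names without excluding them; the function name `audit`, the sample config, and its addresses and paths are constructed for illustration.

```python
import re

# Constructed sample (not from the thread): one vhost unguarded, one guarded.
SAMPLE_CONF = """\
<IfDefine SSL>
LoadModule ssl_module libexec/libssl.so
</IfDefine>
<VirtualHost 192.0.2.10:443>
SSLCertificateFile /path/www.example.com.crt
</VirtualHost>
<IfDefine SSL>
<VirtualHost 192.0.2.11:443>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+LOW:+SSLv2:+EXP:+eNULL
</VirtualHost>
</IfDefine>
"""

GUARD = re.compile(r"<(/?)If(?:Define|Module)\s*([^>]*)>", re.I)
WEAK = ("LOW", "SSLv2", "EXP", "eNULL")  # cipher classes worth flagging

def audit(conf):
    """Return (unguarded SSL directives, weak cipher classes not excluded)."""
    stack, unguarded, weak = [], [], []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = GUARD.match(line)
        if m:
            if not m.group(1):        # opening guard: does it test for SSL?
                stack.append(m.group(2).strip().lower() in ("ssl", "mod_ssl.c"))
            elif stack:               # closing </IfDefine> or </IfModule>
                stack.pop()
            continue
        words = line.split()
        if not words[0].lower().startswith("ssl"):
            continue
        if not any(stack):            # parsed even when mod_ssl is not loaded
            unguarded.append((lineno, words[0]))
        if words[0].lower() == "sslciphersuite" and len(words) > 1:
            for token in words[1].split(":"):
                if token[:1] in ("!", "-"):
                    continue          # class is being removed, not enabled
                parts = token.lstrip("+").split("+")
                weak += [(lineno, p) for p in parts if p in WEAK]
    return unguarded, weak

print(audit(SAMPLE_CONF))
```

Each unguarded entry is a directive that `apachectl configtest` will reject as an "Invalid command" whenever the server is parsed without -DSSL.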

desjazz
08-03-2006, 07:32 PM
hello,

I am a bit of an amateur and I have been having the same error message but I don't understand what the solution you found means really?! I have generated the certificate using openssl to test the facility but am getting the same "Invalid command 'SSLEnable'" error.

Can you point me in the right direction? I have been working on this for hours now.