Is it possible for Apache (2.0) to serve up two SSL certificates when Mongrel and Rails are involved?
Here's the situation... I've got a server with two sites on it: foo.com and bar.com. Both have self-signed SSL certificates (from GoDaddy) and both have their own IP address. Here's the relevant Apache config settings:

    <VirtualHost 192.168.100.17:443>
        ServerName secure.foo.com
        DocumentRoot /var/www/client/foo/current

        ProxyPass / http://127.0.0.1:3002/
        ProxyPassReverse / http://127.0.0.1:3002/
        ProxyPreserveHost on
        RequestHeader set X_FORWARDED_PROTO 'https'

        SSLEngine on
        SSLCertificateFile /etc/httpd/conf/ssl.crt/secure.foo.com.crt
        SSLCertificateKeyFile /etc/httpd/conf/ssl.key/secure.foo.com.key
        SSLCertificateChainFile /etc/httpd/conf/ssl.crt/gd_intermediate_bundle.crt
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

        ErrorLog /var/www/client/foo/current/log/ssl_error_log
        TransferLog /var/www/client/foo/current/log/ssl_access_log
        LogLevel warn

        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
            SSLOptions +StdEnvVars
        </Files>
        <Directory "/var/www/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>

        RewriteEngine On
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
        CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>

    <VirtualHost 192.168.100.16:443>
        ServerName secure.bar.com
        DocumentRoot /var/www/sites/bar/secure

        ProxyPass / http://127.0.0.1:3003/
        ProxyPassReverse / http://127.0.0.1:3003/
        ProxyPreserveHost on
        RequestHeader set X_FORWARDED_PROTO 'https'

        SSLEngine on
        SSLCertificateFile /etc/httpd/conf/ssl.crt/secure.bar.com.crt
        SSLCertificateKeyFile /etc/httpd/conf/ssl.key/secure.bar.com.key
        SSLCertificateChainFile /etc/httpd/conf/ssl.crt/gd_intermediate_bundle.crt
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

        ErrorLog /var/log/httpd/bar.com/ssl_error_log
        TransferLog /var/log/httpd/bar.com/ssl_access_log
        LogLevel warn

        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
            SSLOptions +StdEnvVars
        </Files>
        <Directory "/var/www/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>

        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
        CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>

If I go to a page on secure.foo.com that should be secure (e.g. https://secure.foo.com/login), I get a warning that the certificate is for secure.BAR.com. But if I view the certificate it's for secure.FOO.com.
This is only happening in Firefox. No warnings in MSIE.
My theory is that Apache is serving up the correct certificate (for secure.foo.com) but then somehow the certificate for secure.bar.com is also sent. (I'm assuming MSIE doesn't throw an error because it simply ignores the second one.)
I'd like to blame the situation on Mongrel, but Mongrel doesn't "do" SSL. I'd also like to blame it on Rails, but all Rails does is check to see if a page is supposed to be encrypted and if it isn't, just redirect it to a secure connection.
Has anyone seen anything like this before? Any ideas what the problem could be?
UPDATE: Commenting out the following lines in the Apache config takes down the site, of course, but results in a correct SSL "handshake":

    ProxyPass / http://127.0.0.1:3002/
    ProxyPassReverse / http://127.0.0.1:3002/
    ProxyPreserveHost on