[Mod_nss-list] Separate NSS databases for separate vhosts

Ian Pilcher arequipeno at gmail.com
Mon Aug 24 19:34:10 UTC 2015 

Is $SUBJECT possible?

I've got an existing IPA installation (IPA 3.0.0 on CentOS 6), and I'm
trying to add a separate "virtual host" on a different port.  The new
virtual host should use a completely different server certificate (and
CA chain), so I've created a separate database in a separate directory.

nss.conf (set up by IPA) contains the following:

   NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"
   <VirtualHost _default_:443>
     NSSNickname Server-Cert
     NSSCertificateDatabase /etc/httpd/alias
   </VirtualHost>

The database in /etc/httpd/alias does contain the "Server-Cert"
certificate:

   # certutil -d /etc/httpd/alias -L

   Certificate Nickname                                         Trust Att
                                                                SSL,S/MIM

   Server-Cert                                                  u,u,u
   ipaCert                                                      u,u,u
   FOO.COM IPA CA                                               CT,C,C
   Signing-Cert                                                 u,u,u

ZZZZ-foo.conf contains:

   Listen 44798
   <VirtualHost *:44798>
     NSSPassPhraseDialog "file:/etc/httpd/foo/password.conf"
     NSSNickname "foo.com - StartCom Ltd."
     NSSCertificateDatabase /etc/httpd/foo
   </VirtualHost>

And the database in /etc/httpd/foo does contain the "foo.com - StartCom
Ltd." certificate:

   # certutil -d /etc/httpd/foo -L

   Certificate Nickname                                         Trust Att
                                                                SSL,S/MIM

   StartCom Class 1 Primary Intermediate Server CA - StartCom Ltd. ,,
   foo.com - StartCom Ltd.                                      u,u,u
   StartCom Certification Authority - StartCom Ltd.             ,,

When I try to start Apache with this configuration, I get the following
error:

   [error] Certificate not found: 'foo.com - StartCom Ltd.'

If I change NSSNickname in ZZZZ-foo.conf to "Server-Cert", Apache
starts, but the vhost on port 44798 uses the IPA certificate (from
/etc/httpd/alias).

So it seems pretty definitive that the NSSPassPhraseDialog and
NSSCertificateDatabase options for the new vhost are both being ignored.

Is this expected?  And if so, is there any way to use two completely
separate NSS databases for 2 different virtual hosts?

Thanks!

-- 
========================================================================
Ian Pilcher                                         arequipeno at gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================

More information about the Mod_nss-list mailing list