[Mod_nss-list] Separate NSS databases for separate vhosts

Rob Crittenden rcritten at redhat.com
Mon Aug 24 19:46:45 UTC 2015


Ian Pilcher wrote:
> Is $SUBJECT possible?
>
> I've got an existing IPA installation (IPA 3.0.0 on CentOS 6), and I'm
> trying to add a separate "virtual host" on a different port.  The new
> virtual host should use a completely different server certificate (and
> CA chain), so I've created a separate database in a separate directory.

No, the NSS database is global for the httpd process. You'd need to put 
both server certificates into the same database.

rob

>
> nss.conf (set up by IPA) contains the following:
>
>    NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"
>    <VirtualHost _default_:443>
>      NSSNickname Server-Cert
>      NSSCertificateDatabase /etc/httpd/alias
>    </VirtualHost>
>
> The database in /etc/httpd/alias does contain the "Server-Cert"
> certificate:
>
>    # certutil -d /etc/httpd/alias -L
>
>    Certificate Nickname                                         Trust Att
>                                                                 SSL,S/MIM
>
>    Server-Cert                                                  u,u,u
>    ipaCert                                                      u,u,u
>    FOO.COM IPA CA                                               CT,C,C
>    Signing-Cert                                                 u,u,u
>
> ZZZZ-foo.conf contains:
>
>    Listen 44798
>    <VirtualHost *:44798>
>      NSSPassPhraseDialog "file:/etc/httpd/foo/password.conf"
>      NSSNickname "foo.com - StartCom Ltd."
>      NSSCertificateDatabase /etc/httpd/foo
>    </VirtualHost>
>
> And the database in /etc/httpd/foo does contain the "foo.com - StartCom
> Ltd." certificate:
>
>    # certutil -d /etc/httpd/foo -L
>
>    Certificate Nickname                                         Trust Att
>                                                                 SSL,S/MIM
>
>    StartCom Class 1 Primary Intermediate Server CA - StartCom Ltd. ,,
>    foo.com - StartCom Ltd.                                      u,u,u
>    StartCom Certification Authority - StartCom Ltd.             ,,
>
> When I try to start Apache with this configuration, I get the following
> error:
>
>    [error] Certificate not found: 'foo.com - StartCom Ltd.'
>
> If I change NSSNickname in ZZZZ-foo.conf to "Server-Cert", Apache
> starts, but the vhost on port 44798 uses the IPA certificate (from
> /etc/httpd/alias).
>
> So it seems pretty definitive that the NSSPassPhraseDialog and
> NSSCertificateDatabase options for the new vhost are both being ignored.
>
> Is this expected?  And if so, is there any way to use two completely
> separate NSS databases for 2 different virtual hosts?
>
> Thanks!
>
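Added example, not part of the thread: since mod_nss uses one NSS database for the whole httpd process, the workable layout is the one Rob describes, with the second server certificate and its chain imported into /etc/httpd/alias and the second vhost differing only in NSSNickname. The script below shows the merge commands, a parser for `certutil -L` output that copes with nicknames containing spaces (so the nickname a vhost names can be checked against the database before httpd is started), and the resulting vhost stanza. The PKCS#12 bundle name, the chain file names and the merged listing are constructed for this example, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Checks that a vhost's
# NSSNickname exists in the one NSS database httpd really uses, and shows
# the certutil/pk12util commands that merge a second server certificate
# into that database. File names and paths below are assumptions.

# Print "nickname<TAB>trust" for every certificate in a `certutil -L`
# listing read from stdin. Nicknames may contain spaces, so the trust
# flags are taken as the last field and everything before them is the name.
parse_certutil_listing() {
    awk 'NF >= 2 && $0 !~ /Certificate Nickname|SSL,S\/MIME/ {
            trust = $NF
            sub(/[[:space:]]+[^[:space:]]+$/, "")
            print $0 "\t" trust
         }'
}

# Exit 0 if the exact nickname given as $1 is present in the listing on stdin.
has_nickname() {
    parse_certutil_listing | cut -f1 | grep -Fqx -- "$1"
}

# Check a live database (not run in the stand-alone demo): $1 = db dir, $2 = nickname.
check_vhost_nickname() {
    certutil -d "$1" -L | has_nickname "$2"
}

# Merge the second server certificate (with its private key) and its chain
# into the shared database. Assumed inputs: foo.p12 holds the server cert
# and key under the friendly name "foo.com - StartCom Ltd."; the two chain
# certificates are PEM files. ",," mirrors the trust the question's
# separate database showed for the chain; the DB password is prompted for.
merge_into_shared_db() {
    db=${1:-/etc/httpd/alias}
    pk12util -i /etc/httpd/foo/foo.p12 -d "$db"
    certutil -A -d "$db" -t ",," -n "StartCom Class 1 Primary Intermediate Server CA - StartCom Ltd." \
        -i /etc/httpd/foo/startcom-intermediate.pem
    certutil -A -d "$db" -t ",," -n "StartCom Certification Authority - StartCom Ltd." \
        -i /etc/httpd/foo/startcom-root.pem
}

# Emit the corrected vhost stanza: same database as the default vhost (the
# setting is process-wide anyway), only the nickname differs.
shared_db_vhost() {
    port=$1; nick=$2; db=${3:-/etc/httpd/alias}
    printf 'Listen %s\n<VirtualHost *:%s>\n  NSSNickname "%s"\n  NSSCertificateDatabase %s\n</VirtualHost>\n' \
        "$port" "$port" "$nick" "$db"
}

# Constructed `certutil -d /etc/httpd/alias -L` output after the merge.
LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
ipaCert                                                      u,u,u
FOO.COM IPA CA                                               CT,C,C
Signing-Cert                                                 u,u,u
foo.com - StartCom Ltd.                                      u,u,u
StartCom Class 1 Primary Intermediate Server CA - StartCom Ltd. ,,
'

# Stand-alone demo on the constructed listing: only emit the stanza when the
# nickname it names is actually in the shared database.
if printf '%s' "$LISTING" | has_nickname "foo.com - StartCom Ltd."; then
    echo "nickname present in shared database; second vhost stanza:"
    shared_db_vhost 44798 "foo.com - StartCom Ltd."
else
    echo "nickname missing: import it first (merge_into_shared_db)" >&2
fi
```

Because the imported key now lives in the /etc/httpd/alias token, the existing global NSSPassPhraseDialog (`file:/etc/httpd/conf/password.conf`) unlocks it too; a second password file for the vhost is not needed and would be ignored for the same reason the per-vhost NSSCertificateDatabase is.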