[CLUE-Tech] apache + ssl + web server cluster + one domain name= nightmare

Mike Staver staver at fimble.com
Mon Nov 26 13:58:15 MST 2001


I totally agree, I've spent over $3500 on this, and they told me that's
how I had to do it.  I thought there was a way to buy one cert, and have
all 3 servers using it, but they said no.  Obviously, they wanted to
squeeze my company for all we're worth, so of course they would tell me
that.  There *should* be a free system, or cheaper.  Like you said, they
have a monopoly, it's not cool.  Yeah, I've got the round robin working
fine in bind, and the load balancing working great with cold fusion
server 5.0, no problems there.  It's just my apache config that's not
working correctly. However, I DID get it to work by assigning the www2
cert file under the <IfDefine HAVE_SSL> part.  Then, I stuck the generic
www cert virtual host down below.  Don't ask me why this works, and it
didn't work my other way, but I'm just happy it's working now!

Jeremiah Stanley wrote:
> 
> > Alright, I have a question that I'm hoping somebody out there can
> > answer. I have a certificate for the domain name
> > www.globaltaxnetwork.com.  Unfortunately as verisign works, I also had
> > to buy signed certs for:
> 
> Technically speaking, you should be able to get a certificate that uses
> the glob *.yourdomainhere.com which would allow you to use the cert for
> all of your servers in your domain (not as secure though).
> 
> I believe that Thawte or Verisign (it's been a while) have a solution that
> you would be able to buy a 'generic' cert to run all your boxes off of.
> 
> I could soapbox about how this should be opened up and not let Verisign
> (who owns Thawte BTW) have a monopoly on the SSL certificate market. The
> technology behind this is so trivial (anymore) that it would only take
> getting a CA (certificate of authority) into all browsers shipping (like
> IE, Netscape, Opera, Konqueror and Mozilla) to undermine their market with
> a cheap/free alternative.
> 
> That's the cert side of the problem. I don't know how your load balancer
> is working (too many ways to name) but you might be able to configure it
> to do a DNS round robin and then tell Apache that all four of your servers
> are the same hostname (making your CERTS work). And, round robin load
> balancing is supported in BIND 8.2.3 and 9.1, BTW. Just a thought, I hope
> that isn't too confusing.
> 
> JStanley
> --
> Everybody has a right to be stupid, but some people abuse the privilege.
>                 - Joseph Stalin

-- 

                                -Mike Staver
                                 staver at fimble.com
                                 mstaver at globaltaxnetwork.com
                                 http://www.fimble.com/staver
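
Added example, not part of the original messages: a sketch of the hostname check a browser applies to a certificate name, showing why a cert for www.globaltaxnetwork.com is rejected when a node is reached as www2, and what a `*.` wildcard cert does and does not cover. The www2 FQDN, the bare-domain and nested hostnames, and the function names are assumptions made for illustration.

```python
# Hostname-to-certificate-name matching, simplified from the usual browser
# rules: case-insensitive, exact label count, and "*" accepted only as the
# entire left-most label.

def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if one name from a certificate covers `hostname`."""
    pat = cert_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pat) != len(host) or "" in pat or "" in host:
        return False            # a wildcard never spans more than one label
    if pat[0] == "*":
        # Require at least two fixed labels so "*.com" can never match.
        return len(pat) >= 3 and pat[1:] == host[1:]
    return pat == host


def coverage(cert_names, hostnames):
    """Map each hostname to whether any name on the certificate covers it."""
    return {h: any(name_matches(n, h) for n in cert_names) for h in hostnames}


# Constructed sample hostnames (assumed, based on the names in the thread).
HOSTS = [
    "www.globaltaxnetwork.com",     # name shared via DNS round robin
    "www2.globaltaxnetwork.com",    # a cluster node addressed by its own name
    "globaltaxnetwork.com",         # bare domain
    "a.www.globaltaxnetwork.com",   # two labels below the domain
]

if __name__ == "__main__":
    for names in (["www.globaltaxnetwork.com"], ["*.globaltaxnetwork.com"]):
        print(names)
        for host, ok in coverage(names, HOSTS).items():
            print(f"  {host:30} {'match' if ok else 'MISMATCH'}")
```

If every node answers only as www.globaltaxnetwork.com, the single-name cert passes on all of them; either way the same private key ends up on each node, which is the exposure behind the "not as secure" remark about wildcard certs.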