SSL server IP/port conflict

[pichlo]

Hey Guys,

I've found several threads regarding my problem. But it seems that theres still no solution. So I try it again: Everytime I restart my apache I get the following in /var/log/apache2/error.log:

[Tue Feb 28 12:58:23 2012] [warn] Init: SSL server IP/port conflict: default-<my_address>:443 (/opt/psa/admin/conf/generated/13304302880.12388000_server.include:105) vs. lists:443 (/opt/psa/admin/conf/generated/13304302880.12388000_server.include:206)
[Tue Feb 28 12:58:23 2012] [warn] Init: You should not use name-based virtual hosts in conjunction with SSL!!

To get this "small" list of warnings I've deactivated SSL for all my domains and subdomains. But everytime someone creates a new subdomain the list of conflicts grows up. So here are my questions:

- Are these warnings quite normal? Or is this a miss configuration on my server?
- How can I deactivate SSL for all of my customer domains and subdomains? Everytime I create a new subdomain plesk switchs SSL on this subdomain.
- How can I deactivate SSL for lists (=mailman) and the default-<ip> entry? I've found no solution. Even removing mailman didn't changed anything.

Thanks, Martin

PS: I've checked the following threads without finding a solution:
- How do I turn off SSL for every domain: http://forum.parallels.com/showthread.php?t=106128&highlight=SSL+server+IP/port+conflict
- Apache sometimes fails to restart: http://forum.parallels.com/showthread.php?t=106005&page=5&highlight=SSL+server+IP/port+conflict
- SSL Init: SSL server IP/port conflict:http://forum.parallels.com/showthread.php?t=106075&highlight=SSL+server+IP/port+conflict

 

[pichlo]

Hey Guys,

no ideas? I've another conflict, when activating horde as webmail.

Is there any solution?

Regards, Martin

 

[HostaHost]

Those errors are normal, and more and more of them will occur as sites are added. It will occur for each site on a shared IP address.

 

[pichlo]

Thank you for your answer. Is there realy no way to deactivate SSL for the default ip or lists? This would avoid this messages..

More over I've the supicion, that this error creates the following errors:

error.log.1:[Mon Feb 27 08:52:08 2012] [emerg] (43)Identifier removed: couldn't grab the accept mutex
error.log.1:[Mon Feb 27 08:52:10 2012] [emerg] (22)Invalid argument: couldn't grab the accept mutex

 

[pichlo]

No further ideas?

 

[Dave.E]

first of all - these warnings are nothing to worry about too much.

SSL is a connection based secure solution for http.

The browser sends a request to the server on port 443 and the server responds with a certificate.
It will respond with the first certificate it finds.
And here is the problem - up to that moment the server does not know about the hostname, that you entered in the browsers address-bar. The browser jusk "asks" for an IP-address as no other data should be transferred without being secured. This is due to the "old" SSL protocol from 1995, where no one could imagine that we were running out of IP-addresses and "virtual Host" was a foreign word.

As the SSL-certificate must match the hostname in the browser, apache sends a warning to the log.
There will be a solution called SNI, but not all OSes nor all browsers are capable of that right now.

Look at: http://en.wikipedia.org/wiki/Secure_Socket_Layer
and: http://en.wikipedia.org/wiki/Server_Name_Indication
for more details.


Now the solution:
If you do not use SSL at all for your webs and other stuff, just switch it off:
Goto /etc/httpd/conf.d/ssl.conf (on RedHat) (or find "LISTEN 443" in your apache config files)
and just comment out that line.
#LISTEN 443
restart apache
[~] service httpd restart
(or whatever the command is on your system)

Now apache will not listen to 443 any longer and therefore no more warnings will be left in the system log.