On Aug 31, 2009, at 8:50 PM, keith smith wrote:

> Here it is.  Thanks!
>
> Also log shows this about 10 times
>
> [Mon Aug 31 18:30:09 2009] [warn] RSA server certificate CommonName  
> (CN) `newcart.dev' does NOT match server name!?
>
>
>
> <VirtualHost 192.168.20.20:443>
>   DocumentRoot "/work/dev/newcart.dev"
>   ServerName newcart.dev:443
>   ErrorLog logs/ssl_error_log
>   TransferLog logs/ssl_access_log
>   ##LogLevel warn
>
>   LogLevel debug
>
>   ##SSLEngine on
>   ##SSLProtocol all -SSLv2
>   ##SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
>   ##SSLCertificateFile /etc/pki/tls/certs/localhost.crt
>   ##SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
>   #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
>   #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
>
>   ##<Files ~ "\.(cgi|shtml|phtml|php3?)$">
>   ##    SSLOptions +StdEnvVars
>   ##</Files>
>   ##<Directory "/var/www/cgi-bin">
>   ##    SSLOptions +StdEnvVars
>   ##</Directory>
>
>   ##SetEnvIf User-Agent ".*MSIE.*" \
>   ##      nokeepalive ssl-unclean-shutdown \
>   ##      downgrade-1.0 force-response-1.0
>
>   ##CustomLog logs/ssl_request_log \
>   ##       "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
> </VirtualHost>
>

ok, with all that stuff commented out, the browser sends you an ssl  
request, and you answer in plaintext.  Chaos ensues.  (The server  
doesn't 'know' that its supposed to speak ssl on port 443.  That's a  
common convention, but not a technical requirement.)

The only must-have directives are SSLEngine on, SSLCertificateFile,  
and SSLCertificateKeyFile (that file should only be readable by root,  
btw).  Everything else seems fine at a glance, but you can leave the  
rest commented out while you're debugging.

alex