[rt-users] LDAP Authentication, Redux

Matt Disney matthew.disney at fedex.com
Tue Dec 3 17:11:58 EST 2002


Wildcard certificates sound good to me.

If that doesn't work for you, you could probably NAT it. For example,
on a Linux box you could use iptables to translate the virtual hostname
back to the real server. The NAT box and webserver need not be the same
machine, though they very well could be. You would need to adjust the
webserver config and DNS records accordingly, as well. My group isn't
currently serving RT over SSL so we aren't actually using NAT for that,
though we do translate other things due to this exact SSL cert/vhost
issue.

Matt

bill at daze.net writes:
>> And the only problem with SSL is that you can't use it with
>> multiple named vhosts on the same IP address.  I like to give
>> every web service its own hostname because this makes it easy
>> to move around as machines are changed or upgraded without
>> affecting anything else and it is a lot easier to do this with
>> CNAMES than IP addresses.  When you run these over ssl the browser
>> always pops up a warning that the hostname on the certificate
>> doesn't match the requested host - but it does work as long as the
>> user clicks the OK button.  Is there any way to avoid this that
>> doesn't tie the name to an IP address as a side effect?
>
>Yes, get a wildcard certificate, i.e. *.example.com.  Then you can use
>name based virtual hosts site1.example.com, site2.example.com, etc.
>without receiving a certificate mismatch warning.
>
>We've been using them for years.  Thawte used to be the only game in town,
>but now you can get them from other Certificate Authorities.  Our current
>wildcard certificate is from Geotrust/Equifax.
>
>-Bill
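The mismatch warning Bill describes is the browser checking the requested hostname against the names in the certificate; a wildcard certificate avoids it only for hostnames that the wildcard actually covers. The following is an added example (not code from the thread, from RT, or from any CA) that implements that check in Python using the matching rules later written down in RFC 2818 section 3.1 and RFC 6125 section 6.4.3: the wildcard may only be the leftmost label, it matches exactly one label, and wildcards like `*.com` are rejected. The certificate names and vhost list are constructed sample data, and `site1.example.com` and similar names are placeholders.

```python
"""Wildcard certificate hostname matching (added example, not from the thread).

Shows which vhost names a certificate issued for *.example.com covers.
The browser's "hostname on the certificate doesn't match the requested
host" warning is exactly this check failing.  Certificate names and
vhost names below are constructed sample data.
"""
from __future__ import annotations


def label_matches(pattern_label: str, host_label: str) -> bool:
    """Match one DNS label against a certificate pattern label.

    A bare '*' matches any single non-empty label.  A partial wildcard
    such as 'rt*' is accepted by splitting around the single '*'.
    """
    if "*" not in pattern_label:
        return pattern_label == host_label
    if pattern_label.count("*") != 1:
        return False
    prefix, suffix = pattern_label.split("*")
    return (
        host_label.startswith(prefix)
        and host_label.endswith(suffix)
        and len(host_label) >= len(prefix) + len(suffix)
    )


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (CN or dNSName SAN) covers hostname.

    Rules (RFC 2818 3.1 / RFC 6125 6.4.3):
      * comparison is case-insensitive and ignores a trailing dot;
      * a wildcard may appear only in the leftmost label;
      * the wildcard matches exactly one label, so *.example.com covers
        site1.example.com but neither example.com nor a.b.example.com;
      * patterns like '*.com' or '*' are rejected outright.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if not all(h_labels) or len(p_labels) != len(h_labels):
        return False
    if "*" in pattern:
        if any("*" in lab for lab in p_labels[1:]):
            return False  # wildcard allowed in the leftmost label only
        if len(p_labels) < 3:
            return False  # refuse *.com and * style patterns
    if not label_matches(p_labels[0], h_labels[0]):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert_names: list[str], hostname: str) -> bool:
    """True if any name carried by the certificate covers hostname."""
    return any(hostname_matches(name, hostname) for name in cert_names)


def check_vhosts(cert_names: list[str], vhosts: list[str]) -> dict[str, bool]:
    """Map each vhost name to whether the certificate would be accepted for it."""
    return {host: cert_covers(cert_names, host) for host in vhosts}


# Constructed sample: a wildcard certificate like the one Bill describes,
# with the bare domain added as a second name since '*' does not cover it.
WILDCARD_CERT_NAMES = ["*.example.com", "example.com"]

if __name__ == "__main__":
    sample_vhosts = [
        "site1.example.com",   # covered by the wildcard
        "rt.example.com",      # covered by the wildcard
        "example.com",         # covered only by the extra bare name
        "a.b.example.com",     # NOT covered: wildcard is one label only
        "rt.example.net",      # NOT covered: different domain
    ]
    for host, ok in check_vhosts(WILDCARD_CERT_NAMES, sample_vhosts).items():
        print(f"{host:20} {'ok' if ok else 'MISMATCH WARNING'}")
```

The practical caveat this makes visible: a `*.example.com` certificate does not cover `example.com` itself or any deeper name such as `a.b.example.com`, so hosts that need those names still need them listed separately in the certificate.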
