Apache 2.2.22-2.2.24 error with name-based SSL virtual hosts using wildcard cert

Originator: nzphil76
Number: rdar://12403484 Date Originated: 1/10/2012
Status: Open Resolved:
Product: OS X Server Product Version: 10.8.5
Classification: Crash Reproducible:
 
Summary:
The version of Apache present in OS X Server 10.7 (Apache v2.2.22) through 10.8.5 (Apache v2.2.24) exhibits a bug when using name-based SSL virtual hosts and when multiple virtual hosts draw on the same password-protected wildcard SSL certificate.

This bug manifests in OS X Server 10.7 and 10.8 as an unusable "Web Server" configuration when adding multiple SSL virtual hosts on the same IP where all web hosts share a single wildcard SSL certificate.

The bug is known to the Apache developers, has been fixed in a post-2.2.x release, and has also been backported to 2.2.22. See: https://issues.apache.org/bugzilla/show_bug.cgi?id=31709

Steps to Reproduce:

Set up a vanilla OS X 10.7/10.8 server. Obtain a wildcard SSL certificate, e.g. *.example.com. Create a virtual host bound to a specific IP address and using the wildcard SSL certificate, e.g. host1.example.com. Enable web service and verify functionality. Now add a second virtual host using the same wildcard SSL cert, e.g. "host2.example.com".

Expected Results:
Virtual hosts are separately accessible.

Actual Results:
Web server crashes on launch with error in log:
error] Oops, no RSA or DSA server certificate found for 'host2.example.com:0'?!
Server then repeatedly attempts to restart. Web service is effectively lost.

Regression:
The port 0 shown in the error message makes the error distinctive: no virtual host is (or indeed can be) bound to port 0. The bug is in Apache's handling of password-protected SSL certs, as can be verified by removing the password on the wildcard cert.

A fragile workaround is to disable ALL SSL certs on the server, add the required virtual hosts, then in the "Machine" portion of Server.app manually select a certificate for each site, leaving SSL off for the default virtual hosts. However, this workaround breaks under a number of circumstances, including any change in web config, and sometimes even after a reboot.
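The port-0 signature described above is easy to pick out of an Apache 2.2 error log automatically. The following is an added example, not part of this report; it scans a constructed log excerpt (sample lines modelled on the message quoted above, not taken from the reporter's server) and separates this bug's signature from a genuinely missing certificate, which would report the vhost's real port.

```python
import re

# Apache 2.2 mod_ssl "no server certificate" line. The vhost name is followed
# by ':<port>'; this report's bug shows port 0, which no vhost can bind.
# The pattern anchors on "error]" so it also matches the truncated quote above.
_NO_CERT_RE = re.compile(
    r"error\] Oops, no RSA or DSA server certificate found for "
    r"'(?P<host>[^':]+):(?P<port>\d+)'\?!"
)


def classify_no_cert_errors(log_text):
    """Return (host, port, verdict) for every 'no server certificate' line.

    verdict is 'passphrase-vhost-bug' when the port is 0 (the signature this
    report describes) and 'check-vhost-config' otherwise, where the vhost
    really lacks a usable certificate on a real port.
    """
    results = []
    for line in log_text.splitlines():
        m = _NO_CERT_RE.search(line)
        if not m:
            continue
        host, port = m.group("host"), int(m.group("port"))
        verdict = "passphrase-vhost-bug" if port == 0 else "check-vhost-config"
        results.append((host, port, verdict))
    return results


# Constructed sample log excerpt (hypothetical hosts, not real log data).
SAMPLE_LOG = """\
[Thu Oct 10 09:12:01 2013] [notice] Apache/2.2.24 (Unix) configured -- resuming normal operations
[Thu Oct 10 09:12:01 2013] [error] Oops, no RSA or DSA server certificate found for 'host2.example.com:0'?!
[Thu Oct 10 09:12:01 2013] [error] Oops, no RSA or DSA server certificate found for 'legacy.example.com:443'?!
"""

if __name__ == "__main__":
    for host, port, verdict in classify_no_cert_errors(SAMPLE_LOG):
        print(f"{host}:{port} -> {verdict}")
```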
