Hello List!

I recently inherited a pound setup running on OpenBSD with carp for
failover. We've been serving one ssl-enabled site for some time without
a problem; however, today I needed to add a second ssl-enabled site, and
am encountering some difficulties. The certificate for my original site
is being used to authenticate my new site, even though in the config
file I've explicitly defined a different cert. My config is as follows:

User nobody
Group nogroup

# HTTP definitions
ListenHTTP xxx.xxx.52.45,80
ListenHTTP xxx.xxx.52.54,80
ListenHTTP xxx.xxx.52.60,80
ListenHTTP xxx.xxx.52.61,80
ListenHTTP xxx.xxx.0.48,80
ListenHTTP xxx.xxx.0.49,80
ListenHTTP xxx.xxx.0.47,80

# HTTPS definitions
# Cert files contain (IN ORDER):
# 1: private key
# 2: certificate
# 3: CA Certificate for instantssl
ListenHTTPS xxx.xxx.0.47,443 /etc/pound/ssl/new_site.crt
ListenHTTPS xxx.xxx.52.45,443 /etc/pound/ssl/new_site.crt
ListenHTTPS xxx.xxx.0.49,443 /etc/pound/ssl/original_site.net.cert
ListenHTTPS xxx.xxx.52.61,443 /etc/pound/ssl/original_site.net.cert

# This file contains the main GTE Root CA cert
CAlist /etc/pound/ssl/GTECyberTrustGlobalRoot.cert 9

# The backend servers
UrlGroup ".*"
    BackEnd xxx.xxx.0.50,80,1
    BackEnd xxx.xxx.0.51,80,1
    Session IP 900
EndGroup

Everything seems to work until I go to new_site, at which point I get a
hostname mismatch on the SSL cert, and when I view the certificate it is
the one for original_site. I have created and installed a certificate
for new_site, so I'm not sure what the problem is. Does anyone have any
ideas?

Thanks
Brian