Ubuntu - trouble securing *.mydomain.com and *.sub.mydomain.com using different certs - apache

I just added a subdomain to my site and am trying to get SSL working. Previously I had SSL working on example.net and www.example.net using a cert from namespace.com.
With the subdomain, things are not quite working.
Here is what I have in DNS entries:
CNAME: www.sub.example.net is an alias of example.net
A: sub.example.net directs to IP
CNAME: www.example.net is an alias of example.net
A: example.net directs to IP
Here is my example.net conf file:
<VirtualHost *:80>
ServerName example.net
Redirect permanent / https://example.net/
</VirtualHost>
<VirtualHost *:443>
ServerName example.net
DocumentRoot "/var/www/example/public"
<Directory "/var/www/example/public">
AllowOverride all
</Directory>
SSLEngine on
SSLCertificateKeyFile /root/example.net.key
SSLCertificateFile /root/example.net.crt
SSLCertificateChainFile /root/example.net.ca-bundle
</VirtualHost>
And my sub.example conf file:
<VirtualHost *:80>
ServerName sub.example.net
ServerAlias www.sub.example.net
DocumentRoot /var/www/sub.example
Redirect permanent / https://sub.example.net/
</VirtualHost>
<VirtualHost *:443>
ServerName sub.example.net
ServerAlias www.sub.example.net
DocumentRoot /var/www/sub.example
SSLCertificateFile /etc/letsencrypt/live/sub.example.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sub.example.net/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
If I go to sub.example.net and www.sub.example.net then all is well.
If I go to example.net all is well.
However, when I go to www.example.net I get error about the cert only being valid for sub.example.net and *.sub.example.net.
So for some reason the www in front of example.net is having apache not look at the namespace.com wildcard cert that I have for example.net.
Now, I created the subdomain certs via
sudo certbot certonly --manual -d *.sub.example.net -d sub.example.net --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
I have a feeling I have some weird combo of apache conf settings and DNS entries that are causing this behavior. Any idea what I did wrong?
thanks,
Brian

So for some reason the www in front of example.net is having apache not look at the namespace.com wildcard cert that I have for example.net.
You don't have a ServerAlias defined for www.example.net which means it will not be able to find an exact match for the domain name. In this case it uses the first of your virtual hosts in the configuration, whichever this is in your case.
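As an added check that is not part of the question or the answer: the browser error quoted above ("only valid for sub.example.net and *.sub.example.net") is the client's hostname check against the certificate's Subject Alternative Names. The script below reimplements that check (RFC 6125 rules: a wildcard covers exactly one leftmost label and never the bare parent) and adds a helper that asks the server which SAN list it presents for a given SNI name, so the two names example.net and www.example.net can be compared directly. Assumptions: OpenSSL 1.1.1 or newer for `x509 -ext`, and the `served_sans` helper needs network access; the hostnames are the ones from the question.

```shell
#!/bin/sh
# Added example, not code from the question or answer above.  It reproduces
# the host-name check a browser applies to a certificate's Subject Alternative
# Names, so the error "valid only for sub.example.net and *.sub.example.net"
# can be reasoned about, and it shows how to ask Apache which certificate it
# serves for a given SNI name.
#
# Matching rule (RFC 6125, as browsers implement it): a name matches a SAN
# entry when it is identical (case-insensitive), or when the entry is
# "*.parent" and the name is exactly ONE label followed by ".parent".  The
# wildcard never spans a dot and never matches the bare parent, which is why
# "*.sub.example.net" does not cover "www.example.net".

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# san_entry_matches HOST ENTRY   -> status 0 when ENTRY covers HOST
san_entry_matches() {
    h=$(lower "$1")
    e=$(lower "$2")
    case "$e" in
        \*.*)
            # drop the wildcard label; HOST minus its first label must equal the rest
            parent=${e#\*.}
            if [ "${h#*.}" = "$parent" ] && [ "$h" != "$parent" ]; then
                return 0
            fi
            return 1
            ;;
        *)
            if [ "$h" = "$e" ]; then return 0; fi
            return 1
            ;;
    esac
}

# cert_covers_host HOST "DNS:a, DNS:b, ..."   -> status 0 when any entry covers HOST
cert_covers_host() {
    host=$1
    for entry in $(printf '%s' "$2" | tr ',' '\n'); do
        entry=${entry#DNS:}
        if san_entry_matches "$host" "$entry"; then
            return 0
        fi
    done
    return 1
}

# served_sans SNI_NAME CONNECT_HOST   -> prints the SAN list the server presents
# when the client asks for SNI_NAME.  Needs network access and OpenSSL >= 1.1.1
# (for "x509 -ext"); the test below does not call it.  Comparing the output for
# example.net and www.example.net shows whether Apache chose a different
# <VirtualHost *:443> for the www name.
served_sans() {
    printf '' | openssl s_client -connect "$2:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName 2>/dev/null \
        | sed -n '2s/^[[:space:]]*//p'
}

# Usage: sh check_san.sh www.example.net example.net
if [ "$#" -eq 2 ]; then
    sans=$(served_sans "$1" "$2")
    if cert_covers_host "$1" "$sans"; then
        echo "OK: $1 is covered by [$sans]"
    else
        echo "MISMATCH: $1 is not covered by [$sans]"
        exit 2
    fi
fi
```

Running `sh check_san.sh www.example.net example.net` against the configuration in the question would report a mismatch with the Let's Encrypt SAN list, while `sh check_san.sh example.net example.net` would report the wildcard certificate; the difference is the vhost selection the answer describes, not the DNS records.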

Related

Apache2 VirtualHost SSL config issues

Debian 10 / Apache2 -
GOAL: redirect all web traffic to VPS server to SSL. I have 2 sites hosted: bjmurrey.com and nextcloud.bjmurrey.com. I have 1 IP address.
PROBLEM: I can't for the life of me find a way to make this work. I have tried 1000 suggestions posted here and elsewhere with no success. The closest I get is everything redirects to https://bjmurrey.com when typing in nextcloud.bjmurrey.com. I am also a novice at this so please be kind.
I have a default.conf that looks like this:
<VirtualHost *:80>
ServerName www.bjmurrey.com
ServerAlias bjmurrey.com
DocumentRoot /var/www/blog
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Redirect permanent / https://bjmurrey.com/
</VirtualHost>
<VirtualHost *:80>
ServerName nextcloud.bjmurrey.com
DocumentRoot /var/www/nextcloud
ServerAlias nextcloud.bjmurrey.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Redirect permanent / https://nextcloud.bjmurrey.com/
</VirtualHost>
I have a default-ssl.conf that looks like this:
<VirtualHost bjmurrey.com:443>
ServerName bjmurrey.com
ServerAlias www.bjmurrey.com
DocumentRoot /var/www/blog
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/bjmurrey.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/bjmurrey.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
<VirtualHost nextcloud.bjmurrey.com:443>
ServerName nextcloud.bjmurrey.com
DocumentRoot /var/www/nextcloud
ServerAlias nextcloud.bjmurrey.com
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/nextcloud.bjmurrey.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/nextcloud.bjmurrey.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
bjmurrey.com is in var/www/blog and nextcloud.bjmurrey.com in the var/www/nextcloud directories.
I have my DNS records www and nextcloud both pointed to same IP. I only have 1 IP available. This is a very low traffic site.
I have done all kinds of things like just have the default virtual host redirect to only nextcloud and removed all mention of the www site and it still redirects to bjmurrey.com, or redirects with an SSL error saying that nextcloud can't be loaded because the ssl is for bjmurrey.com only. As you can see I have made certs with letsencrypt for both bjmurrey.com and nextcloud.bjmurrey.com.
I'm about to yank all my hair out in frustration, so I know I've tapped out all my knowledge here. Help!
I have retested with http and it is working for me.
Both addresses mydomain.myhost.example.com and myhost.example.com resolve to the same IP.
This is my configuration file
ServerName example.com
<VirtualHost *:80>
ServerName mydomain.myhost.example.com
DocumentRoot /var/www/mydomain
</VirtualHost>
<VirtualHost *:80>
ServerName myhost.example.com
DocumentRoot /var/www/myhost
</VirtualHost>
Tested in Ubuntu 20.04.1, Apache 2.4

Apache VirtualHost multiple domain multiple SSL

Hi I have the following use case, I have an application (let's call it foobar) on a remote server /var/www/foobar and I have the following Apache VirtualHost conf
<VirtualHost *:80>
DocumentRoot /var/www
# This is to redirect http traffic to https
Redirect permanent / https://example.com/
</VirtualHost>
<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /etc/ssl/certs/example.com.crt
SSLCertificateKeyFile /etc/ssl/private/example.com.key
SSLCertificateChainFile /etc/ssl/certs/example.com.bundle.crt
ServerName example.com:443
DocumentRoot /var/www/foobar
</VirtualHost>
And its working all fine. Now suppose I have another domain example2.com and I want it to point to the same foobar application. My current thinking is create another VirtualHost below, something like this
<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /etc/ssl/certs/example2.com.crt
SSLCertificateKeyFile /etc/ssl/private/example2.com.key
SSLCertificateChainFile /etc/ssl/certs/example2.com.bundle.crt
ServerName example2.com:443
DocumentRoot /var/www/foobar
</VirtualHost>
But I was wondering is this the correct way of doing stuff like this? I need both domains to be "independent" so I didn't make a permanent redirect from example2.com to example.com
You can do something like below. You can use the server alias for this. Also, I don't see anything wrong in having 2 virtual hosts as well.
<VirtualHost *:443>
ServerName example1.com
ServerAlias example2.com
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html/testlink
</VirtualHost>
If you are getting an "unable to get a certificate" error, you can create a certificate with a wildcard CN, e.g. *.com; this will match both example1.com and example2.com.

Running SSL and non-SSL sites simultaneously with MAMP (4.0.6)

To enable SSL, I've uncommented this line in httpd.conf:
# Secure (SSL/TLS) connections
Include /Applications/MAMP/conf/apache/extra/httpd-ssl.conf
The httpd-ssl.conf file itself I've left untouched, and created .crt and .key files for a self-signed SSL certificate in the places it's expecting to see them by default:
SSLCertificateFile "/Applications/MAMP/conf/apache/server.crt"
SSLCertificateKeyFile "/Applications/MAMP/conf/apache/server.key"
Back in the main httpd.conf, I've created a VirtualHost for a site I want to use SSL, and configured like this to eventually get it working:
NameVirtualHost *
<VirtualHost *>
DocumentRoot "/Users/jonnott/Documents/sslsite1.dev"
ServerName sslsite1.dev:443
ServerAlias www.sslsite1.dev
SSLEngine on
SSLCertificateFile "/Applications/MAMP/conf/apache/server.crt"
SSLCertificateKeyFile "/Applications/MAMP/conf/apache/server.key"
</VirtualHost>
This SSL site now works fine.
However, the problem I have is that now whenever I try to visit any local non-SSL hosts, I get this error:
Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
These other non-SSL sites are configured in httpd.conf like this:
<VirtualHost *>
DocumentRoot "/Users/jonnott/Documents/site2.dev"
ServerName site2.dev
ServerAlias www.site2.dev
</VirtualHost>
What am I missing / doing wrong?
I think I've pretty much figured it out after reading this:
http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts2
I needed BOTH of these in my httpd.conf before the start of my VirtualHost directives:
NameVirtualHost *:80
NameVirtualHost *:443
..and then each VirtualHost needed to be port-specific:
<VirtualHost *:80>
DocumentRoot "/Users/jonnott/Documents/Projects/site1"
ServerName site1.dev:80
</VirtualHost>
<VirtualHost *:443>
DocumentRoot "/Users/jonnott/Documents/Projects/site1"
ServerName site1.dev:443
SSLEngine on
SSLCertificateFile "/Applications/MAMP/conf/apache/server.crt"
SSLCertificateKeyFile "/Applications/MAMP/conf/apache/server.key"
</VirtualHost>

httpd redirects with SSL and subdomains/vhosts

I'm trying to setup http -> https redirected subdomains on my website, which is being served by Apache (Version: 2.2.31). I purchased a wildcard SSL certificate that is installed correctly for my main site (www.domain.com) because I get a green lock next to the address, so that part should be done.
The issue: browsing to subdomain.domain.com redirects to www.domain.com and I can't figure out why. I've been reading and following this page as well as several others with similar content, but I'm missing the key ingredient.
The main site is served from /var/www/html and the subdomain is served from /var/www/vhosts/subdomain. Also, I'm getting this error:
[warn] _default_ VirtualHost overlap on port 443, the first has precedence
Here's the vhost section of /etc/httpd/conf/httpd.conf:
NameVirtualHost *:80
<VirtualHost *:80>
ServerName www.domain.com
ServerAlias www.domain.com
#Redirect permanent / https://www.domain.com
Redirect 302 / https://www.domain.com
</VirtualHost>
<VirtualHost *:80>
ServerName subdomain.domain.com
ServerAlias subdomain.domain.com
#Redirect permanent / https://subdomain.domain.com
Redirect 302 / https://subdomain.domain.com
</VirtualHost>
And here's /etc/httpd/conf.d/ssl.conf:
<VirtualHost *:443>
ServerName www.domain.com
ServerAlias www.domain.com
DocumentRoot /var/www/html
...
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /path/to/cert
SSLCertificateKeyFile /path/to/key
SSLCertificateChainFile /path/to/bundle
</VirtualHost>
<VirtualHost *:443>
ServerName subdomain.domain.com
ServerAlias subdomain.domain.com
DocumentRoot /var/www/vhosts/subdomain
...
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /path/to/cert
SSLCertificateKeyFile /path/to/key
SSLCertificateChainFile /path/to/bundle
</VirtualHost>
And here's apachectl -S output (with my domain name redacted/substituted):
Any help would be greatly appreciated.
=======================================================================
Edit: I removed the word permanent, cleared my cache, and the problem persists. It seems like it has to do with the warning, right?
Also, I get a successful response regardless of which subdomain I use even when it doesn't exist. I can literally type whatever I want for subdomain and it goes to the main site. http://<anything>.domain.com and https://<anything>.domain.com both load the main site with https.
The problem was simple, but elusive, at least to me. In /etc/httpd/conf.d/ssl.conf, I needed to add the following line for the VirtualHost configurations to be distinct:
NameVirtualHost *:443
Now everything works as expected.

Wildcard SSL with Multiple Domains

I have a CentOS/Apache+OpenSSL server. I host two domain names with wildcard sub domains (application logic surfaces the correct site), e.g.
https://*.testing1.com
https://*.testing2.com
It works great over HTTP:-
<VirtualHost *:80>
# Admin email, Server Name (domain name) and any aliases
ServerAdmin webmaster@testing1.com
# Only one ServerName is honoured per VirtualHost (the last one wins);
# the second domain and both wildcards go in ServerAlias instead
ServerName testing1.com
ServerAlias testing2.com *.testing1.com *.testing2.com
# Index file and Document Root (where the public files are located)
DirectoryIndex index.html index.php
DocumentRoot /home/app/public_html/public
</VirtualHost>
I've purchased two Wildcard SSL certificated for both testing1.com and testing2.com, but I'm unsure how to set it up in this structure:-
<VirtualHost *.testing1.com:443>
SSLEngine On
SSLCertificateFile /etc/httpd/ssl/*.testing1.com.crt
SSLCertificateKeyFile /etc/httpd/ssl/*.testing1.com.key
SSLCACertificateFile /etc/httpd/ssl/geotrust.cer
ServerAdmin john@testing1.com
ServerName testing1.com
ServerAlias *.testing1.com
DirectoryIndex index.html index.php
DocumentRoot /home/app/public_html/public
</VirtualHost>
<VirtualHost *.testing2.com:443>
SSLEngine On
SSLCertificateFile /etc/httpd/ssl/*.testing2.com.crt
SSLCertificateKeyFile /etc/httpd/ssl/*.testing2.com.key
SSLCACertificateFile /etc/httpd/ssl/geotrust.cer
ServerAdmin john@testing2.com
ServerName testing2.com
ServerAlias *.testing2.com
DirectoryIndex index.html index.php
DocumentRoot /home/app/public_html/public
</VirtualHost>
The above for the SSL doesn't work, with the *.testing1.com definition, nor with just testing1.com.
I will also need to repeat this for testing2.com
Name-based virtualhosts and SSL will only work if all the virtualhosts are within the same domain and you have a wildcard SSL certificate for that domain.
But you have 2 different domains.
In this case it will only work if you give each SSL-enabled virtualhost its own IP address.
So you should use IP-based virtualhosts, not Name-based.
Explanation:
The ServerName which is requested is contained in the HTTP request headers, but before that the SSL encryption must already be set up. So the ServerName is only available after the encryption has been set up. Therefore Apache can never know which SSL certificate to serve up and will just use the first one available on that particular IP address.
With a single dedicated IP we can configure domain-based wildcard SSL on a CentOS + Apache 2.2 server.
Hope the configurations below will help you guys!!
NameVirtualHost IP:80
NameVirtualHost IP:443
Domain 1
<VirtualHost IP:80>
ServerName abc.domain1.com
DocumentRoot /var/www/html/domain1
</VirtualHost>
<VirtualHost IP:443>
# ServerName is matched literally and does not take wildcards;
# the wildcard belongs in ServerAlias
ServerName domain1.com
ServerAlias *.domain1.com
DocumentRoot /var/www/html/domain1
SSLEngine On
# As posted: this string keeps RC4, export-grade and LOW ciphers enabled;
# replace it with a current SSLCipherSuite/SSLProtocol before using in production
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /var/www/html/domain1/cert/5465456.crt
SSLCertificateKeyFile /var/www/html/domain1/cert/domain1.com.key
SSLCertificateChainFile /var/www/html/domain1/cert/g2-g1.crt
</VirtualHost>
Domain 2
<VirtualHost IP:80>
ServerName abc.domain2.com
DocumentRoot /var/www/html/domain2
</VirtualHost>
<VirtualHost IP:443>
ServerName abc.domain2.com
DocumentRoot /var/www/html/domain2
SSLEngine On
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# Certificate and key here must be the pair issued for domain2;
# the file names as posted are copied from the domain1 block
SSLCertificateFile /var/www/html/domain2/cert/5465456.crt
SSLCertificateKeyFile /var/www/html/domain2/cert/domain1.com.key
SSLCertificateChainFile /var/www/html/domain2/cert/g2-g1.crt
</VirtualHost>
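Every thread on this page (the missing ServerAlias for www.example.net, the nextcloud subdomain that lands on bjmurrey.com, the MAMP "plain HTTP to an SSL-enabled server port" error, and the two-domain wildcard setup) comes down to the same selection rule: among the VirtualHost blocks on the requested port, the first one whose ServerName or ServerAlias matches the name the client sent wins, and when nothing matches the first block declared for that port is used with its certificate. The script below is an added example, not code from any of the posts, that models that rule over a constructed config mirroring the first question. Assumptions: only the port of the VirtualHost address is compared (so `*:443`, `IP:443` and `host:443` are treated alike), there is no `_default_` or strict-SNI handling, and the client sends SNI, which Apache honours from 2.2.12 when built against OpenSSL 0.9.8j or later.

```python
"""Added example (not code from any post on this page): a small model of how
Apache picks a <VirtualHost> for a request.  Among the blocks listening on the
requested port, the first whose ServerName or ServerAlias matches the name the
client sent (the TLS SNI name on :443, the Host header on :80) wins; when
nothing matches, the FIRST block declared for that port is used, together with
its certificate.  Only the port of the address is considered; _default_ and
strict-SNI behaviour are not modelled (assumptions).
"""
import fnmatch
import re
from dataclasses import dataclass, field
from typing import List, Optional

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(
    r"^\s*(ServerName|ServerAlias|SSLCertificateFile)\s+(.+?)\s*$", re.M | re.I)


@dataclass
class VHost:
    port: str
    index: int                       # declaration order; the lowest is the default
    server_name: Optional[str] = None
    aliases: List[str] = field(default_factory=list)
    cert: Optional[str] = None


def _bare(name: str) -> str:
    """Lower-case a host name and drop any ':port' suffix (ServerName allows one)."""
    return name.split(":", 1)[0].lower()


def parse_vhosts(conf: str) -> List[VHost]:
    """Extract the directives this model needs from an Apache config string."""
    hosts: List[VHost] = []
    for i, m in enumerate(VHOST_RE.finditer(conf)):
        addr = m.group(1).split()[0]                  # first address only
        port = addr.rsplit(":", 1)[1] if ":" in addr else "80"
        vh = VHost(port=port, index=i)
        for directive, value in DIRECTIVE_RE.findall(m.group(2)):
            directive = directive.lower()
            if directive == "servername":
                vh.server_name = _bare(value)
            elif directive == "serveralias":
                vh.aliases.extend(_bare(a) for a in value.split())
            else:
                vh.cert = value.strip('"')
        hosts.append(vh)
    return hosts


def _name_matches(vh: VHost, host: str) -> bool:
    # ServerName is compared literally; ServerAlias takes shell-style wildcards
    # where '*' also spans dots, so '*.testing2.com' covers 'a.b.testing2.com'.
    return vh.server_name == host or any(
        fnmatch.fnmatchcase(host, alias) for alias in vh.aliases)


def select_vhost(vhosts: List[VHost], host: str, port: str = "443") -> Optional[VHost]:
    """Return the VirtualHost Apache would serve for (host, port), or None."""
    host = _bare(host)
    candidates = [v for v in vhosts if v.port == port]
    for v in candidates:
        if _name_matches(v, host):
            return v
    return candidates[0] if candidates else None      # no match: first one wins


def cert_for(conf: str, host: str, port: str = "443") -> Optional[str]:
    """Certificate file the client would be shown for a given SNI name."""
    vh = select_vhost(parse_vhosts(conf), host, port)
    return vh.cert if vh else None


# Constructed config mirroring the first question.  The sub.example.net block
# is declared first, which is what the reported symptom (www.example.net gets
# the Let's Encrypt certificate for *.sub.example.net) implies happened.
BROKEN_CONF = """
<VirtualHost *:443>
    ServerName sub.example.net
    ServerAlias www.sub.example.net
    SSLCertificateFile /etc/letsencrypt/live/sub.example.net/fullchain.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName example.net
    SSLCertificateFile /root/example.net.crt
</VirtualHost>
<VirtualHost *:443>
    ServerName testing2.com
    ServerAlias *.testing2.com
    SSLCertificateFile /etc/httpd/ssl/testing2.com.crt
</VirtualHost>
"""

# Same config with the one-line fix from the first answer applied.
FIXED_CONF = BROKEN_CONF.replace(
    "ServerName example.net\n",
    "ServerName example.net\n    ServerAlias www.example.net\n")


if __name__ == "__main__":
    for name in ("example.net", "www.example.net", "www.sub.example.net", "a.b.testing2.com"):
        print(f"{name:22s} broken -> {cert_for(BROKEN_CONF, name)}")
        print(f"{'':22s} fixed  -> {cert_for(FIXED_CONF, name)}")
```

The same model explains the other threads: a request on port 80 with only `*:443` blocks configured finds no candidate, which is the MAMP situation once port-less `<VirtualHost *>` blocks are made port-specific; and on Apache 2.2 the candidate list for a port only exists at all once `NameVirtualHost` has been declared for it, which is the missing line in the httpd redirect thread. On a live server, `apachectl -S` prints the real candidate list and marks the default for each port.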