I have one SSL certificate from GoDaddy (Standard UCC SSL Certificate for up to 5 sub/domains) and two virtual hosts configuration on Apache2.
I can install SSL certificate one every of them separately and they works fine until I add second one.
When the second HTTPS config is added (...), then I am getting kind of weird redirects from one.abc.com to two.abc or vice versa.
I am using the same certificate files for both configs, because it the same Multisite SSL certificate.
F.ex.:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName www.abc.com
DocumentRoot /var/www/htdocs
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/abc.crt
SSLCertificateKeyFile /etc/apache2/ssl/abc.key
SSLCertificateChainFile /etc/apache2/ssl/abc_bundle.crt
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName subd2.abc.com
DocumentRoot /var/www/test2
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/abc.crt
SSLCertificateKeyFile /etc/apache2/ssl/abc.key
SSLCertificateChainFile /etc/apache2/ssl/abc_bundle.crt
</VirtualHost>
</IfModule>
What I am doing wrong?
This:
Now - I understand that because SSL wraps around the HTTP request,
there's no way to know which host is being requested until a public
key has been sent to the client first. This essentially breaks the
possibility of SSL virtual hosts using a standard SSL certificate.
from
https://serverfault.com/questions/113076/apache-ssl-virtualhosts-on-a-single-ip-using-ucc-san-certificate
Lead me to idea that problem is simple that in case of abc.com server just do not know which HTTPS server (www.abc.com or subd2.abc.com) config to take and simply take the first one. Tests that approved.
From that comes second question / conclusion - do I have configuration for domain abc.com. And it has not, I just have it defined as ServerAlias in www.abc.com config.
When I removed from ServerAlias and created configuration with for abc.com and with redirect, than all stays in their places.
Related
We have two domains (gis4business.co.uk and gis4business.com) that point to the same website hosted using apache. We are using SSL for the entire site and have a wildcard SSL certificate for *.gis4business.co.uk.
The default apache conf file (000-default.conf) has a single virtual host configured to redirect from http to https as follows:
<VirtualHost *:80>
...
Redirect permanent "/" "https://www.gis4business.co.uk/"
</VirtualHost>
Then we have a default SSL config file (default-ssl.conf) that has single a virtual host configured as follows:
<VirtualHost _default_:443>
ServerName gis4business.co.uk
ServerAlias *.gis4business.co.uk www.gis4business.co.uk *gis4business.com www.gis4business.com gis4business.com
...
SSLEngine on
SSLCertificateFile /etc/ssl/certs/certificate.crt
SSLCertificateKeyFile /etc/ssl/private/privatekey.key
SSLCertificateChainFile /etc/ssl/certs/ca_certificate.crt
</VirtualHost>
This configuration is working as expected for the following urls:
http://www.gis4business.co.uk
http://www.gis4business.com
https://www.gis4business.co.uk
However, the url https://www.gis4business.com results in a certificate warning (SSL_ERROR_BAD_CERT_DOMAIN in firefox and ERR_CERT_COMMON_NAME_INVALID in chrome).
Its obviously complaining about the SSL certificate not matching the domain (gis4business.com), so I assume we need an HTTPS redirect from gis4business.com to gis4business.co.uk. We have experimented with various configurations and haven't managed to get a redirect working.
We have tried:
1) Adding another virtual host (*:443) to the top of the 000-default.conf file as follows:
<VirtualHost *:443>
ServerName gis4business.co.uk
ServerAlias *.gis4business.co.uk www.gis4business.co.uk *gis4business.com www.gis4business.com gis4business.com
Redirect permanent "/" "https://www.gis4business.co.uk/"
...
SSLEngine on
SSLCertificateFile /etc/ssl/certs/certificate.crt
SSLCertificateKeyFile /etc/ssl/private/privatekey.key
SSLCertificateChainFile /etc/ssl/certs/ca_certificate.crt
</VirtualHost>
2) Adding another virtual host (default:443) to the top of the default-ssl.conf file as follows:
<VirtualHost _default_:443>
ServerName gis4business.co.uk
ServerAlias *.gis4business.co.uk www.gis4business.co.uk *gis4business.com www.gis4business.com gis4business.com
Redirect permanent "/" "https://www.gis4business.co.uk/"
...
SSLEngine on
SSLCertificateFile /etc/ssl/certs/certificate.crt
SSLCertificateKeyFile /etc/ssl/private/privatekey.key
SSLCertificateChainFile /etc/ssl/certs/ca_certificate.crt
</VirtualHost>
If redirection of https from one domain to another is possible without certificate errors, then what is the correct configuration to make it work?
Let's see how the redirect directive works
The Redirect directive maps an old URL into a new one by asking the client to refetch the resource at the new location.
The first request is processed by apache generating a 30x response to automatically redirect browser to the new URL
browser SERVER SSL cert
https://www.gis4business.com --> redirect *.gis4business.co.uk
302-redirect <--
https://www.gis4business.co.uk/ --> process *.gis4business.co.uk
The first request is served from https://www.gis4business.com using a certificate issued to *.gis4business.co.uk, so it is considered invalid consequently
To fix it you need to use a certificate issued to www.gis4business.com or *.gis4business.com. Define a new virtual host or request a new certificate with both hostnames.
FireWall -> LoadBalancer -> Backend
Public IP is bound to firewall -> NAT to private IP farm on LB -> balance to backend on another private subnet.
https://example.com/test-redirect/index.php --> works fine
https://example.com/test-redirect/ --> works fine
https://example.com/test-redirect --> https://example.com:44312/test-redirect/ (Where 44312 is the internal port number apache has the SSL vhost bound to. FAILS)
Apache Config:
<VirtualHost *:80>
ServerAdmin REDACTED
ServerName example.com
ServerAlias *.example.com
DocumentRoot "/var/www/example.com"
Include conf.d/global-http-host-includes.conf
</VirtualHost>
<VirtualHost <internal-ip>:44312>
DocumentRoot "/var/www/example.com"
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateFile REDACTED.crt
SSLCertificateKeyFile REDACTED.key
Include conf.d/global-ssl-host-includes.conf
</VirtualHost>
The client that this is for handles the redirects to HTTPS from HTTP in his application. We have said numerous times that this behaviour is extremely likely top originate from the application, and it isn't something the stack nor the Apache config is doing.
Has anyone come up against a similar scenario as this? Or might have any ideas as to what is causing the internal Apache port number to be appended to the URL with it redirects?
This turned out to be an issue with not having the ServerName and ServerAlias values wihtin the SSL vHost aswell as the non-SSL vHost. After adding the name and alias in to those, the issue was fixed.
I would say this is perhaps a bug within Apache, but also some amount of misconfiguration.
I have recently moved a website from my old web server with 123-reg.co.uk to a new Linode web server hosted with Linode.
I am running Apache with Debian 8.9.
123-reg provided me with an SSL certificate for my website which, of course, was deactivated when I moved the website to the new server. So I set to work manually reactivating the certificate on my new server.
I was able to get the necessary SSL files (CA Bundle, Key and Certificate) from 123-reg and I followed Linode's instructions to setup the SSL certificate on their servers using the following tutorials:
First tutorial and
second tutorial.
Here is the site's config file:
<VirtualHost *:80>
# All of the files here exist on the server
SSLEngine On
SSLCertificateFile /etc/ssl/certs/zetec-it.com.crt
SSLCertificateKeyFile /etc/ssl/private/zetec-it.com.key
SSLCACertificateFile /etc/ssl/certs/ca-certificates.crt
ServerAdmin webmaster#zetec-it.com
ServerName zetec-it.com
ServerAlias www.zetec-it.com
DirectoryIndex index.html index.php
DocumentRoot /var/www/html/zetec-it.com/public_html
LogLevel warn
ErrorLog /var/www/html/zetec-it.com/log/error.log
CustomLog /var/www/html/zetec-it.com/log/access.log combined
</VirtualHost>
The setup seems legit, but when I attempt to access the website via https the browser states that the connection isn't secure.
I'm fairly new to server admin; does anyone have any suggestions or potential solutions?
You need a VirtualHost which is listening on port 443 in order to have working HTTPS. You configured your VirtualHost to listen on Port 80 while having SSLEngine On.
In order to get https working you would only need to change <VirtualHost *:80> to <VirtualHost *:443>.
Once you did that, you would not have a configuration that handles http connections to (there would not be any VirtualHost waiting for connections for ServerName zetec-it.com).
There are generally to ways to go to serve http connections requesting the same hostname:
You redirect them to https using something like this (uses mod_rewrite in order to redirect to the same path):
<VirtualHost *:80>
ServerName zetec-it.com
ServerAlias www.zetec-it.com
RewriteEngine on
RewriteRule ^ https://zetec-it.com%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
You deliver the same content through http as well
<VirtualHost *:80>
# All of the files here exist on the server
ServerAdmin webmaster#zetec-it.com
ServerName zetec-it.com
ServerAlias www.zetec-it.com
DirectoryIndex index.html index.php
DocumentRoot /var/www/html/zetec-it.com/public_html
LogLevel warn
ErrorLog /var/www/html/zetec-it.com/log/error.log
CustomLog /var/www/html/zetec-it.com/log/access.log combined
</VirtualHost>
Either way you need two config files, the https one (which is basically your example from above, remember to replace 80 with 443) and one for http which I gave you 2 examples for.
You can put them into separate files, remember to activate them in this case.
I guess I am trying to do three things at once, but I am trying to:
direct example.com to example.com.au
direct example.com.au to www.example.com.au
direct HTTP to HTTP
That is, four variations all directed to the HTTPS version.
Here are the sections in the configuration file:
<VirtualHost *:80>
ServerName example.com.au
ServerAlias www.example.com.au example.com www.example.com
ServerAdmin …
Redirect permanent / https://www.example.com.au/
</VirtualHost>
<VirtualHost *:443>
ServerName www.example.com.au:443
ServerAlias example.com.au www.example.com example.com
ServerAdmin …
VirtualDocumentRoot /whatever/example.com/www
CustomLog logs/example.log combined env=!dontlog
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/www.example.com.au/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com.au/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.example.com.au/chain.pem
</VirtualHost>
The problem is that although the redirection appears to be working, the certificate doesn’t seem to apply. When I attempt to open the following in my browser (without the www):
https://example.com.au/
I get the following message:
The certificate is only valid for www.example.com.au
Now I thought that the redirect should tell the browser that it’s really going to https://www.example.com.au, but:
the address bar stays the same
the certificate is invalid, presumably because the address bar stays the same
The question is: How do I configure the virtual host to redirect these variations to SSL using the one certificate?
My DNS server is properly set up (all names resolve correctly) and the LetsEncrypt is correct and current. Only the domain has been changed to protect the innocent.
The reason for the warning is: your browser, when trying to reach https://example.com.au/, can't trust that 301 Redirect respond really came from example.com.au, since there is no such hostname in the certificate.
Since you are already using Let's encrypt certs, all you need is to split your :443 VirtualHost into 4 separate vhosts, each with its own cert, and then configure 3 of them with redirection to https://www.example.com.au/ (or, if possible, get a cert that will match all needed hostnames).
My understanding is there is a problem with having multiple certificates on a single IP as SSL is negotiated before HTTP happens, however what we can do is Service Name Indication (SNI) in TLS to get around this. According to the SNI wikipedia page both Apache 2 modules mod_ssl and mod_gnutls support this extension and also numerous web clients.
I have been trying to use mod_gnutls on centos 5. I have two separate certificates for two domains but only 1 IP. Each works independently but when I put both into the config at once only the first will work. Any https connection on domain2 shows domain1's certificate.
My config looks like this:
Listen 443
NameVirtualHost *:443
<VirtualHost *:443>
ServerName www.domain1.com
ServerAlias www.domain1.com
DocumentRoot /var/www/html/domain1
GnuTLSEnable on
GnuTLSCertificateFile /etc/pki/tls/certs/www.domain1.crt
GnuTLSKeyFile /etc/pki/tls/domain1/private.key
</VirtualHost>
<VirtualHost *:443>
DocumentRoot /var/www/html/domain2
ServerName www.domain2.com
ServerAlias www.domain2.com
GnuTLSEnable on
GnuTLSCertificateFile /etc/pki/tls/certs/domain2.crt
GnuTLSKeyFile /etc/pki/tls/domain2/private.key
</VirtualHost>
Any ideas? Really been scratching my head over this.
Many thanks