We have two domains (gis4business.co.uk and gis4business.com) that point to the same website hosted using apache. We are using SSL for the entire site and have a wildcard SSL certificate for *.gis4business.co.uk.
The default apache conf file (000-default.conf) has a single virtual host configured to redirect from http to https as follows:
<VirtualHost *:80>
...
Redirect permanent "/" "https://www.gis4business.co.uk/"
</VirtualHost>
Then we have a default SSL config file (default-ssl.conf) that has single a virtual host configured as follows:
<VirtualHost _default_:443>
ServerName gis4business.co.uk
ServerAlias *.gis4business.co.uk www.gis4business.co.uk *gis4business.com www.gis4business.com gis4business.com
...
SSLEngine on
SSLCertificateFile /etc/ssl/certs/certificate.crt
SSLCertificateKeyFile /etc/ssl/private/privatekey.key
SSLCertificateChainFile /etc/ssl/certs/ca_certificate.crt
</VirtualHost>
This configuration is working as expected for the following urls:
http://www.gis4business.co.uk
http://www.gis4business.com
https://www.gis4business.co.uk
However, the url https://www.gis4business.com results in a certificate warning (SSL_ERROR_BAD_CERT_DOMAIN in firefox and ERR_CERT_COMMON_NAME_INVALID in chrome).
Its obviously complaining about the SSL certificate not matching the domain (gis4business.com), so I assume we need an HTTPS redirect from gis4business.com to gis4business.co.uk. We have experimented with various configurations and haven't managed to get a redirect working.
We have tried:
1) Adding another virtual host (*:443) to the top of the 000-default.conf file as follows:
<VirtualHost *:443>
ServerName gis4business.co.uk
ServerAlias *.gis4business.co.uk www.gis4business.co.uk *gis4business.com www.gis4business.com gis4business.com
Redirect permanent "/" "https://www.gis4business.co.uk/"
...
SSLEngine on
SSLCertificateFile /etc/ssl/certs/certificate.crt
SSLCertificateKeyFile /etc/ssl/private/privatekey.key
SSLCertificateChainFile /etc/ssl/certs/ca_certificate.crt
</VirtualHost>
2) Adding another virtual host (default:443) to the top of the default-ssl.conf file as follows:
<VirtualHost _default_:443>
ServerName gis4business.co.uk
ServerAlias *.gis4business.co.uk www.gis4business.co.uk *gis4business.com www.gis4business.com gis4business.com
Redirect permanent "/" "https://www.gis4business.co.uk/"
...
SSLEngine on
SSLCertificateFile /etc/ssl/certs/certificate.crt
SSLCertificateKeyFile /etc/ssl/private/privatekey.key
SSLCertificateChainFile /etc/ssl/certs/ca_certificate.crt
</VirtualHost>
If redirection of https from one domain to another is possible without certificate errors, then what is the correct configuration to make it work?
Let's see how the redirect directive works
The Redirect directive maps an old URL into a new one by asking the client to refetch the resource at the new location.
The first request is processed by apache generating a 30x response to automatically redirect browser to the new URL
browser SERVER SSL cert
https://www.gis4business.com --> redirect *.gis4business.co.uk
302-redirect <--
https://www.gis4business.co.uk/ --> process *.gis4business.co.uk
The first request is served from https://www.gis4business.com using a certificate issued to *.gis4business.co.uk, so it is considered invalid consequently
To fix it you need to use a certificate issued to www.gis4business.com or *.gis4business.com. Define a new virtual host or request a new certificate with both hostnames.
Related
We got SSL certificate from 123reg site. but in our server have letsencrypt installed for SSL so we are simply adding our certificate file insated of letsencrypt certificate file like
we save our certificate file (new) to /etc/letsencrypt/{site-name}.
we changed 000-default-le-ssl.conf file for certificate like below
<VirtualHost *:443>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html/safco
ServerName example.com
Redirect Permanent / https://example.com/
SSLEngine on
SSLCertificateFile /etc/letsencrypt/shop/shop.crt
SSLCertificateKeyFile /etc/letsencrypt/shop/shop.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/shop/intermediate.pem
Redirect Permanent / https://example.com/
</VirtualHost>
but it's also giving Your connection is not private.
but when i try to remove
Include /etc/letsencrypt/options-ssl-apache.conf
from 000-default-le-ssl.conf file apache not restart.
how to install simple third pary SSL certificate in letsencrypt ?
I have one SSL certificate from GoDaddy (Standard UCC SSL Certificate for up to 5 sub/domains) and two virtual hosts configuration on Apache2.
I can install SSL certificate one every of them separately and they works fine until I add second one.
When the second HTTPS config is added (...), then I am getting kind of weird redirects from one.abc.com to two.abc or vice versa.
I am using the same certificate files for both configs, because it the same Multisite SSL certificate.
F.ex.:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName www.abc.com
DocumentRoot /var/www/htdocs
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/abc.crt
SSLCertificateKeyFile /etc/apache2/ssl/abc.key
SSLCertificateChainFile /etc/apache2/ssl/abc_bundle.crt
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName subd2.abc.com
DocumentRoot /var/www/test2
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/abc.crt
SSLCertificateKeyFile /etc/apache2/ssl/abc.key
SSLCertificateChainFile /etc/apache2/ssl/abc_bundle.crt
</VirtualHost>
</IfModule>
What I am doing wrong?
This:
Now - I understand that because SSL wraps around the HTTP request,
there's no way to know which host is being requested until a public
key has been sent to the client first. This essentially breaks the
possibility of SSL virtual hosts using a standard SSL certificate.
from
https://serverfault.com/questions/113076/apache-ssl-virtualhosts-on-a-single-ip-using-ucc-san-certificate
Lead me to idea that problem is simple that in case of abc.com server just do not know which HTTPS server (www.abc.com or subd2.abc.com) config to take and simply take the first one. Tests that approved.
From that comes second question / conclusion - do I have configuration for domain abc.com. And it has not, I just have it defined as ServerAlias in www.abc.com config.
When I removed from ServerAlias and created configuration with for abc.com and with redirect, than all stays in their places.
I have recently moved a website from my old web server with 123-reg.co.uk to a new Linode web server hosted with Linode.
I am running Apache with Debian 8.9.
123-reg provided me with an SSL certificate for my website which, of course, was deactivated when I moved the website to the new server. So I set to work manually reactivating the certificate on my new server.
I was able to get the necessary SSL files (CA Bundle, Key and Certificate) from 123-reg and I followed Linode's instructions to setup the SSL certificate on their servers using the following tutorials:
First tutorial and
second tutorial.
Here is the site's config file:
<VirtualHost *:80>
# All of the files here exist on the server
SSLEngine On
SSLCertificateFile /etc/ssl/certs/zetec-it.com.crt
SSLCertificateKeyFile /etc/ssl/private/zetec-it.com.key
SSLCACertificateFile /etc/ssl/certs/ca-certificates.crt
ServerAdmin webmaster#zetec-it.com
ServerName zetec-it.com
ServerAlias www.zetec-it.com
DirectoryIndex index.html index.php
DocumentRoot /var/www/html/zetec-it.com/public_html
LogLevel warn
ErrorLog /var/www/html/zetec-it.com/log/error.log
CustomLog /var/www/html/zetec-it.com/log/access.log combined
</VirtualHost>
The setup seems legit, but when I attempt to access the website via https the browser states that the connection isn't secure.
I'm fairly new to server admin; does anyone have any suggestions or potential solutions?
You need a VirtualHost which is listening on port 443 in order to have working HTTPS. You configured your VirtualHost to listen on Port 80 while having SSLEngine On.
In order to get https working you would only need to change <VirtualHost *:80> to <VirtualHost *:443>.
Once you did that, you would not have a configuration that handles http connections to (there would not be any VirtualHost waiting for connections for ServerName zetec-it.com).
There are generally to ways to go to serve http connections requesting the same hostname:
You redirect them to https using something like this (uses mod_rewrite in order to redirect to the same path):
<VirtualHost *:80>
ServerName zetec-it.com
ServerAlias www.zetec-it.com
RewriteEngine on
RewriteRule ^ https://zetec-it.com%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
You deliver the same content through http as well
<VirtualHost *:80>
# All of the files here exist on the server
ServerAdmin webmaster#zetec-it.com
ServerName zetec-it.com
ServerAlias www.zetec-it.com
DirectoryIndex index.html index.php
DocumentRoot /var/www/html/zetec-it.com/public_html
LogLevel warn
ErrorLog /var/www/html/zetec-it.com/log/error.log
CustomLog /var/www/html/zetec-it.com/log/access.log combined
</VirtualHost>
Either way you need two config files, the https one (which is basically your example from above, remember to replace 80 with 443) and one for http which I gave you 2 examples for.
You can put them into separate files, remember to activate them in this case.
I guess I am trying to do three things at once, but I am trying to:
direct example.com to example.com.au
direct example.com.au to www.example.com.au
direct HTTP to HTTP
That is, four variations all directed to the HTTPS version.
Here are the sections in the configuration file:
<VirtualHost *:80>
ServerName example.com.au
ServerAlias www.example.com.au example.com www.example.com
ServerAdmin …
Redirect permanent / https://www.example.com.au/
</VirtualHost>
<VirtualHost *:443>
ServerName www.example.com.au:443
ServerAlias example.com.au www.example.com example.com
ServerAdmin …
VirtualDocumentRoot /whatever/example.com/www
CustomLog logs/example.log combined env=!dontlog
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/www.example.com.au/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com.au/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.example.com.au/chain.pem
</VirtualHost>
The problem is that although the redirection appears to be working, the certificate doesn’t seem to apply. When I attempt to open the following in my browser (without the www):
https://example.com.au/
I get the following message:
The certificate is only valid for www.example.com.au
Now I thought that the redirect should tell the browser that it’s really going to https://www.example.com.au, but:
the address bar stays the same
the certificate is invalid, presumably because the address bar stays the same
The question is: How do I configure the virtual host to redirect these variations to SSL using the one certificate?
My DNS server is properly set up (all names resolve correctly) and the LetsEncrypt is correct and current. Only the domain has been changed to protect the innocent.
The reason for the warning is: your browser, when trying to reach https://example.com.au/, can't trust that 301 Redirect respond really came from example.com.au, since there is no such hostname in the certificate.
Since you are already using Let's encrypt certs, all you need is to split your :443 VirtualHost into 4 separate vhosts, each with its own cert, and then configure 3 of them with redirection to https://www.example.com.au/ (or, if possible, get a cert that will match all needed hostnames).
I have Apache 2.4.10 with name based SSL (SNI) virtual hosting.
Virtual users can use their own certificate and upload it to server.
Everything works fine until there is some error with certificate file (i.e. file is missing or with wrong name).
Problem is Apache will not start if there is some certificate problem.
Is there some solution how to start Apache with this error (i.e. all vhosts will start except that one virtual host with failure)?
This does not work:
<If "-f /path/to/file.crt">
<VritualHost *:443>
SSLEngine On
SSLCertificateFile /path/to/file.crt
</VirtualHost>
</If>
...and this also does not work:
<VritualHost *:443>
<If "-f /path/to/file.crt">
SSLEngine On
SSLCertificateFile /path/to/file.crt
</If>
</VirtualHost>
Many thanks.