SSL/TLS certificate works without ServerName directive on one EC2, won't on another - apache

I've purchased a TLS certificate from godaddy for a domain (say somebeta.com - actual is different). The DNS points to an AWS EC2 Linux server which I operate. The httpd web server on this EC2 serves the REST API requests.
I've installed the certificate on the AWS EC2 server which points to beta.com, and at no place in httpd.conf or ssl.conf have I specified the ServerName directive. Everything works nicely: https://somebeta.com works, the green color appears, all is good.
Now I create a new subdomain routing on godaddy DNS, by pointing alpha.something.beta to another EC2 instance. When I install this certificate on the other EC2 server, I get the following in ssl_error_logs:
ip-<Some IP>.ap-south-1.compute.internal:443:0 server certificate does NOT include an ID which matches the server name
I looked on SO, and found that the hostname of the machine should match the CN in the certificate. If it does not, then SSL/TLS would fail (I believe mod_ssl checks and fails this).
My question is, I've not set the hostname of the actual somebeta.com EC2 server, but still the SSL/TLS works great. How is it happening? Does mod_ssl do some intelligence to figure that the localhost is actually pointing to somebeta.com (by doing DNS/etc) and that's why it works?
Please don't close the question too early, I understand the working of SSL/TLS in its entirety, I just need to know how the thing is being validated by mod_ssl in httpd. Does the absence or presence of ServerName directive matter always, or only sometimes?
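As an added example (not from the question or any answer), the Python below models the start-up check that produces the warning quoted above: httpd takes the vhost's ServerName, or the system hostname when none is set, and asks whether any SAN dNSName of the certificate (or the CN, when there are no SANs) covers it. That check only logs a warning; a browser compares the URL's hostname against the certificate on its own, which is why the first instance works without ServerName. The certificate identities and the EC2 hostname are constructed sample values.

```python
"""Model of the start-up check behind mod_ssl's warning
"server certificate does NOT include an ID which matches the server name"."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertIdentity:
    """Identity fields of a server certificate. Constructed sample data, not parsed from a real cert."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)


def _name_matches(pattern: str, name: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, wildcard only as the whole
    leftmost label, and a wildcard covers exactly one label."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern == name:
        return True
    if not pattern.startswith("*."):
        return False
    labels = name.split(".")
    # "*.somebeta.com" covers "alpha.somebeta.com", not "somebeta.com" or "a.b.somebeta.com"
    return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]


def cert_matches_server_name(cert: CertIdentity, server_name: str) -> bool:
    """SAN dNSName entries are authoritative; the CN is consulted only when there are none."""
    identities = cert.san_dns if cert.san_dns else [cert.common_name]
    return any(_name_matches(i, server_name) for i in identities)


def effective_server_name(configured: Optional[str], system_hostname: str) -> str:
    """Without a ServerName directive httpd falls back to the machine's own hostname,
    which on EC2 is the ip-...compute.internal name quoted in the question."""
    return configured or system_hostname


def startup_check(cert: CertIdentity, configured: Optional[str], system_hostname: str) -> str:
    """Return the verdict mod_ssl would log for this vhost at start-up."""
    name = effective_server_name(configured, system_hostname)
    if cert_matches_server_name(cert, name):
        return f"{name}:443: server certificate matches the server name"
    return f"{name}:443: server certificate does NOT include an ID which matches the server name"


# Constructed sample: a certificate issued for the question's placeholder domain.
GODADDY_CERT = CertIdentity("somebeta.com", ["somebeta.com", "www.somebeta.com"])
EC2_HOSTNAME = "ip-172-31-0-1.ap-south-1.compute.internal"  # constructed, like the log line
```

Calling startup_check(GODADDY_CERT, None, EC2_HOSTNAME) reproduces the warning; passing "somebeta.com" as the configured ServerName makes it pass.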

Related

Apache returning default server SSL certificate instead of the correct one

I have 2 domains (domain1.example and domain2.example) under the same Ubuntu 14.04 Apache server. Each domain has one SSL certificate.
It happens that, sometimes, when users open domain2.example on the browser, they receive the domain1.example SSL certificate instead of domain2.example certificate. The weird thing is that it happens sometimes, and also, that if I change the *:443 default server, it starts answering the SSL of the new *:443 default server.
What do you think is happening? I cannot find the error.

Unable to SSL Godaddy verified certificate on AWS EC2 (Ubuntu) apache system

I am unable to SSL my website ainoapp.io, although I can use https://www.ainoapp.io/ and all our pages show up correctly; however, the site is still not secure.
Here are the steps that I did on the EC2 Ubuntu Apache system (after GoDaddy approved the certificate).
enabled ssl and header module
uploaded files c969b7f1a54c0a63.crt and gd_bundle-g2-g1.crt to /etc/apache2/ssl
created two conf files in /etc/apache2/sites-available: ainosite.conf and ainosite-ssl.conf
enabled default-ssl.conf, ainosite-ssl.conf and ainosite.conf such that sites-enabled has these entries only.
EC2 instance accepts inbound traffic on 443
port.conf listens on ports 80 and 443
restarted apache
Below are the snippets:
Am I missing something here, any ideas would be a great help.
Thanks in advance.
Scrutinize the wording of the error (warning) message carefully.
The browser is not really complaining about your SSL configuration.
It's complaining that you're being inconsistent with the images on the page -- they are still <img src="http://... instead of also using HTTPS (or being relative links, or protocol agnostic).
I believe this is also referred to as a "mixed content" warning.

Tomcat and Apache Webserver using SSL on one machine

I have tomcat installed and running on an ubuntu 12.04 LTS system utilizing port 443 for https requests (GeoTrust certificate installed).
On the same machine, apache2 responds to requests on port 80.
Now I was given the task to secure the webapps (php) running on apache2 with SSL as well, but with a different server certificate.
Is this possible at all? My assumption would be "no", because I cannot have two servers listening on the same port, but I'm not too sure and haven't found any helpful information about this so far.
Any help would be highly appreciated.
These days, you'll still have difficulty serving more than one certificate on a single interface/port combination (e.g. 0.0.0.0:443). If you want to use two separate ports for HTTPS, it's no problem. If you want to bind to different interfaces (e.g. 1.2.3.4:443 and 4.3.2.1:443) it's no problem. If you want them both on the same interface/port, you'll have to rely on Server Name Indication, which may or may not be supported by your web server version and/or client.
If you want different certificates, you probably want different hostnames, too, so maybe you can get a second interface configured on the machine. Note that you don't need to have multiple NICs on the machine just to enable a different interface: your OS should be able to create another interface with a different IP address and still share the NIC. Then you just set DNS to point each hostname to a different IP address and make sure you bind each SSL VirtualHost to the proper IP address (instead of using 0.0.0.0 or * for the hostname).
Honestly, SNI is the easiest thing to do: just use VirtualHosts with SSL enabled (with different certs) in each one the way you'd "expect" it to work and see if the server starts up without complaint. If so, you'll need to test your clients to see if it's going to work for your audience. For the SNI scenario, I am assuming that Apache httpd would handle all of the SSL traffic and that you'd use something like mod_proxy_* or mod_jk to proxy to Tomcat.
For the split-IP scenarios, you can do whatever you want: terminate SSL within Tomcat or use httpd for everything and proxy for dynamic content to Tomcat.

Avoiding SNI for SSL on a single server hosting multiple vhost entries

I am trying to host 2 sites on a single IP address and they need to be accessed via SSL; however, the majority of my users use Internet Explorer on Windows XP, meaning that using multiple SSLs with SNI may prevent them from getting access.
I was wondering if I could use multiple virtual hosts but still use a single SSL certificate and avoid SNI?
Alternatively, how feasible is it for me to install two Apache webserver instances, each with its own DocumentRoot and its own SSL certificate, and for me to simply use the first Apache webserver as an entry point to entertain some requests and to redirect others to the other SSLed Apache instance?
Could I potentially use the Windows hosts file (Windows 2008 Server) to redirect incoming requests to the intended Apache server instead of using VirtualHosts?
Apologies if I have confused concepts.
You can try to purchase an X.509 certificate with two domains in it. I don't know which particular CAs do this, but I also don't see why they would refuse. You need to ask their support, though.
Your idea to redirect some requests to another server residing on a different port sounds good as well, though you will have to use two different certificates for different domain names, of course.
Finally, if your second domain can be something like additional.mydomain.com, you have a greater chance to buy a certificate issued for mydomain.com + www.mydomain.com + additional.mydomain.com (this can be a wildcard certificate or a certificate with additional subdomain names).

static IP address, ssl certificate, and the root of all evil

I have a question, I fear the answer.
I have:
a top level domain name (free from Tokelau, a territory of New Zealand, .tk, where else?),
a free 2 year ssl certificate from startSSL.com,
a free hosting package.
Now I jumped through every hoop startSSL wanted (admittedly it wasn't too difficult) to get me my 2 year ssl certificate, and now I fear I have encountered a final barrier to success that might still stall my plans. I dreamt of a corner certificate stating "Secured by startSSL". I got the code snippet and everything, and have pasted it into my website.
Problem: my host is not so keen to allow me to use SSL on a free package.
As far as I know you need access to some config files to allow this to happen?
Or can you, just like with .htaccess and .htpasswd files, do the setting on your webhost?
Also you need a static IP. Are there any workarounds?
Or am I dreaming? Anyone with advice?
SSL requires some files and configuration changes pointing to the files.
Also, the static IP is required because with an encrypted request, there's no way to know to what host the request is intended without decryption. The use of a static IP address gives that request a destination.
To clarify: when using virtual hosts, multiple hosts will share the same IP address, so when a request comes in, the first two lines are:
GET /path/to/resource HTTP/1.1
Host: www.example.com
Apache (or any web server) looks at the 'Host' field to determine how to route the request. If the request is encrypted, there's no way to determine how to route the request, and you need to know what certificate to use in order to decrypt it.
Forget it. If your host doesn't have SSL configured, you have no chance to add it without their help.
There are two problems with your proposed set-up.
Free hosts generally don't provide a control panel interface to allow installation of SSL Certificates (at least I've never seen it) as this requires either their help on the back-end or VPS / Dedicated Server access from the front-end.
Static IP address is a must for SSL certificate installation.
From the webserver's perspective, an SSL cert is about a port and an IP address, even when being used with name-based virtual hosts.
SSL is about the IP matching the cert and the domain in the URL/request (to verify the cert).
You would have to give a second SSL cert a different port or a different IP address on the webserver.
Alternatively, you can also get multi-domain and wildcard certs that allow different hostnames or domains to match the cert with different client request URLs, but the cert is still the only thing on that port/IP of the webserver.
Just my $.02