I have limited experience setting up SSL certs, so far i've been able to get single SSL certs working on different servers, now I'm stuck trying to get a wildcard SSL cert setup alongside an existing organisational SSL for same domain, it keeps pointing at the organisational cert even though I specify the wildcard cert in the the virtual host.
I'll try explain the best I can using sample data:
organisational certificate site.example.com
wildcard certificate *.example.com
apache version 2.2.3
I will leave out the port 80 stuff as there is no issues there
Example configuration:
NameVirtualHost *:443
NameVirtualHost 192.0.2.201:443
NameVirtualHost 192.0.2.202:443
<VirtualHost 192.0.2.202:443>
ServerName site.example.com
DocumentRoot /var/www/html/site
SSLEngine On
SSLCertificateFile /locationof/organisational.crt
SSLCertificateChainFile /locationof/organisational.intermediate.pem
SSLCertificateKeyFile /locationof/organisational.key
</VirtualHost>
<VirtualHost 192.0.2.202:443>
ServerName mytestsite.example.com
DocumentRoot /var/www/html/mytestsite
SSLEngine On
SSLCertificateFile /locationof/wildcard.crt
SSLCertificateChainFile /locationof/wildcard.intermediate.pem
SSLCertificateKeyFile /locationof/wildcard.key
</VirtualHost>
There are no issues with either certificate.
When I restart Apache and go to https://mytestsite.example.com in Firefox it tells me 'Your connection is not sercure' when expanding the Advanced button I can see from the message 'The certificate is only valid for the following names: site.example.com, www.site.example.com' So I guess it's picking up the organisational virtual host each time and isn't getting to the wildcard virtual host, I've tried switching them about as I've read that Apache can be affected by the order of the virtual hosts but it made no difference to me.
I'm sure it's something simple I'm doing wrong but I've searched various sites and Google but just can't pinpoint the issue :(
EDIT - additional info from running httpd -S
192.0.2..201:443 is a NameVirtualHost
default server www.anothersite.net (/etc/httpd/conf/httpd.conf:aaaa)
port 443 namevhost www.anothersite.net (/etc/httpd/conf/httpd.conf:aaaa)
192.0.2.202:443 is a NameVirtualHost
default server site.example.com (/etc/httpd/conf/httpd.conf:xxxx)
port 443 namevhost site.example.com (/etc/httpd/conf/httpd.conf:xxxx)
port 443 namevhost mytestsite.example.com (/etc/httpd/conf/httpd.conf:yyyy)
wild alias *.*
*:443 is a NameVirtualHost
default server someoldsite.com (/etc/httpd/conf.d/ssl.conf:xx)
port 443 namevhost someoldsite.com (/etc/httpd/conf.d/ssl.conf:xx)
// there is no virtual host for this old site, it seems it is the name of the server inside /etc/hosts file
I checked the *:443 path in case there was a redirect or something like that but there is not. I've added in the additional NameVirtualHost settings to example configuration. From the info above I'm still not sure what's going wrong! The wildcard SSL certificate is set up on 2 other servers and works fine but it is the only SSL certificates on those servers as opposed to this server which has 2 others and 1 sharing the same domain
EDIT 2
there is a ssl.conf file being include with the following <VirtualHost _default_:443> but don't think that is causing any harm?
this server has been working fine using both certs on .201 and .202 and the wildcard cert works fine on two other servers, I just can't get the wildcard ssl cert to work along with the .202 organisational cert :(
For a web application running on Tomcat, to support multiple SSL sites on one Ip address, I like to add Apache in front of Tomcat.
Is it possible for user to upload its own SSL certificate and configure it dynamically without server restart?
<VirtualHost *:443>
DocumentRoot
ServerName
SSLCertificateFile
SSLCertificateKeyFile
SSLCACertificateFile
SSLEngine on
</VirtualHost>
For apache, the SSL configuration above needs to be added into apache conf file,
and requires server restart. Server restart is not acceptable because there will be many users on the same server. Any solution?
Thanks for help.
I'm running an application on Tomcat7 with Apache Portable Runtime, I bought an SSL certificate and configured it correctly - when I try to connect through the ip:port combination, it connects fine but warns me the certificate is issued to the domain name, not the IP.
The VPS I'm on doesn't have SELinux (and there's an issue installing), which is AFAIK required to have SSL be configured in apache, so I want to just route the requests to Tomcat, which does it on its end.
I configured apache to proxy the connections, first with port 80 that works perfectly:
NameVirtualHost www.mysite.com:80
<VirtualHost www.mysite.com:80>
ProxyPreserveHost On
ProxyRequests Off
ServerName http://www.mysite.com
ServerAlias http://www.mysite.com
ProxyPass / http://localhost:8180/MYSITE/
ProxyPassReverse / http://localhost:8180/MYSITE/
ProxyPassReverseCookiePath /MYSITE/ /
</VirtualHost>
And then with the SSL port that doesn't want to work for some reason:
NameVirtualHost www.mysite.com:443
<VirtualHost www.mysite.com:443>
SSLProxyEngine On
ProxyPreserveHost On
ProxyRequests Off
ServerName https://www.mysite.com
ServerAlias https://www.mysite.com
ProxyPass / https://localhost:8443/MYSITE/
ProxyPassReverse / https://localhost:8443/MYSITE/
ProxyPassReverseCookiePath /MYSITE/ /
CacheDisable *
</VirtualHost>
EDIT:
I added the
RequestHeader set Front-End-Https "On"
directive to the VirtualHost www.mysite.com:443, as per: http://www.gossamer-threads.com/lists/apache/users/396577
Here is the Tomcat APR Connector as configured in Tomcat's server.xml -
<Connector port="8443" maxHttpHeaderSize="16500"
maxThreads="150"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
SSLEnabled="true"
SSLCertificateFile="x509-cert-path"
SSLCertificateKeyFile="key-file-path"
/>
There were no errors/warnings enabling the virtual hosts and restarting apache. When I try to https, this is what I see in FFox:
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)
And in Chromium:
Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
Apache's error.log shows this warning message:
[warn] [client 216.58.38.90] proxy: no HTTP 0.9 request (with no host line) on incoming request and preserve host set forcing hostname to be www.mysite.com for uri /
I've spent days trying to configure it, and would be very grateful if someone explained what's going on and how to fix it.
Many thanks.
Victor.
You don't need the 8443 HTTPS connector in Tomcat. Apache HTTPD should terminate the SSL connection, and speak plaintext to Tomcat, via ProxyPass / http://localhost:8080/MYSITE/. You just need a plaintext HTTP connector with port=8080, and address=127.0.0.1 so no outsiders can get at it.
Better still, dont' have any HTTP connectors in Tomcat, just an AJP connector, address=127.0.0.1 still, and use mod_proxy_ajp in Apache.
Today I'm trying to configure Apache to run two domains each with their own SSL certificate. From what I have read this is supported by SNI as long as my Apache is configured with a recent version of OpenSSL. I verified that it is:
[notice] Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.7 with Suhosin-Patch mod_ssl/2.2.22 OpenSSL/1.0.1 configured -- resuming normal operations
I thought I had successfully set up the second domain and certificate, but when I try to visit the second domain in chrome I get the following error:
You attempted to reach example2.com, but instead you actually reached a server identifying itself as example1.com.
this post seems closest to my issue:
hosting multiple SSL certs on apache
but from what I can tell my server is already configured correctly (clearly it is not!)
I have the following directives in my conf file for example2.com
ServerName example2.com
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/example2.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/example2.com.key
it looks right to me. so why is apache serving example1's cert when I visit example2?
turns out domain 1 was configured as
<VirtualHost *:443>
I use webmin, which only reveals that detail when you view the directive directly.
changing * was part of the solution but introduced some other problems. I think I will punt and do IP-based SSL.
I add this to ports.conf (Apache/2.2.22)
NameVirtualHost *:443
You can read details in this post
It's not possible to have multi SSL domain on the same ip addres.
context
When a client contact a https web site all communication are crypt with the site's public key (ssl certificat). Only the private key associate to the public key can decrypt the http request. basically that's how https work.
That why in your virtual host, you define for each ssl web site the certificate and the key
SSLCertificateFile /etc/apache2/ssl/example2.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/example2.com.key
VirtualHost Name base and SSL
When you use VirtualHost name base , when apache receive a client request the server read the request and look which domain name is requested. When the Domain Name is identified apache read virtuahost instruction and return the good web site.
When apache receive an SSL request , the system can't decrypt the message because apache need to use the SSLCertificateKeyFile defined in the Virtualhost but to know which virtualhost to use he need to be able to decrypt the message ....
Because apache don't know how to process your request the system return the first virtualhost processed.
That's why you need to use VirtualHost ip base that what is it use in the example :
hosting multiple SSL certs on apache
You have 2 ip 1.1.1.1 and 2.2.2.2
NameVirtualHost 1.1.1.1:443
NameVirtualHost 2.2.2.2:443
<VirtualHost 1.1.1.1:443>
ServerName www.domain1.com
...
...
</VirtualHost>
<VirtualHost 2.2.2.2:443>
ServerName www.domain2.com
...
...
</VirtualHost>
VirtualHost Name base and SSL wildcard certificat
If the private key AND the public key (ssl certificat) are the same for all domain, apache will be able to decrypt the communication. This situation append only when you use a wildcard certificate for a domain. example , if you have a wildcard for *.domain.com you can define VirtualHost name base like this
NameVirtualHost 1.1.1.1:443
<VirtualHost 1.1.1.1:443>
ServerName foo.domain.com
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/wildcard.domain.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/wildcard.domain.com.key
...
...
</VirtualHost>
<VirtualHost 1.1.1.1:443>
ServerName bar.domain.com
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/wildcard.domain.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/wildcard.domain.com.key
...
...
</VirtualHost>
This configuration will work because, whatever the domain, apache use the same private key to decrypt the communication so the system will be able to select the good VirtualHost setting.
Have a nice day.
I'm trying to configure Apache on my server to work with ssl, but everytime I visit my site, I get the following message in my browser:
SSL connection error.
Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
The error message above seems to be native to Google Chrome. However, even though the messages are different, ssl for the site is not working on any browser.
Just some background on the situation: I am using Ubuntu 10.04 desktop edition.
I installed apache by installing zend server (it installed apache automatically).
I then installed openssl. Non-https pages work fine on the site.
I tried getting trial certificates from multiple certificate sites but nothing is working (same error).
I was previously hosting my site on another server on which ssl worked just fine. I also tried using the key and cert file from that server, but I got the same error.
The domain name and IP are still the same though. My SSLCertificateFile and SSLCertificateKeyFile are pointing to the correct directory and files.
I also do not have SSLVerifyClient enabled.
If anyone has any suggestions, it would be most appreciated.
I had the same problem as #User39604, and had to follow VARIOUS advices. Since he doesnt remember the precise path he followed, let me list my path:
check if you have SSL YES using <?php echo phpinfo();?>
if necessary
A. enable ssl on apache sudo a2enmod ssl
B. install openssl sudo apt-get install openssl
C. check if port 443 is open sudo netstat -lp
D. if necessary, change /etc/apache2/ports.conf, this works
NameVirtualHost *:80
Listen 80
<IfModule mod_ssl.c>
# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to <VirtualHost *:443>
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
NameVirtualHost *:443
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
acquire a key and a certificate by
A. paying a Certificating Authority (Comodo, GoDaddy, Verisign) for a pair
B. generating your own* - see below (testing purposes ONLY)
change your configuration (in ubuntu12 /etc/apache2/httpd.conf - default is an empty file) to include a proper <VirtualHost>
(replace MYSITE.COM as well as key and cert path/name to point to your certificate and key):
<VirtualHost _default_:443>
ServerName MYSITE.COM:443
SSLEngine on
SSLCertificateKeyFile /etc/apache2/ssl/MYSITE.COM.key
SSLCertificateFile /etc/apache2/ssl/MYSITE.COM.cert
ServerAdmin MYWEBGUY#localhost
DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/errorSSL.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/accessSSL.log combined
</VirtualHost>
while many other virtualhost configs wil be available in /etc/apache2/sites-enabled/ and in /etc/apache2/sites-available/ it was /etc/apache2/httpd.conf that was CRUCIAL to solving all problems.
for further info:
http://wiki.vpslink.com/Enable_SSL_on_Apache2
http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#selfcert
*generating your own certificate (self-signed) will result in a certificate whose authority the user's browser will not recognize. therefore, the browser will scream bloody murder and the user will have to "understand the risks" a dozen times before the browser actually opens up the page. so, it only works for testing purposes. having said that, this is the HOW-TO:
goto the apache folder (in ubuntu12 /etc/apache2/)
create a folder like ssl (or anything that works for you, the name is not a system requirement)
goto chosen directory /etc/apache2/ssl
run sudo openssl req -new -x509 -nodes -out MYSITE.COM.crt -keyout MYSITE.COM.key
use MYSITE.COM.crt and MYSITE.COM.key in your <VirtualHost> tag
name format is NOT under a strict system requirement, must be the same as the file :)
- names like 212-MYSITE.COM.crt, june2014-Godaddy-MYSITE.COM.crt should work.
I was getting the same error in chrome (and different one in Firefox, IE).
Also in error.log i was getting [error] [client cli.ent.ip.add] Invalid method in request \x16\x03
Following the instructions form this site I changed my configuration FROM:
<VirtualHost subdomain.domain.com:443>
ServerAdmin admin#domain.com
ServerName subdomain.domain.com
SSLEngine On
SSLCertificateFile conf/ssl/ssl.crt
SSLCertificateKeyFile conf/ssl/ssl.key
</VirtualHost>
TO:
<VirtualHost _default_:443>
ServerAdmin admin#domain.com
ServerName subdomain.domain.com
SSLEngine On
SSLCertificateFile conf/ssl/ssl.crt
SSLCertificateKeyFile conf/ssl/ssl.key
</VirtualHost>
Now it's working fine :)
Step to enable SSL correctly.
sudo a2enmod ssl
sudo apt-get install openssl
Configure the path of SSL certificates in your SSL config file (default-ssl.conf) that might be located in /etc/apache2/sites-available. I have stored certificates under /etc/apache2/ssl/
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/certificate.crt
SSLCertificateChainFile /etc/apache2/ssl/ca_bundle.crt
SSLCertificateKeyFile /etc/apache2/ssl/private.key
Enable SSL config file
sudo a2ensite default-ssl.conf
A common cause I wanted to suggest for this situation:
Sometimes a customer is running Skype, which is using port 443 without their realizing it. When they go to start Tomcat or Apache, it appears to start but cannot bind with port 443. This is the exact message that the user would receive in the browser. The fix is to stop what was running on port 443 and re-start the webserver so it can bind with port 443.
The customer can re-start Skype after starting the webserver, and Skype will detect that port 443 is in use and choose a different port to use.
#Make sure that you specify the port for both http and https ie.
NameVirtualHost:80
NameVirtualHost:443
#and
<VirtualHost *:80>
<VirtualHost *:443>
#mixing * and *:443 does not work it has to be *:80 and *:443
I got this problem and the solution was a bit silly.
I am using Cloudflare which acts as a proxy to my website. In order to be able to login via SSH, I added an entry to my /etc/hosts file so I didn't need to remember my server's IP address.
xxx.xx.xx.xxx example.com
So in my browser when I went to https://www.example.com, I was using the Cloudflare proxy, and when I went to to https://example.com I was going directly to the server. Because the Cloudflare setup doesn't require you to add the intermediate certificates, I was seeing this security exception in my browser when I went to https://example.com, but https://www.example.com was working.
The solution: remove the entry from my laptop's /etc/hosts file.
If this isn't your problem, I recommend using one of the many online SSL checker tools to try diagnose your problem.
I also recommend using ping to check the IP address being reported and check it against the IP address expected.
ping https://www.example.com/
Another very helpful SSL resource is the Mozilla SSL Configuration Generator. It can generate SSL configuration for you.
I didn't know what I was doing when I started changing the Apache configuration. I picked up bits and pieces thought it was working until I ran into the same problem you encountered, specifically Chrome having this error.
What I did was comment out all the site-specific directives that are used to configure SSL verification, confirmed that Chrome let me in, reviewed the documentation before directive before re-enabling one, and restarted Apache. By carefully going through these you ought to be able to figure out which one(s) are causing your problem.
In my case, I went from this:
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars +StrictRequire
SSLRequireSSL On
to this
<Location /sessions>
SSLRequireSSL
SSLVerifyClient require
</Location>
As you can see I had a fair number of changes to get there.
I had this error when I first followed instructions to set up the default apache2 ssl configuration, by putting a symlink for /etc/apache2/sites-available/default-ssl in /etc/apache2/sites-enabled. I then subsequently tried to add another NameVirtualHost on port 443 in another configuration file, and started getting this error.
I fixed it by deleting the /etc/apache2/sites-enabled/default-ssl symlink, and then just having these lines in another config file (httpd.conf, which probably isn't good form, but worked):
NameVirtualHost *:443
<VirtualHost *:443>
SSLEngine on
SSLCertificateChainFile /etc/apache2/ssl/chain_file.crt
SSLCertificateFile /etc/apache2/ssl/site_certificate.crt
SSLCertificateKeyFile /etc/apache2/ssl/site_key.key
ServerName www.mywebsite.com
ServerAlias www.mywebsite.com
DocumentRoot /var/www/mywebsite_root/
</VirtualHost>
I encounter this problem, because I have <VirtualHost> defined both in httpd.conf and httpd-ssl.conf.
in httpd.conf, it's defined as
<VirtualHost localhost>
in httpd-ssl.conf, it's defined as
<VirtualHost _default_:443>
The following change solved this problem, add :80 in httpd.conf
<VirtualHost localhost:80>
This is what fixed it for me on Ubuntu.
Enabled the module: a2enmod ssl
Moved all cert related files to a folder /usr/local/ssl and made it world readable: chmod -R +r /usr/local/ssl
Changed <VirtualHost *:80> to <VirtualHost *:*> in my virtual host.
Added SSLEngine On before all other SSL directives in my virtual host.
If you set a pass phrase on the cert, Apache should prompt you for it on restart.
Similar to other answers, this error can be experienced when there are no sites configured to use SSL.
I had the error when I upgraded from Debian Wheezy to Debian Jessie. The new version of Apache requires a site configuration file ending in .conf. Because my configuration file didn't, it was being ignored, and there were no others configured to serve SSL connections.
I encountered this issue, also due to misconfiguration. I was using tomcat and in the server.xml had specified my connector as such:
<Connector port="17443" SSLEnabled="true"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keyAlias="wrong" keystorePass="secret"
keystoreFile="/ssl/right.jks" />
When i fixed it thusly:
<Connector port="17443" SSLEnabled="true"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keyAlias="right" keystorePass="secret"
keystoreFile="/ssl/right.jks" />
It worked as expected. In other words, verify that you not only have the right keystore, but that you have specified the correct alias underneath it. Thanks for the invaluable hint user396404.
I solved it by commenting out:
AcceptFilter https none
in httpd.conf
according to:
http://www.apachelounge.com/viewtopic.php?t=4461
It turns out that the SSL certificate was installed improperly. Re-installing it properly fixed the problem