I have setup 2 websites on my Ubuntu web server and am having some trouble with getting two SSL certificates to work correctly. I did get one working on it's own at first, however, now I can't restart Apache successfully.
Error when trying to restart Apache
* Restarting web server apache2
* The apache2 configtest failed.
Output of config test was:
AH00526: Syntax error on line 3 of /etc/apache2/sites-enabled/website1.conf:
ServerName takes one argument, The hostname and port of the server
Action 'configtest' failed.
Output of /etc/apache2/ports.conf
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf
Listen 80
<IfModule ssl_module>
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
Output of website1.conf (first vhost file from /etc/apache2/sites-available)
<VirtualHost *:80>
ServerAdmin support#localhost
ServerName www.website1.com website1.com
DocumentRoot /var/www/html/website1.com/public
Redirect permanent /secure https://website1.com
</VirtualHost>
<VirtualHost _default_:443>
ServerAdmin support#localhost
ServerName website1.com
DocumentRoot /var/www/html/website1.com/public
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /var/www/html/website1.com/private/website1.crt
SSLCertificateKeyFile /var/www/html/website1.com/private/website1_private.key
SSLCertificateChainFile /var/www/html/website1.com/private/DigiCertCA.crt
</VirtualHost>
Output of website1.conf (second vhost file from /etc/apache2/sites-available)
<VirtualHost *:80>
ServerAdmin support#localhost
ServerAlias www.website2.com website2.com
DocumentRoot /var/www/html/website2.com/public
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:443>
ServerAdmin support#localhost
ServerName website2.com
DocumentRoot /var/www/html/website2.com/public
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /var/www/html/website2.com/private/website2.crt
SSLCertificateKeyFile /var/www/html/website2.com/private/website2_private.key
SSLCertificateChainFile /var/www/html/website2.com/private/DigiCertCA.crt
</VirtualHost>
Any help or verification of my config would be greatly appreciated. Thanks in advance.
Related
I want my sites served via SSL to have a bunch of the same properies in my apache2 config. Unfortunately, I can't find anywhere that demos how to do that. Here's my config at the moment for two separate servers accessed by www.mydomain.com and blog.mydomain.com:
<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot /var/www/html
ServerName www.mydomain.com
# Repeated stuff
ServerAdmin webmaster#localhost
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
</VirtualHost>
<VirtualHost *:443>
DocumentRoot /var/www/wordpress
ServerName blog.mydomain.com
# Repeated stuff
ServerAdmin webmaster#localhost
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
</VirtualHost>
</IfModule>
As you can see, both virtualhosts have a lot of the same properties under #Repeated stuff. How can I specify these properties once and then have ONLY these virtualhosts inherit those properties? E.g. can virtualhosts be nested?
mod_macro gave me just what I wanted. On ubuntu it can simply be enabled with sudo a2enmod macro. My apache2 SSL config now looks something like this:
<IfModule mod_ssl.c>
<Macro SSLStuff>
ServerAdmin webmaster#localhost
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/www.mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.mydomain.com/privkey.pem
</Macro>
<VirtualHost *:443>
Use SSLStuff
DocumentRoot /var/www/html
ServerName mydomain.com
ServerAlias www.mydomain.com
</VirtualHost>
<VirtualHost *:443>
Use SSLStuff
DocumentRoot /var/www/wordpress
ServerName blog.mydomain.com
</VirtualHost>
<VirtualHost *:443>
Use SSLStuff
ServerName mynodeapp.mydomain.com
ProxyPass / http://127.0.0.1:5000/
ProxyPassReverse / http://127.0.0.1:5000/
</VirtualHost>
</IfModule>
I have two websites in the same web server (Ubuntu 16.04.2 LTS - Apache/2.4.18). Everything works well when I try to access to both websites using HTTP (port 80). This is the vhosts.conf file content:
<VirtualHost *:80>
ServerName site1
DocumentRoot /var/www/html/site1
ErrorLog ${APACHE_LOG_DIR}/site1_error.log
CustomLog ${APACHE_LOG_DIR}/site1_access.log combined
</VirtualHost>
<VirtualHost *:80>
ServerName site2
DocumentRoot /var/www/html/site2
ErrorLog ${APACHE_LOG_DIR}/site2_error.log
CustomLog ${APACHE_LOG_DIR}/site2_access.log combined
</VirtualHost>
So, both sites are accessible through "mydomain.com/site1" and "mydomain.com/site2". I have installed a Let's Encrypt certificate and, to make it works, I have configured a virtual host like this:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName mydomain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/site_error.log
CustomLog ${APACHE_LOG_DIR}/site_access.log combined
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
I can access both site using SSL (port 443) successfully but I can't use different log files for different sites. I have tried something like this:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName mydomain.com/site1
DocumentRoot /var/www/html/site1
ErrorLog ${APACHE_LOG_DIR}/site1_error.log
CustomLog ${APACHE_LOG_DIR}/site1_access.log combined
Alias /site1 /var/www/html/site1
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
<VirtualHost *:443>
ServerName mydomain.com/site2
DocumentRoot /var/www/html/site2
ErrorLog ${APACHE_LOG_DIR}/site2_error.log
CustomLog ${APACHE_LOG_DIR}/site2_access.log combined
Alias /site2 /var/www/html/site2
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
But it doesn't work. How can I distinguish between two sites in order to have two different log files?
Following the link proposed by CBroe, I have found the solution by using the SetEnvIf directive. The final working virtual host configuration looks like this:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName mydomain.com
DocumentRoot /var/www/html
SetEnvIf Request_URI ^/site1(/|$) site1
SetEnvIf Request_URI ^/site2(/|$) site2
CustomLog ${APACHE_LOG_DIR}/site1_access.log combined env=site1
CustomLog ${APACHE_LOG_DIR}/site2_access.log combined env=site2
ErrorLog ${APACHE_LOG_DIR}/site_error.log
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
So I've been messing around with Apache, and I bought a SSL certificate. I finally got it installed, but now when I goto my domain with the URL (leethecoder.com) I assume it's trying to use HTTP? And my server, of course, with a SSL certificate is not listening on port 80. But, if I include https:// before the URL (https://leethecoder.com), it works. Is there a way I can make the server force the basic URL (leethecoder.com) goto port 443?
This is my current /sites-enabled/ configuration file.
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
ServerName www.leethecoder.com
ServerAlias www.leethecoder.com leethecoder.com
Options -Indexes
DocumentRoot /var/www/leethecoder.com/public_html/
SSLEngine on
SSLCertificateFile /etc/ssl/leethecoder.com/leethecoder_com.crt
SSLCertificateKeyFile /etc/ssl/private/sslkey.key
SSLCertificateChainFile /etc/ssl/leethecoder.com/foobundle.ca-bundle
ErrorLog /var/www/leethecoder.com/logs/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
IMO, this is "properly" (you're currently an A-, the below might help to get an A+):
<VirtualHost *:80>
ServerName leethecoder.com
ServerAlias *.leethecoder.com
UseCanonicalName Off
ErrorLog /var/www/leethecoder.com/logs/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RedirectPermanent / https://leethecoder.com/
</VirtualHost>
<VirtualHost *:443>
ServerName www.leethecoder.com
UseCanonicalName Off
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "-ALL EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EDH+aRSA+AESGCM EECDH+ECDSA+AES EECDH+aRSA+AES EDH+aRSA+AES RSA+3DES"
SSLCertificateFile /etc/ssl/leethecoder.com/leethecoder_com.crt
SSLCertificateKeyFile /etc/ssl/private/sslkey.key
SSLCertificateChainFile /etc/ssl/leethecoder.com/foobundle.ca-bundle
ErrorLog /var/www/leethecoder.com/logs/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RedirectPermanent / https://leethecoder.com/
</VirtualHost>
<VirtualHost *:443>
ServerName leethecoder.com
UseCanonicalName Off
ErrorLog /var/www/leethecoder.com/logs/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
DocumentRoot /var/www/leethecoder.com/public_html
<Directory /var/www/leethecoder.com/public_html/>
Allow From All
</Directory>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "-ALL EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EDH+aRSA+AESGCM EECDH+ECDSA+AES EECDH+aRSA+AES EDH+aRSA+AES RSA+3DES"
SSLCertificateFile /etc/ssl/leethecoder.com/leethecoder_com.crt
SSLCertificateKeyFile /etc/ssl/private/sslkey.key
SSLCertificateChainFile /etc/ssl/leethecoder.com/foobundle.ca-bundle
</VirtualHost>
This is, of course, assuming that your variables are valid, you prefer the https without the www, and that you're OK for your clients to use that cipher suite. Also, that you've enabled the site, and disabled any other conflicting sites.
Proper way to do it -- secure way -- is to use the apache virtual host redirect:
<virtualhost *:80="">
ServerName www.example.com
Redirect / https://www.example.com/
</virtualhost>
<virtualhost *:443="">
ServerName www.example.com
# ... SSL configuration goes here
</virtualhost>
Or you need to use mod_rewrite to return an HTTP_RESPONSE 301 for redirect to your HTTPS site.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}/%$1 [R,L]
Also you need to listen port 80.
http://httpd.apache.org/docs/current/mod/mod_rewrite.html
I've created two virtual hosts on Fedora. I have a websites.config file in /etc/httpd/conf.d directory:
<VirtualHost *:443>
ServerName www.beratyeniceri.com
DocumentRoot /var/www/beratyeniceri.com/public_html
ServerAlias beratyeniceri.com
SSLEngine ON
SSLCertificateFile /etc/httpd/certs/beratyeniceri.com/1000.pem
SSLCertificateKeyFile /etc/httpd/certs/beratyeniceri.com/beratyeniceri.key
ErrorLog logs/virtual.host-error_log
CustomLog logs/virtual.host-access_log combined
</VirtualHost>
<VirtualHost *:443>
ServerName www.tugbanursari.com
DocumentRoot /var/www/tugbanursari.com/public_html
ServerAlias tugbanursari.com
SSLEngine ON
SSLCertificateFile /etc/httpd/certs/tugbanursari.com/1001.pem
SSLCertificateKeyFile /etc/httpd/certs/tugbanursari.com/tugbanur.key
ErrorLog logs/virtual.host-error_log
CustomLog logs/virtual.host-access_log combined
</VirtualHost>
When I run,
service httpd restart
it asks pass phrase for tugbanursari.com, but does not ask for beratyeniceri.com. When I switch their spot, then it only ask for second block. Hence,it skip first site which is on first block. Then, I think it does not work.
How do I fix that?
What is my server ip address to change hosts file for clients?
I have a Server which is running Debian 8.1 with Apache 2.4.10 and OpenSSL 1.0.1k.
I have a domain example.com with a few subdomains like www.example.com, cloud.example.com and db.example.com all pointet to the Server (A-Records).
All these subdomains have their own VirtualHosts with their own SSL-Certificates. Also if you send a HTTPS-Request with another domain or with the IP you'll get a page with a self-signed certificate.
Everything was running perfect until I rebootet my server.
Now when I request example.com (without a subdomain-prefix) I get the self-signed crt. The subdomains are working perfectly fine. I have the following vHost-Configs:
(because I only want HTTPS I have a Rewrite-Rule for all HTTP-Connections)
000-default.conf
<VirtualHost *:80>
ServerAdmin admin#example.com
RewriteEngine On
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin admin#example.com
DocumentRoot /var/www
<Directory /var/www>
AllowOverride All
Require all granted
</Directory>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
ErrorLog ${APACHE_LOG_DIR}/error.ssl.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.ssl.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/default/ca.crt
SSLCertificateKeyFile /etc/ssl/certs/default/ca.key
</VirtualHost>
</IfModule>
www.example.com.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin admin#example.com
ServerName www.example.com
ServerAlias example.com
DocumentRoot /var/www/example
<Directory /var/www/example>
AllowOverride All
Require all granted
</Directory>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
ErrorLog ${APACHE_LOG_DIR}/error.ssl.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.ssl.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/www.example.com/ca.crt
SSLCertificateKeyFile /etc/ssl/certs/www.example.com/ca.key
SSLCertificateChainFile /etc/ssl/certs/www.example.com/sub.class1.server.ca.pem
SSLCACertificateFile /etc/ssl/certs/www.example.com/ca.pem
</VirtualHost>
</IfModule>
cloud.example.com.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin admin#example.com
ServerName cloud.example.com
DocumentRoot /var/www/example
<Directory /var/www/example>
AllowOverride All
Require all granted
</Directory>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
ErrorLog ${APACHE_LOG_DIR}/error.ssl.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.ssl.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/www.example.com/ca.crt
SSLCertificateKeyFile /etc/ssl/certs/www.example.com/ca.key
SSLCertificateChainFile /etc/ssl/certs/www.example.com/sub.class1.server.ca.pem
SSLCACertificateFile /etc/ssl/certs/www.example.com/ca.pem
</VirtualHost>
</IfModule>
I really hope that somebody can help me!
The hostname was example (like the domain, but without .com) so I changed the hostname to some random typing and after a reboot everything worked fine again. When I changed my hostname back it kept working even after a reboot.
For me changing the order of VirtualHosts helped to solve the problem, by putting malfunctioning VirtualHost to the top in the conf file.