I have two virtual hosts, and use two certificates. While not indicated by the following httpd.conf file, I am using *.example.com as well as *.sites.example.com and thus need to the two certificates. When accessing https://bla.sites.example.com/, the browser displays the following warning:
bla.sites.example.com uses an invalid security certificate.
The certificate is only valid for the following names: *.example.com, example.com
(Error code: ssl_error_bad_cert_domain)
If I remove the first VirtualHost which redirects to www.example.com, I don't get the warning.
Why is this, and how should I use multiple CA certificates for different VirtualHosts?
<VirtualHost *:443>
ServerName example.com
SSLEngine on
SSLCipherSuite SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNULL:!aNULL
SSLCertificateKeyFile /etc/pki/tls/private/example_key.pem
#Following certificate is good for example.com and *.example.com
SSLCertificateFile /etc/pki/tls/certs/example_startssl_class2.crt
SSLCertificateChainFile /etc/pki/tls/certs/sub.class2.server.ca.pem
RewriteEngine on
RewriteRule .* https://www.example.com%{REQUEST_URI} [NE,R,L]
</VirtualHost>
<VirtualHost *:443>
ServerName example.com
ServerAlias *.sites.example.com
ErrorDocument 404 /error-404.html
DocumentRoot /var/www/example/html_sites
SSLEngine on
SSLCipherSuite SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNULL:!aNULL
SSLCertificateKeyFile /etc/pki/tls/private/example_key.pem
#Following certificate is good for example.com, sites.example.com and *.sites.example.com
SSLCertificateFile /etc/pki/tls/certs/example_startssl_sites_class2.crt
SSLCertificateChainFile /etc/pki/tls/certs/sub.class2.server.ca.pem
<Directory "/var/www/example/html_sites">
allow from all
Options +Indexes
</Directory>
</VirtualHost>
Note that I have the following settings in /etc/httpd/conf.d/ssl.conf:
#Following certificate is good for example.com and *.example.com
SSLCertificateFile /etc/pki/tls/certs/example_startssl_class2.crt
SSLCACertificateFile /etc/pki/tls/certs/example_startssl_class2.crt
SSLCertificateKeyFile /etc/pki/tls/private/example_key.pem
SSLCertificateChainFile /etc/pki/tls/certs/sub.class2.server.ca.pem
Your VHOST's are not setup correctly. You have both pointing to ServerName example.com
They both should have different specific ServerName and different document roots. Then apache will know where to send the request to the correct vhost and you won't get that error.
You can see more configuration help here. Multiple Certs using SNI
Since they are two different certs, your vhosts should look something like this.
<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/example/html_sites
SSLEngine on
SSLCipherSuite SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNULL:!aNULL
SSLCertificateKeyFile /etc/pki/tls/private/example_key.pem
#Following certificate is good for example.com and *.example.com
SSLCertificateFile /etc/pki/tls/certs/example_startssl_class2.crt
SSLCertificateChainFile /etc/pki/tls/certs/sub.class2.server.ca.pem
<Directory "/var/www/example/html_sites">
ErrorDocument 404 /error-404.html
allow from all
Options +Indexes
RewriteEngine on
RewriteRule .* https://www.example.com%{REQUEST_URI} [NE,R,L]
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerName bla.sites.example.com
ServerAlias *.sites.example.com
DocumentRoot /var/www/example2/html_sites
SSLEngine on
SSLCipherSuite SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNULL:!aNULL
SSLCertificateKeyFile /etc/pki/tls/private/example_key.pem
#Following certificate is good for example.com, sites.example.com and *.sites.example.com
SSLCertificateFile /etc/pki/tls/certs/example_startssl_sites_class2.crt
SSLCertificateChainFile /etc/pki/tls/certs/sub.class2.server.ca.pem
<Directory "/var/www/example2/html_sites">
allow from all
Options +Indexes
</Directory>
</VirtualHost>
Also to remember to restart apache when making changes.
Related
I get slightly crazy :)
I have a domain example.com and I have a SSL certificate for www.example.com
The example.com refers to the IP address of the server (it is an EC2 instance).
In the vhost.conf of the Server I have the following entries
<VirtualHost *:80>
ServerName example.com
Redirect permanent / https://www.example.com/
</VirtualHost>
<VirtualHost _default_:443>
ServerName www.example.com
DocumentRoot /var/www/vhosts/example-wp
SSLEngine On
...
</VirtualHost>
I took the information from the apache wiki.
https://wiki.apache.org/httpd/RedirectSSL
Thanks for helping
Tristan
You already have the necessary directives listed to perform the redirect. You also need to tell the vhost file where your certificate and key for the certificate exist. You also need to say whether or not a directory the user browses to is to load SSL. Please see a full example configuration file below.
<VirtualHost *:80>
ServerName www.example.com
ServerAlias example.com
Redirect / https://www.example.com/
</VirtualHost>
<VirtualHost *:443>
ServerName www.example.com
ServerAlias example.com
ServerAdmin webmaster#local
DocumentRoot /path/to/web/content
DirectoryIndex index.php index.html
ErrorLog logs/error_log
CustomLog logs/access combined
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl.crt/certfile.cer
SSLCertificateKeyFile /etc/apache2/ssl.key/keyfile.key
<Directory "/path/to/web/content/">
Options None
AllowOverride None
Order allow,deny
Allow from all
SSLRequireSSL
</Directory>
</VirtualHost>
Hi I have the following use case, I have an application (let's call it foobar) on a remote server /var/www/foobar and I have the following Apache VirtualHost conf
<VirtualHost *:80>
DocumentRoot /var/www
# This is to redirect http traffic to https
Redirect permanent / https://example.com/
</VirtualHost>
<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /etc/ssl/certs/example.com.crt
SSLCertificateKeyFile /etc/ssl/private/example.com.key
SSLCertificateChainFile /etc/ssl/certs/example.com.bundle.crt
ServerName example.com:443
DocumentRoot /var/www/foobar
</VirtualHost>
And its working all fine. Now suppose I have another domain example2.com and I want it to point to the same foobar application. My current thinking is create another VirtualHost below, something like this
<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /etc/ssl/certs/example2.com.crt
SSLCertificateKeyFile /etc/ssl/private/example2.com.key
SSLCertificateChainFile /etc/ssl/certs/example2.com.bundle.crt
ServerName example2.com:443
DocumentRoot /var/www/foobar
</VirtualHost>
But I was wondering is this the correct way of doing stuff like this? I need both domains to be "independent" so I didn't make a permanent redirect from example2.com to example.com
You can do something like below,You can use the server alias for this, Also I don't see anything wrong in having 2 virtual hosts as well.
<VirtualHost *:443>
ServerName example1.com
ServerAlias example2.com
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html/testlink
</VirtualHost>
If you are getting unable to get a certificate error, you can create a certificate with a wildcard CN. e.g : *.comthis will match both example1.com and example2.com.
So I've been messing around with Apache, and I bought a SSL certificate. I finally got it installed, but now when I goto my domain with the URL (leethecoder.com) I assume it's trying to use HTTP? And my server, of course, with a SSL certificate is not listening on port 80. But, if I include https:// before the URL (https://leethecoder.com), it works. Is there a way I can make the server force the basic URL (leethecoder.com) goto port 443?
This is my current /sites-enabled/ configuration file.
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
ServerName www.leethecoder.com
ServerAlias www.leethecoder.com leethecoder.com
Options -Indexes
DocumentRoot /var/www/leethecoder.com/public_html/
SSLEngine on
SSLCertificateFile /etc/ssl/leethecoder.com/leethecoder_com.crt
SSLCertificateKeyFile /etc/ssl/private/sslkey.key
SSLCertificateChainFile /etc/ssl/leethecoder.com/foobundle.ca-bundle
ErrorLog /var/www/leethecoder.com/logs/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
IMO, this is "properly" (you're currently an A-, the below might help to get an A+):
<VirtualHost *:80>
ServerName leethecoder.com
ServerAlias *.leethecoder.com
UseCanonicalName Off
ErrorLog /var/www/leethecoder.com/logs/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RedirectPermanent / https://leethecoder.com/
</VirtualHost>
<VirtualHost *:443>
ServerName www.leethecoder.com
UseCanonicalName Off
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "-ALL EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EDH+aRSA+AESGCM EECDH+ECDSA+AES EECDH+aRSA+AES EDH+aRSA+AES RSA+3DES"
SSLCertificateFile /etc/ssl/leethecoder.com/leethecoder_com.crt
SSLCertificateKeyFile /etc/ssl/private/sslkey.key
SSLCertificateChainFile /etc/ssl/leethecoder.com/foobundle.ca-bundle
ErrorLog /var/www/leethecoder.com/logs/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RedirectPermanent / https://leethecoder.com/
</VirtualHost>
<VirtualHost *:443>
ServerName leethecoder.com
UseCanonicalName Off
ErrorLog /var/www/leethecoder.com/logs/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
DocumentRoot /var/www/leethecoder.com/public_html
<Directory /var/www/leethecoder.com/public_html/>
Allow From All
</Directory>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "-ALL EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EDH+aRSA+AESGCM EECDH+ECDSA+AES EECDH+aRSA+AES EDH+aRSA+AES RSA+3DES"
SSLCertificateFile /etc/ssl/leethecoder.com/leethecoder_com.crt
SSLCertificateKeyFile /etc/ssl/private/sslkey.key
SSLCertificateChainFile /etc/ssl/leethecoder.com/foobundle.ca-bundle
</VirtualHost>
This is, of course, assuming that your variables are valid, you prefer the https without the www, and that you're OK for your clients to use that cipher suite. Also, that you've enabled the site, and disabled any other conflicting sites.
Proper way to do it -- secure way -- is to use the apache virtual host redirect:
<virtualhost *:80="">
ServerName www.example.com
Redirect / https://www.example.com/
</virtualhost>
<virtualhost *:443="">
ServerName www.example.com
# ... SSL configuration goes here
</virtualhost>
Or you need to use mod_rewrite to return an HTTP_RESPONSE 301 for redirect to your HTTPS site.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}/%$1 [R,L]
Also you need to listen port 80.
http://httpd.apache.org/docs/current/mod/mod_rewrite.html
I have website on ubuntu with apache server. Domain is from godaddy. When I type example.com it's running file under SSL (with https). But, for www.example.com it's giving me below error.
www.example.com uses an invalid security certificate. The certificate is only valid for the following names: someother.com, www.someother.com, someother.com (Error code: ssl_error_bad_cert_domain)
What I did?
I tried to talk with godaddy. They suggested me to disable SSL v3 from apache server. Everything is ok from their side.
Then I changed ssl.conf file with this: SSLProtocol All -SSLv2 -SSLv3 according to this documentation. But, still it's giving me the same error.
configurations
<VirtualHost *:80>
ServerAdmin myemail#gmail.com
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/example/public_html
ErrorLog /var/www/example/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost _default_:443>
ServerName example.com
DocumentRoot /var/www/example/public_html
ErrorLog /var/www/example/error.log
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/example.crt
SSLCertificateKeyFile /etc/apache2/ssl/example.key
SSLCertificateChainFile /etc/apache2/ssl/example-bundle.crt
</VirtualHost>
Let me know if you need more info.
I have a CentOS/Apache+OpenSSL server. I host two domain names with wildcard sub domains (application logic surfaces the correct site), e.g.
https://*.testing1.com
https://*.testing2.com
It works great over HTTP:-
<VirtualHost *:80>
# Admin email, Server Name (domain name) and any aliases
ServerAdmin webmaster#testing1.com
ServerName testing1.com
ServerName testing2.com
ServerAlias *.testing1.com *.testing2.com
# Index file and Document Root (where the public files are located)
DirectoryIndex index.html index.php
DocumentRoot /home/app/public_html/public
</VirtualHost>
I've purchased two Wildcard SSL certificated for both testing1.com and testing2.com, but I'm unsure how to set it up in this structure:-
<VirtualHost *.testing1.com:443>
SSLEngine On
SSLCertificateFile /etc/httpd/ssl/*.testing1.com.crt
SSLCertificateKeyFile /etc/httpd/ssl/*.testing1.com.key
SSLCACertificateFile /etc/httpd/ssl/geotrust.cer
ServerAdmin john#testing1.com
ServerName testing1.com
ServerAlias *.testing1.com
DirectoryIndex index.html index.php
DocumentRoot /home/app/public_html/public
</VirtualHost>
<VirtualHost *.testing2.com:443>
SSLEngine On
SSLCertificateFile /etc/httpd/ssl/*.testing2.com.crt
SSLCertificateKeyFile /etc/httpd/ssl/*.testing2.com.key
SSLCACertificateFile /etc/httpd/ssl/geotrust.cer
ServerAdmin john#testing2.com
ServerName testing2.com
ServerAlias *.testing2.com
DirectoryIndex index.html index.php
DocumentRoot /home/app/public_html/public
</VirtualHost>
The above for the SSL doesn't work, with the *.testing1.com definition, nor with just testing1.com.
I will also need to repeat this for testing2.com
Name-based virtualhosts and SSL wil only work if all the virtualhosts are within the same domain and you have a wildcard SSL certificate for that domain.
But you have 2 different domains.
In this case it will only work if you give each SSL-enabled virtualhost it's own IPaddress.
So you should use IP-based virtualhosts, not Name-based.
Explanation:
The ServerName which is requested, is contained in the HTTP request headers, but before that the SSL encryption must be already setup. So the ServerName is only available after the encryption has been setup. Therefore Apache can never know which SSL certificate te serve up and wil just use the first one available on that particular IPaddress.
With the single dedicated IP we can configure domain-based wildcard SSL in centos + apache2.2 server.
Hope the configurations below will help you guys!!
NameVirtualHost IP:80
NameVirtualHost IP:443
Domain 1
<VirtualHost IP:80>
ServerName abc.domain1.com
DocumentRoot /var/www/html/domain1
</VirtualHost>
<VirtualHost IP:443>
ServerName *.domain1.com
DocumentRoot /var/www/html/domain1
SSLEngine On
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /var/www/html/domain1/cert/5465456.crt
SSLCertificateKeyFile /var/www/html/domain1/cert/domain1.com.key
SSLCertificateChainFile /var/www/html/domain1/cert/g2-g1.crt
</VirtualHost>
Domain 2
<VirtualHost IP:80>
ServerName abc.domain2.com
DocumentRoot /var/www/html/domain2
</VirtualHost>
<VirtualHost IP:443>
ServerName abc.domain2.com
DocumentRoot /var/www/html/domain2
SSLEngine On
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /var/www/html/domain2/cert/5465456.crt
SSLCertificateKeyFile /var/www/html/domain2/cert/domain1.com.key
SSLCertificateChainFile /var/www/html/domain2/cert/g2-g1.crt
</VirtualHost>