Two Security Certificates on a Single IP with Apache's mod_gnutls - apache

My understanding is there is a problem with having multiple certificates on a single IP as SSL is negotiated before HTTP happens, however what we can do is Service Name Indication (SNI) in TLS to get around this. According to the SNI Wikipedia page both Apache 2 modules mod_ssl and mod_gnutls support this extension and also numerous web clients.
I have been trying to use mod_gnutls on CentOS 5. I have two separate certificates for two domains but only 1 IP. Each works independently but when I put both into the config at once only the first will work. Any https connection on domain2 shows domain1's certificate.
My config looks like this:
Listen 443
NameVirtualHost *:443
<VirtualHost *:443>
ServerName www.domain1.com
ServerAlias www.domain1.com
DocumentRoot /var/www/html/domain1
GnuTLSEnable on
GnuTLSCertificateFile /etc/pki/tls/certs/www.domain1.crt
GnuTLSKeyFile /etc/pki/tls/domain1/private.key
</VirtualHost>
<VirtualHost *:443>
DocumentRoot /var/www/html/domain2
ServerName www.domain2.com
ServerAlias www.domain2.com
GnuTLSEnable on
GnuTLSCertificateFile /etc/pki/tls/certs/domain2.crt
GnuTLSKeyFile /etc/pki/tls/domain2/private.key
</VirtualHost>
Any ideas? Really been scratching my head over this.
Many thanks
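A small checker for the symptom described above, added here and not part of the original post: it opens one TLS connection per hostname, sends that name in the SNI extension, and reports whether the certificate the server returned actually covers the name, so a vhost that always answers with domain1's certificate shows up as "WRONG CERT" for domain2. The IP address, port and hostnames in the example call are constructed placeholders; it assumes the certificates are CA-signed, since Python only decodes a certificate whose chain it verified.

```python
import socket
import ssl


def cert_names(cert):
    """dNSName entries from subjectAltName; the subject CN only as a fallback
    (modern clients ignore the CN once a SAN extension is present)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def name_matches(pattern, hostname):
    """Exact match, or a '*.' wildcard that covers exactly one leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "." in hostname:
        return hostname.split(".", 1)[1] == pattern[2:]
    return False


def cert_covers(cert, hostname):
    """True when any name in the certificate matches the requested hostname."""
    return any(name_matches(n, hostname) for n in cert_names(cert))


def fetch_cert(ip, port, sni_name):
    """Connect to ip:port, send sni_name as SNI and return the decoded leaf
    certificate. Hostname checking is off so a wrong-name certificate is
    returned instead of rejected; chain verification stays on."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni_name) as tls:
            return tls.getpeercert()


def check_sni(ip, port, hostnames):
    """Return {hostname: (covered, names in the served certificate)}."""
    report = {}
    for host in hostnames:
        cert = fetch_cert(ip, port, host)
        report[host] = (cert_covers(cert, host), cert_names(cert))
    return report


if __name__ == "__main__":
    # Constructed placeholder address: one IP, two names, as in the question.
    for host, (ok, names) in check_sni("203.0.113.10", 443, ["www.domain1.com", "www.domain2.com"]).items():
        print(f"{host}: {'OK' if ok else 'WRONG CERT'} (served names: {', '.join(names)})")
```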

Related

One Multisite SSL on Two virtual hosts (Apache2 on Ubuntu 16.04)

I have one SSL certificate from GoDaddy (Standard UCC SSL Certificate for up to 5 sub/domains) and two virtual host configurations on Apache2.
I can install the SSL certificate on each of them separately and they work fine until I add the second one.
When the second HTTPS config is added (...), then I get kind of weird redirects from one.abc.com to two.abc or vice versa.
I am using the same certificate files for both configs, because it is the same Multisite SSL certificate.
For example:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName www.abc.com
DocumentRoot /var/www/htdocs
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/abc.crt
SSLCertificateKeyFile /etc/apache2/ssl/abc.key
SSLCertificateChainFile /etc/apache2/ssl/abc_bundle.crt
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName subd2.abc.com
DocumentRoot /var/www/test2
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/abc.crt
SSLCertificateKeyFile /etc/apache2/ssl/abc.key
SSLCertificateChainFile /etc/apache2/ssl/abc_bundle.crt
</VirtualHost>
</IfModule>
What am I doing wrong?
This:
Now - I understand that because SSL wraps around the HTTP request, there's no way to know which host is being requested until a public key has been sent to the client first. This essentially breaks the possibility of SSL virtual hosts using a standard SSL certificate.
from
https://serverfault.com/questions/113076/apache-ssl-virtualhosts-on-a-single-ip-using-ucc-san-certificate
led me to the idea that the problem is simply that in the case of abc.com the server just does not know which HTTPS server config (www.abc.com or subd2.abc.com) to take and simply takes the first one. Tests confirmed that.
From that comes a second question / conclusion: do I have a configuration for the domain abc.com? I do not; I just have it defined as a ServerAlias in the www.abc.com config.
When I removed it from ServerAlias and created a configuration for abc.com with a redirect, everything stayed in its place.

URL without trailing / gets internal port appended

FireWall -> LoadBalancer -> Backend
Public IP is bound to firewall -> NAT to private IP farm on LB -> balance to backend on another private subnet.
https://example.com/test-redirect/index.php --> works fine
https://example.com/test-redirect/ --> works fine
https://example.com/test-redirect --> https://example.com:44312/test-redirect/ (Where 44312 is the internal port number apache has the SSL vhost bound to. FAILS)
Apache Config:
<VirtualHost *:80>
ServerAdmin REDACTED
ServerName example.com
ServerAlias *.example.com
DocumentRoot "/var/www/example.com"
Include conf.d/global-http-host-includes.conf
</VirtualHost>
<VirtualHost <internal-ip>:44312>
DocumentRoot "/var/www/example.com"
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateFile REDACTED.crt
SSLCertificateKeyFile REDACTED.key
Include conf.d/global-ssl-host-includes.conf
</VirtualHost>
The client that this is for handles the redirects to HTTPS from HTTP in his application. We have said numerous times that this behaviour is extremely likely to originate from the application, and it isn't something the stack nor the Apache config is doing.
Has anyone come up against a similar scenario as this? Or might have any ideas as to what is causing the internal Apache port number to be appended to the URL when it redirects?
This turned out to be an issue with not having the ServerName and ServerAlias values within the SSL vHost as well as the non-SSL vHost. After adding the name and alias to those, the issue was fixed.
I would say this is perhaps a bug within Apache, but also some amount of misconfiguration.

Debian 8 - SSL Certificate is not working

I have recently moved a website from my old web server with 123-reg.co.uk to a new Linode web server hosted with Linode.
I am running Apache with Debian 8.9.
123-reg provided me with an SSL certificate for my website which, of course, was deactivated when I moved the website to the new server. So I set to work manually reactivating the certificate on my new server.
I was able to get the necessary SSL files (CA Bundle, Key and Certificate) from 123-reg and I followed Linode's instructions to setup the SSL certificate on their servers using the following tutorials:
First tutorial and
second tutorial.
Here is the site's config file:
<VirtualHost *:80>
# All of the files here exist on the server
SSLEngine On
SSLCertificateFile /etc/ssl/certs/zetec-it.com.crt
SSLCertificateKeyFile /etc/ssl/private/zetec-it.com.key
SSLCACertificateFile /etc/ssl/certs/ca-certificates.crt
ServerAdmin webmaster#zetec-it.com
ServerName zetec-it.com
ServerAlias www.zetec-it.com
DirectoryIndex index.html index.php
DocumentRoot /var/www/html/zetec-it.com/public_html
LogLevel warn
ErrorLog /var/www/html/zetec-it.com/log/error.log
CustomLog /var/www/html/zetec-it.com/log/access.log combined
</VirtualHost>
The setup seems legit, but when I attempt to access the website via https the browser states that the connection isn't secure.
I'm fairly new to server admin; does anyone have any suggestions or potential solutions?
You need a VirtualHost which is listening on port 443 in order to have working HTTPS. You configured your VirtualHost to listen on port 80 while having SSLEngine On.
In order to get https working you would only need to change <VirtualHost *:80> to <VirtualHost *:443>.
Once you did that, you would not have a configuration that handles http connections too (there would not be any VirtualHost waiting for connections for ServerName zetec-it.com).
There are generally two ways to serve http connections requesting the same hostname:
You redirect them to https using something like this (uses mod_rewrite in order to redirect to the same path):
<VirtualHost *:80>
ServerName zetec-it.com
ServerAlias www.zetec-it.com
RewriteEngine on
RewriteRule ^ https://zetec-it.com%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
You deliver the same content through http as well:
<VirtualHost *:80>
# All of the files here exist on the server
ServerAdmin webmaster#zetec-it.com
ServerName zetec-it.com
ServerAlias www.zetec-it.com
DirectoryIndex index.html index.php
DocumentRoot /var/www/html/zetec-it.com/public_html
LogLevel warn
ErrorLog /var/www/html/zetec-it.com/log/error.log
CustomLog /var/www/html/zetec-it.com/log/access.log combined
</VirtualHost>
Either way you need two config files, the https one (which is basically your example from above, remember to replace 80 with 443) and one for http which I gave you 2 examples for.
You can put them into separate files, remember to activate them in this case.

NamedVirtualHost in apache configuration

I have a Unix system whose actual name is "ech-10.45.25.12".
I have installed the Apache server on it.
Now I need to configure it in such a way that the two applications running on the same machine in Tomcat on two different ports can be accessed by the same domain.
i.e., I have two applications running on the same machine under different ports:
http://ech-10.45.25.12:8080/issuetracker/
http://ech-10.45.25.12:8180/dashboard/
I would like to name this server (ech-10.45.25.12) devjunior.mycompany.com
The following is the configuration I have made in httpd.conf:
Listen 80
Listen 8080
Listen 8180
NameVirtualHost ech-10.45.25.12:80
NameVirtualHost ech-10.45.25.12:8080
NameVirtualHost ech-10.45.25.12:8180
<VirtualHost ech-10.45.25.12:80>
ServerName devjunior.mycompany.com
DocumentRoot /www/domain-80
</VirtualHost>
<VirtualHost ech-10.45.25.12:8080>
ServerName devjunior.mycompany.com
DocumentRoot /www/domain-8080
</VirtualHost>
<VirtualHost ech-10.45.25.12:8180>
ServerName devjunior.mycompany.com
DocumentRoot /www/domain-8080
</VirtualHost>
I know I am making a major mistake,
but I should be able to access the applications by using the following URLs:
http://devjunior.mycompany.com/issuetracker
http://devjunior.mycompany.com/dashboard
Should I create ANY directories under any folders anywhere in the system?
Please tell me that also.
You configured only the names. So you've configured Apache to listen for:
http://devjunior.mycompany.com:8080
http://devjunior.mycompany.com:8180
You can:
1. Configure 2 domains with NameVirtualHost without using ports. This is the most elegant way of doing what you want.
2. Configure a single domain that points to a single directory on the filesystem with 2 links for the different applications. This works mostly with PHP or pure HTML pages. With more complex applications you could run into a lot of headaches.
3. Domain and port, like you've done. But you can access only via http://devjunior.mycompany.com:8080/issuetracker and http://devjunior.mycompany.com:8180/dashboard
Solution 1
You can use different domains or subdomains (which are cookie-friendly in the eventuality of single sign-on).
Listen 80
NameVirtualHost ech-10.45.25.12:80
<VirtualHost ech-10.45.25.12:80>
ServerName devjunior.mycompany.com
DocumentRoot /www/domain-80
</VirtualHost>
<VirtualHost ech-10.45.25.12:80>
ServerName dashboard.devjunior.mycompany.com
DocumentRoot /www/domain-8080
</VirtualHost>
<VirtualHost ech-10.45.25.12:80>
ServerName issuetracker.devjunior.mycompany.com
DocumentRoot /www/domain-8180
</VirtualHost>
Solution 2 is left as an exercise for the reader... :P
Here is what I did to make it work.
The name change in the /etc/hosts file did nothing in my intranet, so I used the actual name of the machine, which is ech-10.45.25.12:
NameVirtualHost ech-10.45.25.12:80
<VirtualHost ech-10.45.25.12:80>
ServerName ech-10.45.25.12
ProxyPreserveHost on
ProxyPass /issuetracker http://ech-10.45.25.12:8080/issuetracker
ProxyPass /dashboard http://ech-10.45.25.12:8180/dashboard
</VirtualHost>
Also don't forget to add the "proxyName" & "proxyPort" attributes to the tag in Tomcat's server.xml.

Apache2 is redirecting to https

I installed SSL (stupidly) to encrypt the data being sent; the only trouble was my subdomain was redirecting to my main. I changed my default virtual host back to the original settings and also typed a2dismod ssl. Now whenever I type in www.domain.com it redirects to https://www.domain.com and then says SSL Connection Error.
I'm hoping to either get SSL working on the main+sub or just remove it completely. Has anyone got any idea why it's redirecting to HTTPS?
My VirtualHosts file is:
<VirtualHost *:80>
ServerName www.domain.com
DocumentRoot /var/www/folder
#SSLEngine on
#SSLCertificationFile /etc/apache2/ssl/apache.crt
#SSLCertificationKeyFile /etc/apache2/ssl/apache.key
</VirtualHost>
<VirtualHost *:80>
ServerName sub.domain.com
DocumentRoot /var/www/sub
#SSLEngine on
#SSLCertificationFile /etc/apache2/ssl/apache.crt
#SSLCertificationKeyFile /etc/apache2/ssl/apache.key
</VirtualHost>
Now if I un-comment the lines with # on and change *:80 to *:443 it redirects to the main site with SSL enabled...
You are enabling mod_ssl (with the "SSLEngine on" directive) on an HTTP Virtual Host on TCP/80. You need to set up different Virtual Hosts bound to the TCP/443 port, and only enable mod_ssl on those.
Otherwise, mod_ssl expects an HTTPS connection on port 80 and, seeing that your browser is speaking HTTP, tries to redirect the browser to https://www.domain.com.