Where do I put the subject alternative names for my ssl using apache - apache

I purchased an SSL certificate and I have some subject alternative names for it, but I'm not sure where to put them in the config file. Each site is hosted on the same server and they all correspond to one another. They are all basically the same site, just for different uses/marketing reasons.
SUBJECT ALTERNATIVE NAMES: www.example2.com, www.otherexample.com, www.helpwithSANs.com
<VirtualHost IP:port>
ServerName www.example.com
SSLEngine on
SSLCertificateFile /path_to_cert
SSLCertificateKeyFile /path_to_key
SSLCertificateChainFile /path_to_whateverthisis
</VirtualHost>
So my question is: where or how do I use the SUBJECT ALTERNATIVE NAMES so the cert will work on all the sites?
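As an added illustration (not part of the original question or any Apache code): the SAN hostnames go into the vhost as ServerAlias entries, and the certificate itself must list each name the vhost answers for. The script below, with a constructed vhost fragment and a constructed SAN list, checks that coverage using the same wildcard rules browsers apply.

```python
import re
from typing import List

# Constructed vhost fragment (not the original poster's config): the SAN
# hostnames from the question become ServerAlias entries of the one vhost
# that loads the SAN certificate, so SNI routes all four names to it.
VHOST_CONF = """
<VirtualHost *:443>
    ServerName www.example.com
    ServerAlias www.example2.com www.otherexample.com www.helpwithSANs.com
    SSLEngine on
    SSLCertificateFile /path_to_cert
    SSLCertificateKeyFile /path_to_key
</VirtualHost>
"""

# Constructed SAN list, as 'openssl x509 -noout -ext subjectAltName' would show.
CERT_NAMES = ["www.example.com", "www.example2.com",
              "www.otherexample.com", "www.helpwithsans.com"]


def vhost_names(conf: str) -> List[str]:
    """Collect every ServerName/ServerAlias value; strip a scheme or port
    (ServerName www.example.com:443) so only the hostname is compared."""
    names = []
    for line in conf.splitlines():
        m = re.match(r"\s*(?:ServerName|ServerAlias)\s+(.+)", line)
        if m:
            for value in m.group(1).split():
                names.append(value.split("://")[-1].split(":")[0])
    return names


def cert_covers(cert_name: str, host: str) -> bool:
    """RFC 6125 rules browsers apply: case-insensitive, and '*' is only valid
    as the entire leftmost label, so *.example.com covers www.example.com
    but neither example.com nor a.b.example.com."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                      # ".example.com"
        prefix = host[:-len(suffix)] if host.endswith(suffix) else None
        return bool(prefix) and "." not in prefix
    return cert_name == host


def uncovered_names(conf: str, cert_names: List[str]) -> List[str]:
    """Vhost names the certificate does not cover; an empty list means every
    name Apache answers for is in the SAN list (modern browsers check only
    the SAN list, not the CN)."""
    return [h for h in vhost_names(conf)
            if not any(cert_covers(c, h) for c in cert_names)]
```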

Related

How to dynamically set SSLCertificateFile for user's custom domains

I have a site where users can point their own custom domain to their unique directory on my site through A Records.
For example, example.com points to mysite.com/something and anothersite.org points to mysite.com/somethingelse
Each of these custom domains has an SSL certificate generated for it; however, is there a way to point to them dynamically in the VirtualHost file?
SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
domain.com should be the current domain - if someone visits example.com then that should be where domain.com is.
Is it possible to use variables somehow?
I have tried this but it doesn't work and causes an error:
SSLCertificateFile /etc/letsencrypt/live/%{HTTP_HOST}/fullchain.pem
There is only one virtual host in total, as there are hundreds of custom domains.

SNI Dynamic Certificate

I'm pulling my hair out here.
Websites like wix.com, squarespace.com, etc. can generate websites on the fly and still use SSL on every one of the millions of custom domains.
I try to do the same thing, but I can't figure out how they do it!?
The logical solution would be on Apache:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAlias *
UseCanonicalName Off
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/%0/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/%0/server.key
</VirtualHost>
</IfModule>
But when I restart apache I get an error: SSLCertificateFile: file '/etc/apache2/ssl/%0/server.crt' does not exist or is empty
Even when I create a dummy folder /ssl/%0/ with some dummy certificates... it still used the (wrong) dummy certificates.
I know some will get on their high horses and yell that you cannot resolve the server name BEFORE the TLS handshake.
But according to this post and other ones: %0 can be resolved with mod_vhost_alias because the server name is sent with SNI...
I know this works: a second approach would be to create a virtualhost for every custom domain:
<VirtualHost *:443>
ServerName site111.ca
ServerAlias www.site111.ca
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile "/var/app/s3/ssl/site111.ca/certificate.crt"
SSLCertificateKeyFile "/var/app/s3/ssl/site111.ca/certificate.key"
SSLCertificateChainFile "/var/app/s3/ssl/site111.ca/certificate.chain"
</VirtualHost>
<VirtualHost *:443>
ServerName site222.ca
ServerAlias www.site222.ca
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile "/var/app/s3/ssl/site222.ca/certificate.crt"
SSLCertificateKeyFile "/var/app/s3/ssl/site222.ca/certificate.key"
SSLCertificateChainFile "/var/app/s3/ssl/site222.ca/certificate.chain"
</VirtualHost>
I could create a dirty system where I add one virtual host per new domain and reload apache every day. Eeewwww... And again: Apache caps the number of virtual hosts at 256 :/
How do they do it!? Is there other technology that can help me? Nginx, Nodejs?
Thank you for your time.
To generate SSL websites on the fly, they use the Letsencrypt certificate authority, as you can check yourself (example: CN = www.thefoodmarketchiswick.com). But for the websites hosted under .wix.com names, they're just using a wildcard certificate (CN = *.wix.com). Till then, easy.
The second question: as you mentioned, Apache could not handle this massive hosting (and no one believes you could host millions of applications on one single server). Have a look at this Netcraft Survey, which gives some clues. I can't answer for them, but running an openssl s_client ends in error, meaning they aren't doing very compliant things.
TL;DR: they use wildcard certificates. So the problem is solved at the certificate level and at the server config level, not only at the server config level like you are trying to do.
Couple of points:
The logical solution - hardly do I see anything "logical" in Computer Science or Software Engineering. It's engineering, not math, you have to DO stuff, not THINK stuff up. So knowledge becomes more important than intelligence in a lot of cases (not all).
You have a correct point about SNI - it is a push-back of the host identification mechanism to the TCP/SSL layer (prior to HTTP, where HTTP headers become available).
virtualhost for every custom domain - Depending on the scale we are talking about, it could work. However, if you onboard a client with 200, 1000, 5000 subdomains, what then?
How do they do it - Let me just provide examples: an HTTP proxy like cloudflare generates a free certificate for you, that you have to add on your server (PROXY->ORIGIN encryption), and the END_USER -> CLOUDFLARE connection is encrypted using a wildcard certificate. These are the DNS names of the wildcard certificate they issued for me:
Abbreviated:
How does the configuration of such a server look? It is really a server farm, under a loadbalancer, w/ resources sharded (static resources on separately tuned machines w/ cache). There are multiple virtual hosts / domains / host aliases on each of the servers, but only 1 SSL file for many of them (or all, depending on the scale). The domains can have dedicated configurations; they can be grouped together if their configurations are identical.
Regarding webserver recommendations - unless there is a good reason to use APACHE, I would not use it. There is a reason why nginx is gaining traction and popularity.

SSL on subdomain and primary domain - ehost

I have an issue with my provider - ehost.
I have a wildcard certificate. I wanted to first test it before I go live. So I requested to install it on a subdomain first (uat.domain.com). I have tested the application and want to go live. The provider said that it is impossible to install the certificate on the primary domain (domain.com) because they have installed it first on the subdomain.
Of course they have offered me to buy a certificate from them.
I really don't understand the issue. Can someone tell me if they are right or not? I thought that it is possible even to take the certificate from ehost and send it to another provider and install it. The certificate is now installed on an Apache server, and the folders for the subdomain and primary domain are on the same server.
Without looking at the actual configuration it is hard to tell, but to answer your question: if they say it is impossible, that is because they are just using 1 VirtualHost in their server.
Generally, shared hosting has these kinds of issues because they dedicate 1 single instance of Apache to many different clients and have 1 virtualhost per client, but this is just guessing; you need to check that this is what is currently happening.
But I can also describe how Apache works so you understand what may be happening:
If the Apache configuration has different virtualhosts, you can have as many different certificates, wildcards and whatnot, as virtualhosts you have.
This is, 1 certificate per VirtualHost.
But that is not all: if you have several different domain or subdomain names, this is when you need to carefully plan how you must configure them.
For instance
If you have defined this virtualhost first:
<VirtualHost *:443>
ServerName example.com
ServerAlias *.example.com
</VirtualHost>
No other virtualhosts for whatever.example.com or example.com will apply or be used since this virtualhost will grab all the requests for those names.
But if you have:
<VirtualHost *:443>
ServerName domain.com
</VirtualHost>
And now you need to define a virtualhost with a new wildcard certificate for your subdomain; you can perfectly do so using the new wildcard certificate for *.example.com:
<VirtualHost *:443>
ServerName xxxxx.example.com
</VirtualHost>
and can now define more virtualhosts if you want/need with the same wildcard cert for *.example.com:
<VirtualHost *:443>
ServerName yyyyy.example.com
</VirtualHost>
Note these are stripped-down virtualhost examples (obviously your virtualhosts will have more directives inside them, especially the ones loading the key and certificates, etc.).
And briefly, things you need to consider:
Apache HTTPD looks at Host header to know to which virtualhost it must deliver the request.
If you overlap names or define too-greedy ServerAliases, further defined virtualhosts may never receive requests if a previous virtualhost matches the host name requested. This is, first match in the virtualhost list wins.
Apache lets you have 1 certificate per virtualhost, it does not matter if you use the same certificate in several virtualhosts though.
You just have to be careful of not overlapping names and wildcards if you use ServerAlias. Having two virtualhosts covering the same name will just make httpd ignore the second virtualhost for the same name.
If you have several different files for different virtualhosts, they are read in alphabetical order, so if you have a-virtualhost.conf with ServerName 1.example.com and b-virtualhost.conf also with ServerName 1.example.com, b-virtualhost.conf will be ignored.
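To make the first-match rule above concrete, here is an added Python model (not Apache code and not part of the original answer) of how httpd picks a name-based vhost: it parses constructed config files in alphabetical order and reports which vhosts an earlier, greedier vhost shadows, so the uat.example.com case from the answer can be checked before reloading.

```python
import fnmatch
import re
from typing import Dict, List, Tuple

# Constructed config files (not the original poster's), named so that httpd
# reads the greedy *.example.com vhost before the uat.example.com one.
CONF_FILES: Dict[str, str] = {
    "a-wildcard.conf": """
<VirtualHost *:443>
    ServerName example.com
    ServerAlias *.example.com
</VirtualHost>
""",
    "b-uat.conf": """
<VirtualHost *:443>
    ServerName uat.example.com
</VirtualHost>
""",
}

VHost = Tuple[str, List[str]]   # (ServerName, [ServerName + ServerAlias values])


def parse_vhosts(conf_files: Dict[str, str]) -> List[VHost]:
    """Vhosts in the order httpd sees them: files sorted by name, blocks in file order."""
    vhosts = []
    for fname in sorted(conf_files):
        for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf_files[fname], re.S):
            server_name = re.search(r"ServerName\s+(\S+)", block).group(1)
            aliases = [a for line in re.findall(r"ServerAlias\s+(.+)", block) for a in line.split()]
            vhosts.append((server_name, [server_name] + aliases))
    return vhosts


def pick_vhost(vhosts: List[VHost], host: str) -> str:
    """First match wins. ServerAlias takes shell-style wildcards, and in httpd '*'
    matches across dots, so *.example.com also grabs a.b.example.com. With no
    match httpd falls back to the first vhost for that address:port (and its cert)."""
    host = host.lower()
    for server_name, names in vhosts:
        if any(fnmatch.fnmatchcase(host, n.lower()) for n in names):
            return server_name
    return vhosts[0][0]


def shadowed_vhosts(vhosts: List[VHost]) -> List[str]:
    """Vhosts that can never be selected because an earlier vhost already
    matches each of their literal names (wildcard aliases are skipped)."""
    return [sn for sn, names in vhosts
            if all(pick_vhost(vhosts, n) != sn
                   for n in names if not any(c in n for c in "*?"))]
```

Renaming the files so the uat vhost sorts first (or listing it first in one file) is what makes shadowed_vhosts return an empty list.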

Untrusted certificate - Apache & StartSSL

Trying to set up SSL on Apache (on AWS Linux). Firefox gives me these details in its nastygram:
The certificate is not trusted because it is self-signed.
The certificate is only valid for ip-###-##-#-##
I'm currently working under the assumption that this is a problem with the ChainFile or CA cert - quite possibly because I don't have the correct info in httpd.conf. Can you comment on the code below or let me know where else to look for the error?
httpd.conf:
<VirtualHost *:443>
DocumentRoot /var/www/html
ServerName https://###-##-#-##
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /home/ec2-user/StartSSLcert.pem
SSLCertificateKeyFile /home/ec2-user/StartSSLkey.pem
SSLCertificateChainFile /home/ec2-user/sub.class1.server.sha1.ca.pem
SSLCACertificateFile /home/ec2-user/ca.pem
</VirtualHost>
This page has been my primary reference: http://www.startssl.com/?app=21 However, it includes many lines of code not in other examples I've found online, with no description of what they do.
I've been guess-and-checking between the example above and a simpler example like: http://www.sslshopper.com/apache-server-ssl-installation-instructions.html
Everything I try is either untrusted by Firefox or I get errors when restarting apache. Ideas?
By default, the SSL settings in:
/etc/httpd/conf.d/ssl.conf
override the corresponding block in:
/etc/httpd/conf/httpd.conf
When using AWS you need to edit ssl.conf
"The certificate is only valid for ip-###-##-#-##"
Credit due here:
Cannot setup SSL keys on my apache server in AWS EC2
If your server has more than one IP address, replace the * with the IP address inside ""
See: http://httpd.apache.org/docs/2.4/mod/core.html#virtualhost
What's more, make sure you create your private key and CSR correctly.
See: https://library.linode.com/security/ssl-certificates/commercial#sph_create-a-certificate-signing-request

Apache 2 types of SSL using VirtualHosts

I have 2 different applications.
1) tools.helpme.com Requires Client Certificates from users!
SSLCACertificateFile /usr/local/etc/apache22/certs/cacert.pem
SSLCertificateKeyFile /usr/local/etc/apache22/certs/server.key
SSLCertificateFile /usr/local/etc/apache22/certs/server.crt
SSLCertificateChainFile /usr/local/etc/apache22/certs/server.crt
SSLVerifyClient require
2) apps.helpme.com Requires basic SSL from the Server only!
SSLCACertificateFile /usr/local/etc/apache22/certs/cacert.pem
SSLCertificateKeyFile /usr/local/etc/apache22/certs/server.key
SSLCertificateFile /usr/local/etc/apache22/certs/server.crt
SSLCertificateChainFile /usr/local/etc/apache22/certs/server.crt
SSLVerifyClient none
I have each of them working independently of the other, and it is perfect.
However, I cannot get both of them running together; they are on different VirtualHosts - name-based hosting.
If I try to run both of them together, it seems (2) takes preference and works, but (1) gets a GATEWAY_TIMEOUT!
The error log for that virtual host says: Re-negotiation handshake failed: Not accepted by client!?
You need the sites on two different IP addresses, as the SSL handshake occurs before the Host HTTP header is sent. You can run on separate port numbers with the same IP though, but that doesn't really help for two different web services?