We Keep Coding

Apache SSL vhost won't use DocumentRoot but rather uses server webroot

I have an apache config using a DV wildcard cert. The ssl.conf is configured to use the certificate for all server traffic.
My vhost conf file has two virtual hosts defined there. A production vhost and a dev vhost. The conf file contents are;
<VirtualHost *:443>
ServerName www.example.com
ServerAlias example.com
ServerAdmin webmaster#example.com
DocumentRoot /var/www/html/vhosts/prod_example_com/
<Directory "/var/www/html/vhosts/prod_example_com">
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog "/var/log/httpd/www.example.com-error_log"
CustomLog "/var/log/httpd/www.example.com-access_log" common
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/comodo/STAR_example_com.crt
SSLCertificateKeyFile /etc/pki/tls/certs/csr/www_example_com.key
SSLCertificateChainFile /etc/pki/tls/certs/comodo/SectigoRSADomainValidationSecureServerCA.crt
</VirtualHost>
<VirtualHost *:443>
ServerName dev.example.com
ServerAdmin webmaster#example.com
DocumentRoot "/var/www/html/vhosts/dev_example_com"
<Directory "/var/www/html/vhosts/dev_example_com">
AllowOverride All
Require all granted
</Directory>
ErrorLog "/var/log/httpd/dev.example.com-error_log"
CustomLog "/var/log/httpd/dev.example.com-access_log" common
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/comodo/STAR_example_com.crt
SSLCertificateKeyFile /etc/pki/tls/certs/csr/www_example_com.key
SSLCertificateChainFile /etc/pki/tls/certs/comodo/SectigoRSADomainValidationSecureServerCA.crt
</VirtualHost>
So, when I go to https://dev.example.com, it works great. However, when I try to go to https://www.example.com, it instead goes to the Apache server webroot of /var/www/html.
Have I overlooked something?
Thanks in advance to any help offered?

I seemed to have found the issue. In my particular instance, the vhost.conf VirtualHost tags were change both to *:443, but what got everything back on track was commenting out ServerName www.example.com:443 from my httpd.conf and restarting Apache. I hope this helps someone else that may be suffering from this same issue.

Installed SSL on Apache server, page not responding

My question is about SSL installation. I purchased a new SSL for a website that's hosted on a Ubuntu 16.04 box with Apache 2.4.29. I was able to get this installed and I'm not getting any errors but my page is not redirecting. I've followed some guides (DigitalOcean) but feel as I'm missing something.
I have checked the sites-available files (000-default.conf, default-ssl.conf & example.com.conf) and I'm not seeing anything that's catching my eye, but I feel I migtht be missing something. I've checked the status of Apache and I'm not getting any errors and I've restarted the services several times to no avail.
Here's a general breakdown of what I have. Am I missing something? Is additional information required for setting this up?
000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www
Redirect "/" "https://example.com/"
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
default-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster#localhost
DocumentRoot /var/www
SSLCertificateFile /root/example.com.crt
SSLCertificateKeyFile /root/www.example.com.key
SSLCACertificateFile /root/intermediate.crt
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>4
mydomain.com.conf
<VirtualHost *:443>
ServerAdmin admin#somedomain.com
ServerName mydomain.com
ServerAlias www.example.com
DocumentRoot /var/www/example.com/html
Redirect permanent / https://example.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Here is my attempt at a combined configuration. Note that I do not have your setup to test it, but I have used similar configurations on production servers.
First define your port 80 VirtualHost (000-default.conf in your setup):
Listen 80
<VirtualHost *:80>
Redirect "/" "https://example.com/"
LogLevel debug
ErrorLog "${APACHE_LOG_DIR}/80_error.log"
CustomLog "${APACHE_LOG_DIR}/80_access.log" combined
</VirtualHost>
No need for a DocumentRoot since you redirect everything.
Then comment out default-ssl.conf. This file is an example of what you could do to setup an SSL enabled VirtualHost. If you use that file AND another VirtualHost on port 443, this one will always be used, since Apache uses the first VirtualHost it finds that matches the client's request (here port 443).
Another point, VirtualHost are not "added" to one another. Each is independent of the others and must contain a complete configuration. This means you cannot put some configuration in on VirtualHost on port 443, and some in another and expect it to work.
Then create your example.com.conf file:
Listen 443
<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
ServerAdmin admin#example.com
SSLCertificateFile "/root/example.com.crt"
SSLCertificateKeyFile "/root/example.com.key"
SSLCACertificateFile "/root/intermediate.crt"
LogLevel debug
ErrorLog "logs/443_error_log"
CustomLog "logs/443_access_log" combined
DocumentRoot "/var/www/example.com/html"
DirectoryIndex index.html
<Directory "/var/www/example.com/html">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
Some notes:
I put the LogLevel at debug, so you can troubleshoot, but once it is working, change it to error. Otherwise you will have huge log files quickly!
For the same reason, I split the logs for port 80 and port 443. Each VirtualHost should have its own logs.
The certificate files must match the domain name. Not the filename (although it makes it easier to match), but the certificate itself.
If you want your certificate to cover example.com and www.example.com, both names must be added to the alternate names in the certificate.
I do not understand why you have Redirect permanent / https://example.com in your configuration. You are already in the https, port 443 VirtualHost.
The options based on <FilesMatch> directives in the default ssl configuration can be added if you want.
This setup will ensure that all http requests will be redirected to https://example.com. Then it will use the :443 VirtualHost, use the proper certificate for that domain and serve the content from the DocumentRoot directory.

Apache really slow with alias

I face a really strange issue with Apache2 (v2.4.7).
Our sites have both domain.com and www.domain.com, with and without HTTPS
When I only enable one of them with SSL, it response take less than 0.01s.
When I enable both of them with SSL, it takes more than 1 minute to answer.
There's no issue with "classic" HTTP configuration file, only the one with SSL
I've tried both with independent configuration files, or with aliases. No matter, more or less the same big response time.
Here's the config file:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName domain.com
ServerAlias www.domain.com # Fast when commented, slow when enabled
ServerAdmin webmaster#localhost
DocumentRoot /var/www/site
ErrorLog ${APACHE_LOG_DIR}/site-error.log
CustomLog ${APACHE_LOG_DIR}/site-access.log combined
<Directory "/var/www/site/blog">
AllowOverride All
Options FollowSymLinks
allow from all
order allow,deny
</Directory>
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/domain.com-0001/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.com-0001/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/domain.com-0001/chain.pem
</VirtualHost>
</IfModule>
Do you have any idea how to fix this or where does the issue comes from?
Thank you for help ;)

That's strange. Are you sure if you have mod_alias enabled and loaded? You can find that out by issuing this command on a ssh console:
httpd -t -D DUMP_MODULES | grep alias
What you can try though it this: Get your server's ip (no matter if it's private or public) from your main ethernet card and use it in your apache configuration.
Replace:
<VirtualHost *:443> with <VirtualHost server-ip:443> for all your vhosts
Restart apache and try again

Name based virtual hosts with SSL on Apache 2.2.3/CentOS 5.9

Hi I'm trying to serve one site with two subdomains, and both subdomains should be under SSL. I've purchased a wildcard SSL certificate and have it installed. In my vhosts file I have 5 definitions, www (80), app (80/443), and staging (80/443). All of the subdomains work under port 80.
Here's a snippet of my vhosts.conf file:
NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:80>
ServerAdmin support#---
ServerName app.---
DocumentRoot /var/www/vhosts/---/app/www/
ErrorLog /var/www/vhosts/---/app/log/error.log
<Directory "/var/www/vhosts/---/app/www">
Options Indexes FollowSymLinks
AllowOverride All
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerAdmin support#---
ServerName app.---
DocumentRoot /var/www/vhosts/---/app/www/
ErrorLog /var/www/vhosts/---/app/log/ssl.log
SSLEngine ON
SSLCertificateFile /etc/httpd/conf.d/ssl/---/ssl.crt
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/---/ssl.key
SSLCertificateChainFile /etc/httpd/conf.d/ssl/---/intermediate.crt
<Directory "/var/www/vhosts/---/app/www">
Options Indexes FollowSymLinks
AllowOverride All
</Directory>
</VirtualHost>
<VirtualHost *:80>
ServerAdmin support#---
ServerName staging.---
DocumentRoot /var/www/vhosts/---/staging/www/
ErrorLog /var/www/vhosts/---/staging/log/error.log
<Directory "/var/www/vhosts/---/staging/www">
Options Indexes FollowSymLinks
AllowOverride All
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerAdmin support#---
ServerName staging.---
DocumentRoot /var/www/vhosts/---/staging/www/
ErrorLog /var/www/vhosts/---/staging/log/ssl.log
SSLEngine ON
SSLCertificateFile /etc/httpd/conf.d/ssl/---/ssl.crt
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/---/ssl.key
SSLCertificateChainFile /etc/httpd/conf.d/ssl/---/intermediate.crt
<Directory "/var/www/vhosts/---/staging/www">
Options Indexes FollowSymLinks
AllowOverride All
</Directory>
</VirtualHost>
If I change this line:
<VirtualHost *:443>
To:
<VirtualHost SERVER_IPADDRESS:443>
The first definition will work as expected and use the correct certificate. When I restart Apache I receive a message in the terminal stating there's a duplicate entry and only the first will be used.
With the conf as it is above I don't receive any errors or warnings in the terminal, but I have seen this in Apache's log:
[warn] Init: You should not use name-based virtual hosts in conjunction with SSL!!
From what I've read online that warning is expected and shouldn't be a problem.
Running configtest shows Syntax OK.
It seems the problem is named virtual hosts with SSL. I've checked 3 guides online and tried a variety of things (using *.domain.com as ServerName for both, app.domain.com as ServerAlias), subdomains as the directive (app.domain.com:443) but can't figure out the right combination to serve each subdomain under both 80 and 443 using only one IP address.
I know it's possible. Any ideas on what I'm missing?

Check the version of apache you are using. It may be that your apache is too old to support it. I think sni was supported in apache 2.2.12 and later.

The only solution I was able to find which isn't a great one was to rebuild on CentOS 6.4. The issue as noted by Russ is that the built in Apache/OpenSSL do not support SNI. I managed to get OpenSSL upgraded in 5.9, but I was not able to build Apache with SNI. I compiled it using a guide that showed the flags to use but it didn't work. That's not to say it can't be done and I may have done it wrong, this was easier since it's for a new site and downtime isn't an issue.
Once the issue was corrected the warning in error_log changes to this:
[warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
Thanks for the help!

How to use https?

If on the server, we already setup/configured the SSL certificate, how could I make my websites using secure page? Just make the linke to https://example.com/etc.php?
Thanks!

Two things have to be in place.
You'll need to setup the ssl cert properly, which it sounds like you have
As the other commentator said, this will depend upon which webserver you're using. More likely than not, apache:
Apache:
You'll need to modify the apache settings to support the https version of your site. If you're using a modern installation of Apache2 with virtual hosts, usually there will be a "sites-available" directory where individual config files exists for each domain. For a domain that will have both http and https (80 and 443), you would do something like this, assuming apache is listening on 127.0.0.1 (this would not be the case for most apache installations, so be sure to change the ip). It also goes without saying that you need to change the paths and domain name in the following:
<VirtualHost 127.0.0.1:80>
ServerAdmin somebody#domain.com
ServerName somebody.com
ServerAlias www.somebody.com
DocumentRoot /home/somebody/www
<Directory "/home/somebody/www">
Options FollowSymLinks
AllowOverride All
Options -Indexes
</Directory>
ErrorLog /home/logs/somebody.error.log
CustomLog /home/logs/somebody.access.log combined
</VirtualHost>
<VirtualHost 127.0.0.1:443>
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/something.crt
SSLCertificateKeyFile /etc/apache2/ssl/something.key
SSLCertificateChainFile /etc/apache2/ssl/gd_bundle.crt
ServerAdmin somebody#something.com
ServerName somebody.com
ServerAlias www.somebody.com
DocumentRoot /home/somebody/www
<Directory "/home/somebody/www">
Options FollowSymLinks
AllowOverride All
Options -Indexes
</Directory>
ErrorLog /home/logs/somebody.ssl.error.log
CustomLog /home/logs/somebody.ssl.access.log combined
</VirtualHost>
If you are using nginx, there is a similar dual block you'll need to have for :80 and :443. Look at the block you already have for 80 and consult their documentation:
http://nginx.org/en/docs/http/configuring_https_servers.html
You may also be using iis, in which case, here are the instructions for version 7:
How do I configure a site in IIS 7 for SSL?