hosting multiple SSL certs on apache - ssl

I hope someone can give me a hand with this. I have 2 IPs that I can use to do this and need to host 2 different secure (SSL) domains on the same Apache server. I've read that as of Apache 2.2.something that a single IP can be used, using some sort of add-in but I want to keep this as simple as possible and am willing to use both IPs to accomplish this task. I already have the 2 signed certificates for the domains.
This setup that I am posting here, works, but the issue I am having is that when I go to domain2.net, I receive a browser warning telling me that the cert does not match the domain but matches domain1.com
I'm using CentOS 5 and Apache 2.2.3. CentOS has a ssl.conf file and these lines are what I believe are giving me trouble:
SSLCertificateFile /etc/pki/tls/certs/domain1.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/domain1.com.key
I was under the impression that I could override these values in the virtual host containers and reference the keys that I need but it doesn't appear that way. When I comment these two lines out in the ssl.conf file, Apache won't restart. The ssl_log hints: SSLCertificateKeyFile
These are my virtual containers:
<VirtualHost 2.2.2.2:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/domain2.net.crt
SSLCertificateKeyFile /etc/pki/tls/private/domain2.net.key
DocumentRoot "/var/www/domain2"
ServerName domain2.net
ServerAlias domain2.net
DirectoryIndex "index.php"
<Directory /var/www/html/domain2>
Options -Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
<VirtualHost 1.1.1.1:444>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/domain1.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/domain1.com.key
DocumentRoot "/var/www/html"
ServerName domain1.com
ServerAlias domain1.com
DirectoryIndex "index.php"
<Directory /var/www/html>
Options -Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
How can I get these two domains to work using SSL? I've also tried to use the same port for the different IPs but again, Apache won't restart.
I'm truly lost on this so if someone could lend a hand, I'd really appreciate it.

Great question!
I was able to get two SSL certificates working on the same server. You should be able to do what you are trying to do.
The things in your configuration that stand out as odd to me:
I'd suggest using port 443 for both SSL-protected sites. You should have a specific instruction in apache's conf files somewhere for listening on port 443. For me it is located in /etc/apache2/ports.conf
Listen 443
.
It seems odd that you have ServerName and ServerAlias both using the same domain per virtual host. Try making the ServerAlias different or leaving it out:
ServerName domain1.com
ServerAlias www.domain1.com
.
I am assuming that you replaced your IPs and domains in your posted conf. Even if they are not the actual IPs you are using, you might want to double check that they can get you to the right place outside of SSL (since obviously SSL is not working).
.
Check the apache2 error log for more information. For me the log is located at: /var/log/apache2/error.log . You can set it with:
ErrorLog /var/log/apache2/error.log
And finally, for your reference here is my ssl-default (ssl.conf). I replaced my domains and IPs with the ones you used in your example conf. I have multiple subdomains working with NameVirtualHost since I have a wildcard cert:
<IfModule mod_ssl.c>
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
<Directory /var/www/>
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
NameVirtualHost 1.1.1.1:443
NameVirtualHost 2.2.2.2:443
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/ssl_access.log combined
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
# 1.1.1.1 = domain1.com
<VirtualHost 1.1.1.1:443>
ServerName www.domain1.com
ServerAdmin admin#domain1.com
SSLEngine on
SSLCertificateKeyFile /var/www/ssl/domain1.key
SSLCertificateFile /var/www/ssl/wildcard.domain1.crt
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
DocumentRoot /var/www/domain1/www.domain1.com/web
DirectoryIndex index.php index.html
</VirtualHost>
<VirtualHost 1.1.1.1:443>
ServerName secure.domain1.com
ServerAdmin admin#domain1.com
SSLEngine on
SSLCertificateKeyFile /var/www/ssl/domain1.key
SSLCertificateFile /var/www/ssl/wildcard.domain1.crt
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
DocumentRoot /var/www/domain1/secure.domain1.com/
DirectoryIndex index.php index.html
</VirtualHost>
# 2.2.2.2 = *.domain2.com
<VirtualHost 2.2.2.2:443>
ServerName admin.domain2.com
ServerAdmin admin#domain2.com
SSLEngine on
SSLCertificateKeyFile /var/www/ssl/domain2.key
SSLCertificateFile /var/www/ssl/domain2.crt
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ErrorLog /var/log/apache2/error.log
DocumentRoot /var/www/domain2/secure.domain2.com/web
DirectoryIndex index.php index.html
php_flag display_errors on
php_value error_reporting 7
</VirtualHost>
</IfModule>
I hope this helps!!

You don't need a separate ssl.config file, but if you want to use one, then put your SSL <VirtualHost XXX:443> containers in your ssl.conf file rather than in your httpd,conf file.
The other option which we use on our site is to put the settings from the ssl.conf file in our httpd.conf file and rename the ssl.conf file to something like ssl.conf.bak (to keep it for reference).

It might help to put this Apache command before the first Virtual Host:
SSLStrictSNIVHostCheck on
This enabled me to have several different domains each with its own keys running on the same IP without getting confused.

Related

Why is Apache ignoring :80 vhost file and only matching sites in :443 vhost file?

I have 2 vhost files: 1 with all our sites admin URLS on port 443, 1 with all our sites main URLs on port 80.
Both files are known by apache as shown by apachectl -S.
net stat shows Apache listening on :80 and :443
I am using host file from my MacBook for now.
However, only URLs that match vhosts lines in the 443 vhost file are working. Otherwise the site will load the first site in the 443 vhost file. (301 Moved Permanently)
I even try going to site-name.com:80 - but none of the site URLS from the :80 vhost file are getting matched by apache. What am I missing?
EDIT: adding code
Listen 1xx.2xx.3xx.4xx:80 is defined in httpd.conf
From vhost.conf for main site URLS (This one is NOT working)
NameVirtualHost *:80
<VirtualHost 1xx.2xx.3xx.4xx:80>
ServerAdmin admin#site1.com
ServerAlias www.site1.com
DocumentRoot /var/www/site1.com/public
ServerName site1.com
ErrorLog /var/log/httpd/site1.com-error_log
CustomLog /var/log/httpd/site1.com-access_log common
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
<Directory /var/www/site1.com/public>
Options FollowSymLinks
AllowOverride All
DirectoryIndex index.php
</Directory>
</VirtualHost>
From sslvhost.conf for admin sites (This one IS working)
Listen 443 https
NameVirtualHost *:443
<VirtualHost *:443>
DocumentRoot "/var/www/site1.com/public"
ServerName site1.com
ServerAlias site1.com admin-site1.com
LogLevel warn
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
SSLEngine on
SSLProtocol all -SSLv3 -SSLv2 -TLSv1 -TLSv1.1
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
<Directory /var/www/site1.com/public>
Options FollowSymLinks
AllowOverride All
DirectoryIndex index.php
</Directory>
</VirtualHost>
From the config it seems you are missing the following
Listen 80
You Can add it just below the NameVirtualHost *:80

Virtual host Object not found

Everytime I try to access https://sub.myproject.test/ this message pops up:
Object not found!
The requested URL was not found on this server. If you entered the URL manually please check your spelling and try again.
If you think this is a server error, please contact the webmaster.
Error 404
sub.myproject.test
Apache/2.4.38 (Unix) OpenSSL/1.0.2q PHP/7.2.15 mod_perl/2.0.8-dev Perl/v5.16.3
On httpd-vhosts.conf I have:
<VirtualHost *:80>
DocumentRoot "/mnt/data/myproject/sub.myproject.com/public_html"
ServerName sub.myproject.test
ServerAlias www.sub.myproject.test
<Directory "/mnt/data/myproject/sub.myproject.com/public_html/">
AllowOverride All
Require local
</Directory>
</VirtualHost>
and on httpd-ssl.conf I have:
# catalog config
<VirtualHost *:443>
DocumentRoot "/mnt/data/myproject/sub.myproject.com/public_html"
ServerName sub.myproject.test:443
ServerAlias www.sub.myproject.test:443
ErrorLog "/opt/lampp/logs/error_log"
TransferLog "/opt/lampp/logs/access_log"
SSLEngine on
SSLCertificateFile "/opt/lampp/etc/ssl.crt/server.crt"
SSLCertificateKeyFile "/opt/lampp/etc/ssl.key/server.key"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/mnt/data/myproject/sub.myproject.com/public_html/">
SSLOptions +StdEnvVars +FakeBasicAuth
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Allow from all
Require all granted
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog "/opt/lampp/logs/ssl_request_log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
And of course in /mnt/data/myproject path I have the sub.myproject.com folder
If you could help me fix this, it'd be very appreciated
Your VirtualHost is ok (except you do not need to put :443 in ServerName and ServerAlias directives), but you never tell Apache which page to display by default, when not specified in the request.
Define DirectoryIndex in each VirtualHost.
Ex: DirectoryIndex index.html
When the request is https://example.com/
,hence nothing after the domain name, Apache will display index.html, from the DocumentRoot directory.
Unrelated to your question, you should put ServerTokens Prod and ServerSignature Off in your configuration, your error message is displaying way to much information.

local WampServer https: ERR_CONNECTION_REFUSED

Edit: It looks like this issue is the root cause. The site in question is a http site, but it redirects to https automatically, so I decided to install an SSL cert to see the outcome. /end edit.
I followed the answer here to create a local SSL cert for my WampServer 3.1.0 64-bit.
I have made a local copy of our site, migrated the database to a new local URL (www.superiorit.dev), create an entry in httpd-vhosts.conf, and added a <VirtualHost www.superiorit.dev:443> entry in C:\wamp64\bin\apache\apache2.4.27\conf\extra\httpd-ssl.conf which contains the correct path to the .cert and .key files.
When I try to load https://www.superiorit.dev in the browser, I receive the error:
This site can’t be reached
www.superiorit.dev refused to connect.
Try:
Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED
This is the entry in http-vhosts.conf:
<VirtualHost www.superiorit.dev:8080>
ServerName www.superiorit.dev
ServerAlias www.superiorit.dev
DocumentRoot "C:/wamp64/www/superiorit"
<Directory "C:/wamp64/www/superiorit">
Options +Indexes +Includes +FollowSymLinks +MultiViews
AllowOverride All
Require local
</Directory>
</VirtualHost>
This is the entry in http-ssl.conf:
<VirtualHost www.superiorit.dev:443>
DocumentRoot "c:/wamp64/www/superiorit"
ServerName www.superiorit.dev:443
ServerAdmin steve.doig#superiorit.dev
ErrorLog "c:/wamp64/logs/error.log"
TransferLog "c:/wamp64/logs/access.log"
SSLEngine on
SSLCertificateFile "C:/wamp64/bin/apache/apache2.4.27/conf/demoCA/cacert.cert"
SSLCertificateKeyFile "C:/wamp64/bin/apache/apache2.4.27/conf/demoCA/private/cacert.key"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "c:/Apache24/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog "c:/Apache24/logs/ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Help appreciated.

My VirtualHost redirects for an HTTPS site are broken

Apache/2.2.15, CentOS Linux.
I have a site where I want the whole site to be SSL-encrypted all the time. Normally, I don't use mod_rewrite to do my www/non-www redirects; I just use VirtualHosts and the Redirect directive.
Trying to do this with my HTTPS site, however, is returning a generic SSL connection error in all browsers. Here's my vhost file (domain names and IP addresses changed):
NameVirtualHost 192.168.0.256:80
NameVirtualHost 192.168.0.256:443
<VirtualHost 192.168.0.256:80>
ServerName www.example.com
ServerAlias example.com
Redirect / https://www.example.com/
</VirtualHost>
# ############################
# This block breaks everything
# ############################
<VirtualHost 192.168.0.256:443>
ServerName example.com:443
Redirect / https://www.example.com/
</VirtualHost>
<VirtualHost 192.168.0.256:443>
DocumentRoot /var/www/example_site/htdocs/
ServerName www.example.com:443
ErrorLog /var/www/logs/example_site/error_log
SSLEngine On
SSLCertificateFile /etc/httpd/ssl.crt/www.example.com.crt
SSLCertificateKeyFile /etc/httpd/ssl.key/www.example.com.key
SSLCACertificateFile /etc/httpd/ssl.crt/www.example.com.ca-bundle
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
<Directory /var/www/example_site/htdocs/>
Options FollowSymLinks MultiViews
AllowOverride All
</Directory>
<Files ~ "\.php$">
SSLOptions +StdEnvVars
</Files>
</VirtualHost>
The block marked "This block breaks everything" appears to be the culprit. When that VirtualHost block is commented out, the site loads as expected and everything's fine. But I really want/need to redirect non-www to www, and when that block is enabled, I get this on every attempt to load the site:
Error logs don't seem to show anything useful. Can anyone tell from this what exactly is going wrong?
Port 443 always needs a certificate attached to it. Even if its just a simple redirect. Connect -> SSL -> Data transfer.

ssl on a local dev server

I am running ubuntu as a testing server on my laptop. I am attempting to set up some of the test sites with self signed ssl certificates. I think I have everything correct except perhaps the apache 2 conf files.
When creating the cerificates I gave the common name as *.hr4.mdev. "mdev" is what I have arbitrarily called my local dev environment.
So I modified my existing conf file to listen on 443 instead on 80 (line 1) and I added lines 6, 7 and 8.
<VirtualHost *:443>
ServerAdmin myemail#mydomain.com
ServerName marino.hr4.mdev
ServerAlias *.marino.hr4.mdev
DocumentRoot /var/www/marino.hr4/htdocs
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<Directory /var/www/marino.hr4/htdocs>
php_value include_path /var/www/marino.hr4/htdocs
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ErrorLog /var/www/marino.hr4/logs/error.log
# Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
LogLevel debug
CustomLog /var/www/marino.hr4/logs/access.log combined
</VirtualHost>
Now when I go to the site (https://marino.hr4.mdev) I am advised that "It works!" Which is reassuring on a certain level, but it is not the content that I expected to see.
Having referenced tremor's link, my conf file now looks like this:
<VirtualHost 192.168.73.128:443>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
ServerAdmin bernard#theminery.com
ServerName marino.hr4.mdev
ServerAlias *.marino.hr4.mdev
DocumentRoot /var/www/marino.hr4/htdocs
<Directory /var/www/marino.hr4/htdocs>
php_value include_path /var/www/marino.hr4/htdocs
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ErrorLog /var/www/marino.hr4/logs/error.log
# Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
LogLevel debug
CustomLog /var/www/marino.hr4/logs/access.log combined
</VirtualHost>
after restarting Apache I am asked to add a security exception, which is fine, but I am then kicked to another site I have set up on my machine.
Add NameVirtualHost directive, something like this perhaps?
NameVirtualHost *:443
Listen 443
Your apache server is obviously serving up it's default server "It works" instead of your website.
Here is some supporting information from apache: http://wiki.apache.org/httpd/NameBasedSSLVHosts
Edit:
Potentially move your virtual host to the first referenced vhost in the conf file, default is selected based on order.
So in the end I modified the ports.conf file and added 443 to the Listen directive, so now it reads:
Listen 80 443
<IfModule ssl_module>
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
listen 443
</IfModule>
I also changed the first line of my conf file from
<VirtualHost 192.168.73.128:443>
back to
<VirtualHost *:443>
Special thanks to tremor for pointing me in the right direction.