Re: Re: {Disarmed} Re: [users@httpd] Multi-domain with SSL - Virtualhost all need IPs?

That does not look like valid httpd syntax. 

If you can't use a SAN, then you need to configure all your vhosts as IP:443, whereas one vhost uses a separate IP, and the remainder uses the second IP.

On Wed, 18 May 2022 at 17:02, Paul Kudla (SCOM.CA Internet Services Inc.) <paul@xxxxxxx> wrote:

OK, SAN is only usable if the cert is set up that way.

I bought a proper *.scom.ca wildcard SSL cert for my domain.

I then buy mail.xxx.com certs for the other domains.

SNI works well when configured this way.

Granted, SAN might or might not work (I never tried that); however, SAN was
designed more for Apache web servers vs email etc.

SAN does allow adding domains, but it is more complicated to control what the
cert is doing (or not).

Sounds like what I did will work better for your situation.

Example sni.conf file (import this at the end of your main dovecot.conf file
using:

#Addition ssl config
!include sni.conf

Please note that below I wrote a Python script to pull the cert from a
DB table:

getssl.cert

All it does is return the text for the SSL cert (key first, then
certificate, then both intermediate certs).

You can point this to an SSL key file (the old way) formatted the same.

Either will work.

Note you need both the default cert setup AND the local name as well.

A *. signifies a wildcard SSL cert,

like *.scom.ca.

Note you need to do something similar in Postfix as well for this to
work across SMTP + Dovecot.




# cat sni.conf
#sni.conf
ssl = yes
verbose_ssl = yes
ssl_dh =</usr/local/etc/dovecot/dh-4096.pem
ssl_prefer_server_ciphers = yes
#ssl_min_protocol = TLSv1.2

#Default *.scom.ca
ssl_key =</usr/local/etc/dovecot/scom.pem
ssl_cert =</usr/local/etc/dovecot/scom.pem
ssl_ca =</usr/local/etc/dovecot/scom.pem

local_name .scom.ca {
   ssl_key = /programs/common/getssl.cert -c *.scom.ca -q yes
   ssl_cert = /programs/common/getssl.cert -c *.scom.ca -q yes
   ssl_ca = /programs/common/getssl.cert -c *.scom.ca -q yes
}


local_name mail.clancyca.com {
   ssl_key = /programs/common/getssl.cert -c mail.clancyca.com -q yes
   ssl_cert = /programs/common/getssl.cert -c mail.clancyca.com -q yes
   ssl_ca = /programs/common/getssl.cert -c mail.clancyca.com -q yes
}

local_name secure.clancyca.com {
   ssl_key = /programs/common/getssl.cert -c secure.clancyca.com -q yes
   ssl_cert = /programs/common/getssl.cert -c secure.clancyca.com -q yes
   ssl_ca = /programs/common/getssl.cert -c secure.clancyca.com -q yes
}

local_name mail.paulkudla.net {
   ssl_key = /programs/common/getssl.cert -c mail.paulkudla.net -q yes
   ssl_cert = /programs/common/getssl.cert -c mail.paulkudla.net -q yes
   ssl_ca = /programs/common/getssl.cert -c mail.paulkudla.net -q yes
}

local_name mail.ekst.ca {
   ssl_key = /programs/common/getssl.cert -c mail.ekst.ca -q yes
   ssl_cert = /programs/common/getssl.cert -c mail.ekst.ca -q yes
   ssl_ca = /programs/common/getssl.cert -c mail.ekst.ca -q yes
}

local_name mail.hamletdevelopments.ca {
   ssl_key = /programs/common/getssl.cert -c mail.hamletdevelopments.ca -q yes
   ssl_cert = /programs/common/getssl.cert -c mail.hamletdevelopments.ca -q yes
   ssl_ca = /programs/common/getssl.cert -c mail.hamletdevelopments.ca -q yes
}




Happy Wednesday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services <http://www.scom.ca>
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266

On 5/18/2022 3:31 PM, Frank Gingras wrote:
> See if you can add a SAN to that wildcard certificate first.
>
> On Wed, 18 May 2022 at 15:21, frank picabia <fpicabia@xxxxxxxxx> wrote:
>
>
>     We have a server with over 300 vhosts on it.  Marketing/CMS madness
>     I guess.
>     All on the same domain name.  Many VirtualHosts are defined with *:443
>     and then ServerName to rely on SNI.
>     We have a wildcard cert for the domain and all the hosts use that.
>
>     Now there is a different domain to add for SSL.  For some reason
>     the first domain name's certificate is being found.  I've put the
>     IP for our newcomer domain so we have <VirtualHost 1.1.1.1:443>
>     but it is still finding the other cert.  This IP is uniquely assigned
>     with the different domain, as you'd expect with DNS.  So it can't
>     be an overlap of the IP used elsewhere.
>
>     Researching this problem ("wrong cert loaded for vhost"),
>     I read that in the initial SSL connection, it
>     is talking to the IP, and whatever values we have for ServerName
>     have no bearing until the page is being accessed.  If that's the case,
>     then it might have matched another vhost with *:443 first.
>     I tried putting my new domain at the top of ssl.conf but it made no
>     difference.
>
>     I'm thinking I need to edit each *:443 case and change it to the
>     appropriate IP.
>     That will be a lot of work, so I'm looking for affirmation that is
>     likely to make the difference.
>
>
>
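A check for the symptom frank picabia describes ("wrong cert loaded for vhost"): an added example, not code from anyone in this thread. It handshakes against one IP with each SNI name in turn, reads the certificate the server actually presented, and reports whether that certificate covers the requested name under the usual single-label wildcard rule (a *.scom.ca cert covers mail.scom.ca but not scom.ca, a.b.scom.ca or mail.clancyca.com). The script name and the command-line usage are assumptions; the certificate is expected to chain to a trusted CA, as the purchased certs in the thread do.

```python
from __future__ import annotations
import socket
import ssl


def cert_names(cert: dict) -> list[str]:
    """Subject CN plus every dNSName SAN, lower-cased, from ssl getpeercert() output."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return [n.lower() for n in names]


def cert_covers(hostname: str, names: list[str]) -> bool:
    """True if an exact name or a single-label wildcard in names matches hostname."""
    host = hostname.lower().rstrip(".")
    for name in names:
        if name.startswith("*."):
            suffix = name[1:]                 # "*.scom.ca" -> ".scom.ca"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            # The wildcard stands for exactly one non-empty leftmost label:
            # mail.scom.ca matches, scom.ca and a.b.scom.ca do not.
            if label and "." not in label:
                return True
        elif name == host:
            return True
    return False


def served_cert_names(host: str, port: int, server_name: str) -> list[str]:
    """Handshake with SNI = server_name and return the names in the certificate served.

    Hostname checking is off so a wrongly selected (but CA-valid) certificate is
    reported instead of raising; chain verification stays on.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return cert_names(tls.getpeercert())


def report(host: str, port: int, server_names: list[str]) -> dict[str, bool]:
    """Map each SNI name to whether the certificate served for it covers that name."""
    return {n: cert_covers(n, served_cert_names(host, port, n)) for n in server_names}


if __name__ == "__main__":
    import sys
    # Usage (script name assumed): python check_sni.py 1.1.1.1 mail.example.org www.scom.ca
    target, *names = sys.argv[1:]
    for name, ok in report(target, 443, names).items():
        print(f"{name}: {'ok' if ok else 'WRONG CERT'}")
```

Run it once against the shared IP with every ServerName that should be reachable there; any "WRONG CERT" line is a vhost whose SNI match or certificate assignment still needs fixing.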


