Re: {Disarmed} Re: [users@httpd] Multi-domain with SSL - Virtualhost all need IPs?


 




You need to set the cert files per virtual domain.

Example:

# Name-based vhost on *:443, selected by SNI; it names its own key, certificate and chain
<VirtualHost *:443>
ServerName underconstruction.scom.ca
ServerAlias underconstruction.scom.ca
DocumentRoot /www/underconstruction.scom.ca
SSLEngine on
# "all" enables every protocol version mod_ssl and the linked OpenSSL support, older ones included
SSLProtocol all
SSLCertificateKeyFile /www/scom.ca/ssl/scom.ca.key
SSLCertificateFile /www/scom.ca/ssl/scom.ca.crt
SSLCertificateChainFile /www/scom.ca/ssl/scom.ca.chain
</VirtualHost>


# Second domain on the same *:443 listener, with its own certificate files
<VirtualHost *:443>
ServerName ekst.ca
ServerAlias ekst.ca
ServerAlias www.ekst.ca
DocumentRoot /www/ekst.ca

SSLEngine on
SSLProtocol all
SSLCertificateFile /www/ekst.ca/ssl/ekst.ca.crt
SSLCertificateKeyFile /www/ekst.ca/ssl/ekst.ca.key
SSLCertificateChainFile /www/ekst.ca/ssl/ekst.ca.chain
</VirtualHost>





Happy Wednesday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services <http://www.scom.ca>
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266

On 5/18/2022 5:26 PM, frank picabia wrote:
Sorry, different domain.

300 hosts like *.example1.com
and now we have 1 example2.com


On Wed, May 18, 2022 at 4:31 PM Frank Gingras <thumbs@xxxxxxxxxx> wrote:

    See if you can add a SAN to that wildcard certificate first.

    On Wed, 18 May 2022 at 15:21, frank picabia <fpicabia@xxxxxxxxx> wrote:


        We have a server with over 300 vhosts on it.  Marketing/CMS
        madness I guess.
        All on the same domain name.  Many VirtualHosts are defined with
        *:443
        and then ServerName to rely on SNI.
        We have a wildcard cert for the domain and all the hosts use that.

        Now there is a different domain to add for SSL.  For some reason
        the first domain name's certificate is being found.  I've put the
        IP for our newcomer domain so we have <VirtualHost 1.1.1.1:443>
        but it is still finding the other cert.  This IP is uniquely assigned
        with the different domain, as you'd expect with DNS.  So it can't
        be an overlap of the IP used elsewhere.

        Researching this problem ("wrong cert loaded for vhost"),
        I read that in the initial SSL connection, it
        is talking to the IP, and whatever values we have for ServerName
        have no bearing until the page is being accessed.  If that's the case
        then it might have matched another vhost with *:443 first.
        I tried putting my new domain at the top of ssl.conf but it made
        no difference.

        I'm thinking I need to edit each *:443 case and change it to the
        appropriate IP.
        That will be a lot of work, so I'm looking for affirmation that
        is likely to make the difference.



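A check for the symptom discussed in this thread (a vhost being handed another domain's certificate), added here as an example and not taken from any poster's message. It connects with each hostname as SNI and reports names the served certificate's SAN list does not cover; the function names, SAMPLE_VHOSTS and the 192.0.2.x addresses are hypothetical and constructed for illustration.

```python
import socket
import ssl


def san_matches(hostname, san_dns_names):
    """True if hostname is covered by any DNS SAN entry.

    A wildcard is honoured only as the whole left-most label and stands
    for exactly one label, so *.example1.com covers www.example1.com but
    not example1.com, a.b.example1.com or example2.com.
    """
    host = hostname.lower().rstrip(".")
    for pattern in san_dns_names:
        pattern = pattern.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            suffix = pattern[1:]              # e.g. ".example1.com"
            label = host[: -len(suffix)]      # what '*' would stand for
            if host.endswith(suffix) and label and "." not in label:
                return True
    return False


def served_sans(ip, hostname, port=443, timeout=5.0):
    """Connect to ip:port sending hostname as SNI; return the served cert's DNS SANs."""
    ctx = ssl.create_default_context()   # the chain is still verified
    ctx.check_hostname = False           # name comparison is done by san_matches
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def audit(vhosts, fetch=served_sans):
    """vhosts maps hostname -> IP; returns names handed a cert that does not cover them."""
    return [h for h, ip in vhosts.items() if not san_matches(h, fetch(ip, h))]


# Constructed sample mirroring the thread: many *.example1.com hosts plus one example2.com.
SAMPLE_VHOSTS = {"www.example1.com": "192.0.2.10", "example2.com": "192.0.2.11"}

if __name__ == "__main__":
    # Offline stand-in for a server that answers every SNI name with the wildcard cert.
    wildcard_only = lambda ip, host: ["*.example1.com"]
    print(audit(SAMPLE_VHOSTS, fetch=wildcard_only))
```

Called without the fetch argument, audit() probes the live server, so it can be rerun after each configuration change to confirm every name now receives a certificate that covers it.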



