RE: Multi site SSL problems

I set up each entry with <VirtualHost *:443> but when I do that, the second site will complain that the cert is for site1. So if I go to site2.com, I get a browser error that the cert is for site1. It will show me the content for site1.

 

I am not sure why there is a difference: my non-SSL hosts, i.e. <VirtualHost *:80>, all work fine and each site gives me the correct content, so why does it not work for <VirtualHost *:443>?

 

The entries are:

<VirtualHost *:443>
ServerName www.site1.com
....

<VirtualHost *:443>
ServerName www.site2.com
....

I am not sure how to do this part:

Do not use the 2.2 authz directives (Allow/Deny/Order) and use Require instead

I am running Apache 2.2, does it still apply?

It does not look like mod_access_compat is listed under mods-enabled

 

From: Frank Gingras <thumbs@xxxxxxxxxx>
Sent: Thursday, May 9, 2024 4:12 PM
To: users@xxxxxxxxxxxxxxxx
Subject: Re: [users@httpd] Multi site SSL problems

 

 

 

On Thu, May 9, 2024 at 6:54 PM Chris me <phunction@xxxxxxxxxxx> wrote:

Hi, I am having an issue trying to get multiple sites with their own SSL cert. I purchased AlphaSSL certs for them.

The strange thing, the first cert works, the second gives me an ERR_SSL_PROTOCOL_ERROR, but only on some systems.

 

This is what I am using now:

 

(

Site1 is fine, Site2 gives me the error.

 

I originally tried with NameVirtualHost *.443

And then <VirtualHost *.443>

But when I go to site2, it complains that the cert is invalid because it is using the cert from site1?

)

 

 

<IfModule mod_ssl.c>
NameVirtualHost 192.99.9.188:443

<VirtualHost www.site1.com:443>
    ServerName www.site1.com
    ServerAdmin webmaster@xxxxxxxxx
    DocumentRoot /home/httpd/sites/site1
    <Directory /home/httpd/sites/site1>
        Order allow,deny
        Allow from all
    </Directory>

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile    /etc/ssl/site1.ca/server.crt
    SSLCertificateKeyFile /etc/ssl/site1.ca/server.key
    SSLCertificateChainFile /etc/ssl/site1.ca/bundle.crt
</VirtualHost>

<VirtualHost www.site2.com:443>
    ServerName www.site2.com
    ServerAdmin webmaster@xxxxxxxxx
    DocumentRoot /home/httpd/sites/site2
    <Directory /home/httpd/sites/site2>
        Order allow,deny
        Allow from all
    </Directory>

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile    /etc/ssl/site2.ca/server.crt
    SSLCertificateKeyFile /etc/ssl/site2.ca/server.key
    SSLCertificateChainFile /etc/ssl/site2.ca/bundle.crt
</VirtualHost>
</IfModule mod_ssl.c>

 

So many red flags here:

 

- Always use *:PORT when defining a vhost, unless you know exactly what you are doing

- Set the ServerName directive in every single vhost

- Do not use the 2.2 authz directives (Allow/Deny/Order) and use Require instead

- Unload the mod_access_compat module when apachectl configtest passes

 

Lastly, show the output from apachectl -S when the fixes are applied 
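
Added example, not part of the original thread or the httpd project's code: a small Python lint that applies the first three checklist items from the reply above (vhost address is *:PORT, every vhost has a ServerName, no Order/Allow/Deny) to a config file before running apachectl configtest. The names lint_vhosts and SAMPLE_CONF are hypothetical, and the sample config is constructed from the layout quoted in the thread.

```python
import re

# Constructed sample modelled on the vhost layout quoted in the thread.
SAMPLE_CONF = """\
NameVirtualHost 192.99.9.188:443
<VirtualHost www.site1.com:443>
ServerName www.site1.com
<Directory /home/httpd/sites/site1>
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
<VirtualHost *:443>
DocumentRoot /home/httpd/sites/site2
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"</VirtualHost\s*>", re.I)
SERVER_NAME = re.compile(r"ServerName\s+\S", re.I)
LEGACY_AUTHZ = re.compile(r"(Order|Allow|Deny)\s", re.I)  # not AllowOverride


def lint_vhosts(conf_text):
    """Hypothetical helper: return (line_no, message) for each checklist hit."""
    findings = []
    vhost = None  # state of the <VirtualHost> block currently open, if any
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        opened = VHOST_OPEN.match(line)
        if opened:
            vhost = {"line": no, "named": False}
            for addr in opened.group(1).split():
                if not re.fullmatch(r"\*:\d+", addr):
                    findings.append((no, f"vhost address '{addr}' is not *:PORT"))
        elif VHOST_CLOSE.match(line):
            if vhost and not vhost["named"]:
                findings.append((vhost["line"], "vhost has no ServerName"))
            vhost = None
        elif vhost and SERVER_NAME.match(line):
            vhost["named"] = True
        elif LEGACY_AUTHZ.match(line):
            findings.append((no, f"2.2 authz directive: {line}"))
    return findings


if __name__ == "__main__":
    for no, msg in lint_vhosts(SAMPLE_CONF):
        print(f"line {no}: {msg}")
```

A clean result from this lint only covers the static checklist; which vhost actually answers for each name is still what apachectl -S reports.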

