Re: VirtualHost with ServerAlias and SSLCertificateFile no friends?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Jul 8, 2024 at 4:18 AM Michael Osipov <michaelo@xxxxxxxxxx> wrote:
On 2024/07/04 13:57:06 Frank Gingras wrote:
> On Thu, Jul 4, 2024 at 8:44 AM Michael Osipov <michaelo@xxxxxxxxxx> wrote:
>
> > Folks,
> >
> > please consider the following example:
> > > <VirtualHost *:443>
> > >     ServerAdmin me@xxxxxxxxxxx
> > >     ServerName foo.example.com
> > >     ServerAlias foo.sub.example.net
> > >     DocumentRoot /usr/local/www/apache24/data
> > >     ErrorLog "/var/log/apache/foo-ssl-errors.log"
> > >     CustomLog "/var/log/apache/foo-ssl-access.log" common
> > >
> > >     SSLEngine On
> > >     SSLCertificateFile /etc/ssl/foo.example.com/cert.crt
> > >     SSLCertificateKeyFile /etc/ssl/foo.example.com/key.crt
> > >     SSLCertificateFile /etc/ssl/foo.sub.example.net/cert.crt
> > >     SSLCertificateKeyFile /etc/ssl/foo.sub.example.net/key.crt
> > >
> > >     Include "..."
> > > </VirtualHost>
> >
> > I'd like to run a single vhost serving the same content under multiple
> > FQDNs to the users
> >
> > As far as I understand mod_ssl it does not seem to support to have SNI on
> > a single vhost with multiple hostnames. I get error messages in the log
> > file.
> > I am running "Apache/2.4.59 (FreeBSD) OpenSSL/1.1.1w-freebsd".
> > FWIW: the same concept is support with Tomcat: One connector, one default
> > host, aliases and several SSLHostConfig elements.
> > Is the approach to run two vhosts here? I am sure that a SAN certificate
> > will do the trick, but for €€€ reasons I won' able to order one.
> >
> > Michael
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> >
> >
> In that case, define separate :443 vhosts for each name, and redirect to
> the main one.

As sad it is sounds and also looking into the source code there is no alternative to duplicate it.
There is a long standing issue open in Bugzilla: https://bz.apache.org/bugzilla/show_bug.cgi?id=61081

At least the docs should tell that using ServerAlias requires a SAN certificate to function properly.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


Your options were always to use a wildcard certificate, or a SAN.  This falls more into the common knowledge of TLS and certificates.

mod_ssl does tie in to openssl, sure, but explaining every concept isn't the role of the docs.

That being said, a small note to that effect should not be harmful, I will see if the docs team can come up with some alteration. 
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux