Resolving multiple apache name-based virtual host with sslApache 2.2.14: SSLCARevocation locationSSL, Apache, and Subdomains on a Static IPfirst time setting up ssl, tutorials haven't been too helpfulProblems with multiple SSL on same IP, but only in select clientsApache Virtual Hosts Not WorkingVirtual hosts with port 80 & 443 not workingsetting up multiple ssl certificates on same server/ip on CENTOs with apache 2.2Unbuntu server running Apache with an SSL Cert IssueMy SSL configuration aren't working. Ubuntu apache 2.4ServerAlias without www not working on SSL virtualhost
How many chess players are over 2500 Elo?
Should I disclose a colleague's illness (that I should not know about) when others badmouth him
Is there a down side to setting the sampling time of a SAR ADC as long as possible?
Is it ok to put a subplot to a story that is never meant to contribute to the development of the main plot?
Why does the 6502 have the BIT instruction?
Is this resistor leaking? If so, is it a concern?
Would the Geas spell work in a dead magic zone once you enter it?
Mother abusing my finances
What are the benefits of cryosleep?
How can people dance around bonfires on Lag Lo'Omer - it's darchei emori?
Why do Russians call their women expensive ("дорогая")?
Why do airplanes use an axial flow jet engine instead of a more compact centrifugal jet engine?
Where is the logic in castrating fighters?
How to prevent bad sectors?
How can I find where certain bash function is defined?
Is there a general effective method to solve Smullyan style Knights and Knaves problems? Is the truth table method the most appropriate one?
Ticket sales for Queen at the Live Aid
How do you say “buy” in the sense of “believe”?
How does an ARM MCU run faster than the external crystal?
Graph with same number of edges and vertices is a loop?
Is using the CH340G on a commercial product a horrible idea?
What is the difference between nullifying your vote and not going to vote at all?
Apparent Ring of Craters on the Moon
Is there any use case for the bottom type as a function parameter type?
Resolving multiple apache name-based virtual host with ssl
Apache 2.2.14: SSLCARevocation locationSSL, Apache, and Subdomains on a Static IPfirst time setting up ssl, tutorials haven't been too helpfulProblems with multiple SSL on same IP, but only in select clientsApache Virtual Hosts Not WorkingVirtual hosts with port 80 & 443 not workingsetting up multiple ssl certificates on same server/ip on CENTOs with apache 2.2Unbuntu server running Apache with an SSL Cert IssueMy SSL configuration aren't working. Ubuntu apache 2.4ServerAlias without www not working on SSL virtualhost
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
I have the following configurations in my httpd-ssl.conf
NameVirtualHost *:8443
<VirtualHost _default_:8443>
ServerName sub.domain1.com
ServerAlias sub2.domain1.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
# some other settings...
</VirtualHost>
<VirtualHost _default_:8443>
ServerName www.domain1.com
ServerAlias domain1.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
Redirect permanent / http://www.domain1.com/
</VirtualHost>
<VirtualHost _default_:8443>
ServerName www.domain2.com
ServerAlias domain2.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
Redirect permanent / http://www.domain2.com/
</VirtualHost>
When I enter into the browser a url like https://www.domain2.com/resource-under-sub.domain1.com, it actually goes to the path https://sub.domain1.com/resource-under-sub.domain1.com instead of redirecting to http://www.domain2.com. What is wrong with my settings?
Response to @Nic regarding SNI:
I checked my Apache, and from https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI it looks SNI is enabled from the log message:Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366). I was also using Firefox 56 which should support SNI from https://www.kinamo.be/en/support/faq/which-browsers-support-server-name-indication-sni. However, when I go to the url for the second virtual host it still takes me to the first default virtual host.
This https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI and this https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslprotocol suggest for Apache 2.4 (which I am running), that the default setting supports TLSv1 and SNI. In my error and ssl logs, it does not show any records for my requests to the second virtual host, although it does for other hosts, e.g. No matching SSL virtual host for servername other.domain1.com found (using default/first virtual host) and these are using SSLv3 as seen from the message OpenSSL: Loop: SSLv3 read client hello A. However I can also see from the ssl request logs that TLSv1 is being used for some resources: TLSv1 AES128-SHA "GET /javax.faces.resource/theme.css.seam...
Do I need to explicit specify using TLSv1 in the configuration SSLProtocol +TLSv1?
Thanks
Response to @dave_thompson_085:
Thanks, I tried the following configuration, and also cleared the browser cache:
NameVirtualHost _default_:8443
# Default virtual host and catch all
<VirtualHost _default_:8443>
ServerName www.domain1.com
ServerAlias www.domain1.com
SSLEngine on
SSLProtocol all -SSLv3
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
# I want to redirect the https to http
Redirect permanent / http://www.domain1.com/
</VirtualHost>
# This is the only virtual host name that should handle the ssl
<VirtualHost _default_:8443>
ServerName sub.domain1.com
ServerAlias sub2.domain1.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
# some other settings...
</VirtualHost>
<VirtualHost _default_:8443>
ServerName www.domain2.com
ServerAlias domain2.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
# I want to redirect the https to http
Redirect permanent / http://www.domain2.com/
</VirtualHost>
# Other virtual hosts like www.domain2.com
When I access https://www.domain2.com, this is what I get in the error_log_ssl:
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1830): +------------------------------+
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | 0000: ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | 0010: ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | 0020: ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | 0060: ... www.domain2.com |
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1875): +------------------------------+
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_kernel.c(1987): [client 207.46.13.160] SSL virtual host for servername www.domain2.com found
**[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_kernel.c(1274): [client 207.46.13.160] handing out temporary 1024 bit DH key
**[Mon Oct 16 08:10:07 2017] [info] [client n1.n2.n3.n4] (70014)End of file found: SSL input filter read failed.
[Mon Oct 16 08:10:07 2017] [info] [client n1.n2.n3.n4] Connection closed to child 199 with standard shutdown (server www.domain2.com:443)
Lines marked ** only occur sometimes. It seems like SSL named virtual host is working from the line SSL virtual host for servername www.domain2.com found. In the browser, it shows that the certificate is unsafe because it doesn't match the serverName, and if I don't accept the certificate, then it doesn't go further, which is fair enough. But if I accept the certificate, it still gets redirected to sub.domain1.com, the site that truly handles the SSL. Why doesn't it redirect to www.domain2.com as specified in the settings?
Thanks so much for your help!
ssl apache-2.4 virtualhost
asked Sep 29 '17 at 18:29
clarinetclarinet
12
add a comment |
I have the following configurations in my httpd-ssl.conf
NameVirtualHost *:8443
<VirtualHost _default_:8443>
ServerName sub.domain1.com
ServerAlias sub2.domain1.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
# some other settings...
</VirtualHost>
<VirtualHost _default_:8443>
ServerName www.domain1.com
ServerAlias domain1.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
Redirect permanent / http://www.domain1.com/
</VirtualHost>
<VirtualHost _default_:8443>
ServerName www.domain2.com
ServerAlias domain2.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
Redirect permanent / http://www.domain2.com/
</VirtualHost>
When I enter into the browser a url like https://www.domain2.com/resource-under-sub.domain1.com, it actually goes to the path https://sub.domain1.com/resource-under-sub.domain1.com instead of redirecting to http://www.domain2.com. What is wrong with my settings?
Response to @Nic regarding SNI:
I checked my Apache, and from https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI it looks SNI is enabled from the log message:Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366). I was also using Firefox 56 which should support SNI from https://www.kinamo.be/en/support/faq/which-browsers-support-server-name-indication-sni. However, when I go to the url for the second virtual host it still takes me to the first default virtual host.
This https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI and this https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslprotocol suggest for Apache 2.4 (which I am running), that the default setting supports TLSv1 and SNI. In my error and ssl logs, it does not show any records for my requests to the second virtual host, although it does for other hosts, e.g. No matching SSL virtual host for servername other.domain1.com found (using default/first virtual host) and these are using SSLv3 as seen from the message OpenSSL: Loop: SSLv3 read client hello A. However I can also see from the ssl request logs that TLSv1 is being used for some resources: TLSv1 AES128-SHA "GET /javax.faces.resource/theme.css.seam...
Do I need to explicit specify using TLSv1 in the configuration SSLProtocol +TLSv1?
Thanks
Response to @dave_thompson_085:
Thanks, I tried the following configuration, and also cleared the browser cache:
NameVirtualHost _default_:8443
# Default virtual host and catch all
<VirtualHost _default_:8443>
ServerName www.domain1.com
ServerAlias www.domain1.com
SSLEngine on
SSLProtocol all -SSLv3
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
# I want to redirect the https to http
Redirect permanent / http://www.domain1.com/
</VirtualHost>
# This is the only virtual host name that should handle the ssl
<VirtualHost _default_:8443>
ServerName sub.domain1.com
ServerAlias sub2.domain1.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
# some other settings...
</VirtualHost>
<VirtualHost _default_:8443>
ServerName www.domain2.com
ServerAlias domain2.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
# I want to redirect the https to http
Redirect permanent / http://www.domain2.com/
</VirtualHost>
# Other virtual hosts like www.domain2.com
When I access https://www.domain2.com, this is what I get in the error_log_ssl:
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1830): +------------------------------+
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | 0000: ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | 0010: ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | 0020: ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | 0060: ... www.domain2.com |
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1875): +------------------------------+
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_kernel.c(1987): [client 207.46.13.160] SSL virtual host for servername www.domain2.com found
**[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_kernel.c(1274): [client 207.46.13.160] handing out temporary 1024 bit DH key
**[Mon Oct 16 08:10:07 2017] [info] [client n1.n2.n3.n4] (70014)End of file found: SSL input filter read failed.
[Mon Oct 16 08:10:07 2017] [info] [client n1.n2.n3.n4] Connection closed to child 199 with standard shutdown (server www.domain2.com:443)
Lines marked ** only occur sometimes. It seems like SSL named virtual host is working from the line SSL virtual host for servername www.domain2.com found. In the browser, it shows that the certificate is unsafe because it doesn't match the serverName, and if I don't accept the certificate, then it doesn't go further, which is fair enough. But if I accept the certificate, it still gets redirected to sub.domain1.com, the site that truly handles the SSL. Why doesn't it redirect to www.domain2.com as specified in the settings?
Thanks so much for your help!
ssl apache-2.4 virtualhost
asked Sep 29 '17 at 18:29
clarinetclarinet
12
The state machine namesSSLv3 read client helloetc don't indicate the protocol version because the same state machine is used for SSL3 and TLS1.0-1.2; OpenSSL 1.1.0 (belatedly) changes them to the clearerSSLv3/TLS. SSLv3 is now broken (POODLE) and should not be used; most browsers/clients that will connect to you already refuse it, but to be on the safe side, and satisfy auditors etc who just scan, you should reject it also, which up to 2.4.16 needsSSLProtocol all -SSLv3(after that it's the default). You definitely should allow TLSv1.1 and especially 1.2 which is better. ...
– dave_thompson_085
Oct 14 '17 at 4:39
... If you're not getting any log records perhaps your browser (or other middleware like an HTTPS-intercepting proxy or filter) is caching; make sure everything is cleared, or try a new browser and/or new device and/or a standalone tool like curl.
– dave_thompson_085
Oct 14 '17 at 4:39
add a comment |
I have the following configurations in my httpd-ssl.conf
NameVirtualHost *:8443
<VirtualHost _default_:8443>
ServerName sub.domain1.com
ServerAlias sub2.domain1.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
# some other settings...
</VirtualHost>
<VirtualHost _default_:8443>
ServerName www.domain1.com
ServerAlias domain1.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
Redirect permanent / http://www.domain1.com/
</VirtualHost>
<VirtualHost _default_:8443>
ServerName www.domain2.com
ServerAlias domain2.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
Redirect permanent / http://www.domain2.com/
</VirtualHost>
When I enter into the browser a url like https://www.domain2.com/resource-under-sub.domain1.com, it actually goes to the path https://sub.domain1.com/resource-under-sub.domain1.com instead of redirecting to http://www.domain2.com. What is wrong with my settings?
Response to @Nic regarding SNI:
I checked my Apache, and from https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI it looks SNI is enabled from the log message:Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366). I was also using Firefox 56 which should support SNI from https://www.kinamo.be/en/support/faq/which-browsers-support-server-name-indication-sni. However, when I go to the url for the second virtual host it still takes me to the first default virtual host.
This https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI and this https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslprotocol suggest for Apache 2.4 (which I am running), that the default setting supports TLSv1 and SNI. In my error and ssl logs, it does not show any records for my requests to the second virtual host, although it does for other hosts, e.g. No matching SSL virtual host for servername other.domain1.com found (using default/first virtual host) and these are using SSLv3 as seen from the message OpenSSL: Loop: SSLv3 read client hello A. However I can also see from the ssl request logs that TLSv1 is being used for some resources: TLSv1 AES128-SHA "GET /javax.faces.resource/theme.css.seam...
Do I need to explicit specify using TLSv1 in the configuration SSLProtocol +TLSv1?
Thanks
Response to @dave_thompson_085:
Thanks, I tried the following configuration, and also cleared the browser cache:
NameVirtualHost _default_:8443
# Default virtual host and catch all
<VirtualHost _default_:8443>
ServerName www.domain1.com
ServerAlias www.domain1.com
SSLEngine on
SSLProtocol all -SSLv3
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
# I want to redirect the https to http
Redirect permanent / http://www.domain1.com/
</VirtualHost>
# This is the only virtual host name that should handle the ssl
<VirtualHost _default_:8443>
ServerName sub.domain1.com
ServerAlias sub2.domain1.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
# some other settings...
</VirtualHost>
<VirtualHost _default_:8443>
ServerName www.domain2.com
ServerAlias domain2.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
# I want to redirect the https to http
Redirect permanent / http://www.domain2.com/
</VirtualHost>
# Other virtual hosts like www.domain2.com
When I access https://www.domain2.com, this is what I get in the error_log_ssl:
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1830): +------------------------------+
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | 0000: ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | 0010: ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | 0020: ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | 0060: ... www.domain2.com |
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1875): +------------------------------+
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_kernel.c(1987): [client 207.46.13.160] SSL virtual host for servername www.domain2.com found
**[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_kernel.c(1274): [client 207.46.13.160] handing out temporary 1024 bit DH key
**[Mon Oct 16 08:10:07 2017] [info] [client n1.n2.n3.n4] (70014)End of file found: SSL input filter read failed.
[Mon Oct 16 08:10:07 2017] [info] [client n1.n2.n3.n4] Connection closed to child 199 with standard shutdown (server www.domain2.com:443)
Lines marked ** only occur sometimes. It seems like SSL named virtual host is working from the line SSL virtual host for servername www.domain2.com found. In the browser, it shows that the certificate is unsafe because it doesn't match the serverName, and if I don't accept the certificate, then it doesn't go further, which is fair enough. But if I accept the certificate, it still gets redirected to sub.domain1.com, the site that truly handles the SSL. Why doesn't it redirect to www.domain2.com as specified in the settings?
Thanks so much for your help!
ssl apache-2.4 virtualhost
asked Sep 29 '17 at 18:29
clarinetclarinet
12
I have the following configurations in my httpd-ssl.conf
NameVirtualHost *:8443
<VirtualHost _default_:8443>
ServerName sub.domain1.com
ServerAlias sub2.domain1.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
# some other settings...
</VirtualHost>
<VirtualHost _default_:8443>
ServerName www.domain1.com
ServerAlias domain1.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
Redirect permanent / http://www.domain1.com/
</VirtualHost>
<VirtualHost _default_:8443>
ServerName www.domain2.com
ServerAlias domain2.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
Redirect permanent / http://www.domain2.com/
</VirtualHost>
When I enter into the browser a url like https://www.domain2.com/resource-under-sub.domain1.com, it actually goes to the path https://sub.domain1.com/resource-under-sub.domain1.com instead of redirecting to http://www.domain2.com. What is wrong with my settings?
Response to @Nic regarding SNI:
I checked my Apache, and from https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI it looks SNI is enabled from the log message:Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366). I was also using Firefox 56 which should support SNI from https://www.kinamo.be/en/support/faq/which-browsers-support-server-name-indication-sni. However, when I go to the url for the second virtual host it still takes me to the first default virtual host.
This https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI and this https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslprotocol suggest for Apache 2.4 (which I am running), that the default setting supports TLSv1 and SNI. In my error and ssl logs, it does not show any records for my requests to the second virtual host, although it does for other hosts, e.g. No matching SSL virtual host for servername other.domain1.com found (using default/first virtual host) and these are using SSLv3 as seen from the message OpenSSL: Loop: SSLv3 read client hello A. However I can also see from the ssl request logs that TLSv1 is being used for some resources: TLSv1 AES128-SHA "GET /javax.faces.resource/theme.css.seam...
Do I need to explicit specify using TLSv1 in the configuration SSLProtocol +TLSv1?
Thanks
Response to @dave_thompson_085:
Thanks, I tried the following configuration, and also cleared the browser cache:
NameVirtualHost _default_:8443
# Default virtual host and catch all
<VirtualHost _default_:8443>
ServerName www.domain1.com
ServerAlias www.domain1.com
SSLEngine on
SSLProtocol all -SSLv3
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
# I want to redirect the https to http
Redirect permanent / http://www.domain1.com/
</VirtualHost>
# This is the only virtual host name that should handle the ssl
<VirtualHost _default_:8443>
ServerName sub.domain1.com
ServerAlias sub2.domain1.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
# some other settings...
</VirtualHost>
<VirtualHost _default_:8443>
ServerName www.domain2.com
ServerAlias domain2.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
# I want to redirect the https to http
Redirect permanent / http://www.domain2.com/
</VirtualHost>
# Other virtual hosts like www.domain2.com
When I access https://www.domain2.com, this is what I get in the error_log_ssl:
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1830): +------------------------------+
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | 0000: ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | 0010: ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | 0020: ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | 0060: ... www.domain2.com |
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1875): +------------------------------+
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_kernel.c(1987): [client 207.46.13.160] SSL virtual host for servername www.domain2.com found
**[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_kernel.c(1274): [client 207.46.13.160] handing out temporary 1024 bit DH key
**[Mon Oct 16 08:10:07 2017] [info] [client n1.n2.n3.n4] (70014)End of file found: SSL input filter read failed.
[Mon Oct 16 08:10:07 2017] [info] [client n1.n2.n3.n4] Connection closed to child 199 with standard shutdown (server www.domain2.com:443)
Lines marked ** only occur sometimes. It seems like SSL named virtual host is working from the line SSL virtual host for servername www.domain2.com found. In the browser, it shows that the certificate is unsafe because it doesn't match the serverName, and if I don't accept the certificate, then it doesn't go further, which is fair enough. But if I accept the certificate, it still gets redirected to sub.domain1.com, the site that truly handles the SSL. Why doesn't it redirect to www.domain2.com as specified in the settings?
Thanks so much for your help!
ssl apache-2.4 virtualhost
ssl apache-2.4 virtualhost
asked Sep 29 '17 at 18:29
clarinetclarinet
12
asked Sep 29 '17 at 18:29
clarinetclarinet
12
edited Oct 16 '17 at 15:42
clarinet
asked Sep 29 '17 at 18:29
clarinetclarinet
12
asked Sep 29 '17 at 18:29
clarinetclarinet
12
asked Sep 29 '17 at 18:29
clarinetclarinet
12
12
The state machine namesSSLv3 read client helloetc don't indicate the protocol version because the same state machine is used for SSL3 and TLS1.0-1.2; OpenSSL 1.1.0 (belatedly) changes them to the clearerSSLv3/TLS. SSLv3 is now broken (POODLE) and should not be used; most browsers/clients that will connect to you already refuse it, but to be on the safe side, and satisfy auditors etc who just scan, you should reject it also, which up to 2.4.16 needsSSLProtocol all -SSLv3(after that it's the default). You definitely should allow TLSv1.1 and especially 1.2 which is better. ...
– dave_thompson_085
Oct 14 '17 at 4:39
... If you're not getting any log records perhaps your browser (or other middleware like an HTTPS-intercepting proxy or filter) is caching; make sure everything is cleared, or try a new browser and/or new device and/or a standalone tool like curl.
– dave_thompson_085
Oct 14 '17 at 4:39
add a comment |
The state machine namesSSLv3 read client helloetc don't indicate the protocol version because the same state machine is used for SSL3 and TLS1.0-1.2; OpenSSL 1.1.0 (belatedly) changes them to the clearerSSLv3/TLS. SSLv3 is now broken (POODLE) and should not be used; most browsers/clients that will connect to you already refuse it, but to be on the safe side, and satisfy auditors etc who just scan, you should reject it also, which up to 2.4.16 needsSSLProtocol all -SSLv3(after that it's the default). You definitely should allow TLSv1.1 and especially 1.2 which is better. ...
– dave_thompson_085
Oct 14 '17 at 4:39
... If you're not getting any log records perhaps your browser (or other middleware like an HTTPS-intercepting proxy or filter) is caching; make sure everything is cleared, or try a new browser and/or new device and/or a standalone tool like curl.
– dave_thompson_085
Oct 14 '17 at 4:39
The state machine names
SSLv3 read client hello etc don't indicate the protocol version because the same state machine is used for SSL3 and TLS1.0-1.2; OpenSSL 1.1.0 (belatedly) changes them to the clearer SSLv3/TLS. SSLv3 is now broken (POODLE) and should not be used; most browsers/clients that will connect to you already refuse it, but to be on the safe side, and satisfy auditors etc who just scan, you should reject it also, which up to 2.4.16 needs SSLProtocol all -SSLv3 (after that it's the default). You definitely should allow TLSv1.1 and especially 1.2 which is better. ...– dave_thompson_085
Oct 14 '17 at 4:39
The state machine names
SSLv3 read client hello etc don't indicate the protocol version because the same state machine is used for SSL3 and TLS1.0-1.2; OpenSSL 1.1.0 (belatedly) changes them to the clearer SSLv3/TLS. SSLv3 is now broken (POODLE) and should not be used; most browsers/clients that will connect to you already refuse it, but to be on the safe side, and satisfy auditors etc who just scan, you should reject it also, which up to 2.4.16 needs SSLProtocol all -SSLv3 (after that it's the default). You definitely should allow TLSv1.1 and especially 1.2 which is better. ...– dave_thompson_085
Oct 14 '17 at 4:39
... If you're not getting any log records perhaps your browser (or other middleware like an HTTPS-intercepting proxy or filter) is caching; make sure everything is cleared, or try a new browser and/or new device and/or a standalone tool like curl.
– dave_thompson_085
Oct 14 '17 at 4:39
... If you're not getting any log records perhaps your browser (or other middleware like an HTTPS-intercepting proxy or filter) is caching; make sure everything is cleared, or try a new browser and/or new device and/or a standalone tool like curl.
– dave_thompson_085
Oct 14 '17 at 4:39
add a comment |
1 Answer
1
active
oldest
votes
With regular Apache and SSL certificates, you cannot do that. The negotiation of SSL is done before the name virtual hosting. So the basic answer is to get one IP per site.
A couple years ago certificates and browser started supporting SNI to get around that limit. Look up SNI (Server Name Indication). The majority of recent browsers support that now. But beware that users with old browsers will not be able to access all your sites (well actually they will always try to access the first VirtualHost defined in your configuration, which is the default chosen when name virtual hosting does not work).
In your question you say that are are always sent to sub-domain1, which is logical, since it takes the first VirtualHost found, as I just explained above.
answered Sep 29 '17 at 18:39
Nic3500Nic3500
1416
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f876196%2fresolving-multiple-apache-name-based-virtual-host-with-ssl%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
With regular Apache and SSL certificates, you cannot do that. The negotiation of SSL is done before the name virtual hosting. So the basic answer is to get one IP per site.
A couple years ago certificates and browser started supporting SNI to get around that limit. Look up SNI (Server Name Indication). The majority of recent browsers support that now. But beware that users with old browsers will not be able to access all your sites (well actually they will always try to access the first VirtualHost defined in your configuration, which is the default chosen when name virtual hosting does not work).
In your question you say that are are always sent to sub-domain1, which is logical, since it takes the first VirtualHost found, as I just explained above.
answered Sep 29 '17 at 18:39
Nic3500Nic3500
1416
add a comment |
With regular Apache and SSL certificates, you cannot do that. The negotiation of SSL is done before the name virtual hosting. So the basic answer is to get one IP per site.
A couple years ago certificates and browser started supporting SNI to get around that limit. Look up SNI (Server Name Indication). The majority of recent browsers support that now. But beware that users with old browsers will not be able to access all your sites (well actually they will always try to access the first VirtualHost defined in your configuration, which is the default chosen when name virtual hosting does not work).
In your question you say that are are always sent to sub-domain1, which is logical, since it takes the first VirtualHost found, as I just explained above.
answered Sep 29 '17 at 18:39
Nic3500Nic3500
1416
add a comment |
With regular Apache and SSL certificates, you cannot do that. The negotiation of SSL is done before the name virtual hosting. So the basic answer is to get one IP per site.
A couple years ago certificates and browser started supporting SNI to get around that limit. Look up SNI (Server Name Indication). The majority of recent browsers support that now. But beware that users with old browsers will not be able to access all your sites (well actually they will always try to access the first VirtualHost defined in your configuration, which is the default chosen when name virtual hosting does not work).
In your question you say that are are always sent to sub-domain1, which is logical, since it takes the first VirtualHost found, as I just explained above.
answered Sep 29 '17 at 18:39
Nic3500Nic3500
1416
With regular Apache and SSL certificates, you cannot do that. The negotiation of SSL is done before the name virtual hosting. So the basic answer is to get one IP per site.
A couple years ago certificates and browser started supporting SNI to get around that limit. Look up SNI (Server Name Indication). The majority of recent browsers support that now. But beware that users with old browsers will not be able to access all your sites (well actually they will always try to access the first VirtualHost defined in your configuration, which is the default chosen when name virtual hosting does not work).
In your question you say that are are always sent to sub-domain1, which is logical, since it takes the first VirtualHost found, as I just explained above.
answered Sep 29 '17 at 18:39
Nic3500Nic3500
1416
answered Sep 29 '17 at 18:39
Nic3500Nic3500
1416
answered Sep 29 '17 at 18:39
Nic3500Nic3500
1416
answered Sep 29 '17 at 18:39
Nic3500Nic3500
1416
1416
add a comment |
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f876196%2fresolving-multiple-apache-name-based-virtual-host-with-ssl%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
The state machine names
SSLv3 read client helloetc don't indicate the protocol version because the same state machine is used for SSL3 and TLS1.0-1.2; OpenSSL 1.1.0 (belatedly) changes them to the clearerSSLv3/TLS. SSLv3 is now broken (POODLE) and should not be used; most browsers/clients that will connect to you already refuse it, but to be on the safe side, and satisfy auditors etc who just scan, you should reject it also, which up to 2.4.16 needsSSLProtocol all -SSLv3(after that it's the default). You definitely should allow TLSv1.1 and especially 1.2 which is better. ...– dave_thompson_085
Oct 14 '17 at 4:39
... If you're not getting any log records perhaps your browser (or other middleware like an HTTPS-intercepting proxy or filter) is caching; make sure everything is cleared, or try a new browser and/or new device and/or a standalone tool like curl.
– dave_thompson_085
Oct 14 '17 at 4:39