Comments on: Virtual Hosts and Wildcard SSL Certificates with Apache 2.2 http://www.cb1inc.com/2008/09/11/virtual-hosts-and-wildcard-ssl-certificates-with-apache-2-2/ Fri, 13 Jan 2012 14:53:46 +0000 hourly 1 http://wordpress.org/?v=3.1.1 By: Luis Fernando Alen http://www.cb1inc.com/2008/09/11/virtual-hosts-and-wildcard-ssl-certificates-with-apache-2-2/comment-page-1/#comment-6770 Luis Fernando Alen Fri, 13 Jan 2012 12:49:21 +0000 #comment-6770 Are you sure this works? According to the Apache documentation, it is not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts, unless you use Apache 2.2.12 or later web server, built with 0.9.8j or later OpenSSL. Is that the case? http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2 "It is possible, but only if using a 2.2.12 or later web server, built with 0.9.8j or later OpenSSL. This is because it requires a feature that only the most recent revisions of the SSL specification added, called Server Name Indication (SNI). The reason is that the SSL protocol is a separate layer which encapsulates the HTTP protocol. So the SSL session is a separate transaction, that takes place before the HTTP session has begun. The server receives an SSL request on IP address X and port Y (usually 443). Since the SSL request did not contain any Host: field, the server had no way to decide which SSL virtual host to use. Usually, it just used the first one it found which matched the port and IP address specified." Are you sure this works?

According to the Apache documentation, it is not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts, unless you use Apache 2.2.12 or later web server, built with 0.9.8j or later OpenSSL.

Is that the case?

http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2

“It is possible, but only if using a 2.2.12 or later web server, built with 0.9.8j or later OpenSSL. This is because it requires a feature that only the most recent revisions of the SSL specification added, called Server Name Indication (SNI).

The reason is that the SSL protocol is a separate layer which encapsulates the HTTP protocol. So the SSL session is a separate transaction, that takes place before the HTTP session has begun. The server receives an SSL request on IP address X and port Y (usually 443). Since the SSL request did not contain any Host: field, the server had no way to decide which SSL virtual host to use. Usually, it just used the first one it found which matched the port and IP address specified.”

]]> By: Huska http://www.cb1inc.com/2008/09/11/virtual-hosts-and-wildcard-ssl-certificates-with-apache-2-2/comment-page-1/#comment-3581 Huska Mon, 17 Oct 2011 17:50:25 +0000 #comment-3581 This is similar to my setup, however I have a problem. The "HTTPS=on" server environment variable is not set on those simple vhosts. It seems as if you need a full set of SSL* directives on each vhost in order for the env vars to be set. This is similar to my setup, however I have a problem. The “HTTPS=on” server environment variable is not set on those simple vhosts. It seems as if you need a full set of SSL* directives on each vhost in order for the env vars to be set.

]]> By: Multiple subdomains (virtual hosts) using a wildcard cert and single ip | Hosting Fit http://www.cb1inc.com/2008/09/11/virtual-hosts-and-wildcard-ssl-certificates-with-apache-2-2/comment-page-1/#comment-3204 Multiple subdomains (virtual hosts) using a wildcard cert and single ip | Hosting Fit Thu, 08 Sep 2011 21:08:23 +0000 #comment-3204 [...] http://www.cb1inc.com/2008/09/11/vir…ith-apache-2.2 [...] [...] http://www.cb1inc.com/2008/09/11/vir…ith-apache-2.2 [...]

]]> By: Virtual Hosts and Wildcard SSL Certificates with Apache 2.2 | TurboLinux Blog http://www.cb1inc.com/2008/09/11/virtual-hosts-and-wildcard-ssl-certificates-with-apache-2-2/comment-page-1/#comment-2820 Virtual Hosts and Wildcard SSL Certificates with Apache 2.2 | TurboLinux Blog Thu, 04 Aug 2011 12:36:48 +0000 #comment-2820 [...] Here is a good tutorial show you about Virtual Hosts and Wildcard SSL Certificates with Apache 2.2: In order for the certificate to be trusted, you need to obtain the certificate from a trusted certificate authority. Since we are using self-signed certificates, they are not trusted and we will see some warning messages. The data will still be encrypted. [...] [...] Here is a good tutorial show you about Virtual Hosts and Wildcard SSL Certificates with Apache 2.2: In order for the certificate to be trusted, you need to obtain the certificate from a trusted certificate authority. Since we are using self-signed certificates, they are not trusted and we will see some warning messages. The data will still be encrypted. [...]

]]> By: Warwick http://www.cb1inc.com/2008/09/11/virtual-hosts-and-wildcard-ssl-certificates-with-apache-2-2/comment-page-1/#comment-114 Warwick Wed, 30 Nov -0001 00:00:00 +0000 #comment-114 The "export" command was truncated in the post above. Should have been:   export SAN='DNS:[base-domain-name]' Eg,   export SAN='DNS:site-a.com' The “export” command was truncated in the post above. Should have been:
  export SAN=’DNS:[base-domain-name]‘
Eg,
  export SAN=’DNS:site-a.com’

]]> By: Warwick http://www.cb1inc.com/2008/09/11/virtual-hosts-and-wildcard-ssl-certificates-with-apache-2-2/comment-page-1/#comment-115 Warwick Wed, 30 Nov -0001 00:00:00 +0000 #comment-115 If you want browsers to be happy with the certificate when hitting the base domain (site-a.com), you might want to look at signing the certificate with a subjectAlternativeName set to the base domain as well. My openssl.conf has "subjectAltName=${ENV::SAN}" in the [ usr_crt ] section, and I set the environment variable (eg "export SAN='DNS:<alt-domain-name>'") before running the openssl commands to create the certificate. If you want browsers to be happy with the certificate when hitting the base domain (site-a.com), you might want to look at signing the certificate with a subjectAlternativeName set to the base domain as well.

My openssl.conf has “subjectAltName=${ENV::SAN}” in the [ usr_crt ] section, and I set the environment variable (eg “export SAN=’DNS:‘”) before running the openssl commands to create the certificate.

]]> By: Chris Barber http://www.cb1inc.com/2008/09/11/virtual-hosts-and-wildcard-ssl-certificates-with-apache-2-2/comment-page-1/#comment-121 Chris Barber Wed, 30 Nov -0001 00:00:00 +0000 #comment-121 I ran into a similar problem just the other day with redirects. Your config looks good. The problem was browser cache. I had to empty my cache and restart my browser and then the redirects worked. I ran into a similar problem just the other day with redirects. Your config looks good. The problem was browser cache. I had to empty my cache and restart my browser and then the redirects worked.

]]> By: hackbard http://www.cb1inc.com/2008/09/11/virtual-hosts-and-wildcard-ssl-certificates-with-apache-2-2/comment-page-1/#comment-122 hackbard Wed, 30 Nov -0001 00:00:00 +0000 #comment-122 I configured my sites-enabled conf like yours, direkt SSL is working fine, but if I go to www.domain.com or xyz.domain.com I see a bad request (400) and a redirect to https://domain.com regardless what subdomain I used. (so the redirect is not working and www.domain.com didn't work too) only the direkt SSL will work like https://test.domain.com the wildcard certificate works well with the direkt SSL connection, so it have to be the config :hmm: I'm not sure if the fcgi config have to be on every VirtualHost 1 NameVirtualHost 84.200.208.192:80 2 NameVirtualHost 84.200.208.192:443 3 4 <VirtualHost 84.200.208.192:80 84.200.208.192:443> 5 ServerName suretodie.de 6 ServerAlias www.suretodie.de 7 ServerAdmin admin@suretodie.de 8 DocumentRoot /var/www/web1/web/ 9 10 <IfModule mod_fcgid.c> 11 SuexecUserGroup web1 web1 12 PHP_Fix_Pathinfo_Enable 1 13 <Directory /var/www/web1/web/> 14 Options +ExecCGI 15 AllowOverride All 16 AddHandler fcgid-script .php 17 FCGIWrapper /var/www/php-fcgi-scripts/web1/php-fcgi-starter .php 18 Order allow,deny 19 Allow from all 20 </Directory> 21 </IfModule> 22 23 # ErrorLog /var/log/apache2/error.log 24 # CustomLog /var/log/apache2/access.log combined 25 ServerSignature Off 26 27 SSLEngine On 28 SSLCertificateFile /etc/apache2/ssl/suretodie.crt 29 SSLCertificateKeyFile /etc/apache2/ssl/suretodie.key 30 31 </VirtualHost> 32 33 #Redirects 34 # Not SSL, redirect to https://qmail.suretodie.de 35 <VirtualHost 84.200.208.192:80> 36 ServerName qmail.suretodie.de 37 Redirect / https://qmail.suretodie.de/ 38 </VirtualHost> 39 40 <VirtualHost 84.200.208.192:80> 41 ServerName webmail.suretodie.de 42 Redirect / https://webmail.suretodie.de/ 43 </VirtualHost> 44 45 46 <VirtualHost 84.200.208.192:443> 47 ServerName qmail.suretodie.de 48 ServerAdmin admin@suretodie.de 49 DocumentRoot /var/www/web1/qmailad/ 50 51 <IfModule mod_fcgid.c> 52 SuexecUserGroup web1 web1 53 PHP_Fix_Pathinfo_Enable 1 54 <Directory /var/www/web1/qmailad/> 55 Options +ExecCGI 56 AllowOverride All 57 AddHandler fcgid-script .php 58 FCGIWrapper /var/www/php-fcgi-scripts/web1/php-fcgi-starter .php 59 Order allow,deny 60 Allow from all 61 </Directory> 62 </IfModule> 63 64 # ErrorLog /var/log/apache2/error.log 65 # CustomLog /var/log/apache2/access.log combined 66 ServerSignature Off 67 </VirtualHost> 68 69 <VirtualHost 84.200.208.192:443> 70 ServerName webmail.suretodie.de 71 ServerAdmin admin@suretodie.de 72 DocumentRoot /var/www/web1/webmail/ 73 74 <IfModule mod_fcgid.c> 75 SuexecUserGroup web1 web1 76 PHP_Fix_Pathinfo_Enable 1 77 <Directory /var/www/web1/webmail/> 78 Options +ExecCGI 79 AllowOverride All 80 AddHandler fcgid-script .php 81 FCGIWrapper /var/www/php-fcgi-scripts/web1/php-fcgi-starter .php 82 Order allow,deny 83 Allow from all 84 </Directory> 85 </IfModule> 86 87 # ErrorLog /var/log/apache2/error.log 88 # CustomLog /var/log/apache2/access.log combined 89 ServerSignature Off 90 </VirtualHost> I configured my sites-enabled conf like yours, direkt SSL is working fine, but if I go to http://www.domain.com or xyz.domain.com I see a bad request (400) and a redirect to https://domain.com regardless what subdomain I used. (so the redirect is not working and http://www.domain.com didn’t work too) only the direkt SSL will work like https://test.domain.com the wildcard certificate works well with the direkt SSL connection, so it have to be the config :hmm: I’m not sure if the fcgi config have to be on every VirtualHost

1 NameVirtualHost 84.200.208.192:80
2 NameVirtualHost 84.200.208.192:443
3
4
5 ServerName suretodie.de
6 ServerAlias http://www.suretodie.de
7 ServerAdmin admin@suretodie.de
8 DocumentRoot /var/www/web1/web/
9
10
11 SuexecUserGroup web1 web1
12 PHP_Fix_Pathinfo_Enable 1
13
14 Options +ExecCGI
15 AllowOverride All
16 AddHandler fcgid-script .php
17 FCGIWrapper /var/www/php-fcgi-scripts/web1/php-fcgi-starter .php
18 Order allow,deny
19 Allow from all
20
21
22
23 # ErrorLog /var/log/apache2/error.log
24 # CustomLog /var/log/apache2/access.log combined
25 ServerSignature Off
26
27 SSLEngine On
28 SSLCertificateFile /etc/apache2/ssl/suretodie.crt
29 SSLCertificateKeyFile /etc/apache2/ssl/suretodie.key
30
31
32
33 #Redirects
34 # Not SSL, redirect to https://qmail.suretodie.de
35
36 ServerName qmail.suretodie.de
37 Redirect / https://qmail.suretodie.de/
38
39
40
41 ServerName webmail.suretodie.de
42 Redirect / https://webmail.suretodie.de/
43
44
45
46
47 ServerName qmail.suretodie.de
48 ServerAdmin admin@suretodie.de
49 DocumentRoot /var/www/web1/qmailad/
50
51
52 SuexecUserGroup web1 web1
53 PHP_Fix_Pathinfo_Enable 1
54
55 Options +ExecCGI
56 AllowOverride All
57 AddHandler fcgid-script .php
58 FCGIWrapper /var/www/php-fcgi-scripts/web1/php-fcgi-starter .php
59 Order allow,deny
60 Allow from all
61
62
63
64 # ErrorLog /var/log/apache2/error.log
65 # CustomLog /var/log/apache2/access.log combined
66 ServerSignature Off
67
68
69
70 ServerName webmail.suretodie.de
71 ServerAdmin admin@suretodie.de
72 DocumentRoot /var/www/web1/webmail/
73
74
75 SuexecUserGroup web1 web1
76 PHP_Fix_Pathinfo_Enable 1
77
78 Options +ExecCGI
79 AllowOverride All
80 AddHandler fcgid-script .php
81 FCGIWrapper /var/www/php-fcgi-scripts/web1/php-fcgi-starter .php
82 Order allow,deny
83 Allow from all
84
85
86
87 # ErrorLog /var/log/apache2/error.log
88 # CustomLog /var/log/apache2/access.log combined
89 ServerSignature Off
90

]]> By: hackbard http://www.cb1inc.com/2008/09/11/virtual-hosts-and-wildcard-ssl-certificates-with-apache-2-2/comment-page-1/#comment-131 hackbard Wed, 30 Nov -0001 00:00:00 +0000 #comment-131 sry for that copy crap, here is a better pastebin http://pastebin.com/m5a3d5201 you can delete my other post "I configured my sites-enabled conf like yours, direkt SSL is working fine, but if I go to www.domain.com or xyz.domain.com I see a bad request (400) and a redirect to https://domain.com regardless what subdomain I used. (so the redirect is not working and www.domain.com didn't work too) only the direkt SSL will work like https://test.domain.com the wildcard certificate works well with the direkt SSL connection, so it have to be the config :hmm: I'm not sure if the fcgi config have to be on every VirtualHost" greets hackbard sry for that copy crap, here is a better pastebin
http://pastebin.com/m5a3d5201
you can delete my other post

“I configured my sites-enabled conf like yours, direkt SSL is working fine, but if I go to http://www.domain.com or xyz.domain.com I see a bad request (400) and a redirect to https://domain.com regardless what subdomain I used. (so the redirect is not working and http://www.domain.com didn’t work too) only the direkt SSL will work like https://test.domain.com the wildcard certificate works well with the direkt SSL connection, so it have to be the config :hmm: I’m not sure if the fcgi config have to be on every VirtualHost”

greets hackbard

]]> By: hackbard http://www.cb1inc.com/2008/09/11/virtual-hosts-and-wildcard-ssl-certificates-with-apache-2-2/comment-page-1/#comment-132 hackbard Wed, 30 Nov -0001 00:00:00 +0000 #comment-132 Hi Chris! I checked it with deleted cache in IE and Firefox, the same as before. With the IE nothing is shown, no error, no redirect, no index :hmm: In firefox the same as belwo shows up. I don't get whats wrong :hmm: my second domain shows the same error in FF, "go to https://suretodie.de" :hmm:² Hi Chris!

I checked it with deleted cache in IE and Firefox, the same as before. With the IE nothing is shown, no error, no redirect, no index :hmm:
In firefox the same as belwo shows up.

I don’t get whats wrong :hmm:

my second domain shows the same error in FF, “go to https://suretodie.de

:hmm:²

]]>