
I operate a server hosting multiple virtualhosts with apache2.4.

A newly hosted domain (https://www.yachtenwelt.de) is correctly using the respective TLS certificate. In addition, I have to ensure that the user gets redirected to exactly this domain with any given combination, so I have to cover:

  1. http://yachtenwelt.de
  2. http://www.yachtenwelt.de
  3. https://yachtenwelt.de

The redirects from the non-https versions 1 & 2 work. But when I use #3, I get a certificate warning that there is a name mismatch in the TLS certificate, the reason being that the browser is presented with the TLS certificate for another vhost running on my server (https://www.4-happy-paws.de). You can check this e.g. via https://www.ssllabs.com/ssltest/analyze.html?d=yachtenwelt.de&hideResults=on

Strangely enough, if I proceed anyway, my browser (Chrome) afterwards says that the TLS certificate is the correct one issued for the two domains yachtenwelt.de as well as www.yachtenwelt.de.

vhost config file for yachtenwelt:

<VirtualHost *:80>
ServerName yachtenwelt.de
ServerAlias www.yachtenwelt.de
Redirect / https://www.yachtenwelt.de/
</VirtualHost>

<VirtualHost *:443>
ServerName yachtenwelt.de
Redirect / https://www.yachtenwelt.de/
</VirtualHost>

<VirtualHost *:443>
ServerName www.yachtenwelt.de
DocumentRoot /var/www/vhosts/yachtenwelt.de/html
<Directory "/var/www/vhosts/yachtenwelt.de/html">
    Options +FollowSymLinks
    AllowOverride All
</Directory>
ServerAdmin webmaster@hopf-its.de
ErrorLog /var/www/vhosts/yachtenwelt.de/log/apache2/error.log
LogLevel emerg
TransferLog /var/www/vhosts/yachtenwelt.de/log/apache2/access.log
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/yachtenwelt.de/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yachtenwelt.de/privkey.pem
</VirtualHost>

vhost config file for 4-happy-paws:

<VirtualHost *:80>
ServerName www.4-happy-paws.de
ServerAlias 4-happy-paws.de
Redirect / https://www.4-happy-paws.de/
</VirtualHost>

<VirtualHost *:443>
DocumentRoot /var/www/vhosts/4-happy-paws.de/html
ServerName www.4-happy-paws.de
ServerAlias 4-happy-paws.de
Alias /.well-known/acme-challenge/ /var/www/vhosts/4-happy-paws.de/html/.well-known/acme-challenge/
<Directory "/var/www/vhosts/4-happy-paws.de/html">
    Options +FollowSymLinks
    AllowOverride All
</Directory>
<Directory "/var/www/vhosts/4-happy-paws.de/html/.well-known/acme-challenge/">
    Options +FollowSymLinks
    AllowOverride All
</Directory>
ServerAdmin webmaster@hopf-its.de
ErrorLog /var/www/vhosts/4-happy-paws.de/log/apache2/error.log
LogLevel emerg
TransferLog /var/www/vhosts/4-happy-paws.de/log/apache2/access.log
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/www.4-happy-paws.de/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.4-happy-paws.de/privkey.pem
</VirtualHost>

apache2ctl -S: I cropped the output, removing the other domains I'm hosting

VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server www.4-happy-paws.de (/etc/apache2/sites-enabled/4-happy-paws.de.conf:7)
         port 443 namevhost www.4-happy-paws.de (/etc/apache2/sites-enabled/4-happy-paws.de.conf:7)
                 alias 4-happy-paws.de
         port 443 namevhost yachtenwelt.de (/etc/apache2/sites-enabled/yachtenwelt.de.conf:7)
         port 443 namevhost www.yachtenwelt.de (/etc/apache2/sites-enabled/yachtenwelt.de.conf:12)
*:80                   is a NameVirtualHost
         default server www.4-happy-paws.de (/etc/apache2/sites-enabled/4-happy-paws.de.conf:1)
         port 80 namevhost www.4-happy-paws.de (/etc/apache2/sites-enabled/4-happy-paws.de.conf:1)
                 alias 4-happy-paws.de
         port 80 namevhost yachtenwelt.de (/etc/apache2/sites-enabled/yachtenwelt.de.conf:1)
                 alias www.yachtenwelt.de
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

apache2ctl -t:

Syntax OK
DHopf

1 Answer


Unfortunately you can't redirect the client without having a valid certificate, as the TLS handshake happens before the redirect.

Since it seems you are using Let's Encrypt, the best solution would be to get a certificate with both names. If you are using certbot you can just add the -d domain flag multiple times.

certbot -d yachtenwelt.de -d www.yachtenwelt.de [...]

Afterwards make sure to include the certificate in both VirtualHost directives.

<VirtualHost *:443>
ServerName yachtenwelt.de
Redirect / https://www.yachtenwelt.de/
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/yachtenwelt.de/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yachtenwelt.de/privkey.pem
</VirtualHost>
Ben
  • I **do** have a valid certificate which is issued exactly as you suggest to both `yachtenwelt.de` as well as `www.yachtenwelt.de`. The only case where it doesn't work is with `https://yachtenwelt.de` where - for whatever reason - I'm presented with the certificate for a different vhost - `www.4-happy-paws.de`. Extending your thought though could be a workaround: issue a certificate including all relevant domains: `certbot -d yachtenwelt.de -d www.yachtenwelt.de -d www.4-happy-paws.de [...]`, however since these are different customers I'd prefer to keep the certificates separate as well. – DHopf Oct 11 '20 at 18:03
  • I think I got the issue, I updated the answer – Ben Oct 12 '20 at 11:16
  • Thank you so much Ben! The problem is solved now! Apparently (just guessing) apache needs the SSL certificates when inside an SSL-enabled vhost and because I didn't specify any SSL certificates in this specific vhost block it took them from the default :443 vhost, which in my case is `www.4-happy-paws.de`. – DHopf Oct 12 '20 at 12:44
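A quick way to catch this class of misconfiguration before a visitor does, as an added example that is not part of the original question or answer: connect to each hostname of the redirect chain with that hostname as the TLS SNI name, pull the leaf certificate the server actually presents, and check whether its subjectAltName entries cover the name. In the setup above this flags https://yachtenwelt.de, which was served the www.4-happy-paws.de certificate (the "default server" on *:443 in the apache2ctl -S output), while the port-80 redirects never involve a certificate at all. The script is my own; it assumes the openssl command-line tool is installed, and the port default, the function names and the sample hostnames in the usage line are my choices.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# For every hostname a visitor might type, open a TLS connection with that
# hostname as SNI and verify that the presented certificate's subjectAltName
# covers it. Assumes the openssl CLI; the port default is an assumption.

set -f   # no pathname globbing: SAN lists may contain "*.example.com"

# san_dns_names: read a PEM certificate on stdin, print its subjectAltName
# DNS entries one per line (without the "DNS:" prefix).
san_dns_names() {
    openssl x509 -noout -text 2>/dev/null \
      | grep -A1 'Subject Alternative Name' \
      | tail -n 1 \
      | tr ',' '\n' \
      | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# cert_covers_host HOST NAME...: exit 0 if HOST matches one of NAME...
# Matching follows the RFC 6125 rules browsers apply: case-insensitive
# exact match, or a wildcard in the left-most label only, so *.example.com
# covers a.example.com but neither a.b.example.com nor example.com.
cert_covers_host() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    shift
    for name in "$@"; do
        name=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        case $name in
            \*.*)
                suffix=${name#\*.}
                first=${host%%.*}
                [ -n "$first" ] && [ "$host" = "$first.$suffix" ] && return 0
                ;;
            *)
                [ "$host" = "$name" ] && return 0
                ;;
        esac
    done
    return 1
}

# probe_host HOST [PORT]: TLS-connect with SNI=HOST, extract the leaf
# certificate and report whether its SANs cover HOST. Needs network access.
# An empty SAN list (handshake failed, no certificate) counts as a mismatch.
probe_host() {
    h=$1
    p=${2:-443}
    names=$(openssl s_client -servername "$h" -connect "$h:$p" </dev/null 2>/dev/null \
              | openssl x509 2>/dev/null \
              | san_dns_names)
    if cert_covers_host "$h" $names; then
        printf 'OK       %s -> %s\n' "$h" "$(printf '%s ' $names)"
        return 0
    fi
    printf 'MISMATCH %s -> %s\n' "$h" "$(printf '%s ' $names)"
    return 1
}

# check_site HOST...: probe each name; non-zero exit if any of them fails.
check_site() {
    rc=0
    for site in "$@"; do
        probe_host "$site" || rc=1
    done
    return $rc
}

# Usage: sh tls-sni-check.sh yachtenwelt.de www.yachtenwelt.de
if [ $# -gt 0 ]; then
    check_site "$@"
fi
```

Run it against every name that redirects into the site, not only the final one: the browser validates the certificate for the name it typed, before any Redirect in the vhost is ever reached, so a name that only exists to redirect still needs a certificate that lists it.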