
This configuration works OK, but it asks for a certificate on all subdomains.

<VirtualHost IP:443>
    ServerName *.domain.tld
    ServerAlias www.*.domain.tld
    VirtualDocumentRoot /home/domaintld/subdomains/%1
    ServerAdmin webmaster@*.domain.tld

    UseCanonicalName off
    UserDir public_html

    SSLEngine on
    # Client certificate is requested at vhost level, i.e. for every subdomain
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCertificateFile /path/to/cert.crt
    SSLCACertificateFile /path/to/CAcert.crt
    SSLCertificateKeyFile /path/to/key.key

    # Note: mod_vhost_alias %N substitution is not applied inside <Directory>,
    # so this path is taken literally
    <Directory "/home/domaintld/subdomains/%1">
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "Company" and %{SSL_CLIENT_S_DN_OU} in {"Department"}
    </Directory>

    CustomLog /usr/local/apache/domlogs/domain.tld-ssl_log combined
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

</VirtualHost>

But I want to make it ask for one only on a single subdomain, say "theone.domain.tld".

I tried:

#...
    SSLEngine on
    SSLCertificateFile /path/to/cert.crt
    SSLCACertificateFile /path/to/CAcert.crt
    SSLCertificateKeyFile /path/to/key.key

    # Client certificate is now requested only for this directory
    <Directory "/home/domaintld/subdomains/theone">
        SSLVerifyClient require
        SSLVerifyDepth 1
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "Company" and %{SSL_CLIENT_S_DN_OU} in {"Department"}
    </Directory>
#...

Also with the <Directory ..> outside <VirtualHost ..>

I even added SSLCACertificateFile within <Directory ..>.

I get the other subdomains working through HTTPS, but "theone" gives Error 107 (net::ERR_SSL_PROTOCOL_ERROR).

I have to mention that the whole VirtualHost and Directory are/were within <IfDefine SSL></IfDefine>

Any suggestions?

Thanks.

Andi T
  • I suspect wildcard certs do not work with the "www" scheme you applied. It should be name.domain.tld rather than www.name.domain.tld for each site belonging to the cert. If not, then you need to buy a combined cert pack that supports 5 site names in one cert rather than use a wildcard. That's my guess anyway. – djangofan Aug 02 '10 at 16:03
  • Yes, true. But that's not what I need; it works fine without www for all. My issue is with the client certificates, those required by the user to access the website. – Andi T Aug 02 '10 at 16:09

1 Answer


SSL negotiation is completed before the HTTP header that includes the criteria to select the proper virtual host is transmitted. This means you cannot use any unique SSL options per virtual host. The only option I am aware of would be to get another IP address and set up an IP-based virtual host for the sites you require certificate authentication on.

http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts

Zoredache
  • I guess the wildcard certificates don't help on this issue, so the only way to do it was with a different IP for that particular subdomain. – Andi T Aug 03 '10 at 12:00
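As an added illustration of the answer's suggestion (this is not configuration from the original post or the answer), here is how the two hosts could be split across IP-based virtual hosts. Because the client-certificate request happens during the TLS handshake, before Apache sees the Host header, the only thing that can select a different set of SSL options is the IP:port the connection arrived on. The addresses 192.0.2.10 and 192.0.2.11, the paths and the DN values are placeholders; the `<IfDefine SSL>` wrapper mirrors the question's setup.

```apache
# Added example, not from the original post. IPs, paths and DN values are placeholders.
Listen 192.0.2.10:443
Listen 192.0.2.11:443

<IfDefine SSL>

# Wildcard host on the first IP: plain HTTPS, no client certificate requested.
<VirtualHost 192.0.2.10:443>
    ServerName *.domain.tld
    VirtualDocumentRoot /home/domaintld/subdomains/%1
    UseCanonicalName off

    SSLEngine on
    SSLCertificateFile    /path/to/cert.crt
    SSLCertificateKeyFile /path/to/key.key
    # Deliberately no SSLVerifyClient here, so the handshake never asks for a cert.
</VirtualHost>

# Dedicated host on the second IP: client certificate required.
# These SSL settings are chosen by the destination IP of the connection,
# so they can differ from the wildcard host above.
<VirtualHost 192.0.2.11:443>
    ServerName theone.domain.tld
    DocumentRoot /home/domaintld/subdomains/theone

    SSLEngine on
    SSLCertificateFile    /path/to/cert.crt
    SSLCertificateKeyFile /path/to/key.key
    SSLCACertificateFile  /path/to/CAcert.crt
    SSLVerifyClient require
    SSLVerifyDepth 1

    <Directory "/home/domaintld/subdomains/theone">
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "Company" and %{SSL_CLIENT_S_DN_OU} in {"Department"}
    </Directory>
</VirtualHost>

</IfDefine>
```

For this to work, the DNS A record for theone.domain.tld must point at the second address; otherwise the wildcard record sends the browser to the first IP and it is served without a client certificate, since the vhost is selected by IP and not by name. A quick check from a shell is `openssl s_client -connect 192.0.2.11:443`, which should print "Acceptable client certificate CA names" listing the CA from CAcert.crt, while the same command against 192.0.2.10 should not.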