4

I have recently created an SSL cert on my server: a *.key and a *.csr file.

I then created the *.crt and the *.ca-bundle with Comodo.

I have 2 current vhosts:

vhost for - http://www.example.com

```apache
NameVirtualHost *:80
<VirtualHost *:80>
    ServerAdmin user@example.com
    DocumentRoot "/home/example/public_html/example.com/httpdocs"
    ServerName example.com
    ServerAlias www.example.com
</VirtualHost>
```

vhost for https://www.example.com

```apache
NameVirtualHost *:443
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/example_com.crt
    SSLCertificateKeyFile /etc/ssl/certs/server.key
    <Directory /home/example/public_html/example.com/httpdocs>
        AllowOverride All
    </Directory>
    DocumentRoot /home/example/public_html/example.com/httpdocs
    ServerName example.com
</VirtualHost>
```

The problem is, when I go to https://www.example.com I get a 404.

I'm not sure if the vhost(s) is correct or why I get a 404. Has anyone ever seen this before?

I have enabled mod_ssl and restarted Apache.

Many Thanks

terrid25

3 Answers

1

Without special tricks, HTTPS does not support NameVirtualHosts; remove `NameVirtualHost *:443` from the config.

That said, the ServerName does not match the certificate CN - change it to www.example.com.

Restart apache.

adaptr
  • the `www.example.com` is this in the SSL vhost? I'm pretty sure the SSL was generated by Comodo for `example.com` rather than `www.example.com` – terrid25 Mar 01 '12 at 12:37
  • You haven't shown us what the certificate is for. I am going off the statement that the SSL vhost was for www.example.com - which is incorrect, the ServerName states example.com. – adaptr Mar 01 '12 at 12:44
  • I have a site on http://www.example.com. I have an ecommerce store running on www.example.com/shop. I'd like the SSL cert to cover the shop in terms of login (https://www.example.com/shop/account/login). This currently works with http:// but gives a 404 on the https:// version – terrid25 Mar 01 '12 at 14:43
  • Either the certificate must cover both hostnames, using a wildcard or SAN, or the resulting visits will pop up the browser warning about mixing secure and insecure data. – adaptr Mar 01 '12 at 14:53
1

The default SSL vhost in ssl.conf is doing two things:

  1. It gets to choose which certificate is presented to clients that don't support SNI.
  2. It gets all requests that don't match the ServerName or ServerAlias on another name-based vhost.

Simply removing the NameVirtualHost command won't help, as the vhost in ssl.conf will then get every request to port 443. Instead, disable that vhost completely; you don't want or need it.

And you'll still have a certificate mismatch to deal with; your cert needs to cover the hostname that your clients are using.

Shane Madden
  • Ok so my understanding is this: 1) Remove the `NameVirtualHost` from the sslvhost 2) Comment out the `` in `ssl.conf` 3) Add the `www.example.com` `ServerAlias` to the sslvhost. Is this correct? – terrid25 Mar 02 '12 at 09:04
  • Only step 2 is actually needed to get it working - but do the other two as well, to make your config easier to understand and maintain. Also, verify that no other vhosts are trying to take port 443; `apache2ctl -S`. – Shane Madden Mar 02 '12 at 15:58
  • Ok. Step 1) done. Step 2) Do I comment out the whole VirtualHost and its content? Step 3) Done – terrid25 Mar 04 '12 at 13:44
  • Yes - either comment every line or just remove it completely. – Shane Madden Mar 04 '12 at 18:58
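
A simplified model of the vhost selection and certificate coverage described in Shane Madden's answer above, added here as an example; it is not code from the thread or from Apache. It assumes the client sends SNI matching its Host header, and the `VHost` class, the labels and the `localhost` names for the `ssl.conf` vhost are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VHost:
    label: str              # where the block is defined (constructed label)
    server_name: str
    aliases: tuple = ()
    cert_names: tuple = ()  # CN / subjectAltName DNS entries of its certificate


def select_vhost(vhosts, host):
    """Pick the vhost for a requested name among vhosts sharing one IP:port.

    vhosts is in configuration load order; when no ServerName or
    ServerAlias matches, the first one listed acts as the default.
    """
    host = host.lower().rstrip(".")
    for vh in vhosts:
        if host in (n.lower() for n in (vh.server_name, *vh.aliases)):
            return vh
    return vhosts[0]


def cert_covers(cert_names, host):
    """True if a certificate name matches host; '*' covers one left-most label."""
    host = host.lower().rstrip(".")
    first, _, rest = host.partition(".")
    for name in (n.lower() for n in cert_names):
        if name == host:
            return True
        if name.startswith("*.") and first and rest == name[2:]:
            return True
    return False


def diagnose(vhosts, host):
    """Return (label of the vhost that answers, whether its certificate covers host)."""
    vh = select_vhost(vhosts, host)
    return vh.label, cert_covers(vh.cert_names, host)


# Constructed sample data modelled on the question; the ssl.conf names are placeholders.
DEFAULT = VHost("ssl.conf default", "localhost", cert_names=("localhost",))
SHOP = VHost("example.com vhost", "example.com", cert_names=("example.com",))
SHOP_SAN = VHost("example.com vhost", "example.com", ("www.example.com",),
                 ("example.com", "www.example.com"))

if __name__ == "__main__":
    for cfg in ([DEFAULT, SHOP], [SHOP], [SHOP_SAN]):
        print(diagnose(cfg, "www.example.com"))
```

With the default vhost still loaded first, `www.example.com` is answered by it rather than by the shop vhost; once it is disabled the shop vhost answers, but the name mismatch remains until the certificate lists `www.example.com`.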
-1

Add ServerAlias www.example.com to the SSL enabled vhost.

fim
  • That won't make a bit of difference, as SSL cannot choose a vhost before making a secure connection. Classic chicken-and-egg. Your solution only works if he has no other 443 vhosts, or this vhost is always the first one listed. Just Say No. – adaptr Mar 01 '12 at 11:31
  • There is only one 443 vhost on the server. – terrid25 Mar 01 '12 at 12:29
  • You're partly right but the question was how to solve the 404. Even if there are multiple SSL vhosts (which we don't know for sure in this case) this would only throw an SSL warning to the browser about mismatching certificate/domain, it wouldn't throw a 404. – fim Mar 01 '12 at 12:32
  • There is a default vhost in the `ssl.conf` file. I haven't touched that. I'll remove the NameVirtualHost and restart – terrid25 Mar 01 '12 at 12:41
  • @fim pedantically, he hasn't asked for anything ;) The SSL mismatch is going to cause more issues going forward if he doesn't understand how it interacts. – adaptr Mar 01 '12 at 12:43