I just purchased an SSL certificate to secure/enable only ONE domain on a server with multiple vhosts. I plan on configuring as shown below (non SNI). In addition, I still want to access phpMyAdmin, securely, via my server's IP address. Will the below configuration work? I have only one shot to get this working in production. Are there any redundant settings?

---apache ssl.conf file---

Listen 443 

SSLCertificateFile /home/web/certs/domain1.public.crt
SSLCertificateKeyFile /home/web/certs/domain1.private.key
SSLCertificateChainFile /home/web/certs/domain1.intermediate.crt

---apache httpd.conf file----
...
# currently exists
DocumentRoot "/var/www/html"
...
# new - is this really needed if "Listen 443" is in ssl.conf???
NameVirtualHost *:443
...
# below vhost currently exists (the domain I wish to enable SSL for)
<VirtualHost *:80>
     ServerAdmin info@domain1.com
     ServerName domain1.com
     ServerAlias 173.XXX.XXX.XXX
     DocumentRoot /home/web/public_html/domain1.com/public
</VirtualHost>

# below vhost currently exists.
<VirtualHost *:80>
  ServerName  domain2.com
  ServerAlias www.domain2.com
  DocumentRoot /home/web/public_html/domain2.com/public
</VirtualHost>

# new - I plan on adding this vhost block to enable ssl for domain1.com!
<VirtualHost *:443>
     ServerAdmin info@domain1.com
     ServerName www.domain1.com
     ServerAlias 173.XXX.XXX.20

     SSLEngine on
     # "SSLProtocol all" would also enable SSLv2/SSLv3; exclude them.
     SSLProtocol all -SSLv2 -SSLv3
     SSLCertificateFile /home/web/certs/domain1.public.crt
     SSLCertificateKeyFile /home/web/certs/domain1.private.key
     # The intermediate belongs in SSLCertificateChainFile (as in ssl.conf above).
     # SSLCACertificateFile is for verifying client certificates and does not
     # send the chain to browsers.
     SSLCertificateChainFile /home/web/certs/domain1.intermediate.crt

     DocumentRoot /home/web/public_html/domain1.com/public
</VirtualHost>

As previously mentioned, I want to be able to access phpmyadmin via "https://173.XXX.XXX.XXX/hiddenfolder/phpmyadmin", which is stored under "/var/www/html/hiddenfolder".


What you are trying to do is SNI. The IP address is in fact a host name in matters of negotiation.

Your configuration will point both domain1.com and https://173.XXX.XXX.20 into the same directory.

You have 4 options:

  1. SNI

  2. Get an additional IP

  3. Create an alias for phpmyadmin under the one SSL cert you have

  4. Just listen on another port for SSL as well and have the IP hostname use that. e.g. https://173.XXX.XXX.20:444

The configuration you have listed would most likely cause you some trouble. Edit your question with what solution you want to run with, or comment on this reply.

    "The IP address is in fact a host name in matters of negotiation" <-- The hostname and IP are both Subjects for the purposes of SSL/TLS Negotiation, an IP is not a hostname. But otherwise completely correct, it is SNI. – Chris S Apr 15 '12 at 02:15
  • What I meant was, that the common name of the cert must match the IP address, if it should validate (when connecting to https://ip). I was just trying to make it easier to understand. – Frands Hansen Apr 15 '12 at 03:14
  • Thanks Frands. In that case, option #4 is the most suitable. I only care to enable SSL for phpMyAdmin but don't care if the certificate matches. However, for domain1.com, the cert should match the domain1.com. What is the specific directives/configuration I should add in the case of #4? – user1322092 Apr 15 '12 at 04:14
  • @FrandsHansen Still wrong, Common Name is one type of Subject available for certificates to use, there are others. I appreciate that the public CAs have dumbed things down and misrepresent the technology, but I'm trying to help. – Chris S Apr 15 '12 at 04:22
  • @ChrisS No it's not wrong, there's just more to it. The IP address must be in the Common Name or listed as a Subject Alternative Name in order for the browser to accept the certificate. You can't just throw the IP address in a random attribute. – Frands Hansen Apr 17 '12 at 08:01
  • You know what, #4 is too convoluted. I'll just go with #2, an additional ip. Question, however. In httpd.conf, for the VirtualHost block for each ip:443, I need to assign SSLCertificateFile and SSLCACertificateFile; however, should I do the same for my ssl.conf file? Or, for ssl.conf, list only the default certificate and private key? Thanks again!!! – user1322092 Apr 18 '12 at 21:52
  • You need to have a Listen ip:443 directive for each of your IP addresses for SSL, and for the virtualhosts you do blablabla including the SSLCaCertificateFile and so on - I hope it makes sense, otherwise comment again and I'll elaborate. – Frands Hansen Apr 18 '12 at 23:57
  • Thanks Frands. Here is what I was leaning towards for a configuration before you commented: http://pastebin.com/dYdH1qx5 So, instead of the "Listen 443" directive in httpd.conf, it should be "Listen :443" and "Listen :443". I would do the same for both IPs but for port 80. – user1322092 Apr 19 '12 at 02:17
  • Seems fine, you only need Listen in one place. I can't actually remember if Listen 443 covers all interfaces, I think it does but check the docs to be sure on that. – Frands Hansen Apr 19 '12 at 09:03
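The answer lists the options but never gives the directives the asker requested for option 4 (a second SSL port for the IP-only phpMyAdmin vhost). The Apache 2.2 configuration below is an added example written for this page; it is not the asker's pastebin config or anything from the original thread. It keeps the purchased domain1.com certificate as the only thing on port 443 (so SNI is not required, since only one name lives on that port) and puts phpMyAdmin on port 444 with its own certificate. The self-signed key pair /home/web/certs/selfsigned.* and the admin network 203.0.113.0/24 are assumptions; the IP 173.XXX.XXX.20 is left elided as in the question. Option 2 (an additional IP) differs only in using `Listen <ip>:443` once per address and `<VirtualHost <ip>:443>` blocks instead of the second port.

```apache
# Added example, not code from the original post. Assumes Apache 2.2 with
# mod_ssl; selfsigned.crt/.key are a hypothetical self-signed pair created
# for the IP-only vhost; 203.0.113.0/24 is a hypothetical admin network.
# Apache does not allow trailing comments on directive lines, so every
# comment here sits on its own line.

# ---------- ssl.conf ----------
# One Listen per port is enough; a bare port binds every interface.
Listen 443
Listen 444

# Server-wide defaults inherited by every SSL vhost.
# "SSLProtocol all" from the question would also permit SSLv2 and SSLv3.
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite HIGH:!aNULL:!MD5

# ---------- httpd.conf ----------
# Needed on 2.2 whenever more than one name-based vhost shares a port;
# harmless with a single vhost (2.4 ignores the directive entirely).
NameVirtualHost *:443

# Plain HTTP for domain1.com: send users to the hostname the certificate
# was issued for, so the name they land on matches the cert subject.
<VirtualHost *:80>
    ServerName domain1.com
    ServerAlias www.domain1.com
    Redirect permanent / https://www.domain1.com/
</VirtualHost>

<VirtualHost *:80>
    ServerName domain2.com
    ServerAlias www.domain2.com
    DocumentRoot /home/web/public_html/domain2.com/public
</VirtualHost>

# The only vhost on :443, so non-SNI clients and SNI clients alike are
# handed the purchased certificate. Do not alias the bare IP here: the IP
# is not a subject of this certificate and would just produce a warning.
<VirtualHost *:443>
    ServerAdmin info@domain1.com
    ServerName www.domain1.com
    ServerAlias domain1.com
    DocumentRoot /home/web/public_html/domain1.com/public

    SSLEngine on
    SSLCertificateFile      /home/web/certs/domain1.public.crt
    SSLCertificateKeyFile   /home/web/certs/domain1.private.key
    # Intermediate CA goes in the chain file. SSLCACertificateFile is for
    # verifying *client* certificates and would not complete the chain.
    SSLCertificateChainFile /home/web/certs/domain1.intermediate.crt
</VirtualHost>

# Option 4: phpMyAdmin reached by IP on a separate port with a separate
# certificate. The browser will warn because the self-signed certificate
# does not name the IP; the asker stated that is acceptable. Because this
# vhost is alone on :444, the domain1.com certificate is never offered
# for the IP and the self-signed one is never offered for domain1.com.
<VirtualHost *:444>
    ServerName 173.XXX.XXX.20
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile    /home/web/certs/selfsigned.crt
    SSLCertificateKeyFile /home/web/certs/selfsigned.key

    # A "hidden" folder name is not access control; restrict the admin
    # tool to the admin's network (2.2 syntax; 2.4 uses "Require ip").
    <Directory /var/www/html/hiddenfolder>
        Order deny,allow
        Deny from all
        Allow from 203.0.113.0/24
    </Directory>
</VirtualHost>
```

After a `apachectl configtest`, confirm which certificate each endpoint serves with `openssl s_client -connect 173.XXX.XXX.20:443 -servername www.domain1.com` and `openssl s_client -connect 173.XXX.XXX.20:444`; the first should show the purchased certificate and its intermediate in the chain, the second only the self-signed one.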