I changed my Apache setup to worker mode, suexec and fcgid as described in this tutorial: https://wiki.hetzner.de/index.php/Apache_PHP5_fcgi_und_SuExec.

Almost everything works fine. I wrote a script that sets up everything for me and also creates the certificates and the vHost config with SSL.

You can see a typical file below. When I access the server on port 80, everything works fine. When I access it over https, it uses the right certs from pad.dblx.io but shows the content of the default vHost (dblx.io) instead.

I've been searching for errors for hours now but can't find a misconfiguration.

Can you help me?

cat /etc/apache2/sites-available/pad.dblx.io

<VirtualHost *:80>
    ServerAdmin xxx
    ServerName pad.dblx.io
    ServerAlias pad.dblx.io *.pad.dblx.io

    SuexecUserGroup xxx xxx
    AddHandler fcgid-script .php
    DocumentRoot "/var/www/pad.dblx.io/www"
    DirectoryIndex index.htm index.html index.php

    <Directory />
        Options FollowSymLinks
        AllowOverride All
    </Directory>
    <Directory "/var/www/pad.dblx.io/www">
        Options Indexes MultiViews FollowSymLinks +ExecCGI
        FCGIWrapper /var/www/pad.dblx.io/php-fcgi/php-fcgi-starter .php
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>

    LogLevel warn
    ErrorLog  /var/www/pad.dblx.io/logs/error.log
    CustomLog /var/www/pad.dblx.io/logs/access.log combined
    ServerSignature On
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin xxx
    ServerName pad.dblx.io
    ServerAlias pad.dblx.io *.pad.dblx.io

    SuexecUserGroup xxx xxx
    AddHandler fcgid-script .php
    DocumentRoot "/var/www/pad.dblx.io/www"
    DirectoryIndex index.htm index.html index.php

    <Directory />
        Options FollowSymLinks
        AllowOverride All
    </Directory>
    <Directory "/var/www/pad.dblx.io/www">
        Options Indexes MultiViews FollowSymLinks +ExecCGI
        FCGIWrapper /var/www/pad.dblx.io/php-fcgi/php-fcgi-starter .php
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>

    SSLEngine On
    SSLCertificateFile /var/www/pad.dblx.io/certs/pad.dblx.io.crt
    SSLCertificateKeyFile /var/www/pad.dblx.io/certs/pad.dblx.io.key

    LogLevel warn
    ErrorLog  /var/www/pad.dblx.io/logs/error.log
    CustomLog /var/www/pad.dblx.io/logs/access.log combined
    ServerSignature off
</VirtualHost>

cat /etc/apache2/sites-available/default

<VirtualHost _default_:80>
    ServerAdmin xxx
    ServerName dblx.io
    ServerAlias dblx.io v220110896656016.yourvserver.net

    SuexecUserGroup xxx xxx
    AddHandler fcgid-script .php
    DocumentRoot "/var/www/dblx.io/www"
    DirectoryIndex index.htm index.html index.php

    <Directory />
        Options FollowSymLinks
        AllowOverride All
    </Directory>
    <Directory "/var/www/dblx.io/www">
        Options Indexes MultiViews FollowSymLinks +ExecCGI
        FCGIWrapper /var/www/dblx.io/php-fcgi/php-fcgi-starter .php
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>

    LogLevel warn
    ErrorLog  /var/www/dblx.io/logs/error.log
    CustomLog /var/www/dblx.io/logs/access.log combined
    ServerSignature On
</VirtualHost>

<VirtualHost _default_:443>
    ServerAdmin xxx
    ServerName dblx.io
    ServerAlias dblx.io *.dblx.io

    SuexecUserGroup xxx xxx
    AddHandler fcgid-script .php
    DocumentRoot "/var/www/dblx.io/www"
    DirectoryIndex index.htm index.html index.php

    <Directory />
        Options FollowSymLinks
        AllowOverride All
    </Directory>
    <Directory "/var/www/dblx.io/www">
        Options Indexes MultiViews FollowSymLinks +ExecCGI
        FCGIWrapper /var/www/dblx.io/php-fcgi/php-fcgi-starter .php
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>

    SSLEngine On
    SSLCertificateFile /var/www/dblx.io/certs/dblx.io.crt
    SSLCertificateKeyFile /var/www/dblx.io/certs/dblx.io.key

    LogLevel warn
    ErrorLog  /var/www/dblx.io/logs/error.log
    CustomLog /var/www/dblx.io/logs/access.log combined
    ServerSignature On
</VirtualHost>

cat /etc/apache2/ports.conf

NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    NameVirtualHost *:443
    Listen 443
    SSLStrictSNIVHostCheck off
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>
chris

2 Answers

Your configuration specifies two vhost configurations for port 443 of all IPs Apache is listening to.

Without TLS SNI, you cannot have more than one vhost that matches a NameVirtualHost directive and expect it to work.

If your setup does not support TLS Server Name Indication, then you are effectively limited to one TLS certificate per IP.

You will have to decide on which site you want to serve over HTTPS, get a certificate that covers both and enable TLS SNI, or get more IPs so each site can have its own.

In any case, you might also be better off specifying the IP & port explicitly like this, if you're going the "add more IPs" route:

<VirtualHost aaa.bbb.ccc.ddd:443>
...
</VirtualHost>

If you plan on going the SNI route, this Apache wiki page could be worth taking a look at.

Gnarfoz
  • I've defined the NameVirtualHost in my ports.conf (it's in the post now). When I specify the IP/port I can't use SNI I think, and therefore only use one cert. Am I wrong? – chris Jul 23 '12 at 10:14
  • In retrospect, I think that suggestion only makes sense, if you have more than 1 IP. If you want to use SNI and use 1 IP, then having either NameVirtualHost wildcard:port + would be just as good. I've also added a link to a SNI info page. – Gnarfoz Jul 23 '12 at 10:19
  • I had SNI working for about a year. It broke when I switched to suexec etc. yesterday. Strange is that it works for all other domains on the same server. It just breaks at subdomains of dblx.io. Any ideas where I can search for errors? – chris Jul 23 '12 at 11:02
I found the answer.

I created a vHost for dblx.io with my script and copied it to /etc/apache2/sites-available/default.

I forgot to delete the wildcard *.dblx.io as ServerAlias in the SSL part. It seems that this led to the errors. I changed it and it works now :)

Thanks for your help.

chris
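To show why the stray wildcard alias picked the wrong site, here is an added example (not from the post or from Apache) that replays Apache's name-based vhost selection over the two :443 vhosts from the question. It assumes the `default` file is loaded before `pad.dblx.io`, as Debian's alphabetical sites-enabled order would do, and keeps only the directives that take part in the match; `parse_vhosts` and `select_vhost` are hypothetical helper names.

```python
import fnmatch
import re

# Constructed from the two :443 vhosts in the post, in assumed load order
# ("default" before "pad.dblx.io"); unrelated directives are omitted.
BROKEN_CONFIG = """
<VirtualHost _default_:443>
    ServerName dblx.io
    ServerAlias dblx.io *.dblx.io
    DocumentRoot "/var/www/dblx.io/www"
</VirtualHost>
<VirtualHost *:443>
    ServerName pad.dblx.io
    ServerAlias pad.dblx.io *.pad.dblx.io
    DocumentRoot "/var/www/pad.dblx.io/www"
</VirtualHost>
"""
# The fix from the accepted answer: drop the wildcard alias from the default vhost.
FIXED_CONFIG = BROKEN_CONFIG.replace(" *.dblx.io", "")


def parse_vhosts(text):
    """Return [(patterns, docroot), ...] in file order.
    patterns is a list of (value, is_alias); only ServerAlias may carry wildcards."""
    hosts = []
    for body in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", text, re.S):
        patterns, root = [], None
        for line in body.splitlines():
            parts = line.split()
            if not parts:
                continue
            key = parts[0].lower()
            if key == "servername":
                patterns.append((parts[1], False))
            elif key == "serveralias":
                patterns += [(p, True) for p in parts[1:]]
            elif key == "documentroot":
                root = parts[1].strip('"')
        hosts.append((patterns, root))
    return hosts


def select_vhost(hosts, host_header):
    """Apache's rule: walk the vhosts for the address in load order and take the
    first whose ServerName equals the requested name or whose ServerAlias matches
    it (shell-style wildcards, case-insensitive). No match: the first vhost wins."""
    wanted = host_header.lower()
    for patterns, root in hosts:
        for value, is_alias in patterns:
            hit = fnmatch.fnmatchcase(wanted, value.lower()) if is_alias else wanted == value.lower()
            if hit:
                return root
    return hosts[0][1]
```

On a live server, `apache2ctl -S` prints the vhosts in the order Apache actually loaded them together with their ServerName and ServerAlias entries, so the same walk can be checked against the real configuration.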