
Up to this point I've been using SNI in my ssl.conf file with Apache 2.2.31 I'm serving up different sites all in the same document root. For example:

NameVirtualHost *:443

<VirtualHost *:443>
DocumentRoot "/var/www/html"
ServerName www.domain1.com

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite ...
SSLHonorCipherOrder on

SSLCertificateFile /etc/pki/tls/certs/domain1.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/domain1.com.key
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle_domain1.crt
</VirtualHost>

<VirtualHost *:443>
DocumentRoot "/var/www/html"
ServerName www.domain2.com

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite ...
SSLHonorCipherOrder on

SSLCertificateFile /etc/pki/tls/certs/domain2.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/domain2.com.key
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle_domain2.crt
</VirtualHost>

...

Now I've added a wildcard cert in the hopes I can add sub-domains without any extra Apache configuration to another new domain. So the ssl.conf looks like this:

NameVirtualHost *:443

<VirtualHost *:443>
DocumentRoot "/var/www/html"
ServerName www.domain1.com

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite ...
SSLHonorCipherOrder on

SSLCertificateFile /etc/pki/tls/certs/domain1.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/domain1.com.key
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle_domain1.crt
</VirtualHost>

<VirtualHost *:443>
DocumentRoot "/var/www/html"
ServerName www.domain2.com

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite ...
SSLHonorCipherOrder on

SSLCertificateFile /etc/pki/tls/certs/domain2.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/domain2.com.key
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle_domain2.crt
</VirtualHost>

...

<VirtualHost *:443>
DocumentRoot "/var/www/html"
ServerName newdomain.com

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite ...
SSLHonorCipherOrder on

SSLCertificateFile /etc/pki/tls/certs/newdomain_wildcard.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/newdomain_wildcard.com.key
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle_newdomain_wildcard.crt
</VirtualHost>

It works for newdomain.com but not on other sub-domains (e.g. test.newdomain.com). I also get this warning on server start, if that's relevant:

[warn] RSA server certificate wildcard CommonName (CN) `*.newdomain.com' does NOT match server name!?

If I change ServerName to *.newdomain.com, I don't get warnings but the certificate doesn't work at all.

Tom

1 Answer


I'm pretty sure you have to give an actual ServerName and not a wildcard one.

Does your new cert have just "*.newdomain.com" or also "newdomain.com"? I'd guess just the first, so it can only be used for subdomains and not the top level domain (TLD). In that case just set the ServerName to www.newdomain.com, or any other ServerName that the wildcard will match. It's good practice to have a cert that also covers the bare TLD though.

You should also move the newdomain server config to be first. That way it will be the default, and anything not explicitly matched will fall in here (e.g. if someone uses ransom.newdomain.com). Currently, as www.domain1.com is first, it will match these requests and presumably cause a cert error.

Barry Pollard
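As an added check (not code from either post), this Python script models the two points in the answer: a wildcard certificate name covers exactly one label, so *.newdomain.com does not cover the bare newdomain.com, and the vhost needs a literal ServerName plus ServerAlias entries for every name that should route to it. The vhost config and the certificate name lists it works on are constructed samples, and the ServerAlias line is an assumed fix rather than the poster's configuration.

```python
"""Check which Apache vhost names a certificate's DNS names actually cover."""
import re

# Constructed sample: the newdomain vhost from the question with a ServerAlias
# added (assumed fix), placed first so it is also the default SNI vhost.
SAMPLE_CONF = """
<VirtualHost *:443>
ServerName www.newdomain.com
ServerAlias newdomain.com *.newdomain.com
SSLCertificateFile /etc/pki/tls/certs/newdomain_wildcard.com.crt
</VirtualHost>
<VirtualHost *:443>
ServerName www.domain1.com
SSLCertificateFile /etc/pki/tls/certs/domain1.com.crt
</VirtualHost>
"""

# Constructed: DNS names (CN plus SAN) a wildcard cert may carry, with and
# without the apex name the answer asks about.
WILDCARD_CERT_NAMES = ["*.newdomain.com"]
WILDCARD_PLUS_APEX = ["*.newdomain.com", "newdomain.com"]


def cert_matches(cert_name: str, hostname: str) -> bool:
    """RFC 6125 style match: '*' only as the whole leftmost label, covering
    exactly one label, so '*.newdomain.com' matches test.newdomain.com but
    neither newdomain.com nor a.b.newdomain.com."""
    cert_name, hostname = cert_name.lower().rstrip("."), hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    suffix = cert_name[1:]  # ".newdomain.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label and "*" not in first_label


def covered(cert_names, hostname: str) -> bool:
    """A wildcard alias is covered only by an identical wildcard cert entry."""
    if hostname.startswith("*."):
        return hostname.lower() in [c.lower() for c in cert_names]
    return any(cert_matches(n, hostname) for n in cert_names)


def parse_vhosts(conf: str):
    """Return [(server_name, [aliases...]), ...] in file order; Apache sends
    requests whose SNI matches no ServerName/ServerAlias to the first one."""
    vhosts = []
    for body in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf, re.S):
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M)
        aliases = re.findall(r"^\s*ServerAlias\s+(.+)$", body, re.M)
        vhosts.append((name.group(1) if name else None,
                       [a for line in aliases for a in line.split()]))
    return vhosts


def vhost_names_covered(cert_names, vhost) -> dict:
    """Map each name the vhost answers for to whether the cert covers it.
    A wildcard ServerName is rejected: Apache wants a literal host there."""
    name, aliases = vhost
    if name is None or "*" in name:
        raise ValueError(f"ServerName must be a literal hostname, got {name!r}")
    return {n: covered(cert_names, n) for n in [name, *aliases]}
```

Feed it the DNS names printed by "openssl x509 -noout -text" for the real certificate to see which vhost names would still produce a certificate mismatch.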