0

So I recently ran into this problem and want to describe the issue and the solution here:

I have several virtualhosts on a httpd server and started to install letsencrypt SSL certificates on it via the certbot-auto tool.

This was working fine initially until some domains would throw errors in the browser that the certificate belongs to another domain and is not secure. The SSL setup for the domain was identical with those of other, working SSL setups. All of them are on the same IP address, the config was created by the certbot-auto tool. The domain shown in the browser as being the wrong domain that the ssl certificate points to was one of the other domains on the system.

uncovery
  • 305
  • 5
  • 14

1 Answers1

1

This issue can arise on CentOS (and likely other distributions) because of the way the SSL configuration is setup "out of the box".

The configuration setting that creates issues here is the 

NameVirtualHost *:443

instruction.

For non-ssl, the instruction NameVirtualHost *:80 is stored in /etc/httpd/httpd.conf and is loaded first. When the other virtualhost configs in /etc/httpd/conf.d/*.conf are loaded, this instruction is already applied. So there is no need to include it again in the virtualhosts instructions.

However, for SSL, the NameVirtualHost instruction is stored in /etc/httpd/conf.d/ssl.conf. This means that it's loaded in a row with the other virtualhost configs in the same folder. If you now have a config file that is starting with a letter above "s" (of Ssl.conf), the NameVirtualHost instruction for SSL is not loaded yet, and therefore the SSL certificate is defaulted to the default domain for that virtualhost.

The solution is to include the NameVirtualHost instruction for SSL in httpd.conf instead to make sure it is available for all the virtualhosts in the /etc/httpd/conf.d folder. It has to be removed from the ssl.conf however since it should not exist twice.

uncovery
  • 305
  • 5
  • 14