2

When scanning one of the domains I have installed SSL for with ssllabs.com, Certificate #1 verifies correctly with grade 'A', although further down on the result page there is also a Certificate #2 that seems to be collected from the first of the domains with SSL certificate configured from the apache configuration for some reason and which of course gives a "MISMATCH" since the domain does not match the certificate. Wondering if anyone can point out what's wrong with the config.

Currently I'm setting up each domain hosted for ssl like this (domain names changed):

<Directory /home/info/>
  Options -Indexes +FollowSymLinks -Multiviews
  AllowOverride All
  Order allow,deny
  allow from all
  Require all granted
</Directory>

<VirtualHost _default_:443>
  DocumentRoot /home/info/pub/
  ServerName domain.at
  ServerAlias domain.at www.domain.at

  SSLEngine on
  SSLCertificateFile    /home/info/ssl/at.crt
  SSLCertificateKeyFile /home/info/ssl/at.key
  SSLCertificateChainFile /home/info/ssl/at.ca
</VirtualHost>

<VirtualHost _default_:443>
  DocumentRoot /home/info/pub/
  ServerName domain.dk
  ServerAlias domain.dk www.domain.dk

  SSLEngine on
  SSLCertificateFile    /home/info/ssl/dk.crt
  SSLCertificateKeyFile /home/info/ssl/dk.key
  SSLCertificateChainFile /home/info/ssl/dk.ca
</VirtualHost>

<VirtualHost _default_:443>
  DocumentRoot /home/info/pub/
  ServerName domain.fr
  ServerAlias domain.fr www.domain.fr

  SSLEngine on
  SSLCertificateFile    /home/info/ssl/fr.crt
  SSLCertificateKeyFile /home/info/ssl/fr.key
  SSLCertificateChainFile /home/info/ssl/fr.ca
</VirtualHost>

So when for example scanning "domain.fr" with ssllabs it validates correctly for .fr certificate, but then goes on to try and validate "domain.at". Should I comment out the "domain.at" config, it would try to validate "domain.dk" instead. Why is this? Grateful for help.

Looren
  • 21
  • 4

1 Answer

1

According to the Apache documentation, you cannot serve more than one SSL VirtualHost on the same IP and port without enabling SNI. To make your configuration work you should add the SSLStrictSNIVHostCheck directive to the Apache configuration; more info can be found in this article.

Or, as another solution, install nginx as a reverse proxy and terminate SSL on nginx, so Apache will serve only HTTP.

Alexander Tolkachev
  • 4,608
  • 3
  • 14
  • 23
  • 1
    Had no idea about SNI, but from what I read about it, Apache above 2.2 has support for it. So, regarding ssllabs "Certificate #2", am I correct to assume that what they are showing is if SNI is not enabled in the browser? – Looren Jun 03 '17 at 21:37
  • @Looren usually, ssllabs shows that the site would work normally in browsers with SNI support. Check it next time. So it looks like the answer is Yes. – Alexander Tolkachev Jun 04 '17 at 19:34
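The answer and the comments point at SNI as the reason for the second, mismatching certificate: clients that send no SNI name get whichever vhost Apache picks first for the address, while SNI clients get the vhost whose ServerName/ServerAlias matches. The script below is an added example for checking that from the command line; it is not code from the question, the answer, or any Apache or SSL Labs tool. It probes a host once with SNI and once without (the `-noservername` option of `openssl s_client`, OpenSSL 1.1.1 or newer), extracts the DNS subjectAltName entries of the leaf certificate, and reports whether each certificate covers the hostname, including single-label wildcard matching. The hostnames and port are placeholders you pass as arguments; `san_matches` works offline on SAN text and is what the rest of the script builds on.

```shell
#!/bin/sh
# Added example: compare the certificate served with and without SNI against
# the hostname. Hostnames/ports are placeholders supplied on the command line.

# Lower-case a hostname; DNS names compare case-insensitively.
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# san_matches NAME SANS
#   NAME: hostname being checked
#   SANS: text with entries such as "DNS:domain.fr, DNS:www.domain.fr"
# Returns 0 if some DNS SAN covers NAME. A wildcard SAN (*.example) covers
# exactly one label: *.domain.dk covers foo.domain.dk but not a.b.domain.dk.
san_matches() {
  name=$(lc "$1")
  sans=$(printf '%s\n' "$2" | tr ', ' '\n\n' | sed -n 's/^DNS://p')
  for san in $sans; do
    san=$(lc "$san")
    case $san in
      "*."*)
        suffix=${san#\*}                  # "*.domain.dk" -> ".domain.dk"
        case $name in
          *"$suffix")
            label=${name%"$suffix"}       # "foo" or "a.b"
            case $label in
              *.* | '') ;;                # extra label or bare suffix: not covered
              *) return 0 ;;
            esac
            ;;
        esac
        ;;
      *)
        [ "$san" = "$name" ] && return 0
        ;;
    esac
  done
  return 1
}

# leaf_sans HOST PORT [SNI]
# Prints the DNS SANs of the leaf certificate the server presents. With a
# third argument the ClientHello carries that SNI name; without it the
# handshake is done with no SNI at all, which is the case SSL Labs reports
# as the second certificate.
leaf_sans() {
  host=$1; port=$2; sni=$3
  if [ -n "$sni" ]; then set -- -servername "$sni"; else set -- -noservername; fi
  printf '' | openssl s_client -connect "$host:$port" "$@" 2>/dev/null \
    | openssl x509 -noout -text 2>/dev/null \
    | grep -o 'DNS:[^, ]*' | tr '\n' ' '
}

# check_vhost HOST [PORT]
# Reports whether HOST is served correctly for SNI clients and what non-SNI
# clients receive instead (Apache answers those with the first vhost bound to
# the address, which is the "MISMATCH" certificate described in the question).
check_vhost() {
  host=$1; port=${2:-443}
  with=$(leaf_sans "$host" "$port" "$host")
  without=$(leaf_sans "$host" "$port")
  echo "SNI=$host : $with"
  echo "no SNI   : $without"
  if san_matches "$host" "$with"; then
    if san_matches "$host" "$without"; then
      echo "OK: certificate covers $host with and without SNI"
    else
      echo "OK for SNI clients; non-SNI clients get a certificate that does not cover $host"
    fi
  else
    echo "FAIL: certificate served with SNI does not cover $host"
    return 1
  fi
}

# Usage: sh sni-check.sh domain.fr [443]   (hostname is a placeholder)
if [ "$#" -gt 0 ]; then check_vhost "$@"; fi
```

Run it against each vhost after changing the configuration: the "no SNI" line tells you which certificate the first-bound vhost hands to legacy clients, which is the only thing the second SSL Labs entry is reporting; the SNI line is what current browsers see and is the one that must pass.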