Background: We have migrated 2 old webservers to 2 new, more robust servers, Ubuntu 17.04 and 18.04. We purchased Thawte SSL certificates for the domains we host (about 20) to use on the 2 servers. Each server has its own single static IP address.
The certificates were configured in the fashion of Common Name www.example.org, and Alternative Names www.example.org, example.org, www2.example.org.
The 17.04 server holds the "www2" subdomains. The SSL certificates were set up and everything works fine, delivering https with no certificate mismatches.
I set up the 18.04 server that holds our "www" and have tried to mirror the setup. After some trial and error (forgetting to a2enmod headers, a vhost syntax error in the .conf file) I got the first domain to deliver https.
However, when I configured the next domain's .conf vhost, SNI-enabled browsers gave an error that the site was using the first domain's certificate. I have googled and experimented, checked my syntax and paths, and I'm stuck.
Interestingly, when I use SSL verification tools, they report that the 2nd domain passes, and it appears to be reporting the correct domain ownership of the certificate. But all browsers, inside the network and out, report the error. If I ignore the error and proceed, it takes me to the 1st domain.
Each domain has its own .conf file in /etc/apache2/sites-available. I read where someone advised putting all virtualhosts in 1 .conf; I tried that with the same result, but the 2nd domain didn't pass the SSL test that time.
It seems that my 2nd domain is returning the certificate of the 1st domain, and from what I've read I would expect it to do so for all the others. These sites are live though and I can't (shouldn't) bring them down while testing. I'm using our least visited site for the 2nd domain example. Someone suggested this may be a caching issue and the problem resolved itself many hours later. I can't help but think I've missed some server setting that engages SNI, but Apache 2.4 supposedly delivers SNI out of the box.
from ports.conf
Listen 80
<IfModule ssl_module>
    Listen 443
</IfModule>
<IfModule mod_gnutls.c>
    Listen 443
</IfModule>
from example.conf
<VirtualHost *:80>
    ServerName www.example.org
    ServerAlias example.org www4.example.org
    ServerAdmin webmaster@xxxxxxxx.com
    # Plain-HTTP requests for any of the names above are sent to the https site
    Redirect 301 "/" "https://www.example.org/"
</VirtualHost>
<IfModule ssl_module>
    # These Header directives sit outside any <VirtualHost>, so they are server-wide
    # (mod_headers must be loaded: a2enmod headers). The env=HTTPS condition limits
    # HSTS and CSP to TLS requests. Header names are given without a trailing colon.
    SetEnvIf HTTPS https HTTPS=on
    Header always set Strict-Transport-Security "max-age=63072000" env=HTTPS
    Header always set Content-Security-Policy "upgrade-insecure-requests" env=HTTPS
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Frame-Options sameorigin
    Header always set X-Content-Type-Options nosniff
    Header always set X-Permitted-Cross-Domain-Policies "master-only"
    # One IP, several *:443 vhosts: mod_ssl picks the vhost (and so the certificate)
    # whose ServerName/ServerAlias equals the SNI name the client sends. The first
    # *:443 vhost loaded (sites-enabled/*.conf is read alphabetically, so example.conf
    # comes before otherdomain.conf) is the default for clients that send no SNI name
    # or a name that no vhost lists. Note that this vhost has no ServerAlias, so
    # example.org, although in the certificate's SAN list, does not match it by name.
    <VirtualHost *:443>
        ServerName www.example.org
        DocumentRoot /var/www/example/
        ServerAdmin webmaster@xxxxxxxx.com
        SSLEngine on
        SSLCertificateFile "/etc/apache2/ssl/crt/www.example.org.crt"
        # SSLCertificateChainFile is deprecated since 2.4.8 (the intermediate may be
        # appended to SSLCertificateFile instead) but still works.
        SSLCertificateChainFile "/etc/apache2/ssl/crt/IntermediateCA.example.crt"
        SSLCertificateKeyFile "/etc/apache2/ssl/www.example.org.key"
        DirectoryIndex index.html index.htm index.php
        # FilesMatch tests only the file name, so the "^wp-admin/.*" alternative never
        # matches; protecting that directory needs <LocationMatch "^/wp-admin/"> instead.
        <FilesMatch "^wp-login\.php$|^wp-admin/.*">
            AuthName "Login Login"
            AuthType Basic
            AuthUserFile /etc/apache2/.htpasswd
            Require valid-user
        </FilesMatch>
    </VirtualHost>
</IfModule>
from otherdomain.conf
<VirtualHost *:80>
    ServerName www.otherdomain.org
    ServerAlias otherdomain.org www4.otherdomain.org
    ServerAdmin webmaster@xxxxxxxx.com
    Redirect 301 "/" "https://www.otherdomain.org/"
</VirtualHost>
<IfModule ssl_module>
    # Same server-wide header block as in example.conf; a repeated "Header set"
    # simply overwrites the earlier one, so the duplication is harmless.
    SetEnvIf HTTPS https HTTPS=on
    Header always set Strict-Transport-Security "max-age=63072000" env=HTTPS
    Header always set Content-Security-Policy "upgrade-insecure-requests" env=HTTPS
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Frame-Options sameorigin
    Header always set X-Content-Type-Options nosniff
    Header always set X-Permitted-Cross-Domain-Policies "master-only"
    # Only www.otherdomain.org is named here. A TLS client that sends SNI
    # "otherdomain.org" matches no *:443 vhost and is served by the default one,
    # i.e. the first loaded (www.example.org), with that vhost's certificate.
    <VirtualHost *:443>
        ServerName www.otherdomain.org
        DocumentRoot /var/www/otherdomain/
        ServerAdmin webmaster@xxxxxxxx.com
        SSLEngine on
        SSLCertificateFile "/etc/apache2/ssl/crt/www.otherdomain.org.crt"
        SSLCertificateChainFile "/etc/apache2/ssl/crt/IntermediateCA.otherdomain.crt"
        SSLCertificateKeyFile "/etc/apache2/ssl/www.otherdomain.org.key"
        DirectoryIndex index.html index.htm index.php
        # As above: FilesMatch cannot match the wp-admin/ directory component.
        <FilesMatch "^wp-login\.php$|^wp-admin/.*">
            AuthName "Login Login"
            AuthType Basic
            AuthUserFile /etc/apache2/.htpasswd
            Require valid-user
        </FilesMatch>
    </VirtualHost>
</IfModule>
Of possible importance, the "www" sites and server are WordPress sites. The "www4" subdomain I used for testing purposes while bringing said WordPress sites from a PHP 5.2 environment to 7. Once the sites were displaying correctly, I pointed DNS (Cloudflare free) for www from the static IP address of the old server to the static IP address of the new (Ubuntu 18.04) server.
Things I've tried:
adding a * wildcard to ports.conf
sudo service apache2 restart
sudo service apache2 stop/start
commenting the redirect I have in port 80 Virtualhost
verifying the certificate paths
waiting 6+ hours
I've been at this for almost a week and have exhausted all my search combinations, so I'm admitting defeat and asking for help. Thanks in advance.
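As an added example (not code from the original post), here is a small Python 3 probe for exactly the situation described above: it connects to an origin IP twice, once sending the hostname as SNI and once sending no SNI at all, and reports the Common Name and Subject Alternative Names of the certificate it gets back, plus whether those names cover the hostname. Pointing it at the server's own static IP rather than the address Cloudflare publishes bypasses anything in between; the no-SNI answer is what Apache serves from its default *:443 vhost, which is the first one loaded (with Debian's sites-enabled/*.conf include, the alphabetically first file). The address 203.0.113.10, the SAMPLE_CERT dict and the helper names are mine and made up for illustration.

```python
"""Probe which certificate a TLS origin presents for a name, with and without SNI."""
import socket
import ssl
import sys

# Constructed sample in ssl.getpeercert() layout: the CN/SAN shape from the question.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "subjectAltName": (
        ("DNS", "www.example.org"),
        ("DNS", "example.org"),
        ("DNS", "www2.example.org"),
    ),
}


def cert_names(cert):
    """Extract (commonName, [SAN DNS names]) from an ssl.getpeercert()-style dict."""
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return cn, sans


def name_matches(pattern, hostname):
    """RFC 6125 style match: exact, or a wildcard that is the whole left-most label
    and stands for exactly one label (so *.example.org matches www.example.org,
    not example.org and not a.b.example.org)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def covers(cert, hostname):
    """True if the certificate is valid for hostname. Browsers consult the SAN list
    and fall back to the CN only when the certificate carries no SAN extension."""
    cn, sans = cert_names(cert)
    candidates = sans if sans else ([cn] if cn else [])
    return any(name_matches(p, hostname) for p in candidates)


def fetch_cert(ip, servername, port=443, timeout=5.0):
    """TLS-connect to ip:port and return the peer certificate as a dict.
    servername=None sends no SNI extension, which is how the default vhost is reached.
    The chain is still verified against the system CA store (a missing intermediate
    surfaces as SSLCertVerificationError), but the hostname check is disabled on
    purpose: the point is to see whichever certificate the server chose."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=servername) as tls:
            return tls.getpeercert()


def diagnose(ip, hostname, port=443):
    """Probe the origin twice; per probe return (covers hostname?, CN, SAN list)."""
    report = {}
    for label, sni in (("with SNI", hostname), ("without SNI", None)):
        try:
            cert = fetch_cert(ip, sni, port)
        except ssl.SSLCertVerificationError as exc:
            report[label] = (False, None, ["chain verification failed: %s" % exc.reason])
            continue
        cn, sans = cert_names(cert)
        report[label] = (covers(cert, hostname), cn, sans)
    return report


if __name__ == "__main__":
    if len(sys.argv) == 3:  # e.g. python3 snicheck.py 203.0.113.10 www.otherdomain.org
        origin_ip, name = sys.argv[1], sys.argv[2]
        for label, (ok, cn, sans) in diagnose(origin_ip, name).items():
            print("%-12s covers %s: %s  CN=%s  SAN=%s" % (label, name, ok, cn, ", ".join(sans)))
    else:  # offline demonstration on the constructed sample
        for name in ("www.example.org", "example.org", "www.otherdomain.org"):
            print("%s covered by sample cert: %s" % (name, covers(SAMPLE_CERT, name)))
```

The command-line equivalent of the "with SNI" probe is `openssl s_client -connect 203.0.113.10:443 -servername www.otherdomain.org </dev/null | openssl x509 -noout -subject -text | grep -A1 'Subject Alternative Name'`; drop `-servername` for the no-SNI probe. If the origin already answers the SNI probe with the right certificate while a browser still shows the wrong one, the browser is either not reaching this origin directly or is reaching it under a name that no *:443 vhost lists, and the no-SNI row shows which vhost wins in that case.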