Today I'm trying to configure Apache to run two domains each with their own SSL certificate. From what I have read this is supported by SNI as long as my Apache is configured with a recent version of OpenSSL. I verified that it is:

[notice] Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.7 with Suhosin-Patch mod_ssl/2.2.22 OpenSSL/1.0.1 configured -- resuming normal operations

I thought I had successfully set up the second domain and certificate, but when I try to visit the second domain in Chrome I get the following error:

You attempted to reach example2.com, but instead you actually reached a server identifying itself as example1.com.

This post seems closest to my issue:

hosting multiple SSL certs on apache

But from what I can tell my server is already configured correctly (clearly it is not!).

I have the following directives in my conf file for example2.com:

ServerName  example2.com
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/example2.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/example2.com.key

It looks right to me. So why is Apache serving example1's cert when I visit example2?

Dan Pouliot

3 Answers

3

Turns out domain 1 was configured as

<VirtualHost *:443>

I use webmin, which only reveals that detail when you view the directive directly.

Changing * was part of the solution but introduced some other problems. I think I will punt and do IP-based SSL.

Dan Pouliot
  • My problem was I was being a fool. I'd managed to omit my ServerName declarations in my vhosts. /facepalm. It'd be nice if Apache complained about having unreachable virtualhosts configured. But whatever. – James T Snell Sep 19 '14 at 17:13
3

I added this to ports.conf (Apache/2.2.22):

NameVirtualHost *:443

You can read the details in this post.

689
  • NameVirtualHosts is no longer necessary with Apache/2.4. See apache docs for details [here](http://httpd.apache.org/docs/2.4/new_features_2_4.html). – Doug Knudsen Jan 02 '16 at 18:31
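As an added illustration (not code from the thread or from Apache), a small Python checker that applies the two diagnoses reached above to an Apache 2.2 configuration: it flags an address that carries several SSL vhosts with no matching NameVirtualHost, and any SSL vhost whose ServerName is missing. The configuration text and file paths are constructed for the example.

```python
import re

# Constructed sample (not from the thread) of an Apache 2.2 config with both mistakes
# discussed above: no NameVirtualHost for *:443, and a second SSL vhost without ServerName.
SAMPLE_CONF = """<VirtualHost *:443>
    ServerName example1.com
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/example1.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/example1.com.key
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/example2.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/example2.com.key
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
NVH_RE = re.compile(r"^\s*NameVirtualHost\s+(\S+)", re.M | re.I)


def parse_vhosts(conf):
    """Return (address, ServerName or None, SSLEngine on?) per vhost, in file order."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf):
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        ssl_on = re.search(r"^\s*SSLEngine\s+on\b", body, re.M | re.I) is not None
        vhosts.append((addr.strip(), name.group(1) if name else None, ssl_on))
    return vhosts


def lint_sni(conf, apache_22=True):
    """List the reasons SNI would fail to pick a vhost; an empty list means none found."""
    findings = []
    declared = {a.lower() for a in NVH_RE.findall(conf)}
    by_addr = {}
    for addr, name, ssl_on in parse_vhosts(conf):
        if ssl_on:
            by_addr.setdefault(addr.lower(), []).append(name)
    for addr, names in by_addr.items():
        if len(names) < 2:
            continue  # a single SSL vhost on this address needs no name matching
        if apache_22 and addr not in declared:
            # Apache 2.2 only matches by name once NameVirtualHost is set; otherwise
            # the first vhost for the address answers for every hostname.
            findings.append(f"{addr}: {len(names)} SSL vhosts but no 'NameVirtualHost {addr}'; "
                            f"the first one ({names[0]}) will answer for every SNI name")
        for i, name in enumerate(names):
            if name is None:
                findings.append(f"{addr}: SSL vhost #{i + 1} has no ServerName, so no SNI name can select it")
    return findings
```

From outside the server, `openssl s_client -connect host:443 -servername example2.com` shows which certificate is actually presented for a given SNI name, which confirms whether the fix took effect.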
-7

It's not possible to have multiple SSL domains on the same IP address.

Context

When a client contacts an https web site, all communication is encrypted with the site's public key (SSL certificate). Only the private key associated with the public key can decrypt the http request. Basically, that's how https works.
That's why, in your virtual host, you define the certificate and the key for each SSL web site:

SSLCertificateFile /etc/apache2/ssl/example2.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/example2.com.key

Name-based VirtualHost and SSL

When you use name-based VirtualHosts, Apache reads each incoming client request and looks at which domain name is requested. Once the domain name is identified, Apache reads the VirtualHost instructions and returns the right web site.

When Apache receives an SSL request, the system can't decrypt the message because Apache needs to use the SSLCertificateKeyFile defined in the VirtualHost, but to know which VirtualHost to use it needs to be able to decrypt the message .... Because Apache doesn't know how to process your request, the system returns the first VirtualHost processed.

That's why you need to use IP-based VirtualHosts, which is what is used in the example:
hosting multiple SSL certs on apache. You have 2 IPs, 1.1.1.1 and 2.2.2.2:

NameVirtualHost 1.1.1.1:443
NameVirtualHost 2.2.2.2:443
<VirtualHost 1.1.1.1:443>
  ServerName www.domain1.com
  ...
  ...
</VirtualHost>
<VirtualHost 2.2.2.2:443>
  ServerName www.domain2.com
  ...
  ...
</VirtualHost>

Name-based VirtualHost and SSL wildcard certificate

If the private key AND the public key (SSL certificate) are the same for all domains, Apache will be able to decrypt the communication. This situation happens only when you use a wildcard certificate for a domain. For example, if you have a wildcard for *.domain.com you can define name-based VirtualHosts like this:

NameVirtualHost 1.1.1.1:443

<VirtualHost 1.1.1.1:443>
   ServerName  foo.domain.com
   SSLEngine on
   SSLCertificateFile /etc/apache2/ssl/wildcard.domain.com.crt
   SSLCertificateKeyFile /etc/apache2/ssl/wildcard.domain.com.key
   ...
   ...
</VirtualHost>

<VirtualHost 1.1.1.1:443>
   ServerName  bar.domain.com
   SSLEngine on
   SSLCertificateFile /etc/apache2/ssl/wildcard.domain.com.crt
   SSLCertificateKeyFile /etc/apache2/ssl/wildcard.domain.com.key
   ...
   ...
</VirtualHost>

This configuration will work because, whatever the domain, Apache uses the same private key to decrypt the communication, so the system will be able to select the right VirtualHost settings.

Have a nice day.

Xerus
  • "It's not possible to have multi SSL domain on the same ip addres." It is possible using SNI (Server Name Indication), which is what the question is about. – Bruno Aug 01 '13 at 14:18
  • To repeat what the previous poster said, it IS possible, using SNI. My question is why my particular SNI configuration is failing. – Dan Pouliot Aug 01 '13 at 15:25