
I have two virtual hosts, and use two certificates. While not indicated by the following httpd.conf file, I am using *.example.com as well as *.sites.example.com and thus need the two certificates. When accessing https://bla.sites.example.com/, the browser displays the following warning:

bla.sites.example.com uses an invalid security certificate.
The certificate is only valid for the following names: *.example.com, example.com
(Error code: ssl_error_bad_cert_domain)

If I remove the first VirtualHost which redirects to www.example.com, I don't get the warning.

Why is this, and how should I use multiple CA certificates for different VirtualHosts?

<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCipherSuite SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNULL:!aNULL
    SSLCertificateKeyFile /etc/pki/tls/private/example_key.pem
    #Following certificate is good for example.com and *.example.com
    SSLCertificateFile /etc/pki/tls/certs/example_startssl_class2.crt
    SSLCertificateChainFile /etc/pki/tls/certs/sub.class2.server.ca.pem
    RewriteEngine on
    RewriteRule .* https://www.example.com%{REQUEST_URI} [NE,R,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    ServerAlias *.sites.example.com
    ErrorDocument 404 /error-404.html
    DocumentRoot /var/www/example/html_sites
    SSLEngine on
    SSLCipherSuite SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNULL:!aNULL
    SSLCertificateKeyFile /etc/pki/tls/private/example_key.pem
    #Following certificate is good for example.com, sites.example.com and *.sites.example.com
    SSLCertificateFile /etc/pki/tls/certs/example_startssl_sites_class2.crt
    SSLCertificateChainFile /etc/pki/tls/certs/sub.class2.server.ca.pem
    <Directory "/var/www/example/html_sites">
        allow from all
        Options +Indexes
    </Directory>
</VirtualHost>

Note that I have the following settings in /etc/httpd/conf.d/ssl.conf:

#Following certificate is good for example.com and *.example.com
SSLCertificateFile /etc/pki/tls/certs/example_startssl_class2.crt
SSLCACertificateFile /etc/pki/tls/certs/example_startssl_class2.crt
SSLCertificateKeyFile /etc/pki/tls/private/example_key.pem
SSLCertificateChainFile /etc/pki/tls/certs/sub.class2.server.ca.pem
user1032531

1 Answer


Your vhosts are not set up correctly. You have both pointing to ServerName example.com.

They both should have different, specific ServerName values and different document roots. Then Apache will know which vhost to send the request to, and you won't get that error.

You can see more configuration help here: Multiple Certs using SNI.

Since they are two different certs, your vhosts should look something like this.

<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example/html_sites
    SSLEngine on
    SSLCipherSuite SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNULL:!aNULL
    SSLCertificateKeyFile /etc/pki/tls/private/example_key.pem
    #Following certificate is good for example.com and *.example.com
    SSLCertificateFile /etc/pki/tls/certs/example_startssl_class2.crt
    SSLCertificateChainFile /etc/pki/tls/certs/sub.class2.server.ca.pem
    <Directory "/var/www/example/html_sites">
        ErrorDocument 404 /error-404.html
        allow from all
        Options +Indexes
        RewriteEngine on
        # Only redirect when the request did not already arrive for www.example.com;
        # without this condition the www alias above redirects to itself in a loop.
        RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
        RewriteRule .* https://www.example.com%{REQUEST_URI} [NE,R,L]
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    ServerName bla.sites.example.com
    ServerAlias *.sites.example.com
    DocumentRoot /var/www/example2/html_sites
    SSLEngine on
    SSLCipherSuite SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNULL:!aNULL
    SSLCertificateKeyFile /etc/pki/tls/private/example_key.pem
    #Following certificate is good for example.com, sites.example.com and *.sites.example.com
    SSLCertificateFile /etc/pki/tls/certs/example_startssl_sites_class2.crt
    SSLCertificateChainFile /etc/pki/tls/certs/sub.class2.server.ca.pem
    <Directory "/var/www/example2/html_sites">
        allow from all
        Options +Indexes
    </Directory>
</VirtualHost>

Also, remember to restart Apache after making changes.

Panama Jack
Thanks Panama, I believe you are correct in that I should have used different server names. Guess I incorrectly thought that the first one would never be hit if the url was bla.sites.example.com. – user1032531 Feb 02 '15 at 18:35
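An added check, not part of the question or the answer above: a small Python script that applies the browser's hostname-matching rule that produced the warning (a wildcard label covers exactly one DNS label, so *.example.com does not cover bla.sites.example.com) to the names each certificate is stated to be valid for in the config comments on this page, and reports which certificate would satisfy a given hostname. The `fetch_san_names` helper uses only the standard library's ssl module to retrieve the names a live server presents when asked for a given SNI hostname, so you can confirm what Apache actually serves after the vhost change; the certificate name lists and the hostnames in the demo are taken from this page, and the function names are my own.

```python
import socket
import ssl

# DNS names each certificate is valid for, as stated in the config comments on this page.
CERT_NAMES = {
    "example_startssl_class2.crt": ["example.com", "*.example.com"],
    "example_startssl_sites_class2.crt": [
        "example.com", "sites.example.com", "*.sites.example.com",
    ],
}


def name_matches(pattern: str, hostname: str) -> bool:
    """Match a certificate name against a hostname the way browsers do (RFC 6125 style).

    Comparison is case-insensitive, and a leading '*.' covers exactly one
    non-empty label, so '*.example.com' covers 'www.example.com' but neither
    'example.com' nor 'bla.sites.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[2:]
        if not hostname.endswith("." + suffix):
            return False
        first_label = hostname[: -len(suffix) - 1]
        return bool(first_label) and "." not in first_label
    return pattern == hostname


def cert_covers(names, hostname: str) -> bool:
    """True if any of the certificate's names covers the hostname."""
    return any(name_matches(n, hostname) for n in names)


def certs_covering(hostname: str, cert_names=CERT_NAMES):
    """Return the certificate files (from CERT_NAMES) that cover the hostname, in order."""
    return [cert for cert, names in cert_names.items() if cert_covers(names, hostname)]


def fetch_san_names(hostname: str, port: int = 443, timeout: float = 5.0):
    """Connect with SNI set to `hostname` and return the DNS names in the served certificate.

    Hostname checking is disabled so a mismatch (the very problem being diagnosed)
    does not abort the handshake; chain verification is kept, because the ssl
    module only exposes the parsed certificate when the chain was verified.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Offline demo using the hostnames that appear on this page.
    for host in ("bla.sites.example.com", "www.example.com", "example.com"):
        print(f"{host}: covered by {certs_covering(host) or 'no certificate'}")
    # To verify a live server instead, run e.g.:
    #   print(fetch_san_names("bla.sites.example.com"))
    # and check that the returned list contains '*.sites.example.com'.
```

The warning in the question is exactly the `certs_covering("bla.sites.example.com")` case: only example_startssl_sites_class2.crt covers that name, so if the browser reports *.example.com, the request was answered by the vhost holding the other certificate. Running `fetch_san_names` for each hostname after the change shows which certificate each SNI name actually receives.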