Introduction
The problem is, in short, this. I've been using 'Virtualmin' for a while now, mainly because it works better (in my opinion & for my purposes) than VestaCP, Ajenti, Direct Admin (Evolution), CPanel, Sentora, and most of the 'ISP' series.
In doing this, I could already do just about everything via CLI / FTP, this was just a more coherent option for everyone to work together, and to where others could solve their own problems. Getting used to Virtualmin / Webmin didn't take long, but I've run into a problem that is, for lack of a better word, puzzling.
I run SSL certificates on all of my sites via a combination of 'Let's Encrypt' and sometimes Cloudflare, since I use it to manage DNS and mitigate DDoS attacks (when necessary to turn it on) anyway. In addition, I limit the TLS versions, set my own cipher via the global directives, and enabled HSTS.
Now however, I have a piece of software that, for some reason, can't connect to its REST API if the site is under an SSL layer and / or Proxy. So, I tried to disable the SSL certificate enforcement to temporarily rectify the problem. However, after removing it, I realized that with HSTS enabled, I could no longer travel to the normal 'HTTP' version of the site. I removed the HSTS line in the directives, but it's still persisting.
I'm also getting a security warning because of a certificate mismatch happening with Virtualmin. For some reason, SSL certificates on other domains are applying to the current one. I've checked each individual site's .conf file, as well as each one's directives (and SSL Directives), as well as looking for anything that would do it in the global directives. The situation looks kind of like this.
Domains & Tiers
- Example.com (Domain One)
  - Analytics.Example.com (Sub-domain under the above One)
- ExampleTwo.com (Different Domain, 'Domain Two')
  - App.ExampleTwo.com (Sub-domain under above 'Two')
Essentially, the SSL certificate from Analytics is being pushed onto the App subdomain (that's under a different domain), in addition to App's own SSL certificate. When I shut off the SSL certificate for Analytics, and the one for App, the top layer's (Example.com) SSL certificate is then forced onto the 'App' sub-domain. I would've thought that this would've had to manifest in either the site directives, their SSL directives, or the SSL.Conf in the global directives, but there's nothing there. I have yet to find a fix for this.
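
The HSTS persistence described in the post, as an added example that is not part of the original post: a small model of how a browser caches an HSTS policy under RFC 6797, showing that dropping the header on the server leaves the cached policy in force until it expires, while a `max-age=0` header received over HTTPS deletes it. The `HSTSStore` class, the lowercase host names and the timestamps are constructed for illustration and are not any browser's actual code.

```python
# Added example: minimal model of a browser's HSTS cache (RFC 6797 semantics).
# HSTSStore, host names and timestamps are constructed for illustration.

class HSTSStore:
    def __init__(self):
        self._policies = {}  # host -> (expiry time, includeSubDomains flag)

    def note_response(self, host, header, over_tls, now):
        """header is the Strict-Transport-Security value, or None if absent."""
        if not over_tls or header is None:
            return  # ignored over plain HTTP; an absent header changes nothing
        max_age, include_sub = None, False
        for part in header.split(";"):
            name, _, value = part.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                digits = value.strip().strip('"')
                if not digits.isdigit():
                    return  # malformed header: keep any existing policy
                max_age = int(digits)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return  # max-age is mandatory
        if max_age == 0:
            self._policies.pop(host.lower(), None)  # explicit removal
        else:
            self._policies[host.lower()] = (now + max_age, include_sub)

    def forces_https(self, host, now):
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy and policy[0] > now and (i == 0 or policy[1]):
                return True  # exact match, or a parent with includeSubDomains
        return False

def demo():
    store, day = HSTSStore(), 86400
    store.note_response("example.com", "max-age=31536000; includeSubDomains", True, 0)
    # Server stops sending the header: the cached policy is untouched.
    store.note_response("example.com", None, True, day)
    after_removal = store.forces_https("analytics.example.com", 2 * day)
    # Server sends max-age=0 over HTTPS: the policy is deleted.
    store.note_response("example.com", "max-age=0", True, 3 * day)
    after_reset = store.forces_https("analytics.example.com", 4 * day)
    return after_removal, after_reset
```

Because the reset header only counts when it arrives over HTTPS, the site has to keep serving a valid certificate until clients have seen `max-age=0`.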