Ok thanks.  We've gotten away with the *:443 shorthand for a long time
because no one wanted to pony up the money for a cert for the other
handful of hobby domains.

On Wed, May 18, 2022 at 6:54 PM Frank Gingras <thu...@apache.org> wrote:

> Not sure if you saw the other answer on the other email:
>
> // If you can't use a SAN, then you need to configure all your vhosts as
> IP:443, whereas one vhost uses a separate IP, and the remainder uses the
> second IP.
>
> On Wed, 18 May 2022 at 17:26, frank picabia <fpica...@gmail.com> wrote:
>
>> Sorry, different domain.
>>
>> 300 hosts like *.example1.com
>> and now we have 1 example2.com
>>
>>
>> On Wed, May 18, 2022 at 4:31 PM Frank Gingras <thu...@apache.org> wrote:
>>
>>> See if you can add a SAN to that wildcard certificate first.
>>>
>>> On Wed, 18 May 2022 at 15:21, frank picabia <fpica...@gmail.com> wrote:
>>>
>>>>
>>>> We have a server with over 300 vhosts on it.  Marketing/CMS madness I
>>>> guess.
>>>> All on the same domain name.  Many VirtualHosts are defined with *:443
>>>> and then ServerName to rely on SNI.
>>>> We have a wildcard cert for the domain and all the hosts use that.
>>>>
>>>> Now there is a different domain to add for SSL.  For some reason
>>>> the first domain name's certificate is being found.  I've put the
>>>> IP for our newcomer domain so we have <VirtualHost 1.1.1.1:443 >
>>>> but it is still finding the other cert.  This IP is uniquely assigned
>>>> with the different domain, as you'd expect with DNS.  So it can't
>>>> be an overlap of the IP used elsewhere.
>>>>
>>>> Researching this problem ("wrong cert loaded for vhost"),
>>>> I read that in the initial SSL connection, it
>>>> is talking to the IP, and whatever values we have for ServerName
>>>> have no bearing until the page is being accessed.  If that's the case
>>>> then it might have matched another vhost with *:443 first.
>>>> I tried putting my new domain at the top of ssl.conf but it made no
>>>> difference.
>>>>
>>>> I'm thinking I need to edit each *:443 case and change it to the
>>>> appropriate IP.
>>>> That will be a lot of work, so I'm looking for affirmation that is
>>>> likely to make the difference.
>>>>
>>>>
>>>>
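
An added example, not from the thread or from the Apache project: a small Python audit that lists the `<VirtualHost>` address specs in a config and reports which `*:443` vhosts would need converting if the IP:443 approach suggested above is taken. The sample config, host names, IP and certificate paths are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample config: host names, IP and certificate paths are placeholders.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName a.example1.com
    SSLCertificateFile /etc/pki/tls/certs/wildcard.example1.com.crt
</VirtualHost>
<VirtualHost *:443>
    ServerName b.example1.com
    SSLCertificateFile /etc/pki/tls/certs/wildcard.example1.com.crt
</VirtualHost>
<VirtualHost 1.1.1.1:443 >
    ServerName example2.com
    SSLCertificateFile /etc/pki/tls/certs/example2.com.crt
</VirtualHost>
"""

BLOCK = re.compile(r"<VirtualHost\s+([^>]+?)\s*>(.*?)</VirtualHost>", re.I | re.S)

def directive(body, name):
    """First value of a directive inside one vhost body, or None."""
    m = re.search(rf"^[ \t]*{name}[ \t]+(\S+)", body, re.I | re.M)
    return m.group(1).strip('"') if m else None

def parse_vhosts(conf):
    """One dict per <VirtualHost> block, in file order."""
    conf = re.sub(r"^[ \t]*#.*$", "", conf, flags=re.M)  # drop comment lines
    return [{"addrs": addrs.split(),
             "name": directive(body, "ServerName"),
             "cert": directive(body, "SSLCertificateFile")}
            for addrs, body in BLOCK.findall(conf)]

def audit(conf, port="443"):
    """Group vhosts by address spec and flag a mix of wildcard and IP specs."""
    by_addr = defaultdict(list)
    for vh in parse_vhosts(conf):
        for addr in vh["addrs"]:
            if addr.endswith(":" + port):
                by_addr[addr].append(vh)
    wild = [a for a in by_addr if a.rpartition(":")[0] in ("*", "_default_")]
    return {"by_addr": dict(by_addr),
            "mixed": bool(wild) and len(wild) < len(by_addr),
            "to_convert": [vh["name"] for a in wild for vh in by_addr[a]]}

if __name__ == "__main__":
    report = audit(SAMPLE_CONF)
    for addr, vhs in report["by_addr"].items():
        print(addr, [(v["name"], v["cert"]) for v in vhs])
    print("mixed:", report["mixed"], "to convert:", report["to_convert"])
```

To run it against a real server, pass the concatenated text of the included config files to `audit()` in place of `SAMPLE_CONF`.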
