Your virtual host is defined wrong. Use the names not IP addresses <VirtualHost example2.com:443<http://1.1.1.13:443/>> Servername example2.com<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fexample2.com&c=E,1,dcUCUjUb4LYF2QKtZR97YwwXQvScdoETUyYneNIzxrVPCY07TRsv343JxU2TC5RtNYHxyF97S7yA3AepHgKTSlaPMWipWynnIbri9ZFZlIJCfOISNr175hJJNl8,&typo=1> SSLEngine on SSLCertificateFile /etc/http/certs/example2.crt ... </VirtualHost> ________________________________ From: frank picabia <fpica...@gmail.com> Sent: Friday, May 20, 2022 12:55 PM To: users@httpd.apache.org <users@httpd.apache.org> Subject: Re: [users@httpd] Re: Multi-domain with SSL - Virtualhost all need IPs?
I'm trying hard to get the lay of the land logic here, and it isn't happening. I'm bouncing between what I read here, and what apache actually does, and it doesn't add up. In my case we tried to introduce a new domain, let's call it example2.com<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fexample2.com&c=E,1,6W_vM4KZBARFuk6DDpPWoNW12LzjGIFV8FRTADGmecW5MGLigif3cCg9i_upqN6olj_Qr7kWBGqNJu2EXeP8QeUVkPmMk1TYwQ1pcBTxx32XgAlhuKEDKcpL&typo=1> It will have a different set of cert files. I let it have an IP which nothing else shares. I'm keenly aware of this IP as I've set it up in DNS as well. <VirtualHost 1.1.1.13:443<http://1.1.1.13:443>> Servername example2.com<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fexample2.com&c=E,1,dcUCUjUb4LYF2QKtZR97YwwXQvScdoETUyYneNIzxrVPCY07TRsv343JxU2TC5RtNYHxyF97S7yA3AepHgKTSlaPMWipWynnIbri9ZFZlIJCfOISNr175hJJNl8,&typo=1> SSLEngine on SSLCertificateFile /etc/http/certs/example2.crt ... </VirtualHost> Every other vhost had a different servername, and they used the cert for example1.com<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fexample1.com&c=E,1,hWtAIAcngoqDN67tYYh-JBMRsDu0loXxcOnLFfiTh0kkC73FcXss_uAVRLOtoJLqXOCEN9jyzjXqVBcPyZW7t70FdDG9MVq19wuX_0SAFBLk7qkKRSlWDw,,&typo=1> . They also had *:443 Only for example1.com<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fexample1.com&c=E,1,0PHWaifn8IWmWbVOrikm7fz8IiJtabA_5-R1x0XKMlFFo3oBud94pi8En8RPBR3KLTR3QenHwFjS7HQgJNY1qG-nQe_UmNGE2X8vrXjghYl5KQ,,&typo=1> do we have multiple aliases on the same IP. When visiting the example2.com<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fexample2.com&c=E,1,QZFYnaarDKwbI4UIuis6AUVr6M_IY5nT64iVqhrFOfC1SFad9Dq-LeBk2Prq7-LyNrzbvo_FfMN1PezvDeICv0bWAkLH1rCsEqr9d-W4KMjU_tMJ5hg,&typo=1> site, the web site shows apache has served a certificate for example1.com<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fexample1.com&c=E,1,T_cQOb_HmAeeARzztUhUpYrFdC-M2k8aEzqZWhQryiy784g3BQNmtSe51GNCXcXQIbgEUbfPVEl5zdNv7G3-cgN_D5iSOe-t-0dOr8s9Ogm_ZwvXlaaXXQJDP78,&typo=1> I had believed this was because we had used *:443 rather than explicitly show the IP for all our vhosts. It seemed the early conversation on SSL/TLS was matching a random vhost via this use of *:443 and that's how it got the cert for example1.com<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fexample1.com&c=E,1,Mz11UTCKtiWcGt6Y8IkJjBHQLSOD5JkAKituHpPrZu5-qa6kZmzAj0yKhiovnyiw6bX333zd9IKH73D6x3DQsfQOvC7ztgVXyiO7EUHWBXHjoys4q30,&typo=1> Since before this point all vhosts were on example1.com<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fexample1.com&c=E,1,8wXSzKIRaGVigrHUZoxWD8812IQ1_5RSU52jRZYKX7BQPnCQrAcHUwhw_BOV_E5zA1jMdtUHbqCd9jwXZ8HLFcDM7HcYG31scrYTMuAWMw,,&typo=1> the wildcard cert it found was always working while we had *:443 in use. What can we say about how multi-domain SSL works that we can rely on? I can find a dozen pages on google search from people who get the wrong certificate and they never get an answer. Some good hard rules on what is required would probably help a lot of people over the years. On Fri, May 20, 2022 at 11:59 AM Frank Gingras <thu...@apache.org<mailto:thu...@apache.org>> wrote: As mentioned, name-based vhosts will work with SNI and *:443 provided that you have the correct certificate assigned to each vhost. In rare cases, you can use IP:443 vhosts if you want specific handling based on the IP used to handle the request, such as https://IP1/ or https://IP2/. However, it is rarely needed by most servers. For now, you can use *:443, and run apachectl -S to make sure there is no overlap before restarting httpd. On Fri, 20 May 2022 at 07:04, frank picabia <fpica...@gmail.com<mailto:fpica...@gmail.com>> wrote: Sorry, that should not have said "top level domains". I meant domains. Like example.com<http://example.com>, example.net<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fexample.net&c=E,1,Lf7WCUECY7EjPemnM7RAgRqLA_RtcGdzOib3lOf7AW0vkHA8LZPhA_Cyx4vxm2UkTXZdaO6ax9tCWnAP4NJ8QbZC7d6pFPimkBkaFwrXGA,,&typo=1>. On Fri, May 20, 2022 at 7:05 AM frank picabia <fpica...@gmail.com<mailto:fpica...@gmail.com>> wrote: It looks like there are two requirements for multiple top level domains with SSL on the same apache. 1. IP values must be used inside VirtualHost, not *:443 2. All IP values must be unique, even on the same top level domain Is the above conjecture true? We have many setup like this example... <VirtualHost *:443 > ServerName s1.example1.com<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fs1.example1.com&c=E,1,wsz87BMMp2oMlSddl_CqoJGdX4XfnA4SBhZHzfihJZJUFFJolpRBPQ1tm6G08DwlDNVBTcY1p7ZsxfEAtdfJ59gsZRoDVQeNBtWtKHbD&typo=1> ... </VirtualHost> <VirtualHost *:443 > ServerName s2.example1.com<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fs2.example1.com&c=E,1,7pvCP6udZ3aZHoj-a0jz-AgOyf0BqRRLwQMOAtBCbrpGJX7So009M8zSgwIQRUxx3EB6zyyZKInj66oF7Td7UcJqi0h7gBdt_0zI0uL4PwM06AV6AQ,,&typo=1> ... </VirtualHost> where s1 and s2 are aliases on the same IP. It has worked like that for years. 330 vhosts on about 80 IPs. When I started to convert them to use the actual IP value rather than * <VirtualHost 1.1.1.1:443<http://1.1.1.1:443> > ServerName s1.example1.com<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fs1.example1.com&c=E,1,NvBi26pDh9IxdmyKgHLNK4p32Qv1cFQtyVXbIlC9HHOgiLAV95Pz_D8y_lWST789soOsTkxYjzJJJhMaqd4C8KT5RkVYHb73BPZZCPeWlhB7bt3Z6lPIEdWSe3Wd&typo=1> ... </VirtualHost> <VirtualHost 1.1.1.1:443<http://1.1.1.1:443> > ServerName s2.example1.com<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fs2.example1.com&c=E,1,8X1MRWLchBd0jtI-FkYh2nb2lyg0LtCgOeCkKgkA16Wdz7Q11brpocrr15c9F9_OqRnWEqwExVy6LEiVykh8JwIhtyIlb2Madiz9yfOano0,&typo=1> ... </VirtualHost> This had nothing to do with the example2.com<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fexample2.com&c=E,1,ul_Sx0-1ZWGylDIVnZp9Xcqxf0r3cNY7JsJnUxT2ir53quY-0jVC5gTotkqGkJbvAzWE3tNI01fkJt3aoWuCI0MkdIM9ZPWyrJuBGzFiVA,,&typo=1> I also want to put in there but on a unique IP. I did a few conversions from *:443, saved it and restarted apache. Then vhosts I had not touched yet were getting pages for other vhosts. It was random chaos and I reverted to the previous ssl.conf copy
