Charles, No, you are completely incorrect. You should never define vhosts as <host>:<port>.
On Fri, 20 May 2022 at 13:09, Yehuda Katz <yeh...@ymkatz.net> wrote: > That is not correct. That causes httpd to try to look up the matching IP > address using DNS. Use only IP addresses or wildcards. > > - Y > > On Fri, May 20, 2022 at 1:06 PM Bender, Charles > <char...@beachcamera.com.invalid> wrote: > >> Your virtual host is defined wrong. Use the names not IP addresses >> >> <VirtualHost example2.com:443 <http://1.1.1.13:443/>> >> Servername example2.com >> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fexample2.com&c=E,1,dcUCUjUb4LYF2QKtZR97YwwXQvScdoETUyYneNIzxrVPCY07TRsv343JxU2TC5RtNYHxyF97S7yA3AepHgKTSlaPMWipWynnIbri9ZFZlIJCfOISNr175hJJNl8,&typo=1> >> SSLEngine on >> SSLCertificateFile /etc/http/certs/example2.crt >> ... >> </VirtualHost> >> ------------------------------ >> *From:* frank picabia <fpica...@gmail.com> >> *Sent:* Friday, May 20, 2022 12:55 PM >> *To:* users@httpd.apache.org <users@httpd.apache.org> >> *Subject:* Re: [users@httpd] Re: Multi-domain with SSL - Virtualhost all >> need IPs? >> >> I'm trying hard to get the lay of the land logic here, and it isn't >> happening. I'm bouncing between what I read here, >> and what apache actually does, and it doesn't add up. >> >> In my case we tried to introduce a new domain, let's call it example2.com >> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fexample2.com&c=E,1,6W_vM4KZBARFuk6DDpPWoNW12LzjGIFV8FRTADGmecW5MGLigif3cCg9i_upqN6olj_Qr7kWBGqNJu2EXeP8QeUVkPmMk1TYwQ1pcBTxx32XgAlhuKEDKcpL&typo=1> >> It will have a different set of cert files. I let it have an IP which >> nothing else shares. >> I'm keenly aware of this IP as I've set it up in DNS as well. >> >> <VirtualHost 1.1.1.13:443> >> Servername example2.com >> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fexample2.com&c=E,1,dcUCUjUb4LYF2QKtZR97YwwXQvScdoETUyYneNIzxrVPCY07TRsv343JxU2TC5RtNYHxyF97S7yA3AepHgKTSlaPMWipWynnIbri9ZFZlIJCfOISNr175hJJNl8,&typo=1> >> SSLEngine on >> SSLCertificateFile /etc/http/certs/example2.crt >> ... >> </VirtualHost> >> >> Every other vhost had a different servername, and they used the >> cert for example1.com >> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fexample1.com&c=E,1,hWtAIAcngoqDN67tYYh-JBMRsDu0loXxcOnLFfiTh0kkC73FcXss_uAVRLOtoJLqXOCEN9jyzjXqVBcPyZW7t70FdDG9MVq19wuX_0SAFBLk7qkKRSlWDw,,&typo=1> >> . They also had *:443 >> Only for example1.com >> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fexample1.com&c=E,1,0PHWaifn8IWmWbVOrikm7fz8IiJtabA_5-R1x0XKMlFFo3oBud94pi8En8RPBR3KLTR3QenHwFjS7HQgJNY1qG-nQe_UmNGE2X8vrXjghYl5KQ,,&typo=1> >> do we have multiple aliases on the same IP. >> >> When visiting the example2.com >> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fexample2.com&c=E,1,QZFYnaarDKwbI4UIuis6AUVr6M_IY5nT64iVqhrFOfC1SFad9Dq-LeBk2Prq7-LyNrzbvo_FfMN1PezvDeICv0bWAkLH1rCsEqr9d-W4KMjU_tMJ5hg,&typo=1> >> site, the web site shows apache has served a certificate for example1.com >> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fexample1.com&c=E,1,T_cQOb_HmAeeARzztUhUpYrFdC-M2k8aEzqZWhQryiy784g3BQNmtSe51GNCXcXQIbgEUbfPVEl5zdNv7G3-cgN_D5iSOe-t-0dOr8s9Ogm_ZwvXlaaXXQJDP78,&typo=1> >> >> I had believed this was because we had used *:443 rather than explicitly >> show the IP >> for all our vhosts. It seemed the early conversation on SSL/TLS was >> matching a random >> vhost via this use of *:443 and that's how it got the cert for >> example1.com >> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fexample1.com&c=E,1,Mz11UTCKtiWcGt6Y8IkJjBHQLSOD5JkAKituHpPrZu5-qa6kZmzAj0yKhiovnyiw6bX333zd9IKH73D6x3DQsfQOvC7ztgVXyiO7EUHWBXHjoys4q30,&typo=1> >> Since before this point all vhosts were on example1.com >> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fexample1.com&c=E,1,8wXSzKIRaGVigrHUZoxWD8812IQ1_5RSU52jRZYKX7BQPnCQrAcHUwhw_BOV_E5zA1jMdtUHbqCd9jwXZ8HLFcDM7HcYG31scrYTMuAWMw,,&typo=1> >> the wildcard cert it >> found was always working while we had *:443 in use. >> >> What can we say about how multi-domain SSL works that we can rely on? >> I can find a dozen pages on google search from people who get the wrong >> certificate and they never get an answer. Some good hard rules on what >> is required would probably help a lot of people over the years. >> >> >> >> On Fri, May 20, 2022 at 11:59 AM Frank Gingras <thu...@apache.org> wrote: >> >> As mentioned, name-based vhosts will work with SNI and *:443 provided >> that you have the correct certificate assigned to each vhost. >> >> In rare cases, you can use IP:443 vhosts if you want specific handling >> based on the IP used to handle the request, such as https://IP1/ or >> https://IP2/. However, it is rarely needed by most servers. >> >> For now, you can use *:443, and run apachectl -S to make sure there is no >> overlap before restarting httpd. >> >> On Fri, 20 May 2022 at 07:04, frank picabia <fpica...@gmail.com> wrote: >> >> >> Sorry, that should not have said "top level domains". I meant domains. >> Like example.com, example.net >> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fexample.net&c=E,1,Lf7WCUECY7EjPemnM7RAgRqLA_RtcGdzOib3lOf7AW0vkHA8LZPhA_Cyx4vxm2UkTXZdaO6ax9tCWnAP4NJ8QbZC7d6pFPimkBkaFwrXGA,,&typo=1> >> . >> >> >> On Fri, May 20, 2022 at 7:05 AM frank picabia <fpica...@gmail.com> wrote: >> >> >> It looks like there are two requirements for multiple top level domains >> with SSL >> on the same apache. >> >> 1. IP values must be used inside VirtualHost, not *:443 >> 2. All IP values must be unique, even on the same top level domain >> >> Is the above conjecture true? >> >> We have many setup like this example... >> >> <VirtualHost *:443 > >> ServerName s1.example1.com >> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fs1.example1.com&c=E,1,wsz87BMMp2oMlSddl_CqoJGdX4XfnA4SBhZHzfihJZJUFFJolpRBPQ1tm6G08DwlDNVBTcY1p7ZsxfEAtdfJ59gsZRoDVQeNBtWtKHbD&typo=1> >> ... >> </VirtualHost> >> >> <VirtualHost *:443 > >> ServerName s2.example1.com >> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fs2.example1.com&c=E,1,7pvCP6udZ3aZHoj-a0jz-AgOyf0BqRRLwQMOAtBCbrpGJX7So009M8zSgwIQRUxx3EB6zyyZKInj66oF7Td7UcJqi0h7gBdt_0zI0uL4PwM06AV6AQ,,&typo=1> >> ... >> </VirtualHost> >> >> where s1 and s2 are aliases on the same IP. It has worked like that for >> years. 330 vhosts on about 80 IPs. >> >> When I started to convert them to use the actual IP value rather than * >> >> <VirtualHost 1.1.1.1:443 > >> ServerName s1.example1.com >> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fs1.example1.com&c=E,1,NvBi26pDh9IxdmyKgHLNK4p32Qv1cFQtyVXbIlC9HHOgiLAV95Pz_D8y_lWST789soOsTkxYjzJJJhMaqd4C8KT5RkVYHb73BPZZCPeWlhB7bt3Z6lPIEdWSe3Wd&typo=1> >> ... >> </VirtualHost> >> <VirtualHost 1.1.1.1:443 > >> ServerName s2.example1.com >> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fs2.example1.com&c=E,1,8X1MRWLchBd0jtI-FkYh2nb2lyg0LtCgOeCkKgkA16Wdz7Q11brpocrr15c9F9_OqRnWEqwExVy6LEiVykh8JwIhtyIlb2Madiz9yfOano0,&typo=1> >> ... >> </VirtualHost> >> >> This had nothing to do with the example2.com >> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fexample2.com&c=E,1,ul_Sx0-1ZWGylDIVnZp9Xcqxf0r3cNY7JsJnUxT2ir53quY-0jVC5gTotkqGkJbvAzWE3tNI01fkJt3aoWuCI0MkdIM9ZPWyrJuBGzFiVA,,&typo=1> >> I also want to put in there >> but on a unique IP. I did a few conversions from *:443, saved it and >> restarted apache. >> Then vhosts I had not touched yet were getting pages for other >> vhosts. It was random chaos and I reverted to the previous ssl.conf copy >> >> >>
