
I have an Apache server configured with name-based virtual hosts. Suppose that the IP is 186.54.251.57; if I enter that IP address, the Apache home page will be displayed...

If I enter example1.com with either http or https, it works fine, as it has an R3 certificate (Let's Encrypt).

example2.com also works fine, and so on (as long as the domains are set to apache2).

The problem is when I add a domain to my DNS servers: the A record then points to the address 186.54.251.57, but the domain example3.com is not yet configured in Apache. If I open the browser and type http://example3.com, it takes me to the Apache home page, but the problem comes when I enter through https://example3.com: as the domain does not yet have an SSL certificate because it is not configured in Apache, it loads the content of example2.com, because it associates the SSL certificate of the other page and consequently shows its content...

How can I prevent that? That is, if a domain has an A record in the DNS that points to the IP address of the Apache server but doesn't have an SSL certificate, how do I keep it from loading another, foreign page?

  • You need to make sure the default Apache VirtualHost is set up properly for both HTTP / HTTPS. – Tero Kilkanen Aug 30 '22 at 06:59
  • But that doesn't help me. I already know that it has to be well configured; I need more technical information – Andrés Alvarez Aug 30 '22 at 09:05
  • For both plain HTTP and HTTPS sites, Apache will display a ***default virtual host*** when Apache httpd receives a request for a hostname that is not explicitly defined. See: https://httpd.apache.org/docs/2.4/vhosts/details.html For HTTPS requests it also uses the default (first) certificate as well. You simply need to ensure that none of your valid web sites becomes the effective default virtual host. You do that by explicitly creating and designating a default VirtualHost. https://serverfault.com/questions/114931/ – HBruijn Aug 30 '22 at 12:21
  • You can do nothing to prevent people from getting an "invalid certificate" warning when your webserver does offer https (for other sites) and they use a hostname which isn't configured at all or not with a valid certificate. – HBruijn Aug 30 '22 at 12:25
  • One thing is the "invalid certificate" but another thing is that the unconfigured domain shows a certificate from another domain and consequently loads the content of the other page – Andrés Alvarez Aug 30 '22 at 20:28

1 Answer


I will leave the solution, since it is something simple, but for those who do not know it, it can be uncomfortable...

It turns out that Apache reads the configuration files in alphabetical order; that's why the Apache home page config starts with "000-default". However, the default SSL page does not have "000" at the beginning, only "default-ssl", so when a domain whose name sorts alphabetically under the letter "a", "b" or "c" is created, it will become the default SSL website...

So basically what I did was rename the "default-ssl" config file to "000-default-ssl", and the problem was solved.
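Added example, not part of the original answer: a small Python check that reads vhost files in the same alphabetical order and reports which file supplies the first (default) VirtualHost for each address:port. The file names, the `blog.example` host, the certificate-free file contents and the `/etc/apache2/sites-enabled` path are constructed assumptions for illustration.

```python
import re
from pathlib import Path

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)
SERVERNAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.I | re.M)
COMMENT_RE = re.compile(r"^\s*#.*$", re.M)

def default_vhosts(configs):
    """Map each address:port to the (file, ServerName) of its first vhost.

    configs is {file name: file text}. Files are walked in sorted order,
    mirroring the alphabetical include order described in the answer
    (assumes ASCII file names).
    """
    defaults = {}
    for name in sorted(configs):
        text = COMMENT_RE.sub("", configs[name])  # ignore commented-out lines
        for match in VHOST_RE.finditer(text):
            found = SERVERNAME_RE.search(match.group(2))
            server_name = found.group(1) if found else None
            for addr in match.group(1).split():
                # In Apache 2.4, _default_ is an alias for *
                addr = addr.replace("_default_", "*")
                defaults.setdefault(addr, (name, server_name))
    return defaults

def load_dir(path="/etc/apache2/sites-enabled"):
    """Read real vhost files (Debian-style path, an assumption)."""
    return {p.name: p.read_text() for p in Path(path).glob("*.conf")}

# Constructed sample: a site file that sorts before "default-ssl.conf".
SAMPLE = {
    "000-default.conf": "<VirtualHost *:80>\n  #ServerName www.example.com\n"
                        "  DocumentRoot /var/www/html\n</VirtualHost>\n",
    "blog.example.conf": "<VirtualHost *:443>\n  ServerName blog.example\n"
                         "  SSLEngine on\n</VirtualHost>\n",
    "default-ssl.conf": "<VirtualHost _default_:443>\n  SSLEngine on\n"
                        "  DocumentRoot /var/www/html\n</VirtualHost>\n",
}

if __name__ == "__main__":
    print("before rename:", default_vhosts(SAMPLE)["*:443"])
    renamed = dict(SAMPLE)
    renamed["000-default-ssl.conf"] = renamed.pop("default-ssl.conf")
    print("after rename: ", default_vhosts(renamed)["*:443"])
```

Running `default_vhosts(load_dir())` on the server after adding a site shows whether a real site has become the fallback for `*:443`.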