1

I have a VPS running Apache/2.2.22 on Ubuntu Server 12.04 LTS.

I have successfully installed an SSL certificate for domaina.com.

Unfortunately, if I visit https://domainb.com, https://domainc.com, etc., I am presented with certificate warnings, as each domain is presenting the domaina.com certificate.

How can I stop this?

Can I stop Apache sending the certificate for all sites sharing the same IP? Can I block port :443 access using ufw for a domain name? Something else?

Domain A configuration

<VirtualHost *:80>
    ServerName   domaina.com
    ServerAlias  www.domaina.com
    DocumentRoot /var/www/domaina.com/public
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName   domaina.com
    ServerAlias  www.domaina.com
    DocumentRoot /var/www/domaina.com/public
    SSLEngine on
    SSLCertificateFile      /etc/apache2/ssl/domaina.com.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/domaina.key
    SSLCertificateChainFile /etc/apache2/ssl/domaina.com.ca-bundle
</VirtualHost>
</IfModule>

Domain B, C… configuration

<VirtualHost *:80>
    ServerName   domainb.com
    ServerAlias  www.domainb.com
    DocumentRoot /var/www/domainb.com/public
</VirtualHost>

Errors experienced

Browsing using Mac OS X Mountain Lion, latest version of Chrome, Safari, Firefox.

Chrome — This is probably not the site you are looking for! You attempted to reach www.domainb.com, but instead you actually reached a server identifying itself as www.domaina.com.

Firefox — This Connection is Untrusted. You have asked Firefox to connect securely to www.domainb.com, but we can't confirm that your connection is secure.

Safari — Safari can't verify the identity of the website "www.domainb.com".

esryl
  • 135
  • 5

1 Answer

3

This is expected behavior. You have a couple options here - you can either use Subject Alternative Names in your SSL cert and serve the names for the other domains, you can get a new IP for the other domains, or you can force the other domains to be non-SSL. The last might not work very well, as you will likely end up using an Apache rewrite rule, which may only be recognized after the browser presents its certificate warning.

John
  • 8,920
  • 1
  • 28
  • 34
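
The Subject Alternative Names option from the answer above, as an added example that is not part of the original question or answer: a small checker that lists which hostnames sharing the IP a given certificate does not cover, and so would produce the browser warnings quoted in the question. The SAN lists are constructed assumptions (the page does not show the real certificate), and `san_matches` and `uncovered` are hypothetical helper names.

```python
# Added example: which hostnames on a shared IP does one certificate cover?
# The SAN lists below are constructed; the page does not show the real certificate.
# Only dNSName SAN matching is modelled (no Common Name fallback).

def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def san_matches(hostname, san):
    """RFC 6125-style match of one hostname against one dNSName SAN entry."""
    host, pat = _labels(hostname), _labels(san)
    if len(host) != len(pat):
        return False  # a wildcard stands for exactly one label
    if pat[0] == "*":
        # Wildcard is accepted only as the whole left-most label, and only
        # when at least two fixed labels follow it (so "*.com" never matches).
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat

def uncovered(hostnames, san_list):
    """Return the hostnames a browser would warn about for this certificate."""
    return [h for h in hostnames
            if not any(san_matches(h, s) for s in san_list)]

# Names served from the shared IP, taken from the question's virtual hosts.
SITES = ["domaina.com", "www.domaina.com", "domainb.com", "www.domainb.com"]

# Constructed: certificate issued for domain A only (the situation in the question).
SINGLE_DOMAIN_CERT = ["domaina.com", "www.domaina.com"]
# Constructed: multi-domain (SAN) certificate reissued to include domain B.
SAN_CERT = SINGLE_DOMAIN_CERT + ["domainb.com", "www.domainb.com"]
# Constructed: a wildcard for domain A still does not cover domain B.
WILDCARD_CERT = ["domaina.com", "*.domaina.com"]

if __name__ == "__main__":
    for label, sans in [("single-domain", SINGLE_DOMAIN_CERT),
                        ("multi-domain SAN", SAN_CERT),
                        ("wildcard for A", WILDCARD_CERT)]:
        print(label, "-> warnings for:", uncovered(SITES, sans) or "none")
```

The SAN list of a real certificate can be read with `openssl x509 -in <cert> -noout -text` and pasted in place of the constructed lists.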