Apache presents wrong certificate when accessed via load balancer

Question

I've got a server that has two SSL certificates set up, one for internal access where it is accessed along the lines of host.my-local.net and other for external access where it is accessed similar to 185.185.185.185 (this is not the actual IP address, but it is an IP address as there is no host name assigned to it). When accessed via the external address, the connection is going through a load balancer / firewall which I don't have any access to, all I know is that it translates incoming connections on a specific port into the internal address on the SSL port.

The problem is, when an external connection comes in, I get browser warning that the site is masquerading as host.my-local.net; it is presenting the certificate for host.my-local.net instead of 185.185.185.185. I have a virtual host set up for both names in my apache2 config file, so I assume that for some reason the server is having trouble distinguishing between an external connection and a LAN connection. I haven't had this problem with a simple NAT, so I don't know why it would make a difference if the load balancer is making the request look like it's coming from the LAN instead of internally.

I have verified that the browser I am using support SNI (Google Chrome) and Apache 2.4 apparently supports it out of the box without requiring the NameVirtualHost directive. However, the documentation says:

In 2.3.11 and later, any time an IP address and port combination is used in 
multiple virtual hosts, name-based virtual hosting is automatically enabled 
for that address.

However, it's not the same IP address used in the two different virtual hosts, one is the internal (LAN) IP address and one is the external (world visible) IP address, so does that apply here?

To clarify my configuration, I have two virtual hosts set up, like so:

<VirtualHost 185.185.185.185:443>
# here i specify the certificate for 185.185.185.185, e.g.
SSLCertificateFile /etc/ssl/private/185.185.185.185.crt
</VirtualHost>
<VirtualHost host.my-local.net:443>
# here i specify the certificate for host.my-local.net, e.g.
SSLCertificateFile /etc/ssl/private/host.my-local.net.crt
</VirtualHost>

@ceejayoz Yes, I have this. The internal and external IPs have separate certificates. — Michael, Nov 26 '14 at 19:37
@ceejayoz I'll see if any answers to that question address the problem I am having... — Michael, Nov 26 '14 at 19:38
@Michael It's not clear what your exact setup is - you said you have a virtual host set up for both names, but if that's the case, how and where do you have the second SSL certificate configured? — Shane Madden, Nov 26 '14 at 19:42
@ShaneMadden I've updated the question to try to address this. — Michael, Nov 26 '14 at 19:46
@ShaneMadden Ah I see... thanks to your question on closer examination I see the problem. — Michael, Nov 26 '14 at 19:50

score 1 · Answer 1 · answered Nov 26 '14 at 19:49

1

Thanks to a comment by @ShaneMadden I was able to figure this out.

This issue is that I need both VirtualHosts to specific the same IP using a wildcard. So my configuration needs to look like this:

<VirtualHost *:443>
# here i specify the certificate for 185.185.185.185, e.g.
SSLCertificateFile /etc/ssl/private/185.185.185.185.crt
ServerName 185.185.185.185
</VirtualHost>
<VirtualHost *:443>
# here i specify the certificate for host.my-local.net, e.g.
SSLCertificateFile /etc/ssl/private/host.my-local.net.crt
ServerName host.my-local.net
</VirtualHost>

answered Nov 26 '14 at 19:49

Michael

121
1
1
8

Yup - though note that this setup is using SNI, so there might be compatibility problems with crazy or really old browsers (notably IE on Windows XP) – Shane Madden Nov 26 '14 at 19:51
@ShaneMadden Good to know! Fortunately, we have control over what browsers our employees will use in either case. :) – Michael Nov 26 '14 at 19:55

Apache presents wrong certificate when accessed via load balancer

1 Answers1