I am running Apache 2.2 on Ubuntu 14.04.4 LTS on a Linode server. I have multiple domains hosted on this machine (with only 1 IP address).

I have a domain tbw.com hosted here for which I have an SSL certificate, and for which I want all http://tbw.com and http://www.tbw.com queries to be redirected to https://www.tbw.com (this is happening in the current configuration).

I also have rf.com and other sites which are working fine as http://rf.com and http://www.rf.com

However, when I try to access https://www.rf.com, it gives an error:

Your connection is not secure
...
www.rf.com uses an invalid security certificate.

The certificate is only valid for the following names: www.tbw.com, tbw.com
Error code: SSL_ERROR_BAD_CERT_DOMAIN

  1. I don't want this to happen - I would rather it show the standard / expected "Secure Connection Failed" error for the non SSL domains.
  2. Can I have other domains with SSL certs installed on the same machine (same IP address)?

I have looked at the following posts, but I think the answers are dated because SNI (Server Name Indication) now exists.

Multiple domains with SSL on same IP

How to prevent https:// being accessible from domains without a certificate?

My configuration files:

/etc/apache2/apache2.conf

...
<Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
</Directory>
...

/etc/apache2/ports.conf

NameVirtualHost *:80
NameVirtualHost *:443

Listen 80
...

/etc/apache2/sites-available/tbw.com.conf

<VirtualHost *:80>
   ServerName tbw.com
   ServerAlias www.tbw.com
   DocumentRoot /var/www/html/tbw.com/public_html
   Redirect permanent / https://www.tbw.com/
</VirtualHost>

<IfModule mod_ssl.c>
    <VirtualHost www.tbw.com:443>
        ServerAdmin yo@tbw.com
        ServerName www.tbw.com
        DocumentRoot /var/www/html/tbw.com/public_html

        # Log file locations
        LogLevel warn
        ErrorLog  /var/www/html/tbw.com/log/error.log
        CustomLog /var/www/html/tbw.com/log/access.log combined

        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/tbw.com/www_tbw_com.crt
        SSLCertificateKeyFile /etc/apache2/ssl/tbw.com/tbw.key
        SSLCertificateChainFile  /etc/apache2/ssl/tbw.com/www_tbw_com.ca-bundle
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                        SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                        SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
                        nokeepalive ssl-unclean-shutdown \
                        downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
</IfModule>
siliconpi

1 Answer

I don't want this to happen - I would rather it show the standard / expected "Secure Connection Failed" error for the non SSL domains.

In this case you must configure Apache to not accept any clients which don't support SNI, i.e. SSLStrictSNIVHostCheck on. In this case virtual hosts without a configured certificate should cause an error at the client, i.e. something like invalid server name or handshake error (depending on the browser).

Can I have other domains with SSL certs installed on the same machine (same IP address)?

As long as the client uses SNI (which all modern browsers do) this should be possible.

Steffen Ullrich
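The layout the answer describes, written out as an added example (this is not configuration from the question or the answer): two name-based SSL virtual hosts on one IP address, selected by SNI, with SSLStrictSNIVHostCheck on in the default vhost. The tbw.com certificate paths are the ones from the question; the rf.com paths, the DocumentRoot for rf.com and the Listen/NameVirtualHost placement are assumptions, and the rf.com certificate files are placeholders that must be replaced with a certificate actually issued for www.rf.com and rf.com.

```apache
# Added example, not the poster's or the answerer's configuration.
# NameVirtualHost and Listen normally live in ports.conf; they are shown
# here so the whole *:443 layout is visible in one place.
NameVirtualHost *:443
Listen 443

<IfModule mod_ssl.c>
    # The first <VirtualHost *:443> is the default for this IP:port.
    # Apache uses it for clients that send no SNI name and for SNI names
    # that match no other vhost, so its certificate is the one such
    # clients see. The address here is *:443, matching NameVirtualHost,
    # rather than a hostname, so the vhost is actually part of that set.
    <VirtualHost *:443>
        ServerName www.tbw.com
        ServerAlias tbw.com
        DocumentRoot /var/www/html/tbw.com/public_html

        SSLEngine on
        SSLCertificateFile      /etc/apache2/ssl/tbw.com/www_tbw_com.crt
        SSLCertificateKeyFile   /etc/apache2/ssl/tbw.com/tbw.key
        SSLCertificateChainFile /etc/apache2/ssl/tbw.com/www_tbw_com.ca-bundle

        # Set in the default vhost, this refuses every client on this
        # IP:port that does not send an SNI name, instead of silently
        # serving it this site and its certificate.
        SSLStrictSNIVHostCheck on
    </VirtualHost>

    # Second SSL site on the same IP address, chosen purely by the SNI
    # name the browser sends. It needs its own certificate covering
    # www.rf.com and rf.com; the three files below are placeholders
    # (assumed paths, not files that exist on the poster's server).
    <VirtualHost *:443>
        ServerName www.rf.com
        ServerAlias rf.com
        DocumentRoot /var/www/html/rf.com/public_html

        SSLEngine on
        SSLCertificateFile      /etc/apache2/ssl/rf.com/www_rf_com.crt
        SSLCertificateKeyFile   /etc/apache2/ssl/rf.com/rf.key
        SSLCertificateChainFile /etc/apache2/ssl/rf.com/www_rf_com.ca-bundle
    </VirtualHost>
</IfModule>
```

After `apache2ctl configtest` and a reload, check which certificate each name gets with `openssl s_client -connect <server-ip>:443 -servername www.rf.com` and again with `-servername www.tbw.com`; the subject of the certificate printed should match the name sent. Running the same command without `-servername` exercises the non-SNI path: the handshake still completes with the default vhost's certificate, but with SSLStrictSNIVHostCheck on Apache answers the HTTP request with 403 and logs that no hostname was provided via SNI. Any https name for which no vhost exists still falls through to the default vhost and its certificate, so the browser's name-mismatch error for such names only goes away once that name has a vhost with a certificate of its own. On Apache 2.4 (what Ubuntu 14.04 actually ships) NameVirtualHost is ignored and can be dropped; the rest of the layout is the same.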