
I have a personal server and I use many sub-domains on it.
Each subdomain has its own unique SSL cert set up with LetsEncrypt.
Each subdomain has its own vhost file under /etc/apache/sites-available/
Each subdomain has its own A record and NS record that point to my server.

For some reason, if I disable one of my subdomains (e.g. sub1.domain.com) using the a2dissite command, and then try to go to that site in a web browser, I get an error saying:

sub1.domain.com uses an invalid security certificate.
The certificate is only valid for sub2.domain.com
Error code: SSL_ERROR_BAD_CERT_DOMAIN

I have verified that the VHOST files do use their appropriate SSL files. The VHOST files also have the appropriate server name, including the subdomain part.

If I add an exception to the above error, as is an option, I am presented with another one of my subdomains but the URL stays the same as the one that's disabled.

Why does my server point me to a completely different sub-domain when I disable the site? I would think that it would just say it can't be reached, but instead it redirects me to another one of my sub-domains and I'm not sure how to control that.

Frantumn

2 Answers


The first configured vhost has the highest priority and can be seen as the default or primary server. That means that if a request is received that does not match one of the specified ServerName directives, it will be served by this first vhost.

https://httpd.apache.org/docs/2.4/vhosts/examples.html

In your case sub1.domain.com points to your web server, but the web server has no vhost configured that matches the domain. Instead the content and SSL cert for the default domain are served.

  • Thank you, I was thinking it was probably a "feature". Is there a configuration to disable this and just have it show unavailable instead of serving the next in line? – Frantumn Jan 20 '18 at 18:34
  • @Frantumn Someone else has asked [that question](https://serverfault.com/q/444217/126632) here before. You may be interested to read it. – Michael Hampton Jan 20 '18 at 18:45
  • I would suggest the HTTP 403 approach over default Apache page: https://serverfault.com/questions/114931/how-to-disable-default-virtualhost-in-apache2 – NetworkMeister Jan 20 '18 at 19:52
  • So, do I make a new vhost file, put this in it ` Deny from all Options None ErrorDocument 403 Forbidden. ` and then enable it? – Frantumn Jan 20 '18 at 19:55
  • @Frantumn Why do you want to loose these visitors? You could redirect them to your website. – Fabian Jan 20 '18 at 20:02
  • I use my server for 99% personal reasons. I don't want visitors unless I share a URL specifically with friends / family. Right now, if I visit a subdomain that's disabled, it goes to the first subdomain in the list of my subdomains, which due to alphabetical ordering is analytics.mydomain.com and I don't really need people stumbling upon my Piwik installation haha – Frantumn Jan 20 '18 at 20:11
  • Oh, in that case redirect them to google :) ` ServerName analytics.mydomain.com Redirect / https://google.com ` – NetworkMeister Jan 21 '18 at 20:02

Name-based virtual hosts for the best-matching set of <virtualhost>s are processed in the order they appear in the configuration. The first matching ServerName or ServerAlias is used, with no different precedence for wildcards (nor for ServerName vs. ServerAlias).

source: Apache HTTP Server Version 2.4 - Using Name-based Virtual Hosts

AFAIK it is not possible to change this sorting process without recompiling.

To change the order of your virtual hosts you could rename the *.conf-files in /etc/apache/sites-available/ like this:

/etc/apache/sites-available/000-default.conf
/etc/apache/sites-available/100-site-one.conf
/etc/apache/sites-available/200-site-two.conf

For Debian (Ubuntu should have similar syntax) I recommend changing from, let's say, old-site-three.conf to 300-site-three.conf in this order:

$ sudo a2dissite old-site-three.conf
$ sudo mv /etc/apache/sites-available/old-site-three.conf /etc/apache/sites-available/300-site-three.conf
$ sudo a2ensite 300-site-three.conf
$ sudo apache2ctl configtest
$ sudo systemctl restart apache2.service

Fabian
  • Thanks. Other than having things in order of conf file names, is there a ways to disable this feature? – Frantumn Jan 20 '18 at 19:42
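The two answers together point at one practical fix: a catch-all vhost (the HTTP 403 approach from the comments on the first answer) whose file name sorts first in sites-enabled (the 000- prefix from the second answer), so that a disabled or unknown subdomain lands on it instead of on analytics.mydomain.com. The configuration below is an added example, not code from either answer or from the Apache project. It assumes a Debian-style layout under /etc/apache2/, the self-signed placeholder certificate that Debian's ssl-cert package installs, and the APACHE_LOG_DIR variable from Debian's envvars; default.invalid is a placeholder ServerName that no real request will carry. Note that the comment's "Deny from all" is Apache 2.2 syntax; on 2.4 the equivalent is "Require all denied".

```apache
# Assumed path: /etc/apache2/sites-available/000-default.conf
# The 000- prefix makes this file sort first in sites-enabled, so Apache
# treats it as the default vhost for any Host/SNI name that matches no
# other ServerName or ServerAlias.

<VirtualHost *:80>
    # Placeholder name: nothing resolves to it, so it only ever wins by being first.
    ServerName default.invalid
    # Assumed directory; nothing in it is served because of the deny below.
    DocumentRoot /var/www/html
    <Location "/">
        # Apache 2.4 syntax; the comment's "Deny from all" is the 2.2 form.
        Require all denied
    </Location>
    ErrorDocument 403 "Forbidden"
    # Separate log so requests for disabled or unknown names are easy to spot.
    CustomLog ${APACHE_LOG_DIR}/default-vhost.log combined
</VirtualHost>

<VirtualHost *:443>
    ServerName default.invalid
    SSLEngine on
    # Debian's self-signed placeholder certificate (ssl-cert package, assumed
    # installed). Deliberately not one of the real Let's Encrypt certs, so a
    # request for an unknown name is never answered with a certificate that
    # reveals another subdomain's name.
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    <Location "/">
        Require all denied
    </Location>
    ErrorDocument 403 "Forbidden"
    CustomLog ${APACHE_LOG_DIR}/default-vhost.log combined
</VirtualHost>
```

Enable it with `sudo a2ensite 000-default.conf`, run `sudo apache2ctl configtest`, then reload Apache. `sudo apache2ctl -S` lists the vhosts per port and names the "default server" for each; after the reload that line should point at 000-default.conf rather than at the analytics vhost. One caveat: the browser's certificate warning for sub1.domain.com does not go away, because the TLS handshake completes before any HTTP response can be sent and no cert on the server covers that name. What changes is that the certificate presented is the placeholder one instead of a sibling subdomain's, and clicking through the warning yields a 403 instead of the analytics site.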