
I'm using an Ubuntu 16 LAMP stack. I currently have virtual host files set up for each domain, with Cloudflare DNS pointing to the same IP for 2 WordPress sites.

I'm using Cloudflare to generate a free TLS certificate signed by Cloudflare to install on the server for each domain.

Host files look like this:

domain1.conf

<VirtualHost *:443>
    ServerAdmin webmaster@domain1.com
    ServerName domain1.net
    ServerAlias www.domain1.net
    DocumentRoot /var/www/html/domain1
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine      on
    SSLCertificateFile      /etc/ssl/certs/domain1.crt
    SSLCertificateKeyFile   /etc/ssl/private/domain1.key
</VirtualHost>

domain2.conf

<VirtualHost ip:443>
    ServerAdmin webmaster@domain1.com
    ServerName domain2.net
    ServerAlias www.domain2.net
    DocumentRoot /var/www/html/domain2
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine      on
    SSLCertificateFile      /etc/ssl/certs/domain2.crt
    SSLCertificateKeyFile   /etc/ssl/private/domain2.key
</VirtualHost>

My cert and key files are not .pem files; does that matter?

Do I need to edit my ports.conf file? From reading another suggestion I added the first two lines.

NameVirtualHost *:80

NameVirtualHost *:443

Listen 80

<IfModule ssl_module>
        Listen 443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 443
</IfModule>
Mike

3 Answers

You are discussing SSL (default 443), but in your example, you use 80. I presume you also need to change from http to https.

I would use different files for different domains (the following hierarchy is for Ubuntu; in RHEL/CentOS I use vhosts.d):

$ ls -1 sites-available/
domain1.net.conf
domain2.net.conf

I use something similar to the following, to redirect http to https.

<VirtualHost *:80>
        ServerAdmin webmaster@domain1.net
        ServerName domain1.net 

        RedirectMatch 301 ^(.*)$ https://domain1.net$1
</VirtualHost>

<VirtualHost *:443>
        ServerAdmin webmaster@domain1.net
        ServerAdmin office@domain1.net
        ServerName domain1.net
        ServerAlias *.domain1.net
        ServerSignature Off

        SSLEngine On
        SSLCertificateFile /your/path/to/fullchain.pem
        SSLCertificateKeyFile /your/path/to/privkey.pem
        SSLCertificateChainFile /your/path/to/chain.pem

        # LogLevel debug ssl:debug rewrite:trace8
        # LogLevel info ssl:warn rewrite:trace8
        LogLevel info

        ErrorLog ${APACHE_LOG_DIR}/domain1.net.error.log
        CustomLog ${APACHE_LOG_DIR}/domain1.net.access.log combined

</VirtualHost>

Yes, you need SSL enabled. If you use the same cert for all domains, make sure your cert uses Subject Alternative Name ^1 / SNI with all your domains. Also, you need this field if you make calls to your service using the IP instead of the DN. Otherwise, if your calls use the DN, not the IP, you don't need the specified field.

UPDATE: The file extension doesn't matter. The content is important. However, for maintenance reasons, the best practice is to keep the extension convention based on what the content of the file is. More about certificate conversion ^2

UPDATE: To choose between SNI and SAN ^3 (also see @dave's comments), please choose whether you are going to use 1 cert or multiple certs. The consequence is the process of renewing the certs. If the certs come from different customers, sometimes it is not possible.

azbarcea
  • I updated my questions and tried to make it a little more clear as to what I have setup now. Any help is appreciated. Thanks! – Mike Aug 15 '18 at 01:43
  • Subject Alt Name is **SAN** and is an extension in the cert. SNI is Server Name Indication and is part of ClientHello in the protocol. If you have one cert it needs SAN to contain multiple names but you don't need SNI to select it; if you have _multiple_ certs you do need SNI to select the right one. – dave_thompson_085 Aug 15 '18 at 09:06
  • [@dave](https://serverfault.com/users/216633/dave-thompson-085), thanks for clarification. I agree. Yes, it depends on how many certs it has, and if he really wants to consume the service based on DN or IP. – azbarcea Aug 15 '18 at 16:56

If you have different domains, you will need different certificates, one for each domain. In order for this to work, you need Server Name Indication, SNI. See Here

RalfFriedl
  • I updated my question to make it a little more clear on how I'm setting up the certs and where they are coming from. Thanks for the response! As far as I understand I have SNI setup. – Mike Aug 15 '18 at 01:44

My cert and key files are not .pem files; does that matter?

It depends on what you mean by .pem files. If you mean the contents of the file is Base-64 encoded DER, it does matter. From mod_ssl documentation:

This directive points to a file with certificate data in PEM format.

If by .pem you simply mean the extension isn't .pem, while the contents are Base-64 encoded DER, you'll be fine - only Microsoft cares about the file extension.

You'll know if they're in the wrong format, as Apache will refuse to start.

Do I need to edit my ports.conf file?

If your ports.conf doesn't have an entry for port 443, you'll need to add it. Otherwise, no.

garethTheRed
  • PEM is not just base64; it is base64 _with_ linebreaks _and_ header/trailer lines, and without both of those openssl and thus apache won't read them. Concur the file 'extension' doesn't matter. Or the name either; the PEM cert can be in a file named `flibbertygibbets.zowie` – dave_thompson_085 Aug 15 '18 at 09:12
  • @dave_thompson_085 - and PEM could (but doesn't necessarily have to) follow [RFC 7468](https://tools.ietf.org/html/rfc7468) if we want to split hairs. I think the point was whether the OP is using PEM or DER. I haven't heard of a Base-64 encoded DER file format that _doesn't_ have the PEM headers that is in common use - but I could be wrong :-) – garethTheRed Aug 15 '18 at 09:54
  • I was referring to the .pem extension. What I did was nano filename.crt and pasted my cert into it from Cloudflare, and did the same with the .key file. Is that all I have to do? – Mike Aug 15 '18 at 16:08
  • I think you need to read that documentation I pointed you to. Namely [SSLCertificateFile](https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile) and [SSLCertificateKeyFile](https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatekeyfile). TLDR - the `SSLCertificateFile` has all your certificates - 1st your CloudFlare issued cert, followed by the issuer of that cert, followed by the issuer of that cert (if applicable) and so on, up to (but not including) the root CA cert. The `SSLCertificateKeyFile` has the private key. – garethTheRed Aug 15 '18 at 17:52
  • @garethTheRed: XMLDsig (thus SOAP, SAML, XAdES) uses DER cert in base64 that isn't PEM. S/MIME frequently, though not always, puts various CMS messages, which are all DER or BER, in base64 but not PEM. OTOH Microsoft often uses XML base64 of things that aren't DER, and PGP is usually base64 (_with_ header/trailer) but is not DER/BER, which you can't easily see manually looking at the base64. – dave_thompson_085 Aug 16 '18 at 00:34
  • @dave_thompson_085 - True enough - I'm sure Base-64 is used in many places. As this is an Apache question, I was thinking along the lines of storing plain old X509 certificates than anything else. I should have been clearer in my comment. – garethTheRed Aug 16 '18 at 06:31
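A defender-side pre-flight check that covers the points raised in the first answer (the cert's SAN list must cover every name a vhost answers for) and in the third answer (mod_ssl wants PEM, not DER, and the key file must belong to the cert); this is an added example, not code from the question, the answers or Apache. It assumes openssl(1) is installed; the file paths and host names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the question or the answers: checks the files an
# Apache SSLCertificateFile / SSLCertificateKeyFile pair points at before httpd
# is restarted. Assumes openssl(1) is installed; all paths are placeholders.

# mod_ssl wants PEM: base64 between -----BEGIN/-----END lines. A bare DER file
# has no such header and starts with an ASN.1 SEQUENCE tag, byte 0x30.
pem_or_der() {
    if grep -q -- '^-----BEGIN ' "$1" 2>/dev/null; then echo PEM
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = 30 ]; then echo DER
    else echo UNKNOWN; fi
}

# The key belongs to the cert iff both yield the same public key.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Is $2 (a ServerName or ServerAlias) listed in the cert's SAN extension?
# A wildcard entry *.example.net covers exactly one extra label, as browsers do.
san_covers() {
    host=$2
    openssl x509 -in "$1" -noout -text 2>/dev/null |
      sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' |
      sed -n 's/^ *DNS://p' |
      ( while read -r san; do
            case $san in
                "$host") exit 0 ;;
                \*.*) [ "${host#*.}" = "${san#\*.}" ] && exit 0 ;;
            esac
        done; exit 1 )
}

# Run every check for one vhost: cert, key, then each name it must answer for.
# Prints one line per finding and returns non-zero if anything is wrong.
check_vhost() {
    cert=$1 key=$2; shift 2; rc=0
    for f in "$cert" "$key"; do
        fmt=$(pem_or_der "$f")
        [ "$fmt" = PEM ] || { echo "$f: format is $fmt, Apache needs PEM"; rc=1; }
    done
    key_matches_cert "$cert" "$key" || { echo "$key does not match $cert"; rc=1; }
    for h in "$@"; do
        san_covers "$cert" "$h" || { echo "$h is not in the SAN list of $cert"; rc=1; }
    done
    return $rc
}
```

Run it once per vhost, e.g. `check_vhost /etc/ssl/certs/domain1.crt /etc/ssl/private/domain1.key domain1.net www.domain1.net`, before restarting Apache. After the restart, `openssl s_client -connect <ip>:443 -servername domain2.net` sends that name in SNI and shows which certificate Apache actually hands out for it.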