Apache - Multi SSL certs voiding each other

1

I have two SSL certs running on one of our servers for two projects. One is a wildcard SSL issued to that domain only, which I'll call domain2.com. The other domain, domain1.com, has its cert issued to one subdomain only, called servers.

Due to domain2 allowing users on the project to create subdomains, it has a VirtualHost setup looking like this:

<VirtualHost *:443>
    <Directory /var/www/domain2>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Require all granted
    </Directory>
    #There's a SSL redirection here -
    #stackexchange network detected it as a URL shortener, so removed from question
    SSLEngine on
    SSLCertificateFile /app/domain2/certs/domain2.com.pem
    SSLCertificateKeyFile /app/domain2/certs/domain2.com.key
    SSLCertificateChainFile "/app/domain2/certs/fullchain.pem"
    SSLCACertificatePath "/app/domain2/certs/"
    SSLCACertificateFile "/app/domain2/certs/cacert.pem"
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/domain2
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

This works fine; however, the servers.domain1.com SSL isn't working (that one is issued by Let's Encrypt, while domain2.com is issued by AlphaSSL):

<VirtualHost servers.domain1.com:443>
    <Directory /app/corporate/mediaserver/public>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Require all granted
    </Directory>
    #There's a SSL redirection here -
    #stackexchange network detected it as a URL shortener, so removed from question
    SSLEngine on
    SSLCertificateFile /app/corporate/mediaserver/certs/[redacted]
    SSLCertificateKeyFile /app/corporate/mediaserver/certs/[redacted]
    SSLCACertificatePath /app/corporate/mediaserver/certs/[redacted]
    SSLCACertificateFile /app/corporate/mediaserver/certs/[redacted]
    ServerName servers.domain1.com
    ServerAdmin webmaster@localhost
    DocumentRoot /app/corporate/mediaserver/public
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

When I load servers.domain1.com it tries to load the SSL from the wildcard; however, if I set the <VirtualHost> to <VirtualHost domain1.com:443> and load domain1.com, it loads the correct SSL (the servers.domain1.com VirtualHost just gets ignored).

Loading servers.domain2.com (actual tld is .io)

Phil Gibson

Posted 2018-02-24T16:42:53.203

Reputation: 11

Do you have different IP addresses for each domain, or do they all share a single IP address? – user1686 – 2018-02-24T17:35:02.900

They share the same IP address @grawity – Phil Gibson – 2018-02-24T17:35:32.733

Well that's your problem. – user1686 – 2018-02-24T17:40:09.690

Answers

1

First: The parameter in <VirtualHost …> does not work this way. In "one IP per domain" systems, it is meant for specifying which IP address the webserver will bind to (that is, what address it will receive connections on) for that virtual host. It is not for selecting the virtual host based on HTTP "Host:" or TLS SNI.

However, you say in comments that you only have a single IP address (so you'll want to use TLS SNI). In that case all virtual host blocks should bind to the same * address, and the actual domain name should be specified as ServerName.

Second: In Apache configuration, the first matching VirtualHost block wins. If you have a wildcard ServerName above exact matches, it will always be chosen. So make sure your VirtualHosts are ordered correctly.

# The specific subdomains go first...

<VirtualHost *:443>
    ServerName servers.domain1.com
    DocumentRoot /app/corporate/mediaserver/public
    SSLEngine on
    SSLCertificateFile /app/corporate/mediaserver/certs/fullchain.pem
    SSLCertificateKeyFile /app/corporate/mediaserver/certs/privkey.pem
</VirtualHost>

# ...and the wildcard is last:

<VirtualHost *:443>
    # The wildcard block is for domain2.com and its user-created subdomains;
    # it comes last so it cannot capture the exact names above it.
    ServerName domain2.com
    ServerAlias *.domain2.com
    DocumentRoot /var/www/domain2
    SSLEngine on
    SSLCertificateFile /app/domain2/certs/fullchain.pem
    SSLCertificateKeyFile /app/domain2/certs/domain2.com.key
</VirtualHost>

(The SSLCertificateChainFile setting is obsolete in Apache 2.4. The SSLCA* settings are for client authentication – if you don't use that, you do not need them either.)

user1686

Posted 2018-02-24T16:42:53.203

Reputation: 283 655
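The selection rule the answer describes (first match in config order wins, with no precedence for exact names over wildcards, and the first block as the default when nothing matches) can be checked mechanically. The script below is an added illustration, not code from this post or from the Apache httpd project: it models that rule for blocks sharing one address:port, lints a block list for ServerNames that an earlier block captures, and adds a separate certificate-coverage check, because a ServerAlias glob and a certificate wildcard do not match the same names. The block labels, the `ServerAlias *` catch-all, and the SAN lists are constructed to mirror the question; the catch-all generalizes the answer's point beyond the exact layout posted.

```python
"""Model of Apache name-based VirtualHost selection on a single IP, plus a
certificate-coverage check.  Added illustration for this answer; it is not
code from the Super User post or from the Apache httpd project.  It encodes
Apache's documented rule for blocks sharing one address:port: the first
block whose ServerName or ServerAlias matches the name from SNI (or Host:)
is used, with no precedence for exact names over wildcards, and if nothing
matches, the first block listed is the default.  Block labels, aliases and
SAN lists are constructed to mirror the question.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass(frozen=True)
class VHost:
    label: str                          # which config block this stands for
    server_name: Optional[str]          # None: the block has no ServerName
    aliases: tuple = ()                 # ServerAlias entries
    cert_sans: tuple = ()               # dNSName SANs of its SSLCertificateFile

    def names(self):
        own = (self.server_name,) if self.server_name else ()
        return own + self.aliases


def alias_matches(pattern, host):
    """ServerName/ServerAlias comparison: case-insensitive shell glob in
    which '*' also crosses label boundaries ('*.d.com' matches 'a.b.d.com')."""
    return fnmatchcase(host.lower(), pattern.lower())


def select_vhost(vhosts, sni_host):
    """First match in config order wins; no match -> first block is default."""
    for vh in vhosts:
        if any(alias_matches(n, sni_host) for n in vh.names()):
            return vh
    return vhosts[0]


def cert_covers(sans, host):
    """Browser-style (RFC 6125) name check: exact SAN, or a '*.' SAN whose
    wildcard stands for exactly one leftmost label.  Unlike a ServerAlias,
    '*.domain2.com' covers neither 'domain2.com' nor 'a.b.domain2.com'."""
    host = host.lower()
    for san in (s.lower() for s in sans):
        if san == host:
            return True
        if san.startswith("*."):
            suffix = san[1:]                       # '.domain2.com'
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False


def outcome(vhosts, sni_host):
    """(label of the block Apache would serve, whether that block's cert is
    valid for the requested name)."""
    vh = select_vhost(vhosts, sni_host)
    return vh.label, cert_covers(vh.cert_sans, sni_host)


def shadowed(vhosts):
    """Config lint: blocks whose own ServerName is captured by an earlier
    block, i.e. blocks that can never be reached by name."""
    return [vh.label for vh in vhosts
            if vh.server_name and select_vhost(vhosts, vh.server_name) is not vh]


# Constructed stand-ins for the two blocks in the question.
MEDIASERVER = VHost("servers.domain1.com block", "servers.domain1.com",
                    cert_sans=("servers.domain1.com",))
WILDCARD = VHost("domain2 wildcard block", "domain2.com",
                 aliases=("*.domain2.com",),
                 cert_sans=("domain2.com", "*.domain2.com"))
# The same wildcard block written as a catch-all and placed first: the shape
# of the mistake the answer warns about (hypothetical, for illustration).
CATCH_ALL = VHost("domain2 catch-all block", None, aliases=("*",),
                  cert_sans=WILDCARD.cert_sans)

BROKEN_ORDER = [CATCH_ALL, MEDIASERVER]     # wildcard above the exact name
FIXED_ORDER = [MEDIASERVER, WILDCARD]       # exact names first, wildcard last

if __name__ == "__main__":
    for order_name, order in (("broken", BROKEN_ORDER), ("fixed", FIXED_ORDER)):
        print(order_name, "shadowed:", shadowed(order))
        for host in ("servers.domain1.com", "user1.domain2.com",
                     "domain2.com", "a.b.domain2.com", "unknown.example"):
            print("  ", host, "->", outcome(order, host))
```

Two things the run makes visible that the prose alone does not: in the broken order the exact-name block is reported as shadowed and servers.domain1.com is served the domain2 certificate, which does not cover it; and even in the fixed order a name such as a.b.domain2.com reaches the wildcard block (the ServerAlias glob crosses labels) but the wildcard certificate does not cover it, so the browser still warns. On a real server, `apachectl -S` prints the effective block order and the default for each address:port, and `openssl s_client -servername servers.domain1.com -connect <ip>:443` shows which certificate is actually presented for a given SNI name.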