Posted to users@httpd.apache.org by Quentin CHARRAUT <qu...@inova-software.com> on 2015/03/12 15:51:42 UTC

[users@httpd] Help with wildcard SSL certificates and virtual hosts

Hi all,

I really need help to understand what I'm doing wrong and how to solve my problems.
Let me first explain the situation.

We have an Apache webserver (Linux) in front of a JBoss application server which hosts many different applications.
Apache is configured to redirect clients based on virtual host definitions (depending on client URLs). Note that all applications are available at a URL like https://x.example.com, where x is the client name.
We also own a valid SSL wildcard certificate for *.example.com, installed on the Apache server with mod_ssl enabled.

Currently, all the configuration is correct for defined virtual hosts: for example, when the client toto tries to access his application, he uses the URL toto.example.com and Apache sees that the corresponding virtual host exists.
For non-defined virtual hosts, for example if the client tata tries to access his application, the default virtual host (*.example.com) handles the request correctly and makes some redirection.

Now, for development reasons, we decided to "reproduce" the production environment. We decided to simulate clients with URLs like https://x.dev.example.com. So we bought the associated wildcard certificate (*.dev.example.com) and installed it on the same Apache server.

Now, here come the issues.
First, I added a virtual host for *.dev.example.com placed after the vhost *.example.com, and when I tried to access https://titi.dev.example.com with a browser, it gave an "ssl_error_bad_cert_domain" error. Note that there are no errors if I define a specific vhost for titi.dev.example.com, but that's not sufficient for our needs.
Then I made a test by putting the *.dev.example.com vhost before *.example.com, and then the URL https://titi.dev.example.com is available without certificate errors. But now the https://toto.example.com URL gives me an "ssl_error_bad_cert_domain" error.

My question is, how can I have both the *.example.com and *.rc.example.com vhosts working together without any bad certificate errors?
Maybe I missed something? Or maybe it's not possible?

Here is my Apache configuration:

* ssl.conf:


NameVirtualHost 192.168.0.10:443

# Virtual host for *.example.com
<VirtualHost 192.168.0.10:443>
DocumentRoot "/var/www/html"
ServerName *.example.com:443

ErrorLog "/var/log/httpd/error_log"
TransferLog "/var/log/httpd/access_log"

SSLEngine on

SSLCertificateFile "/etc/httpd/conf/ssl/all.example.com.crt"
SSLCertificateKeyFile "/etc/httpd/conf/ssl/all.example.com.key"
SSLCertificateChainFile "/etc/httpd/conf/ssl/CA.pem"
</VirtualHost>

# Virtual host for *.dev.example.com
<VirtualHost 192.168.0.10:443>
DocumentRoot "/var/www/html"
ServerName *.dev.example.com:443

ErrorLog "/var/log/httpd/error_log"
TransferLog "/var/log/httpd/access_log"

SSLEngine on

SSLCertificateFile "/etc/httpd/conf/ssl/all.dev.example.com.crt"
SSLCertificateKeyFile "/etc/httpd/conf/ssl/all.dev.example.com.key"
SSLCertificateChainFile "/etc/httpd/conf/ssl/CA.pem"

# Some other directives

</VirtualHost>

# Include for all other virtual hosts
Include /etc/httpd/conf.d/virtualhosts/*.conf


* One of the "other" vhosts:

<VirtualHost 172.17.0.11:443>

DocumentRoot "/var/www/html"
ServerName https://toto.example.com:443

ErrorLog "/var/log/httpd/error_log"
TransferLog "/var/log/httpd/access_log"

SSLEngine on

SSLCertificateFile "/etc/httpd/conf/ssl/all.example.com.crt"
SSLCertificateKeyFile "/etc/httpd/conf/ssl/all.example.com.key"
SSLCertificateChainFile "/etc/httpd/conf/ssl/CA.pem"

# Some other directives

</VirtualHost>

Please let me know if you need more information.

Many thanks for your time and help, many thanks in advance for your reply, and have a good day,

Quentin Charraut


Re: [users@httpd] Help with wildcard SSL certificates and virtual hosts

Posted by Yann Ylavic <yl...@gmail.com>.
Hi Quentin,

On Thu, Mar 12, 2015 at 3:51 PM, Quentin CHARRAUT
<qu...@inova-software.com> wrote:
>
> My question is, how can I have both *.example.com and *.rc.example.com vhost
> working together without any bad certificate errors ?
>
> Maybe I missed something ? or maybe it’s not possible ?

I think you missed ServerAlias; wildcards are not valid ServerNames
(though legal in 2.2.x, not anymore in 2.4.x).

Your configuration should look like:

<VirtualHost 192.168.0.10:443>
    ServerName example.com:443
    ServerAlias *.example.com
    ...
</VirtualHost>

<VirtualHost 192.168.0.10:443>
    ServerName dev.example.com:443
    ServerAlias *.dev.example.com
    ...
</VirtualHost>

<...>

Please also note that the vhosts above are the "defaults" for requests
on 192.168.0.10:443 only (the first ones on that IP:port), and hence requests
on 172.17.0.11:443 may still reach:
<VirtualHost 172.17.0.11:443>
   ServerName toto.example.com:443
   ...
</VirtualHost>
if this is the first one on that IP:port (and the requested host is
not a declared vhost).
Moreover, requests for toto.example.com on 192.168.0.10:443 have no
chance to reach this vhost.

So I think you should declare all the "related" vhosts on the same
IP:port (and the selection will be based on the SNI given by the
client), otherwise you'll have to declare a default for each IP:port.

Regards,
Yann.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Help with wildcard SSL certificates and virtual hosts

Posted by Dennis Jacobfeuerborn <de...@conversis.de>.
On 12.03.2015 15:51, Quentin CHARRAUT wrote:
> Hi all,
> 
> I really need help to understand what I'm doing wrong and how to solve my problems.
> Let me first explain the situation.
> 
> We have an Apache webserver (Linux) in front of a JBoss application server which hosts many different applications.
> Apache is configured to redirect clients based on virtual host definitions (depending on client URLs). Note that all applications are available at a URL like https://x.example.com, where x is the client name.
> We also own a valid SSL wildcard certificate for *.example.com, installed on the Apache server with mod_ssl enabled.
> 
> Currently, all the configuration is correct for defined virtual hosts: for example, when the client toto tries to access his application, he uses the URL toto.example.com and Apache sees that the corresponding virtual host exists.
> For non-defined virtual hosts, for example if the client tata tries to access his application, the default virtual host (*.example.com) handles the request correctly and makes some redirection.
> 
> Now, for development reasons, we decided to "reproduce" the production environment. We decided to simulate clients with URLs like https://x.dev.example.com. So we bought the associated wildcard certificate (*.dev.example.com) and installed it on the same Apache server.
> 
> Now, here come the issues.
> First, I added a virtual host for *.dev.example.com placed after the vhost *.example.com, and when I tried to access https://titi.dev.example.com with a browser, it gave an "ssl_error_bad_cert_domain" error. Note that there are no errors if I define a specific vhost for titi.dev.example.com, but that's not sufficient for our needs.
> Then I made a test by putting the *.dev.example.com vhost before *.example.com, and then the URL https://titi.dev.example.com is available without certificate errors. But now the https://toto.example.com URL gives me an "ssl_error_bad_cert_domain" error.
> 
> My question is, how can I have both the *.example.com and *.rc.example.com vhosts working together without any bad certificate errors?
> Maybe I missed something? Or maybe it's not possible?

The wildcard only works on one level, so you'll need two certificates for
this: one for *.example.com and one for *.rc.example.com.

Regards,
  Dennis
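The two rules the replies rely on, vhost selection by SNI name (Yann) and the one-label limit of a wildcard certificate (Dennis), as an added example that is not part of this thread and not httpd code: a small Python model that reads <VirtualHost> blocks, picks the vhost the way httpd does for a given ip:port and SNI name (exact ServerName, then ServerAlias wildcards, else the first vhost declared on that ip:port), and then asks whether the selected vhost's certificate covers the name. The SAN lists in CERT_SANS and both configuration strings are constructed for the example (the certificate paths are the ones from the original post). Two httpd facts shape the corrected configuration: ServerAlias takes bare host names without a port, and its `*` matches any run of characters, dots included, so `*.example.com` would also capture titi.dev.example.com; the corrected form therefore declares the specific vhost first, then `*.dev.example.com`, then the `*.example.com` catch-all.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed assumption: the SAN names each certificate file carries.
CERT_SANS = {
    "/etc/httpd/conf/ssl/all.example.com.crt": ["example.com", "*.example.com"],
    "/etc/httpd/conf/ssl/all.dev.example.com.crt": ["dev.example.com", "*.dev.example.com"],
}

@dataclass
class VHost:
    addr: str             # ip:port from the <VirtualHost ...> line
    server_name: str      # ServerName as written (may carry scheme and port)
    aliases: List[str]    # ServerAlias patterns: bare host names with * and ?
    cert_sans: List[str]  # SAN names of its SSLCertificateFile (via CERT_SANS)

def parse_vhosts(conf: str) -> List[VHost]:
    """Minimal reader for <VirtualHost> blocks; keeps only what the checks need."""
    vhosts, cur = [], None
    for line in (raw.strip() for raw in conf.splitlines()):
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            cur = {"addr": m.group(1).strip(), "name": "", "aliases": [], "cert": ""}
        elif line.lower().startswith("</virtualhost") and cur is not None:
            vhosts.append(VHost(cur["addr"], cur["name"], cur["aliases"],
                                CERT_SANS.get(cur["cert"], [])))
            cur = None
        elif cur is not None and len(line.split(None, 1)) == 2:
            key, val = line.split(None, 1)
            key, val = key.lower(), val.strip().strip('"')
            if key == "servername":
                cur["name"] = val
            elif key == "serveralias":
                cur["aliases"].extend(val.split())
            elif key == "sslcertificatefile":
                cur["cert"] = val
    return vhosts

def alias_matches(pattern: str, host: str) -> bool:
    """ServerAlias: '*' matches any run of characters (dots included), '?' one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern.lower())
    return re.fullmatch(regex, host.lower()) is not None

def select_vhost(vhosts: List[VHost], addr: str, sni: str) -> Optional[VHost]:
    """First vhost on addr whose ServerName equals, or ServerAlias matches, the SNI
    name; else the first vhost on addr (its default). ServerName is compared
    literally after dropping scheme and port, so a '*' in it never matches."""
    on_addr = [v for v in vhosts if v.addr == addr]
    for v in on_addr:
        name = re.sub(r"^[a-z][a-z0-9+.-]*://", "", v.server_name.lower()).split(":")[0]
        if name == sni.lower() or any(alias_matches(a, sni) for a in v.aliases):
            return v
    return on_addr[0] if on_addr else None

def cert_covers(san: str, host: str) -> bool:
    """Browser rule (RFC 6125): a '*.' wildcard covers exactly one label."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        suffix = san[1:]                                   # ".example.com"
        left = host[:-len(suffix)] if host.endswith(suffix) else ""
        return bool(left) and "." not in left
    return san == host

def check(vhosts: List[VHost], addr: str, sni: str) -> Tuple[Optional[str], bool]:
    """(ServerName of the answering vhost, whether its certificate covers sni);
    a False second value is what a browser shows as ssl_error_bad_cert_domain."""
    v = select_vhost(vhosts, addr, sni)
    if v is None:
        return None, False
    return v.server_name, any(cert_covers(s, sni) for s in v.cert_sans)

# Constructed from the original post: wildcard ServerName, no ServerAlias.
ORIGINAL_CONF = """<VirtualHost 192.168.0.10:443>
    ServerName *.example.com:443
    SSLCertificateFile "/etc/httpd/conf/ssl/all.example.com.crt"
</VirtualHost>
<VirtualHost 192.168.0.10:443>
    ServerName *.dev.example.com:443
    SSLCertificateFile "/etc/httpd/conf/ssl/all.dev.example.com.crt"
</VirtualHost>"""
# Corrected form: one ip:port, ServerName plus ServerAlias, most specific first.
FIXED_CONF = """<VirtualHost 192.168.0.10:443>
    ServerName toto.example.com:443
    SSLCertificateFile "/etc/httpd/conf/ssl/all.example.com.crt"
</VirtualHost>
<VirtualHost 192.168.0.10:443>
    ServerName dev.example.com:443
    ServerAlias *.dev.example.com
    SSLCertificateFile "/etc/httpd/conf/ssl/all.dev.example.com.crt"
</VirtualHost>
<VirtualHost 192.168.0.10:443>
    ServerName example.com:443
    ServerAlias *.example.com
    SSLCertificateFile "/etc/httpd/conf/ssl/all.example.com.crt"
</VirtualHost>"""
```

Running check() against ORIGINAL_CONF reproduces the symptom from the first post: with no ServerAlias, nothing matches and every name on 192.168.0.10:443 falls to the first vhost, so titi.dev.example.com is answered with the *.example.com certificate and the check returns False. Against FIXED_CONF each name reaches its own vhost, while deep.titi.dev.example.com still comes back uncovered, which is the one-level limit Dennis describes.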

