You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Reg <re...@seowebsales.com> on 2012/05/11 22:10:46 UTC
[users@httpd] Problem with Multiple VirtualHosts with SSL using Named Virtual Hosts (SNI)
I've setup Apache to handle named Virtual Hosts with SSL however there is something I am missing because it doesn't work. This is my first time trying multiple SSL hosting however I have had one SSL domain working for years on this server.
The certificates check out because if I comment out the section for domain1.com then domain2.com works perfectly in the browser, i.e.: no warning message and straight into https://www.domain2.com seamlessly. Of course domain1.com gives the "untrusted certificate" warning since it's the wrong certificate the browser is getting.
When I uncomment the lines for domain1.com then domain1.com will work seamlessly as domain2.com did but now domain2.com will give the "untrusted certificate" warning in the browser so Apache is defaulting the first certificate it finds to serve up the browser.
I can't find anymore to do to make this work so I'm hoping someone who has made this work could look at my Apache configuration and tell me what I am doing wrong.
I also checked the Apache log and I get this message:
[warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
which from what I read means that Apache is properly setup for Named-based Virtual domains with SSL.
The software is:
openSUSE 11.4
Apache 2.2.17
openSSL 1.0.0c
FireFox 12.0 Linux & Windows, IE7 Vista
I've checked all of the above software versions and as far as I can see it is all new enough to work with SNI.
Any help really appreciated!
Reg
Relevant Apache configuration:
Listen 443
NameVirtualHost *:443
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/lib/apache2/ssl_scache(512000)
SSLSessionCacheTimeout 600
SSLMutex default
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
<Directory "/srv/www/vhosts/live/m/multi-001/www">
Options none
AllowOverride all
Order allow,deny
Allow from all
</Directory>
# Old stuff we'll probably never use
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/srv/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
#
# www.domain1.com
#
# Live: live/www.domain1.com
<VirtualHost *:443>
DocumentRoot "/srv/www/vhosts/live/m/multi-7/www/"
ServerName domain1.com:443
ServerAlias www.domain1.com:443
ServerAdmin webmaster@domain1.com
<Directory "/srv/www/vhosts/live/m/multi-7/www">
Options none
AllowOverride all
Order allow,deny
Allow from all
</Directory>
SSLEngine on
SSLCertificateFile /etc/ssl/private/crt/domain1.com.crt
SSLCertificateKeyFile /etc/ssl/private/key/domain1.com.key
SSLCertificateChainFile /etc/ssl/private/bundle/domain1.com.crt.bundle
CustomLog '/var/log/apache2/d/domain1.com_reqst' ssl_combined
ErrorLog '/var/log/apache2/d/domain1.com_error'
RewriteLog '/var/log/apache2/d/domain1.com_rewri'
</VirtualHost>
#
# www.domain2.com
#
# Live: live/www.domain2.com
<VirtualHost *:443>
DocumentRoot "/srv/www/vhosts/live/m/multi-7/www/"
ServerName domain2.com:443
ServerAlias www.domain2.com:443
ServerAdmin webmaster@domain2.com
<Directory "/srv/www/vhosts/live/m/multi-7/www">
Options none
AllowOverride All
Order allow,deny
Allow from all
</Directory>
SSLEngine on
SSLCertificateFile /etc/ssl/private/crt/domain2.com.crt
SSLCertificateKeyFile /etc/ssl/private/key/domain2.com.key
SSLCertificateChainFile /etc/ssl/private/bundle/domain2.com.crt.bundle
CustomLog '/var/log/apache2/d/domain2.com_acces' ssl_combined
ErrorLog '/var/log/apache2/d/domain2.com_error'
RewriteLog '/var/log/apache2/d/domain2.com_rewri'
</VirtualHost>