Apache name virtual host – two domains and SSL

Problems with loading a website are often blamed on the Internet connection, but even the most perfectly set up network cannot help if there is no service to reply at your destination. One of the most popular HTTP servers used for this task is Apache2. Much of Apache’s popularity can be attributed to its easy installation and use, but nevertheless it is possible to run into problems with even the easiest software. If you’ve encountered an issue loading your web page, follow the troubleshooting methods outlined in this guide to attempt to get your web server back up and working again. Below are some tips for managing your Apache2 server when you run into a problem with apache-2.2 and ssl.

I’m trying to set up Apache (2.2.3) to run two websites with SSL using both different domains and IP addresses. Both websites run fine on port 80, but when I tried to enable SSL for website2 I get an ssl_error_bad_cert_domain error; website2 picks up the SSL cert for website1.

Here is my setup in httpd.conf:

# Website1
NameVirtualHost 192.168.10.1:80

<VirtualHost 192.168.10.1:80>
DocumentRoot /var/www/html
ServerName www.website1.org
</VirtualHost>

NameVirtualHost 192.168.10.1:443

<VirtualHost 192.168.10.1:443>
SSLEngine On
SSLCertificateFile conf/ssl/website1.cer
SSLCertificateKeyFile conf/ssl/website1.key
</VirtualHost>

# Website2
NameVirtualHost 192.168.10.2:80

<VirtualHost 192.168.10.2:80>
DocumentRoot /var/www/html/chart
ServerName www.website2.org
</VirtualHost>

NameVirtualHost 192.168.10.2:443

<VirtualHost 192.168.10.2:443>
SSLEngine On
SSLCertificateFile conf/ssl/website2.cer
SSLCertificateKeyFile conf/ssl/website2.key
</VirtualHost>

Update:
In answer to Shane (this wouldn’t fit in comment box) here is the output from apachectl -S:

VirtualHost configuration:
192.168.10.2:80       is a NameVirtualHost
         default server www.website2.org (/etc/httpd/conf/httpd.conf:1033)
         port 80 namevhost www.website2.org (/etc/httpd/conf/httpd.conf:1033)

192.168.10.2:443      is a NameVirtualHost
         default server bogus_host_without_reverse_dns (/etc/httpd/conf/httpd.conf:1040)
         port 443 namevhost bogus_host_without_reverse_dns (/etc/httpd/conf/httpd.conf:1040)

192.168.10.1:80       is a NameVirtualHost
         default server www.website1.org (/etc/httpd/conf/httpd.conf:1017)
         port 80 namevhost www.website1.org (/etc/httpd/conf/httpd.conf:1017)

192.168.10.1:443      is a NameVirtualHost
         default server bogus_host_without_reverse_dns (/etc/httpd/conf/httpd.conf:1024)
         port 443 namevhost bogus_host_without_reverse_dns (/etc/httpd/conf/httpd.conf:1024)

wildcard NameVirtualHosts and _default_ servers:
_default_:443          192.168.10.1 (/etc/httpd/conf.d/ssl.conf:81)
Syntax OK

SSL vhosts are not NameVirtualHosts – they’re IP-based vhosts.

Remove the NameVirtualHost *:443 from your config.

Please remove

NameVirtualHost 192.168.10.1:443

and

NameVirtualHost 192.168.10.2:443

It doesn’t make sense to activate the name-based virtual hosting stuff of Apache for SSL/TLS connections or you’d like to use the SNI extension.

Here is how I got it working. I had to move the SSL configuration out of httpd.conf and set up two virtual hosts in ssl.conf.

httpd.conf

# Website1
<VirtualHost 192.168.10.1:80>
DocumentRoot /var/www/html
ServerName www.website1.org
</VirtualHost>

# Website2
<VirtualHost 192.168.10.2:80>
DocumentRoot /var/www/html/chart
ServerName www.website2.org
</VirtualHost>

ssl.conf

<VirtualHost 192.168.10.1:443>
DocumentRoot "/var/www/html/"
ServerAdmin you@your-site.com
ServerName www.website1.org
SSLEngine On
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/conf/ssl.crt/website1.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/website1.key
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>

<VirtualHost 192.168.10.2:443>
DocumentRoot "/var/www/html/chart/"
ServerAdmin you@your-site.com
ServerName www.website2.org
SSLEngine On
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/conf/ssl.crt/website2.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/website2.key
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>

Try removing or commenting out the <VirtualHost _default_:443> block in /etc/httpd/conf.d/ssl.conf.
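An added example, not part of the original question or answers: a small Python lint for the three things the answers above point at (NameVirtualHost on :443, an SSL vhost without ServerName, a _default_:443 block). It goes one step further and also flags the SSLv2, EXP, eNULL and LOW classes that the posted SSLCipherSuite string does not exclude. The names lint, WEAK and SAMPLE are assumptions of this example.

```python
import re

WEAK = ("SSLv2", "EXP", "eNULL", "LOW")  # cipher classes this check treats as weak

def lint(conf):
    """Return sorted (line_no, message) findings for an httpd config given as text."""
    out, vh = [], None  # vh: state of the open <VirtualHost> block, if any
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+([^>\s]+)", line, re.I)
        if m:
            vh = {"addr": m.group(1), "line": no, "ssl": False, "name": False}
            if vh["addr"].lower() == "_default_:443":
                out.append((no, "_default_:443 catch-all SSL vhost is defined"))
            continue
        if line.lower().startswith("</virtualhost"):
            if vh and vh["ssl"] and not vh["name"]:
                out.append((vh["line"], "SSL vhost %s has no ServerName" % vh["addr"]))
            vh = None
            continue
        key, arg = (line.split(None, 1) + [""])[:2]
        key = key.lower()
        if key == "namevirtualhost" and arg.endswith(":443"):
            out.append((no, "NameVirtualHost %s: SSL vhosts here are IP-based" % arg))
        elif key == "sslengine" and vh is not None:
            vh["ssl"] = arg.lower() == "on"
        elif key == "servername" and vh is not None:
            vh["name"] = True
        elif key == "sslciphersuite":
            # Only a leading '!' removes a class for good; '+' or a bare token does not.
            weak = [t for item in arg.split(":") if not item.startswith("!")
                    for t in item.lstrip("+-").split("+") if t in WEAK]
            if weak:
                out.append((no, "SSLCipherSuite does not exclude: " + ", ".join(weak)))
    return sorted(out)

# Constructed sample: the question's website2 SSL block with the posted cipher string.
SAMPLE = """\
NameVirtualHost 192.168.10.2:443
<VirtualHost 192.168.10.2:443>
SSLEngine On
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
</VirtualHost>
"""

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```

Feed it the combined text of httpd.conf and conf.d/ssl.conf and compare the findings with what apachectl -S reports.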
