0

I have a LAMP server running CentOS Stream 8 and Apache 2.4.37. On this I have three domains (let's call them example.com, example.net & example.org). I have SSL certificates for each domain + the www subdomain.

They share the same codebase (the only difference being the defalt langauge) so they share the same /var/html/www folder and there is no specific domain level configuration in the /etc/httpd/conf/httpd.conf file - the ServerName is example.org:80

I do have a specific configuration in the /etc/httpd/conf.d/ssl.conf file. Here following is the relevant excerpt - there's a <VirtualHost *:443> part for each domain.

NameVirtualHost *:443 <VirtualHost *:443> DocumentRoot "/var/www/html" ServerName example.com:443 ErrorLog logs/ssl_example_com_error_log TransferLog logs/ssl_example_com_access_log LogLevel warn SSLEngine on SSLProtocol all -SSLv2 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW SSLCertificateFile /etc/pki/tls/certs/example_com.crt SSLCertificateKeyFile /etc/pki/tls/private/example_com.key SSLCACertificateFile /etc/pki/tls/certs/example_com.ca-bundle </VirtualHost>

The SSL certificate for each domain works for the main domain, but only works for the www subdomain of example (which is the first listed) in the ssl.conf file. So if I try to access https://www.example.net or https://www.example.org, I get a Connection not secure and Warning: Potential Security Risk Ahead from the browser.

What works:
https://example.com
https://example.net
https://example.org
https://www.example.com

What doesn't work:
https://www.example.net
https://www.example.org

I cannot find any hint as to what could be happening in the logs. Does anybody have an idea where I could be looking?

I've tested and whatever domain's VirtualHost section is listed first is the one for which the www SSL works.

Improve this question
4
  • 1
    Have you check the CN (Common Name) of certificate itself? Commented Jun 25, 2023 at 8:10
  • @RomeoNinov Sorry, I don't understand what you mean Commented Jun 25, 2023 at 8:45
  • Thank you for the edit, @EsaJokinen Commented Jun 25, 2023 at 8:47
  • 2
    @RomeoNinov Common Name (CN) won't have both the apex and www covered at the same time, so checking it isn't quite helpful. It's the Subject Alternative Name (SAN) extension that matters. Commented Jun 25, 2023 at 8:59

1 Answer 1

Reset to default
1

Assuming the certificates are correct, there certainly is a detail in your configuration that explains this behaviour. From Apache Virtual Host Matching, the emphasis is mine:

If the connection is using SSL, the server supports Server Name Indication, and the SSL client handshake includes the TLS extension with the requested hostname, then that hostname is used below just like the Host: header would be used on a non-SSL connection. Otherwise, the first name-based vhost whose [IP] address matched is used for SSL connections. This is significant because the vhost determines which certificate the server will use for the connection.

Your <VirtualHost *:443> blocks are missing ServerAlias directives for the www subdomains. Therefore, the first VirtualHost is used as a default name based virtual host, instead.

Furthermore, the ServerName could be used without the optional [:port] as there is no need to distinguish the virtual hosts by ports.

Also notice that SSLCACertificateFile is for client authentication:

This directive sets the all-in-one file where you can assemble the Certificates of Certification Authorities (CA) whose clients you deal with. These are used for Client Authentication. Such a file is simply the concatenation of the various PEM-encoded Certificate files, in order of preference.

The filename example_com.ca-bundle suggests you might have confused this with (deprecated) SSLCertificateChainFile; since 2.4.8 the SSLCertificateFile

may also include intermediate CA certificates, sorted from leaf to root.

An example with a macro that can reduce the copy-paste configuration as well as handle the redirects from HTTP to HTTPS:

NameVirtualHost *:80 NameVirtualHost *:443 <Macro VHost $domain $tld> <VirtualHost *:80> ServerName $domain.$tld ServerAlias www.$domain.$tld Redirect permanent / https://$domain.$tld/ </VirtualHost> <VirtualHost *:443> ServerName $domain.$tld ServerAlias www.$domain.$tld DocumentRoot "/var/www/html" ErrorLog logs/ssl_$domain_$tld_error_log TransferLog logs/ssl_$domain_$tld_access_log LogLevel warn SSLEngine on SSLProtocol all -SSLv2 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW SSLCertificateFile /etc/pki/tls/certs/$domain_$tld.crt SSLCertificateKeyFile /etc/pki/tls/private/$domain_$tld.key </VirtualHost> </Macro> Use VHost example com Use VHost example net Use VHost example org
Improve this answer
2
  • Brilliant, this worked. Thank you very much! Commented Jun 25, 2023 at 8:53
  • 1
    I noticed another potential problem and updated my answer to cover it. Commented Jun 25, 2023 at 8:53

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.