2

I have searched and searched but I cannot find a solution to my issue, so apologies if this sounds familiar, but I am at a loss.

I have:

  • Windows environment
  • Apache 2.4.2
  • OpenSSL 1.0.2e
  • one IP address (development box: 127.0.0.1)
  • multiple virtual hosts (www.site.co.uk, sub.site.co.uk, etc. )
  • Genuine domain validated wildcard certificate from Comodo

I need to use the wildcard certificate for all of my virtual hosts.

I have tested the site/certificate using openssl and it verified it OK.

All the sites work fine when using the standard http over port 80.

When I enable httpd-ssl.conf, I start to get into trouble.

I have seen and tried several examples of http-ssl.conf configurations but all result in intermittent connection failures, i.e. Firefox: "Secure Connection Failed", IE11: "This page cannot be displayed". However, if I refresh the page (in each browser) the page displays and I can see that the certificate is valid.

From what I've read, it points to incorrect configuration of the http-ssl.conf, but I've tried the Mozilla SSL Configuration Generator (https://mozilla.github.io/server-side-tls/ssl-config-generator/), many stackoverflow answers, but still no joy.

This is my current httpd-ssl.conf file:

Listen 443 https SSLStrictSNIVHostCheck off SSLPassPhraseDialog builtin SSLSessionCache "shmcb:C:/Apache2.4/logs/ssl_scache(512000)" SSLSessionCacheTimeout 300 SSLProtocol All -SSLv2 -SSLv3 SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS <VirtualHost 127.0.0.1:443> ServerName www.site.co.uk ServerAlias www.site.co.uk DocumentRoot C:\WebServer\Apache2.4\htdocs\www.site.co.uk SSLEngine On SSLCertificateFile "C:\WebServer\Apache2.4\conf\extra\ssl\site_wildcard.crt" SSLCertificateKeyFile "C:\WebServer\Apache2.4\conf\extra\ssl\site_wildcard.key" SSLCertificateChainFile "C:\WebServer\Apache2.4\conf\extra\ssl\site_wildcard.ca-bundle" SSLCACertificateFile "C:\WebServer\Apache2.4\conf\extra\ssl\addtrustexternalcaroot.crt" </VirtualHost> <VirtualHost 127.0.0.1:443> ServerName sub.site.co.uk ServerAlias sub.site.co.uk DocumentRoot C:\WebServer\Apache2.4\htdocs\sub.site.co.uk </VirtualHost>
Improve this question
1

2 Answers 2

Reset to default
1

After a lot of testing, my original comment did not solve the problem.

The certificate was configured correctly.

When running tests, on websites like ssllabs.com, the protocol and handshake results would randomly differ, even though no configuration change had taken place.

Testing/Verfiying with OpenSSL, sporadically produced the correct result, but the majority of time resulted in:

ssl handshake failed

It turns out the culprit was that I had this in my httpd.conf file:

AcceptFilter https none

After commenting it out, it solved the problem:

#AcceptFilter https none
Improve this answer
0

when I interprete the config right, you set your V-Hosts to the local interface. When you want to serve the pages properly you need to set the hosts to accessible IPs:

<VirtualHost 0.0.0.0:443> ServerName www.site.co.uk ServerAlias www.site.co.uk ... </VirtualHost>

or to your servers IP (i.e. 192.168.23.4)

<VirtualHost 192.168.23.4:443> ServerName www.site.co.uk ServerAlias www.site.co.uk ... </VirtualHost>

Maybe this fixes your issues.

Update: My config looks like this (linux system)

<IfModule mod_ssl.c> <VirtualHost *:443> ServerAdmin [email protected] ServerName www.foo.bar.com ServerAlias foo.bar.com DocumentRoot /var/www/foo SSLEngine on SSLProtocol TLSv1 SSLHonorCipherOrder On SSLCipherSuite RC4-SHA:HIGH:!ADH SSLCertificateChainFile /etc/apache2/ssl/2015/intermediate.crt SSLCertificateFile /etc/apache2/ssl/2015/public.crt SSLCertificateKeyFile /etc/apache2/ssl/private.open.key </VirtualHost> <VirtualHost *:443> ServerAdmin [email protected] ServerName www.bar.com ServerAlias bar.com DocumentRoot /var/www/bar SSLEngine on SSLProtocol TLSv1 SSLHonorCipherOrder On SSLCipherSuite RC4-SHA:HIGH:!ADH SSLCertificateChainFile /etc/apache2/ssl/2015/intermediate.crt SSLCertificateFile /etc/apache2/ssl/2015/public.crt SSLCertificateKeyFile /etc/apache2/ssl/private.open.key ... </VirtualHost> </IfModule>
Improve this answer
6
  • Yes, on my development box, I'm editing the Windows hosts file to associate my www.site.co.uk & sub.site.co.uk to 127.0.0.1. On my live server, the actual server IP address will be used. I'm getting the errors on both. Commented Mar 24, 2016 at 12:17
  • Have you tried to enter the SSL Settings in both V-Host config sections? My setup here has mutliple vhosts configured and each <VirtualHost /> section has it's own SSLCertificate* entry pointing to the same certificates Commented Mar 24, 2016 at 12:34
  • Yes, tried loads of different combinations, including the same wildcard certificate settings in all V-hosts. The problem even occurs if I use just one V-host. Commented Mar 24, 2016 at 13:21
  • is there a reverse-proxy or security software that might manipulate the traffic between client and server?Is tehre any security software installed on the client? Commented Mar 30, 2016 at 12:15
  • the development box is the server and client and has McAfee installed. I am currently looking into DNS/router issues as a possible cause. Commented Mar 31, 2016 at 7:23

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.