hosting multiple SSL certs on apache

2019-04-04 05:24发布

I hope someone can give me a hand with this. I have 2 IPs that I can use to do this and need to host 2 different secure (SSL) domains on the same Apache server. I've read that as of Apache 2.2.something that a single IP can be used, using some sort of add-in but I want to keep this as simple as possible and am willing to use both IPs to accomplish this task. I already have the 2 signed certificates for the domains.

This setup that I am posting here, works, but the issue I am having is that when I go to domain2.net, I receive a browser warning telling me that the cert does not match the domain but matches domain1.com

I'm using CentOS 5 and Apache 2.2.3. CentOS has a ssl.conf file and these lines are what I believe are giving me trouble:

SSLCertificateFile /etc/pki/tls/certs/domain1.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/domain1.com.key

I was under the impression that I could override these values in the virtual host containers and reference the keys that I need but it doesn't appear that way. When I comment these two lines out in the ssl.conf file, Apache won't restart. The ssl_log hints: SSLCertificateKeyFile

These are my virtual containers:

<VirtualHost 2.2.2.2:443>
   SSLEngine on
   SSLCertificateFile /etc/pki/tls/certs/domain2.net.crt
   SSLCertificateKeyFile /etc/pki/tls/private/domain2.net.key

  DocumentRoot "/var/www/domain2"
   ServerName domain2.net
   ServerAlias domain2.net
   DirectoryIndex "index.php"

   <Directory /var/www/html/domain2>
     Options -Indexes FollowSymLinks
     AllowOverride All
     Order allow,deny
     Allow from all
   </Directory>
</VirtualHost>


<VirtualHost 1.1.1.1:444>
   SSLEngine on
   SSLCertificateFile /etc/pki/tls/certs/domain1.com.crt
   SSLCertificateKeyFile /etc/pki/tls/private/domain1.com.key

  DocumentRoot "/var/www/html"
   ServerName domain1.com
   ServerAlias domain1.com
   DirectoryIndex "index.php"

   <Directory /var/www/html>
     Options -Indexes FollowSymLinks
     AllowOverride All
     Order allow,deny
     Allow from all
   </Directory>
</VirtualHost>

How can I get these two domains to work using SSL? I've also tried to use the same port for the different IPs but again, Apache won't restart.

I'm truly lost on this so if someone could lend a hand, I'd really appreciate it.

标签: ssl apache2
2条回答
神经病院院长
2楼-- · 2019-04-04 05:54

You don't need a separate ssl.config file, but if you want to use one, then put your SSL <VirtualHost XXX:443> containers in your ssl.conf file rather than in your httpd,conf file.

The other option which we use on our site is to put the settings from the ssl.conf file in our httpd.conf file and rename the ssl.conf file to something like ssl.conf.bak (to keep it for reference).

查看更多
淡お忘
3楼-- · 2019-04-04 06:10

Great question!

I was able to get two SSL certificates working on the same server. You should be able to do what you are trying to do.

The things in your configuration that stand out as odd to me:

  1. I'd suggest using port 443 for both SSL-protected sites. You should have a specific instruction in apache's conf files somewhere for listening on port 443. For me it is located in /etc/apache2/ports.conf

    Listen 443
    

    .

  2. It seems odd that you have ServerName and ServerAlias both using the same domain per virtual host. Try making the ServerAlias different or leaving it out:

    ServerName domain1.com
    ServerAlias www.domain1.com
    

    .

  3. I am assuming that you replaced your IPs and domains in your posted conf. Even if they are not the actual IPs you are using, you might want to double check that they can get you to the right place outside of SSL (since obviously SSL is not working).

.

Check the apache2 error log for more information. For me the log is located at: /var/log/apache2/error.log . You can set it with: ErrorLog /var/log/apache2/error.log

And finally, for your reference here is my ssl-default (ssl.conf). I replaced my domains and IPs with the ones you used in your example conf. I have multiple subdomains working with NameVirtualHost since I have a wildcard cert:

<IfModule mod_ssl.c>
<Directory />
  Options FollowSymLinks
  AllowOverride All
</Directory>
<Directory /var/www/>
  Options  FollowSymLinks MultiViews
  AllowOverride All
  Order allow,deny
  allow from all
</Directory>

NameVirtualHost 1.1.1.1:443
NameVirtualHost 2.2.2.2:443

ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/ssl_access.log combined

<FilesMatch "\.(cgi|shtml|phtml|php)$">
  SSLOptions +StdEnvVars
</FilesMatch>

# 1.1.1.1 = domain1.com

<VirtualHost 1.1.1.1:443>
  ServerName www.domain1.com

  ServerAdmin admin@domain1.com

  SSLEngine on
  SSLCertificateKeyFile /var/www/ssl/domain1.key
  SSLCertificateFile /var/www/ssl/wildcard.domain1.crt

  BrowserMatch ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

  DocumentRoot /var/www/domain1/www.domain1.com/web
  DirectoryIndex index.php index.html
</VirtualHost>

<VirtualHost 1.1.1.1:443>
  ServerName secure.domain1.com

  ServerAdmin admin@domain1.com

  SSLEngine on
  SSLCertificateKeyFile /var/www/ssl/domain1.key
  SSLCertificateFile /var/www/ssl/wildcard.domain1.crt

  BrowserMatch ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

  DocumentRoot /var/www/domain1/secure.domain1.com/
  DirectoryIndex index.php index.html
</VirtualHost>


# 2.2.2.2 = *.domain2.com

<VirtualHost 2.2.2.2:443>
  ServerName admin.domain2.com

  ServerAdmin admin@domain2.com

  SSLEngine on
  SSLCertificateKeyFile /var/www/ssl/domain2.key
  SSLCertificateFile /var/www/ssl/domain2.crt

  BrowserMatch ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

  LogLevel warn
  CustomLog /var/log/apache2/access.log combined
  ErrorLog /var/log/apache2/error.log

  DocumentRoot /var/www/domain2/secure.domain2.com/web
  DirectoryIndex index.php index.html

  php_flag display_errors on
  php_value error_reporting 7
</VirtualHost>

</IfModule>

I hope this helps!!

查看更多
登录 后发表回答