Applying multiple ssl's to one ip address, multiple websites

[greenace92]

I haven't gottent this to work.

 

One thing that I'm not sure about, the openssl.conf file has it's own SSL Protocol directive and I'm supposed to declare directives within the cirtual hosts, so should I remove/uncomment the directive in the openssl.conf file? I think I'm supposed to have two openssl.conf files with two websites protected by separate ssl certificates.

 

So far one website works, the other gives me a warning.

 

Can anyone shed some light on this.

 

Thanks

[scootstah]

You need to use SNI. Are you doing that?

[greenace92]

I actually think I got it to work, I just wasn't sure.

 

There was a weird problem of one domain version working and not the other.

 

This is my virtual host setup at the moment and the two port 443's are identical yet the first one works, while the second one has problems. Specifically the form https://site2.com throws an error regarding ssl by the browser but the https://www.site2.com version is fine.

 

My SSL certificates cover both forms of domain www and non-www

<VirtualHost *:443>
ServerName https://www.site1.us
ServerAlias https://site1.us
DocumentRoot /var/www/html
# CustomLog
# ErrorLog
<IfModule mod_ssl.c>
SSLEngine on
# SSLStrictSNIVHostCheck on this is to redirect from second site not working to first site
SSLProtocol All -SSLv2 -SSLv3 +TLSv1 +TLSv1.1
SSLCertificateFile /etc/ssl/certs/www_site1_us.crt
SSLCertificateKeyFile /etc/ssl/certs/www_site1_us.key
SSLCACertificateFile /etc/ssl/certs/www_site1_us.ca-bundle
</IFModule>
</VirtualHost>

<VirtualHost *:443>
ServerName https://www.site2.com
ServerAlias https://site2.com
DocumentRoot /var/www/html/site2
# CustomLog
# ErrorLog
<IfModule mod_ssl.c>
SSLEngine on
SSLCertificateFile /etc/ssl/certs/site2/site2_com.crt
SSLCertificateKeyFile /etc/ssl/certs/site2/site2_com.key
SSLCACertificateFile /etc/ssl/certs/site2/site2_com.ca-bundle
SSLProtocol All -SSLv2 -SSLv3 +TLSv1 +TLSv1.1
</IfModule>
</VirtualHost>

Edited November 18, 2015 by greenace92

[requinix]

This is my virtual host setup at the moment and the two port 443's are identical yet the first one works, while the second one has problems. Specifically the form https://site2.com throws an error regarding ssl by the browser but the https://www.site2.com version is fine.

That would be because the "site2.com" hostname doesn't match the "www.site2.com" hostname in your certificate. You should be able to get a cert with both names in it. I don't remember the correct terminology but you specify one as the primary name and the other as a secondary name.

 

Fun fact: up until relatively recently (a couple years or so?) https://amazon.com would present the SSL warning. Someone else had that problem too, forget who it was.

[greenace92]

but the first one that works for both domain variants has the same ssl type as the second one which doesn't work? How do you explain that?

Edited November 18, 2015 by greenace92

[requinix]

Check your certificates. Or if they're both online somewhere then we can see them.

 

You should probably clarify what exactly the "error regarding ssl by the browser" is.

[greenace92]

I get the standard "This connection is not trusted" in firefox, chrome says something regarding trust and https is in red and crossed out.

 

I have this under technical details which doesn't make sense?

 

site2.com uses an invalid security certificate. The certificate is only valid for the following names: www.site.us, site.us

 

Maybe I used the wrong chain file?

 

I'm not sure why one verison works and not the other perhaps I did put the wrong file in the certificate directory however the working version with www shows the right domain name when clicking on the green lock.

 

When I perform a curl test in ssh using curl -v -v -v https://site2.com not sure why three -v's

I get

SSL no atlernative certificate subject name matches site2.com

 

the https://www.site2.com version works and returns the index page.

 

 

I'm not sure why the SSL's would be different but if they are based on what I have indicated then I will ask the provider why they are different.

The ssl's I'm using are the $9.00 one's from namecheap.

 

How do I show the certificates to you?

Edited November 18, 2015 by greenace92

[requinix]

I have this under technical details which doesn't make sense?

 

site2.com uses an invalid security certificate. The certificate is only valid for the following names: www.site.us, site.us

 

Maybe I used the wrong chain file?

The chain file connects your certificate to a trusted authority. You probably have the right chain file.

The problem is you're using a certificate for [www.]site.us when you need one for [www.]site2.com. Can't use the same cert for both domains.

 

I'm not sure why one verison works and not the other perhaps I did put the wrong file in the certificate directory however the working version with www shows the right domain name when clicking on the green lock.

You really sure you're using the same cert for both?

 

When I perform a curl test in ssh using curl -v -v -v https://site2.com not sure why three -v's

It's additive. One is a bit verbose, two is somewhat verbose, three is very verbose.

 

I get

SSL no atlernative certificate subject name matches site2.com

Yeah: the certificate does not cover site2.com. Like I said you're apparently using the site.us cert.

 

How do I show the certificates to you?

Are the sites accessible online? That's the easiest way.

[greenace92]

I don't understand what you mean by "accessible online"?

 

I specified different directories for each ssl certificate/chain/key files will check again.

[requinix]

"Accessible online" as in "online somewhere that is accessible by me". A shorter way of saying "is this on a website somewhere that I can enter into my browser and visit in an attempt to look at the certificate myself so as to give you a straight answer instead of telling you various things to do".

[greenace92]

I redownloaded the site2 certificate, I still get that error message.

 

The error does say "server could not prove ... site2 ... certificate is from site 1" I'm not sure why that is?

 

I downloaded the file again, maybe it is the key file?

 

Can I place/specify a certificate outside of the directory /etc/ssl/certs?

 

Site1 uses /etc/ssl/certs but site2 uses /etc/ssl/certs/site2

 

Maybe it doesn't go the secondary folder?

 

I'll try to place it all in the same folder, as well as checking the key file.

 

Well, the keys are different and I moved the files to the /etc/ssl, I will now check if the certificates are the same.

 

I'll be danged, the chain files are the same, how did that happen?

 

So I was just old that since they are "positive ssl's" they both have the same chain file...?

 

At the moment still getting the same problem.

[greenace92]

Okay I don't want to get another warning point so I'll PM you if that is okay.

[requinix]

So there's S.us, www.S.us, and www.PL.com. Those work. PL.com does not.

 

It's like I said: www.PL.com is using the right certificate which is why it works. However PL.com is using the [www.]S.us certificate. Using Chrome, I get the warning, click the "Advanced" link, and it says

This server could not prove that it is PL.com; its security certificate is from www.S.us. This may be caused by a misconfiguration or an attacker intercepting your connection.

Make the PL.com site use the exact same certificate information as the www.PL.com site.

 

Okay I don't want to get another warning point so I'll PM you if that is okay.

Telling us a site because it's having problems, and especially because someone asked for it, is not advertising It's more about posting links in places where they don't belong.

[greenace92]

I tried it on sslchecker.com and for the second site it says "Hostnames don't match" but the first site says hostnames match... not sure what that means?

[greenace92]

I visually checked that the certificate files were different and they are. When I try to open the .crt certificate files, a window appears and each one is different. What part are they the same?

 

There is only one virtual host setup for each domain, I just set the alternative domain as a server alias.

 

When I reverse the names, the non-www works so maybe I will create independent hosts.

Edited November 19, 2015 by greenace92

[greenace92]

Okay so I guess it could be a domain mapping problem?

 

Now that I have created seperate hosts for the non-www and www versions of the https domain name, it works now for both cases.