Applying multiple SSL certificates to one IP address, multiple websites


greenace92


I haven't gotten this to work.

 

One thing that I'm not sure about: the openssl.conf file has its own SSLProtocol directive and I'm supposed to declare directives within the virtual hosts, so should I remove/uncomment the directive in the openssl.conf file? I think I'm supposed to have two openssl.conf files with two websites protected by separate SSL certificates.

 

So far one website works, the other gives me a warning.

 

Can anyone shed some light on this.

 

Thanks


I actually think I got it to work, I just wasn't sure.

 

There was a weird problem of one domain version working and not the other.

 

This is my virtual host setup at the moment. The two port-443 hosts are identical, yet the first one works while the second has problems: for https://site2.com the browser throws an SSL error, but the https://www.site2.com version is fine.

 

My SSL certificates cover both forms of domain www and non-www

# Both sites share one IP and port, so Apache picks the vhost from the SNI
# hostname the client sends. When nothing matches, the FIRST *:443 vhost is
# the default, so its certificate is what a mismatched request receives.
<VirtualHost *:443>
    # ServerName accepts an optional scheme ("https://www.site1.us"), but
    # ServerAlias takes bare hostnames only: "ServerAlias https://site1.us"
    # never matches, and the bare domain falls through to the default host.
    ServerName www.site1.us
    ServerAlias site1.us
    DocumentRoot /var/www/html
    # CustomLog
    # ErrorLog
    <IfModule mod_ssl.c>
        SSLEngine on
        # SSLStrictSNIVHostCheck on   # would refuse clients that send no SNI instead of serving this default host
        # "All" already includes every TLS version the build supports; the +TLSv1 +TLSv1.1 are redundant
        SSLProtocol All -SSLv2 -SSLv3 +TLSv1 +TLSv1.1
        SSLCertificateFile /etc/ssl/certs/www_site1_us.crt
        # private keys belong in a root-only directory (e.g. /etc/ssl/private, mode 0600), not beside public certs
        SSLCertificateKeyFile /etc/ssl/certs/www_site1_us.key
        # The CA bundle is the intermediate chain to send to clients. SSLCACertificateFile is for
        # verifying *client* certificates and does not send it; use SSLCertificateChainFile
        # (or append the bundle to the SSLCertificateFile on Apache 2.4.8 and later).
        SSLCertificateChainFile /etc/ssl/certs/www_site1_us.ca-bundle
    </IfModule>
</VirtualHost>

<VirtualHost *:443>
    ServerName www.site2.com
    ServerAlias site2.com
    DocumentRoot /var/www/html/site2
    # CustomLog
    # ErrorLog
    <IfModule mod_ssl.c>
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/site2/site2_com.crt
        SSLCertificateKeyFile /etc/ssl/certs/site2/site2_com.key
        SSLCertificateChainFile /etc/ssl/certs/site2/site2_com.ca-bundle
        SSLProtocol All -SSLv2 -SSLv3 +TLSv1 +TLSv1.1
    </IfModule>
</VirtualHost>

This is my virtual host setup at the moment. The two port-443 hosts are identical, yet the first one works while the second has problems: for https://site2.com the browser throws an SSL error, but the https://www.site2.com version is fine.

That would be because the "site2.com" hostname doesn't match the "www.site2.com" hostname in your certificate. You should be able to get a cert with both names in it. I don't remember the correct terminology but you specify one as the primary name and the other as a secondary name.

 

Fun fact: up until relatively recently (a couple years or so?) https://amazon.com would present the SSL warning. Someone else had that problem too, forget who it was.


I get the standard "This connection is not trusted" in Firefox; Chrome says something regarding trust, and "https" is in red and crossed out.

 

I have this under technical details which doesn't make sense?

 

site2.com uses an invalid security certificate. The certificate is only valid for the following names: www.site.us, site.us

 

Maybe I used the wrong chain file?

 

I'm not sure why one version works and not the other. Perhaps I did put the wrong file in the certificate directory; however, the working www version shows the right domain name when clicking on the green lock.

 

When I perform a curl test over SSH using curl -v -v -v https://site2.com (not sure why three -v's)

I get

SSL: no alternative certificate subject name matches site2.com

 

the https://www.site2.com version works and returns the index page.

 

 

I'm not sure why the SSL's would be different but if they are based on what I have indicated then I will ask the provider why they are different.

The SSL certificates I'm using are the $9.00 ones from Namecheap.

 

How do I show the certificates to you?


I have this under technical details which doesn't make sense?

 

site2.com uses an invalid security certificate. The certificate is only valid for the following names: www.site.us, site.us

 

Maybe I used the wrong chain file?

The chain file connects your certificate to a trusted authority. You probably have the right chain file.

The problem is you're using a certificate for [www.]site.us when you need one for [www.]site2.com. Can't use the same cert for both domains.

 

I'm not sure why one version works and not the other. Perhaps I did put the wrong file in the certificate directory; however, the working www version shows the right domain name when clicking on the green lock.

You really sure you're using the same cert for both?

 

When I perform a curl test over SSH using curl -v -v -v https://site2.com (not sure why three -v's)

It's additive. One is a bit verbose, two is somewhat verbose, three is very verbose.

 

I get

SSL: no alternative certificate subject name matches site2.com

Yeah: the certificate does not cover site2.com. Like I said you're apparently using the site.us cert.

 

How do I show the certificates to you?

Are the sites accessible online? That's the easiest way.
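The two replies above (the one about getting a certificate that lists both the www and the bare name, and the one reading the curl -v output) both come down to a single question: which DNS names does the certificate the server hands out actually cover? The script below is an added example, not code from this thread, from Namecheap or from Apache. It assumes only that the openssl command-line tool is installed; every hostname in it is a placeholder. It builds throw-away self-signed certificates standing in for the purchased site1/site2 certificates (constructed test data), lists their subjectAltName entries, checks a hostname against them the way a browser or curl does, and includes a probe that asks a live server for the certificate it serves for a given SNI name (that last function needs network access and is not run by the offline demo).

```shell
#!/bin/sh
# Added example, not from the thread: inspect which DNS names a certificate
# covers (what the browser and curl check before trusting it) and probe a
# live server for the certificate it serves per SNI name.
# Assumes only the openssl CLI. All hostnames are placeholders.
set -eu

# Print the DNS entries of a certificate's subjectAltName, one per line.
san_names() {
  openssl x509 -in "$1" -noout -text \
    | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Succeed (exit 0) if the certificate covers the hostname: an exact SAN entry
# or a single-label wildcard (*.site2.com matches www.site2.com, but neither
# site2.com nor a.b.site2.com). The Common Name is ignored on purpose:
# browsers and curl only consult subjectAltName.
cert_covers() {
  c=$1; h=$2; p=${h#*.}
  san_names "$c" | {
    while IFS= read -r name; do
      if [ "$name" = "$h" ]; then exit 0; fi
      if [ "$p" != "$h" ] && [ "$name" = "*.$p" ]; then exit 0; fi
    done
    exit 1
  }
}

# Build a throw-away self-signed certificate with the given CN and SAN list.
# Constructed test data standing in for the purchased site1/site2 certs; a
# config file is used instead of -addext so this also works on older OpenSSL.
make_cert() {
  out=$1; cn=$2; san=$3
  cat > "$out.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = $cn
[v3]
subjectAltName = $san
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$out.cnf" -keyout "$out.key" -out "$out.crt" 2>/dev/null
}

# Fetch the leaf certificate a live server presents for an SNI name and list
# the names it covers. Optional second/third arguments connect to a different
# host/port (useful before DNS points at the box). Needs network access, so
# the offline demo below does not call it.
served_names() {
  sni=$1; target=${2:-$1}; port=${3:-443}
  tmp=$(mktemp)
  openssl s_client -connect "$target:$port" -servername "$sni" </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$tmp"
  san_names "$tmp"
  rm -f "$tmp"
}

# Offline re-creation of the thread's symptom: a request for site2.com that is
# answered with the site1 certificate fails the name check, while the same
# request answered with the site2 certificate passes.
demo() {
  dir=$(mktemp -d)
  make_cert "$dir/site1" www.site1.us  "DNS:www.site1.us,DNS:site1.us"
  make_cert "$dir/site2" www.site2.com "DNS:www.site2.com,DNS:site2.com"
  for site in site1 site2; do
    echo "$site certificate covers: $(san_names "$dir/$site.crt" | tr '\n' ' ')"
    for host in www.site2.com site2.com; do
      if cert_covers "$dir/$site.crt" "$host"; then
        echo "  $host: OK"
      else
        echo "  $host: MISMATCH (browser warns; curl: no alternative subject name matches)"
      fi
    done
  done
  rm -rf "$dir"
}

demo
```

To check a deployed server rather than a local file, call served_names once per hostname (served_names site2.com and served_names www.site2.com): if the two calls print different name lists, the two requests are being answered by different virtual hosts, which is a configuration problem on the server and not a problem with the certificate files themselves.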

"Accessible online" as in "online somewhere that is accessible by me". A shorter way of saying "is this on a website somewhere that I can enter into my browser and visit in an attempt to look at the certificate myself so as to give you a straight answer instead of telling you various things to do".


I redownloaded the site2 certificate, I still get that error message.

 

The error does say "server could not prove ... site2 ... certificate is from site 1" I'm not sure why that is?

 

I downloaded the file again, maybe it is the key file?

 

Can I place/specify a certificate outside of the directory /etc/ssl/certs?

 

Site1 uses /etc/ssl/certs but site2 uses /etc/ssl/certs/site2

 

Maybe it doesn't go to the secondary folder?

 

I'll try to place it all in the same folder, as well as checking the key file.

 

Well, the keys are different and I moved the files to /etc/ssl; I will now check if the certificates are the same.

 

I'll be danged, the chain files are the same, how did that happen?

 

So I was just told that since they are "PositiveSSL" certificates they both have the same chain file...?

 

At the moment still getting the same problem.


So there's S.us, www.S.us, and www.PL.com. Those work. PL.com does not.

 

It's like I said: www.PL.com is using the right certificate which is why it works. However PL.com is using the [www.]S.us certificate. Using Chrome, I get the warning, click the "Advanced" link, and it says

This server could not prove that it is PL.com; its security certificate is from www.S.us. This may be caused by a misconfiguration or an attacker intercepting your connection.

Make the PL.com site use the exact same certificate information as the www.PL.com site.

 

Okay I don't want to get another warning point so I'll PM you if that is okay.

Telling us a site because it's having problems, and especially because someone asked for it, is not advertising :) It's more about posting links in places where they don't belong.

I visually checked that the certificate files were different and they are. When I try to open the .crt certificate files, a window appears and each one is different. What part are they the same?

 

There is only one virtual host setup for each domain, I just set the alternative domain as a server alias.

 

When I reverse the names, the non-www works, so maybe I will create independent hosts.

