
I obtained an SSL certificate from sslforfree for four domains provided in this order: example.com www.example.com api.example.com admin.example.com.

 

When starting Apache, I get the following errors. Furthermore, https://example.com/ does not redirect, and the browser both shows it as not secure and displays the default Apache test page.

[Thu May 25 13:13:48.993879 2017] [ssl:warn] [pid 2817] AH01909: RSA certificate configured for example.com:443 does NOT include an ID which matches the server name
[Thu May 25 13:13:49.022097 2017] [ssl:warn] [pid 2817] AH01909: RSA certificate configured for example.com:443 does NOT include an ID which matches the server name

It is a brand new Apache 2.4 install with CentOS 7, and the only change to the config files is that I included IncludeOptional sites-enabled/*.conf in /etc/httpd/conf/httpd.conf.

 

Please review my config file and let me know where I am going astray.

 

Thank you

[root@example sites-available]# hostname
example.com
[root@example sites-available]# openssl x509 -in /etc/pki/tls/certs/certificate.crt -noout -subject
subject= /CN=example.com
[root@example sites-available]# httpd -S
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server example.com (/etc/httpd/sites-enabled/corperate.conf:1)
         port 80 namevhost example.com (/etc/httpd/sites-enabled/corperate.conf:1)
                 alias www.example.com
         port 80 namevhost api.example.com (/etc/httpd/sites-enabled/api.conf:1)
         port 80 namevhost admin.example.com (/etc/httpd/sites-enabled/admin.conf:1)
*:443                  is a NameVirtualHost
         default server example.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost example.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost example.com (/etc/httpd/sites-enabled/corperate.conf:6)
         port 443 namevhost www.example.com (/etc/httpd/sites-enabled/corperate.conf:10)
         port 443 namevhost api.example.com (/etc/httpd/sites-enabled/api.conf:5)
         port 443 namevhost admin.example.com (/etc/httpd/sites-enabled/admin.conf:5)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48
[root@example sites-available]# ls -l
total 12
-rw-r--r-- 1 root root  806 May 25 12:58 corperate.conf
-rw-r--r-- 1 root root  678 May 25 12:42 admin.conf
-rw-r--r-- 1 root root 1116 May 25 12:53 api.conf
[root@example sites-available]# cat *
<VirtualHost *:80>
        ServerName example.com
        ServerAlias www.example.com
        Redirect permanent / https://www.example.com/
</VirtualHost>
<VirtualHost *:443>
        ServerName example.com
        Redirect permanent / https://www.example.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/corperate/html
    SSLEngine on
    SSLCertificateFile "/etc/pki/tls/certs/certificate.crt"
    SSLCertificateKeyFile "/etc/pki/tls/private/private.key"
    SSLCACertificateFile "/etc/pki/tls/certs/ca_bundle.crt"
    <Directory "/var/www/corperate/html">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
        RewriteEngine On
    </Directory>
</VirtualHost>
<VirtualHost *:80>
        ServerName admin.example.com
        Redirect permanent / https://admin.example.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName admin.example.com
    DocumentRoot /var/www/admin/public
    SSLEngine on
    SSLCertificateFile "/etc/pki/tls/certs/certificate.crt"
    SSLCertificateKeyFile "/etc/pki/tls/private/private.key"
    SSLCACertificateFile "/etc/pki/tls/certs/ca_bundle.crt"
    <Directory "/var/www/admin/public">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
        RewriteEngine On
    </Directory>
</VirtualHost>
<VirtualHost *:80>
        ServerName api.example.com
        Redirect permanent / https://api.example.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName api.example.com
    DocumentRoot /var/www/api/public
    SSLEngine on
    SSLCertificateFile "/etc/pki/tls/certs/certificate.crt"
    SSLCertificateKeyFile "/etc/pki/tls/private/private.key"
    SSLCACertificateFile "/etc/pki/tls/certs/ca_bundle.crt"
    <Directory "/var/www/api/public">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
        RewriteEngine On
        Header set Access-Control-Allow-Origin "*"
        Header set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
        Header set Access-Control-Allow-Headers "X-Access-Key, Origin, X-Requested-With, Content-Type, Accept"
        #Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization, Client-Security-Token, Accept-Encoding, x-test-header"
    </Directory>
</VirtualHost>
[root@example sites-available]#

 

Where is the TLS configuration for example.com (not www.example.com)? I don't see any. The redirect happens after the TLS handshake, so it's not a replacement for a correct TLS configuration on this particular domain.
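As an added example (not part of the thread), here is a client-side check of the point above: a browser judges the certificate it receives during the SNI handshake before any Redirect can run, so each of the four names should be tested for the certificate Apache actually serves for it. The AH01909 warning is Apache making the same name-versus-certificate comparison at startup against each vhost's own configured certificate; doing it from the client side also reveals when a different vhost on the same port answers the name. Assumes openssl(1) is available; the script name check_sni.sh is arbitrary.

```shell
#!/bin/sh
# Added example (not from the thread): open a TLS connection to each name with
# that name in SNI, as a browser does, and report whether the certificate
# Apache actually serves covers it. Assumes openssl(1) is installed.
# Usage: sh check_sni.sh example.com www.example.com api.example.com admin.example.com

# Print the identities (subject CN, then each DNS SAN) of the certificate the
# server presents when $1 is sent as the SNI name, one per line.
served_ids() {
    text=$(openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
           | openssl x509 -noout -text 2>/dev/null)
    printf '%s\n' "$text" | sed -n 's/.*Subject:.*CN *= *\([^,/]*\).*/\1/p'
    printf '%s\n' "$text" | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Return 0 if name $1 is covered by identity list $2 (whitespace/comma-separated,
# "DNS:" prefixes allowed): exact case-insensitive match, or a single-label
# wildcard (*.example.com covers www.example.com, not example.com or a.b.example.com).
covers() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '%s\n' "$2" | tr ', ' '\n\n' | tr 'A-Z' 'a-z' | sed -e 's/^dns://' -e '/^$/d' |
    {
        while read -r id; do
            case "$id" in
                "$name") exit 0 ;;
                '*.'*) [ "${name%%.*}" != "$name" ] && [ "${name#*.}" = "${id#\*.}" ] && exit 0 ;;
            esac
        done
        exit 1
    }
}

# Check every ServerName given as an argument and print one verdict per name.
check_vhosts() {
    for h in "$@"; do
        ids=$(served_ids "$h")
        if [ -z "$ids" ]; then
            echo "NOCERT   $h (no certificate returned; is $h reachable on 443?)"
        elif covers "$h" "$ids"; then
            echo "OK       $h"
        else
            echo "MISMATCH $h (served: $(printf '%s' "$ids" | tr '\n' ' '))"
        fi
    done
}

# Run the live check only when names are given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then check_vhosts "$@"; fi
```

A MISMATCH for example.com alongside OK for www.example.com is the client-side view of the thread's symptom: the name is answered by a vhost whose certificate does not list it.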

 

Good point.

 

Made the changes, but no change.

 

I think it has to do with having two virtual hosts defined.

 

port 443 namevhost example.com (/etc/httpd/conf.d/ssl.conf:56)

port 443 namevhost example.com (/etc/httpd/sites-enabled/corperate.conf:6)

Modify as needed.

<VirtualHost example.com:80>
DocumentRoot /home/example
ServerName example.com
ServerAlias *.example.com
<Directory "/home/example">
Order Allow,Deny
Allow from all
AllowOverride all
Options None
Require all granted
</Directory>

RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [L,NE,R=301]
</VirtualHost>
<VirtualHost example.com:443>
DocumentRoot /home/example
ServerName example.com
ServerAlias *.example.com
<Directory "/home/example">
Order Allow,Deny
Allow from all
AllowOverride all
Options None
Require all granted

</Directory>
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.([^.]+\.[^.]+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [L,R=301,NE]

SSLEngine on
SSLCertificateFile /home/example/.well-known/acme-challenge/certificate.crt
SSLCertificateKeyFile /home/example/.well-known/acme-challenge/private.key
SSLCACertificateFile /home/example/.well-known/acme-challenge/ca_bundle.crt
</VirtualHost>


 

Thanks benanamen,

 

I've done so in the post, but the following rather strongly states that one shouldn't use mod_rewrite. What do you think about my having two virtual hosts defined where one is the default?

 

https://httpd.apache.org/docs/2.4/rewrite/avoid.html

I am familiar with that. I think that is referring to the complexity of mod_rewrite, not that it is a problem if you use it. mod_rewrite is very powerful and can be complicated to use, but will work without issue once you have it right.

 

What I previously posted should have easily got you up and running with SSL, ending up at a non-www URL no matter how the URL is entered.
