NotionCommotion
Posted May 25, 2017

I obtained an SSL certificate from sslforfree for four domains provided in this order: example.com, www.example.com, api.example.com, admin.example.com. When starting Apache, I get the following errors. Furthermore, https://example.com/ does not redirect, and the browser shows it as both not being secure and displays the default Apache test page.

[Thu May 25 13:13:48.993879 2017] [ssl:warn] [pid 2817] AH01909: RSA certificate configured for example.com:443 does NOT include an ID which matches the server name
[Thu May 25 13:13:49.022097 2017] [ssl:warn] [pid 2817] AH01909: RSA certificate configured for example.com:443 does NOT include an ID which matches the server name

It is a brand new Apache 2.4 install with CentOS 7, and the only change to the config files is that I included IncludeOptional sites-enabled/*.conf in /etc/httpd/conf/httpd.conf. Please review my config file and let me know where I am going astray. Thank you

[root@example sites-available]# hostname
example.com
[root@example sites-available]# openssl x509 -in /etc/pki/tls/certs/certificate.crt -noout -subject
subject= /CN=example.com
[root@example sites-available]# httpd -S
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server example.com (/etc/httpd/sites-enabled/corperate.conf:1)
         port 80 namevhost example.com (/etc/httpd/sites-enabled/corperate.conf:1)
                 alias www.example.com
         port 80 namevhost api.example.com (/etc/httpd/sites-enabled/api.conf:1)
         port 80 namevhost admin.example.com (/etc/httpd/sites-enabled/admin.conf:1)
*:443                  is a NameVirtualHost
         default server example.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost example.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost example.com (/etc/httpd/sites-enabled/corperate.conf:6)
         port 443 namevhost www.example.com (/etc/httpd/sites-enabled/corperate.conf:10)
         port 443 namevhost api.example.com (/etc/httpd/sites-enabled/api.conf:5)
         port 443 namevhost admin.example.com (/etc/httpd/sites-enabled/admin.conf:5)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48
[root@example sites-available]# ls -l
total 12
-rw-r--r-- 1 root root  806 May 25 12:58 corperate.conf
-rw-r--r-- 1 root root  678 May 25 12:42 admin.conf
-rw-r--r-- 1 root root 1116 May 25 12:53 api.conf
[root@example sites-available]# cat *
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/corperate/html
    SSLEngine on
    SSLCertificateFile "/etc/pki/tls/certs/certificate.crt"
    SSLCertificateKeyFile "/etc/pki/tls/private/private.key"
    SSLCACertificateFile "/etc/pki/tls/certs/ca_bundle.crt"
    <Directory "/var/www/corperate/html">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
        RewriteEngine On
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName admin.example.com
    Redirect permanent / https://admin.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName admin.example.com
    DocumentRoot /var/www/admin/public
    SSLEngine on
    SSLCertificateFile "/etc/pki/tls/certs/certificate.crt"
    SSLCertificateKeyFile "/etc/pki/tls/private/private.key"
    SSLCACertificateFile "/etc/pki/tls/certs/ca_bundle.crt"
    <Directory "/var/www/admin/public">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
        RewriteEngine On
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName api.example.com
    Redirect permanent / https://api.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName api.example.com
    DocumentRoot /var/www/api/public
    SSLEngine on
    SSLCertificateFile "/etc/pki/tls/certs/certificate.crt"
    SSLCertificateKeyFile "/etc/pki/tls/private/private.key"
    SSLCACertificateFile "/etc/pki/tls/certs/ca_bundle.crt"
    <Directory "/var/www/api/public">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
        RewriteEngine On
        Header set Access-Control-Allow-Origin "*"
        Header set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
        Header set Access-Control-Allow-Headers "X-Access-Key, Origin, X-Requested-With, Content-Type, Accept"
        #Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization, Client-Security-Token, Accept-Encoding, x-test-header"
    </Directory>
</VirtualHost>
[root@example sites-available]#
Jacques1
Posted May 25, 2017

Where is the TLS configuration for example.com (not www.example.com)? I don't see any. The redirect happens after the TLS handshake, so it's not a replacement for a correct TLS configuration on this particular domain.
NotionCommotion (Author)
Posted May 25, 2017

> Where is the TLS configuration for example.com (not www.example.com)? I don't see any. The redirect happens after the TLS handshake, so it's not a replacement for a correct TLS configuration on this particular domain.

Good point. Made the changes, but no change. I think it has to do with having two virtual hosts defined.

port 443 namevhost example.com (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost example.com (/etc/httpd/sites-enabled/corperate.conf:6)
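A small check for the duplicate-vhost situation shown in the dump, added here as an example rather than anything posted in the thread: it parses a constructed `httpd -S` excerpt modelled on the first post and reports, for a given SNI name, which vhost Apache will actually serve (the first vhost in load order that lists the name, otherwise the port's default) and which vhosts are shadowed by an earlier one claiming the same ServerName.

```python
import re
from collections import defaultdict
# Constructed `httpd -S` excerpt, modelled on the dump in the first post (not real output).
HTTPD_S_DUMP = """\
VirtualHost configuration:
*:80  is a NameVirtualHost
      default server example.com (/etc/httpd/sites-enabled/corperate.conf:1)
      port 80 namevhost example.com (/etc/httpd/sites-enabled/corperate.conf:1)
              alias www.example.com
*:443 is a NameVirtualHost
      default server example.com (/etc/httpd/conf.d/ssl.conf:56)
      port 443 namevhost example.com (/etc/httpd/conf.d/ssl.conf:56)
      port 443 namevhost example.com (/etc/httpd/sites-enabled/corperate.conf:6)
      port 443 namevhost www.example.com (/etc/httpd/sites-enabled/corperate.conf:10)
      port 443 namevhost api.example.com (/etc/httpd/sites-enabled/api.conf:5)
      port 443 namevhost admin.example.com (/etc/httpd/sites-enabled/admin.conf:5)
"""

VHOST_RE = re.compile(r"^\s*port (\d+) namevhost (\S+) \((\S+)\)")
ALIAS_RE = re.compile(r"^\s*alias (\S+)")

def parse_vhosts(dump):
    """Return {port: [([names...], source), ...]} in load order; index 0 is the default."""
    vhosts, current = defaultdict(list), None
    for line in dump.splitlines():
        if m := VHOST_RE.match(line):
            port, name, source = m.groups()
            current = ([name], source)
            vhosts[port].append(current)
        elif (m := ALIAS_RE.match(line)) and current:
            current[0].append(m.group(1))  # ServerAlias belongs to the preceding vhost
    return dict(vhosts)

def serving_vhost(vhosts, port, host):
    """Source Apache actually picks for `host`: first vhost listing it, else the default."""
    entries = vhosts.get(port, [])
    for names, source in entries:
        if host in names:
            return source
    return entries[0][1] if entries else None

def shadowed_vhosts(vhosts, port):
    """(name, source) of every vhost whose name an earlier vhost on the port already claims."""
    seen, shadowed = set(), []
    for names, source in vhosts.get(port, []):
        for n in names:
            if n in seen:
                shadowed.append((n, source))
            seen.add(n)
    return shadowed
```

Run against the real dump, a shadowed entry on *:443 means that vhost's SSLCertificateFile is never used for that name; the certificate in the first-loaded vhost (here the stock ssl.conf one) is what the client sees.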
benanamen
Posted May 25, 2017

Modify as needed.

<VirtualHost example.com:80>
    DocumentRoot /home/example
    ServerName example.com
    ServerAlias *.example.com
    <Directory "/home/example">
        Order Allow,Deny
        Allow from all
        AllowOverride all
        Options None
        Require all granted
    </Directory>
    RewriteEngine On
    RewriteCond %{HTTPS} off [OR]
    RewriteCond %{HTTP_HOST} ^www\. [NC]
    RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
    RewriteRule ^ https://%1%{REQUEST_URI} [L,NE,R=301]
</VirtualHost>

<VirtualHost example.com:443>
    DocumentRoot /home/example
    ServerName example.com
    ServerAlias *.example.com
    <Directory "/home/example">
        Order Allow,Deny
        Allow from all
        AllowOverride all
        Options None
        Require all granted
    </Directory>
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^www\.([^.]+\.[^.]+)$ [NC]
    RewriteRule ^ https://%1%{REQUEST_URI} [L,R=301,NE]
    SSLEngine on
    SSLCertificateFile /home/example/.well-known/acme-challenge/certificate.crt
    SSLCertificateKeyFile /home/example/.well-known/acme-challenge/private.key
    SSLCACertificateFile /home/example/.well-known/acme-challenge/ca_bundle.crt
</VirtualHost>
NotionCommotion (Author)
Posted May 26, 2017

> Modify as needed.

Thanks benanamen, I've done so in the post, but the following rather strongly states that one shouldn't use mod_rewrite. What do you think about me having two virtual hosts defined where one is the default?

https://httpd.apache.org/docs/2.4/rewrite/avoid.html
benanamen
Posted May 26, 2017

I am familiar with that. I think that is referring to the complexity of mod_rewrite, not that it is a problem if you use it. mod_rewrite is very powerful and can be complicated to use, but will work without issue once you have it right. What I previously posted should have easily got you up and running with SSL, ending up at a non-www URL no matter how the URL is entered.