On Thu, May 9, 2024 at 6:54 PM Chris me <phunct...@hotmail.com> wrote:

> Hi, I am having an issue trying to get multiple sites with their own SSL
> cert. I purchased AlphaSSL certs for them.
>
> The strange thing, the first cert works, the second gives me an
> ERR_SSL_PROTOCOL_ERROR, but only on some systems.
>
>
> This is what I am using now:
>
> (
> Site1 is fine, Site2 gives me the error.
>
> I originally tried with NameVirtualHost *.443
> And then <VirtualHost *.443>
> But when I go to site2, it complains that the cert is invalid because it
> is using the cert from site1?
> )
>
> <IfModule mod_ssl.c>
> NameVirtualHost 192.99.9.188:443
>
> <VirtualHost www.site1.com:443>
>     ServerName www.site1.com
>     ServerAdmin webmas...@site1.com
>     DocumentRoot /home/httpd/sites/site1
>     <Directory /home/httpd/sites/site1>
>         Order allow,deny
>         Allow from all
>     </Directory>
>
>     SSLEngine on
>     SSLProtocol all -SSLv2 -SSLv3
>     SSLCertificateFile    /etc/ssl/site1.ca/server.crt
>     SSLCertificateKeyFile /etc/ssl/site1.ca/server.key
>     SSLCertificateChainFile /etc/ssl/site1.ca/bundle.crt
> </VirtualHost>
>
> <VirtualHost www.site2.com:443>
>     ServerName www.site2.com
>     ServerAdmin webmas...@site2.com
>     DocumentRoot /home/httpd/sites/site2
>     <Directory /home/httpd/sites/site2>
>         Order allow,deny
>         Allow from all
>     </Directory>
>
>     SSLEngine on
>     SSLProtocol all -SSLv2 -SSLv3
>     SSLCertificateFile    /etc/ssl/site2.ca/server.crt
>     SSLCertificateKeyFile /etc/ssl/site2.ca/server.key
>     SSLCertificateChainFile /etc/ssl/site2.ca/bundle.crt
> </VirtualHost>
>
> </IfModule mod_ssl.c>
>

So many red flags here:

- Always use *:PORT when defining a vhost, unless you know exactly what you
are doing
- Set the ServerName directive in every single vhost
- Do not use the 2.2 authz directives (Allow/Deny/Order) and use Require
instead
- Unload the mod_access_compat module when apachectl configtest passes

Lastly, show the output from apachectl -S when the fixes are applied
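
The checklist in the reply above, applied to the posted configuration, as an added example that is not part of the original thread or written by either poster. It assumes Apache 2.4 with mod_ssl, keeps the poster's hostnames and file paths, and leaves out ServerAdmin because the addresses are truncated in the post.

```apache
# Added example (not from the thread): the two vhosts rewritten per the
# reply's checklist. Assumes Apache 2.4 + mod_ssl.
<IfModule mod_ssl.c>
    # No NameVirtualHost line: in 2.4 it has no effect, and name-based
    # matching happens automatically when vhosts share an address:port.

    # Both vhosts bind *:443. The first one listed is the default for
    # that address:port, so its certificate is served whenever no
    # ServerName matches or the client sends no SNI.
    <VirtualHost *:443>
        ServerName www.site1.com
        DocumentRoot /home/httpd/sites/site1
        <Directory /home/httpd/sites/site1>
            # 2.4 authz; replaces "Order allow,deny" + "Allow from all"
            Require all granted
        </Directory>

        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3
        SSLCertificateFile      /etc/ssl/site1.ca/server.crt
        SSLCertificateKeyFile   /etc/ssl/site1.ca/server.key
        # Obsolete since 2.4.8 (intermediates can go in SSLCertificateFile),
        # kept here as in the original post.
        SSLCertificateChainFile /etc/ssl/site1.ca/bundle.crt
    </VirtualHost>

    <VirtualHost *:443>
        ServerName www.site2.com
        DocumentRoot /home/httpd/sites/site2
        <Directory /home/httpd/sites/site2>
            Require all granted
        </Directory>

        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3
        SSLCertificateFile      /etc/ssl/site2.ca/server.crt
        SSLCertificateKeyFile   /etc/ssl/site2.ca/server.key
        SSLCertificateChainFile /etc/ssl/site2.ca/bundle.crt
    </VirtualHost>
</IfModule>
# Closing tag is plain </IfModule>, without the module name.
# Validate with: apachectl configtest
# Then confirm both names are listed under *:443 with: apachectl -S
```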
