SSL site not using the correct IP in Apache and Ubuntu
I've set this up on my servers by adjusting the /etc/apache2/ports.conf file as follows:
<IfModule mod_ssl.c>
NameVirtualHost *:443
# SSL name based virtual hosts are not yet supported, therefore no
# NameVirtualHost statement here
NameVirtualHost *:443
Listen 443
</IfModule>
You should then be able to use it by editing /etc/apache2/sites-enabled/mysite.com (some code omitted to shorten the example):
<VirtualHost *:443>
ServerName mysite1.com
SSLCertificateFile /etc/ssl/localcerts/www.mysite1.com.crt
SSLCertificateKeyFile /etc/ssl/localcerts/www.mysite1.com.pem
</VirtualHost>
<VirtualHost *:443>
ServerName mysite2.com
SSLCertificateFile /etc/ssl/localcerts/www.mysite2.com.crt
SSLCertificateKeyFile /etc/ssl/localcerts/www.mysite2.com.pem
</VirtualHost>
For as many vhosts as you like.
Edit: NEED A SECOND OPINION? GO HERE: http://forum.slicehost.com/comments.php?DiscussionID=3244
Comments
-
John over 1 year
I'm trying to set up an apache-ubuntu-php webserver. My webserver will host multiple SSL sites, each SSL site will have its own IP address (unless there's a better way to do this).
So I suppose the first step is to get Apache to recognize at least two different IP addresses. Right now, I have an SSL and non-SSL version of a website which are http://mysite.com and https://mysite.com. Although both are currently running on my server, I can't get both to use different IP addresses. Right now, both are using the IP 1.1.1.1. I purchased a second IP address 2.2.2.2 but the https://mysite.com won't accept it and Firefox complains with the error "ssl_error_rx_record_too_long". Here's a look at my 2 vhost files:
/etc/apache2/site-enabled/000-default
#NameVirtualHost 1.1.1.1:80
#<VirtualHost 1.1.1.1:80>
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog /var/log/apache2/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>
/etc/apache2/site-enabled/mysite.com
<VirtualHost 1.1.1.1:80>
    ServerAdmin [email protected]
    ServerName mysite.com
    ServerAlias www.mysite.com
    DocumentRoot /srv/www/mysite.com/public_html/
    ErrorLog /srv/www/mysite.com/logs/error.log
    CustomLog /srv/www/mysite.com/logs/access.log combined
</VirtualHost>
<IfModule mod_ssl.c>
#<VirtualHost 2.2.2.2:443>
<VirtualHost *:443>
    ServerAdmin [email protected]
    ServerName mysite.com
    ServerAlias www.mysite.com
    DocumentRoot /srv/www/mysite.com/public_html/
    ErrorLog /srv/www/mysite.com/logs/error.log
    CustomLog /srv/www/mysite.com/logs/access.log combined
    SSLEngine on
    SSLCertificateFile /etc/ssl/localcerts/www.mysite.com.crt
    SSLCertificateKeyFile /etc/ssl/localcerts/www.mysite.com.pem
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
</VirtualHost>
</IfModule>
In mysite.com, if I replace <VirtualHost *:443> with <VirtualHost 2.2.2.2:443>, Firefox complains with the error "ssl_error_rx_record_too_long".
So when I try to create and enable a /etc/apache2/site-enabled/mysite2.com with another SSL certificate on a third IP address, Apache complains about an "overlap" problem.
Can someone tell me how to set up my server so that I can host multiple SSL websites on different domains? I want the SSL certificate to work for IE 7+, FF, and Safari on the popular OSes such as WinXP, Vista, Win7 and OSX.
-
John over 14 years
Oh, it worked... and each of the websites is using the same 1.1.1.1 IP address. So does this mean I don't need the 2.2.2.2 IP address anymore? I don't need a unique IP for each SSL domain?
-
Patrick R over 14 years
You are not required to use a unique IP for each SSL domain.
-
Josh over 14 years
Please explain why you don't need a separate IP for each domain. This goes against everything I understand about SSL...
-
Patrick R over 14 years
I'm not sure what to say other than that I've used multiple wildcard certs on servers with one IP. As long as the CommonName matches the ServerName you'll be fine. Now if you're in a shared hosting environment then this may allow others to use your cert. If it worked for johnlai2004 and me... well then, what's the issue?
-
Josh over 14 years
voretaq7 explained the reasoning on serverfault.com/questions/109800/… -- This is TLS, not SSL. SSL does require a 1:1 relationship between IP addresses and certificates. TLS does not. I just wasn't aware TLS could be used for HTTPS (yet).
-
Patrick R over 14 years
I can show you how to use multiple IPs on the same server but you'll have to use different ports (i.e. 443, 442, 441, etc.). Won't be as nice for your end users.
-
Patrick R over 14 years
@josh/johnlai2004 - So will my answer/example work for you? If not, I obviously didn't understand the end result you were looking for. Thought you might be looking for a way to avoid multiple IP addresses.
-
John over 14 years
Ah ok. This is all so unusual. The certificate works fine for all browsers on all OS except for IE on WinXP. It even works for IE on Win Vista. How do I get this to work for IE on WinXP?
-
John over 14 years
In the end, I just want valid SSL certificates to work for each website when viewed through IE and FF on Windows XP and Vista and Safari on Mac OSX.
-
CallMeLaNN over 12 years
Is the answer about TLS? Where is the fix in the code? Do you mean the *:443 in the VirtualHost?
-
Richard Salts almost 11 years
You can see what it will use with apachectl -t -D DUMP_VHOSTS. The order is first to last.
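An added example, not part of the original thread: a simplified Python model of how the answer's two `*:443` vhosts are chosen, showing which certificate file a client is handed with and without a TLS server name, following the first-to-last order mentioned in the last comment. The parser, the function names and the addresses passed to them are assumptions for illustration; ServerAlias wildcards and the main-server fallback are not modelled.

```python
import re

# Constructed sample: the two name-based vhosts from the answer, on *:443.
SAMPLE_CONF = """
<VirtualHost *:443>
ServerName mysite1.com
SSLCertificateFile /etc/ssl/localcerts/www.mysite1.com.crt
</VirtualHost>
<VirtualHost *:443>
ServerName mysite2.com
SSLCertificateFile /etc/ssl/localcerts/www.mysite2.com.crt
</VirtualHost>
"""
BLOCK = re.compile(r"<VirtualHost\s+([^>\s]+)\s*>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    """Return vhosts in file order as dicts: addr, port, names, cert."""
    vhosts = []
    for target, body in BLOCK.findall(conf):
        addr, _, port = target.rpartition(":")
        if not port.isdigit():
            continue  # vhosts without an explicit port are skipped in this sketch
        names, cert = [], None
        for line in body.splitlines():
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            key = parts[0].lower()
            if key in ("servername", "serveralias"):
                names += [n.lower() for n in parts[1:]]
            elif key == "sslcertificatefile" and len(parts) > 1:
                cert = parts[1]
        vhosts.append({"addr": addr, "port": int(port), "names": names, "cert": cert})
    return vhosts

def select_vhost(vhosts, local_ip, port, sni=None):
    """Simplified selection: exact IP beats '*', then name match, else first listed."""
    on_port = [v for v in vhosts if v["port"] == port]
    exact = [v for v in on_port if v["addr"] == local_ip]
    group = exact or [v for v in on_port if v["addr"] == "*"]
    by_name = [v for v in group if sni and sni.lower() in v["names"]]
    return (by_name or group or [None])[0]

def cert_for(conf, local_ip, port, sni=None):
    """Certificate file served for a connection, or None if no vhost answers."""
    v = select_vhost(parse_vhosts(conf), local_ip, port, sni)
    return v["cert"] if v else None
```

A client that sends no server name falls through to the first vhost, so it receives the mysite1.com certificate even when it asked for mysite2.com.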