Setup sample SSL subdomain site but keeps going to www
I see you're using <VirtualHost *:443>.
Do you have other ssl vhosts defined along with subdomain.mydomain.com? If you have more than 1 ssl vhost, then it looks like apache somehow does not read the config you've posted and it uses the default vhost, which I guess is www.mydomain.com. Also for multiple ssl vhosts you have to add:
Code:
NameVirtualHost *:443
If you have just one ssl vhost, then remove the <VirtualHost *:443> tag (and the closing </VirtualHost>), so there is only subdomain.mydomain.com defined as default ssl vhost.
If you don't have other ssl vhosts on that same apache, then remove the 2 tags (<VirtualHost *:443> and </VirtualHost>) as they are of no use here.
Also you can post httpd.conf, ssl.conf and any other config files that can be of help, so we can have a better look at your apache configuration.
<Directory "/var/www/manual">
Options Indexes
Order deny,allow
Deny from All
Allow from 192.168.0.0/24
Allow from 84.12.98.134
</Directory>
Alias /php-manual "/var/www/php_manual_last_update_16092011_1018/php-chunked-xhtml"
<Directory "/var/www/php_manual_last_update_16092011_1018/php-chunked-xhtml">
Order deny,allow
Deny from All
Allow from 192.168.0.0/24
Allow from 84.12.98.134
Options None
</Directory>
Alias /zend-documentation "/usr/share/Zend-Framework/documentation"
Alias /zend-manual "/usr/share/Zend-Framework/documentation"
<Directory "/usr/share/Zend-Framework/documentation">
Order deny,allow
Deny from All
Allow from 192.168.0.0/24
Allow from 84.12.98.134
Options +Indexes
</Directory>
Alias /phpmyadmin "/www/mydomain.co.uk/html/phpMyAdmin/"
<Directory "/www/mydomain.co.uk/html/phpMyAdmin/">
Order deny,allow
Deny from all
Allow from all
# Allow from 192.168.0.0/24
# Allow from 84.12.98.134
</Directory>
<Directory "/www/mydomain.co.uk/html/phpMyAdmin/libraries">
Order allow,deny
Deny from all
</Directory>
<Directory "/www/mydomain.co.uk/html/phpMyAdmin/scripts">
Order deny,allow
Deny from All
</Directory>
<Directory "/www/mydomain.co.uk/html/phpMyAdmin/setup">
order deny,allow
deny from all
# Allow from 192.168.0.0/24
# Allow from 84.12.98.134
</Directory>
Alias /xcart-test "/www/mydomain.co.uk/xcart-test"
<Directory "/www/mydomain.co.uk/xcart-test">
Order deny,allow
Deny from all
Allow from 192.168.0.0/24
Allow from 84.12.98.134
php_value register_long_arrays 1
</Directory>
This is my ssl config if you are interested in seeing if this is causing the problem:
Quote:
#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
LoadModule ssl_module modules/mod_ssl.so
#
# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
#
Listen 443
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
#SSLSessionCache dc:UNIX:/var/cache/mod_ssl/distcache
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex default
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names. NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec
##
## SSL Virtual Host Context
##
#<VirtualHost _default_:443> (this was uncommented)
# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
#ErrorLog logs/ssl_error_log (this was uncommented)
#TransferLog logs/ssl_access_log (this was uncommented)
#LogLevel warn (this was uncommented)
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
#SSLEngine on (this was uncommented)
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
#SSLProtocol all -SSLv2 (this was uncommented)
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
#SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW (this was uncommented)
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt (this was uncommented)
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key (this was uncommented)
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
#<Files ~ "\.(cgi|shtml|phtml|php3?)$"> (this was uncommented all Files lines)
# SSLOptions +StdEnvVars
#</Files>
#<Directory "/var/www/cgi-bin"> (this was uncommented all Directory lines)
# SSLOptions +StdEnvVars
#</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
#SetEnvIf User-Agent ".*MSIE.*" \ (this was uncommented all the 2 below lines aswell!)
# nokeepalive ssl-unclean-shutdown \
# downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
#CustomLog logs/ssl_request_log \ (this was uncommented just the below line aswell and the ending VirtualHost tag!)
# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
#</VirtualHost>
# Trial for webmin (eventually get it to redirect to the https protocol when working!)
#<VirtualHost _default_:443>
#</VirtualHost>
The virtual hosts part is of course commented out, any advice is much appreciated,
Jeremy
As I said, since you have only one ssl (v)host, remove (or comment out) the 2 lines (<VirtualHost *:443> and </VirtualHost>) and restart apache. It's maybe better to move the rest into ssl.conf just to keep the ssl stuff together.
And you can run:
I get you when it comes to removing those <VirtualHost *:443> parts, but there's now (not "not", typo apologies) an error with Firefox when trying to connect to that section of the site.
Something along the lines of:
Quote:
An error occurred during a connection to webmail.mydomain.co.uk.
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)
This is the output of the VirtualHosts config check:
Quote:
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:80 is a NameVirtualHost
default server www.mydomain.com (/etc/httpd/conf.d/mydomain.com.conf:1)
port 80 namevhost www.mydomain2.com (/etc/httpd/conf.d/mydomain2.com.conf:1)
port 80 namevhost www.mydomain3.co.uk (/etc/httpd/conf.d/mydomain3.co.uk.conf:1)
port 80 namevhost mailadmin.mydomain.co.uk (/etc/httpd/conf.d/mydomain.co.uk.conf:118)
port 80 namevhost www.mydomain.me.uk (/etc/httpd/conf.d/mydomain.me.uk.conf:1)
port 80 namevhost blog.mydomain.me.uk (/etc/httpd/conf.d/mydomain.me.uk.conf:53)
Syntax OK
As I feared, that has not included the ssl part as a virtualhost. This is the ssl.conf as it is now:
I got rid of a lot of rubbish, took the old one out of the whole directory and started using the parts that do actually work:
The bizarre thing is the whole httpd service still runs even when the SSL site (the webmail, I mean) is not appearing at all, which is what I wanted to start off encrypting.
Any help is much appreciated as usual,
Jeremy
Last edited by j.smith1981; 02-02-2012 at 09:25 AM.
Reason: typo error said not when I really meant now
I just wanted to add that I have actually modified the ssl.conf to:
Quote:
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:80 is a NameVirtualHost
default server www.mydomain1.com (/etc/httpd/conf.d/cafdiscos.com.conf:1)
port 80 namevhost www.mydomain1.com (/etc/httpd/conf.d/cafdiscos.com.conf:1)
port 80 namevhost www.mydomain2.co.uk (/etc/httpd/conf.d/hsmedia.co.uk.conf:1)
port 80 namevhost mailadmin.mydomain2.co.uk (/etc/httpd/conf.d/hsmedia.co.uk.conf:118)
port 80 namevhost webmail.mydomain2.co.uk (/etc/httpd/conf.d/hsmedia.co.uk.conf:143)
port 80 namevhost www.mydomain3.me.uk (/etc/httpd/conf.d/jeremysmith.me.uk.conf:1)
port 80 namevhost blog.mydomain3.me.uk (/etc/httpd/conf.d/jeremysmith.me.uk.conf:53)
*:443 is a NameVirtualHost
default server webmail.mydomain2.co.uk (/etc/httpd/conf.d/ssl.conf:83)
port 443 namevhost webmail.mydomain2.co.uk (/etc/httpd/conf.d/ssl.conf:83)
Syntax OK
I added the tag NameVirtualHost to the ssl.conf but it's still leaking into the other subdomains. Is there any way of stopping apache from doing this?
Thanks for your help, I've been trying myself but just cannot work out a way of doing this.
Sorry, changing something in this post: actually, if I change the order in which they appear in the configs I can get them to change which ssl cert to go for, but it just doesn't make a lot of sense.
Jeremy
Last edited by j.smith1981; 02-02-2012 at 10:47 AM.
All I really want, logically, is to have different certs for different subdomains.
Say I had the names subdomain.mydomain and subdomaintest.mydomain.com, just as a random example.
I would like to have 2 certificates for those 2 subdomains (if at all possible) and then have, say, different certs for other domains; I actually have 3 that go onto my server, you see.
It's really just a test to see if I can get SSL working, something I have always been interested in getting working, to be brutally honest. I've seen a lot of work in freelance stuff and this is really good; thank you for being so patient, I truly appreciate it!
I look forward to your next reply; that's basically the result I would like (though I am interested in the SNI thing). I'm going to have a look at that and compare the version of apache you mentioned with what's installed. It is CentOS 5.7 that I actually run at the moment, though I am not sure what version of apache it is at present.
Would it suffice to use a command like rpm -q with http or maybe httpd (depending on which one actually works) to find out my version of apache? I have never queried the apache server on my node.
I have actually done httpd as the query on rpm and it comes back as: httpd-2.2.3-53.el5.centos.3
Last edited by j.smith1981; 02-02-2012 at 05:52 PM.
All I really want, logically, is to have different certs for different subdomains.
Now you mention that you want to setup 2 ssl vhosts. Till now I was under the impression that you were trying to setup a single ssl subdomain.
Anyway, since your apache is quite dated, I'm afraid you cannot use SNI for multiple ssl vhosts. I guess you have to upgrade, starting from your distro that is also quite dated.
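As an added example (not from the thread or from Apache), a small Python linter for the two misconfigurations this thread runs into: several `<VirtualHost *:443>` blocks without `NameVirtualHost *:443`, which the first reply points out, and a port-443 vhost without `SSLEngine on`, which makes Apache answer port 443 with plain HTTP and is the usual cause of Firefox's ssl_error_rx_record_too_long. The hostnames and file paths in the embedded sample configs are constructed.

```python
import re

# Constructed sample mirroring the thread: two port-443 vhosts, no
# NameVirtualHost *:443, and the second block lacks "SSLEngine on".
BROKEN_CONF = """
Listen 443
<VirtualHost *:443>
    ServerName webmail.mydomain.co.uk
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/webmail.crt
    SSLCertificateKeyFile /etc/pki/tls/private/webmail.key
</VirtualHost>
<VirtualHost *:443>
    ServerName mailadmin.mydomain.co.uk
    SSLCertificateFile /etc/pki/tls/certs/mailadmin.crt
    SSLCertificateKeyFile /etc/pki/tls/private/mailadmin.key
</VirtualHost>
"""

# Corrected form: name-based SSL vhosts need NameVirtualHost *:443 on Apache 2.2,
# and every 443 vhost needs SSLEngine on. Serving a different certificate per
# name on a single IP additionally relies on SNI, which needs Apache >= 2.2.12.
FIXED_CONF = "NameVirtualHost *:443\n" + BROKEN_CONF.replace(
    "ServerName mailadmin.mydomain.co.uk",
    "ServerName mailadmin.mydomain.co.uk\n    SSLEngine on")

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def directives(body):
    """Map lower-cased directive name -> list of values found in one vhost body."""
    found = {}
    for line in body.splitlines():
        parts = line.split(None, 1)
        if parts:
            found.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return found

def lint_ssl_vhosts(conf):
    """Return a list of findings for the port-443 vhosts of an Apache 2.2 config text."""
    conf = "\n".join(l for l in conf.splitlines() if not l.lstrip().startswith("#"))
    hosts = [(addr, directives(body)) for addr, body in VHOST_RE.findall(conf)
             if addr.strip().endswith(":443")]
    findings = []
    if len(hosts) > 1 and not re.search(r"^\s*NameVirtualHost\s+\S+:443", conf, re.M | re.I):
        findings.append("several *:443 vhosts but no 'NameVirtualHost *:443': Apache 2.2 "
                        "answers every name with the first vhost and its certificate")
    for _addr, d in hosts:
        name = d.get("servername", ["<no ServerName>"])[0]
        if "on" not in [v.lower() for v in d.get("sslengine", [])]:
            findings.append(f"{name}: no 'SSLEngine on', so port 443 speaks plain HTTP "
                            "and browsers report ssl_error_rx_record_too_long")
        for req in ("ServerName", "SSLCertificateFile", "SSLCertificateKeyFile"):
            if req.lower() not in d:
                findings.append(f"{name}: missing {req}")
    return findings

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, lint_ssl_vhosts(conf) or "OK")
```

Run it against your real ssl.conf with `lint_ssl_vhosts(open("/etc/httpd/conf.d/ssl.conf").read())`; it complements the `httpd -S` listing in the thread, which shows the vhosts Apache parsed but not whether each one actually has the SSL engine switched on.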
Yes, that's what I wanted to try out to see if I can get it working: start off with one and then go to another and see if I can get that working with respect to subdomains, I mean, eventually having 2 subdomains for my first domain.
Then using a separate cert for both, then having another domain with its own certificate and so on, just as an example to myself for my own skill set; I've always been interested in network encryption.
Yea, I keep meaning to upgrade; I might ask on the CentOS forums to see if that distro has been included, in fact I might look through the repos to see if it is and if so make a plan perhaps tonight to upgrade it.
Yes, this might be a reason to actually upgrade it; I kept putting it off and putting it off. Or perhaps have a go at installing Apache myself, hmm, thinking about it at least.
Nevertheless, thank you ever so much for your help. I didn't realise how easy it is to set up SSL; I was interested in what TLS meant but it's really about encrypting data sent across a network, isn't it? (please correct me if I am wrong).
Really interesting anyway; I mean I could use other workarounds if I look around on the web also, will see what I can do.
Thanks again,
Jeremy.
Last edited by j.smith1981; 02-03-2012 at 05:16 AM.