LinuxQuestions.org


sneakyimp 04-11-2018 06:05 PM

how to configure Apache with one SSL cert for primary domain, another wildcard cert for subdomains?
 
I'm working on a site that primarily operates in English. When folks visit www.example.com, we have a mod_rewrite rule that redirects them to example.com. It also redirects plain old HTTP requests to HTTPS. We've got the server configured with a really nice extended validation (EV) cert that turns your browser address bar green -- it looks quite secure and trustworthy.

The issue is that we want to display other languages at other subdomains. E.g.:
* Spanish at es.example.com
* German at de.example.com
* Italian at it.example.com.

Our extended validation cert is not valid for these subdomains so we purchased a wildcard cert and we'd like to set up apache so that it uses the EV cert for example.com and the wildcard cert for all of the language subdomains.

I understand from this DigiCert support document and a serverfault post that Apache 2.4.18 should support using multiple SSL certs for different domains if the HTTPS connections are made using TLS but not if they are made using SSL. The DigiCert document suggests creating an entirely separate VirtualHost section, one for each cert, but I wonder if there are other subtleties I'm missing. Our current apache conf, for example, lacks a ServerName directive and I'm not sure if I would need to create a ServerAlias directive for every supported language or whether we might use a wildcard in these apache configurations? Additionally, the subdomains (en.example.com) are a super-string of the primary domain (example.com) -- I'm worried this might cause confusion when routing requests?

Currently, our only apache SSL conf at /etc/apache2/sites-available/default-ssl.conf looks like this when you take out all the comments:
Code:

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin webmaster@localhost
                DocumentRoot /var/www/html
                ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php/php7.0-fpm.sock|fcgi://localhost/var/www/html/
                SetEnv CI_ENV testing
                <Directory /var/www/html>
                        AllowOverride All
                </Directory>
                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined
                SSLEngine on
                SSLCertificateFile      /etc/ssl/certs/ev-ssl-certificate.crt
                SSLCertificateKeyFile /etc/ssl/private/ev-private.key
                SSLCACertificateFile /etc/ssl/certs/ev-IntermediateCA.crt
                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>
        </VirtualHost>
</IfModule>

Can anyone tell me what the best-practice approach would be in this situation? Ideally we'll replicate as little code as possible to get this working.

scasey 04-11-2018 06:45 PM

On my server, I have different certs for different domains. To do this, each domain has a separate VirtualHost section with ServerName and the domain's cert specified.

I would think you'd be able to set up a single VirtualHost for your *.example.com sites using your wildcard cert and something like:
Code:

<VirtualHost _default_:443>
        ServerName es.example.com:443
        # ServerAlias takes bare hostnames (no :port); Apache strips the port from the
        # Host header before matching, so an alias written as "de.example.com:443" never matches
        ServerAlias de.example.com
        ServerAlias it.example.com
        ...

in the conf file to relate the cert to those domain names.

If you do it in its own conf file, it's easy enough to hide it from apache if it doesn't work by adding .hide to the name. apache will (should) only include files ending with .conf:
Code:

# Load config files in the "/etc/httpd/conf.d" directory, if any.
IncludeOptional conf.d/*.conf


bathory 04-12-2018 03:10 AM

@OP
Quote:

Can anyone tell me what the best-practice approach would be in this situation? Ideally we'll replicate as little code as possible to get this working.
If I were you, I'd use:
Code:

<VirtualHost *:443>
        ServerName example.com
        ServerAlias www.example.com
        # 1. Rewrite from www to non-www. Redirect to https:// (not http://), otherwise the
        #    existing HTTP->HTTPS rule sends the client through a second redirect. In vhost
        #    context the matched path starts with "/", so make that slash optional to avoid "//".
        RewriteEngine On
        RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
        RewriteRule ^/?(.*)$ https://%1/$1 [R=301,L]
        # 2. Your stuff
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php/php7.0-fpm.sock|fcgi://localhost/var/www/html/
        SetEnv CI_ENV testing
        <Directory /var/www/html>
                AllowOverride All
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/ev-ssl-certificate.crt
        SSLCertificateKeyFile /etc/ssl/private/ev-private.key
        SSLCACertificateFile /etc/ssl/certs/ev-IntermediateCA.crt
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>
</VirtualHost>

<VirtualHost *:443>
        ServerAlias *.example.com
        <snip>
        SSLCertificateFile /etc/ssl/certs/wildcard-ssl-certificate.crt
        <-snip>
</VirtualHost>


scasey 04-12-2018 04:28 PM

^^ Yes. I wasn't sure if the ServerAlias could be wildcarded...

sneakyimp 05-07-2018 04:07 PM

For my own future reference and for the sake of clarity I'm posting my configuration here, which works great. The ServerName and ServerAlias directives are critical for providing the right cert for the correct domains. Also, if I'm not mistaken, this sort of multi-cert configuration won't work if your server is accessed via SSL instead of TLS because SSL only supports one cert per IP/port combination. TLS supports SNI.

I'm wondering if I might eliminate all those extra ServerAlias entries in the first virtualhost and just have one ServerAlias *.example.com? Would I need to move the wildcard virtualhost after the other one?

Code:

        <VirtualHost _default_:443>
                ServerAdmin webmaster@localhost
                ServerName es.example.com
                ServerAlias fr.example.com
                ServerAlias de.example.com
                ServerAlias it.example.com
                ServerAlias ru.example.com
                ServerAlias pl.example.com
                ServerAlias pt.example.com
                ServerAlias ar.example.com
                ServerAlias zh.example.com
                ServerAlias ja.example.com

                DocumentRoot /var/www/html

                ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php/php7.0-fpm.sock|fcgi://localhost/var/www/html/

                <Directory /var/www/html>
                        AllowOverride All
                </Directory>

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on
                SSLCertificateFile /etc/ssl/certs/wildcard.crt
                SSLCertificateKeyFile /etc/ssl/private/wildcard-private.key
                SSLCACertificateFile /etc/ssl/certs/wildcard-DigiCertCA.crt

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                        SSLOptions +StdEnvVars
                </FilesMatch>

                <Directory /usr/lib/cgi-bin>
                        SSLOptions +StdEnvVars
                </Directory>

        </VirtualHost>

        <VirtualHost _default_:443>
                ServerAdmin webmaster@localhost
                ServerName example.com
                ServerAlias www.example.com
                DocumentRoot /var/www/html

                ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php/php7.0-fpm.sock|fcgi://localhost/var/www/html/

                <Directory /var/www/html>
                        AllowOverride All
                </Directory>

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on
                SSLCertificateFile /etc/ssl/certs/ev-ssl-certificate.crt
                SSLCertificateKeyFile /etc/ssl/private/ev-private.key
                SSLCACertificateFile /etc/ssl/certs/ev-IntermediateCA.crt

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                        SSLOptions +StdEnvVars
                </FilesMatch>

                <Directory /usr/lib/cgi-bin>
                        SSLOptions +StdEnvVars
                </Directory>
        </VirtualHost>


bathory 05-08-2018 01:36 AM

Quote:

I'm wondering if I might eliminate all those extra ServerAlias entries in the first virtualhost and just have one ServerAlias *.example.com? Would I need to move the wildcard virtualhost after the other one?
Exactly.
Put the www vhost first and then the *.example.com. See my post above.
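An added example (mine, not from the thread or from httpd) that models Apache's name-based vhost selection for the two configurations discussed above: the first <VirtualHost> in configuration order whose ServerName or a ServerAlias (wildcards allowed) matches the requested hostname wins, otherwise the first vhost for that address:port is the default. It assumes that simplified model and constructed vhost definitions mirroring the thread's EV and wildcard vhosts, and shows why www.example.com would be served the wildcard cert if the *.example.com vhost came first.

```python
"""Simplified model of how Apache picks a <VirtualHost> for a hostname (added example)."""
from fnmatch import fnmatchcase


def vhost_matches(vhost, hostname):
    """True if hostname equals ServerName or matches any ServerAlias (* and ? wildcards)."""
    host = hostname.lower()
    if host == vhost["ServerName"].lower():
        return True
    return any(fnmatchcase(host, alias.lower()) for alias in vhost.get("ServerAlias", []))


def select_vhost(vhosts, hostname):
    """First vhost in configuration order that matches; if none matches, the first (default) vhost."""
    for vhost in vhosts:
        if vhost_matches(vhost, hostname):
            return vhost
    return vhosts[0]


def cert_for(vhosts, hostname):
    """Certificate the client would be shown for a given SNI/Host name."""
    return select_vhost(vhosts, hostname)["SSLCertificateFile"]


# Constructed vhost definitions mirroring the thread's EV and wildcard vhosts.
EV = {"ServerName": "example.com", "ServerAlias": ["www.example.com"],
      "SSLCertificateFile": "/etc/ssl/certs/ev-ssl-certificate.crt"}
WILDCARD = {"ServerName": "es.example.com", "ServerAlias": ["*.example.com"],
            "SSLCertificateFile": "/etc/ssl/certs/wildcard.crt"}

RECOMMENDED = [EV, WILDCARD]  # apex/www vhost first, as advised above
REVERSED = [WILDCARD, EV]     # wildcard first: *.example.com also swallows www.example.com

if __name__ == "__main__":
    for label, order in (("recommended", RECOMMENDED), ("reversed", REVERSED)):
        for host in ("example.com", "www.example.com", "de.example.com", "other.test"):
            print(f"{label:12} {host:18} -> {cert_for(order, host)}")
```

Note that "example.com" itself never matches "*.example.com" (the pattern requires a dot before the domain), so the apex stays on the EV cert in either order; only www and unknown hostnames change hands.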

