Old 04-11-2018, 06:05 PM   #1
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Rep: Reputation: 78
how to configure Apache with one SSL cert for primary domain, another wildcard cert for subdomains?


I'm working on a site that primarily operates in English. When folks visit www.example.com, we have a mod_rewrite rule that redirects them to example.com. It also redirects plain old HTTP requests to HTTPS. We've got the server configured with a really nice extended validation (EV) cert that turns your browser address bar green -- it looks quite secure and trustworthy.

The issue is that we want to display other languages at other subdomains. E.g.:
* Spanish at es.example.com
* German at de.example.com
* Italian at it.example.com

Our extended validation cert is not valid for these subdomains so we purchased a wildcard cert and we'd like to set up apache so that it uses the EV cert for example.com and the wildcard cert for all of the language subdomains.

I understand from this DigiCert support document and a serverfault post that Apache 2.4.18 should support using multiple SSL certs for different domains if the HTTPS connections are made using TLS but not if they are made using SSL. The DigiCert document suggests creating an entirely separate VirtualHost section, one for each cert, but I wonder if there are other subtleties I'm missing. Our current apache conf, for example, lacks a ServerName directive and I'm not sure if I would need to create a ServerAlias directive for every supported language or whether we might use a wildcard in these apache configurations? Additionally, the subdomains (en.example.com) are a super-string of the primary domain (example.com) -- I'm worried this might cause confusion when routing requests?

Currently, our only apache SSL conf at /etc/apache2/sites-available/default-ssl.conf looks like this when you take out all the comments:
Code:
<IfModule mod_ssl.c>
	<VirtualHost _default_:443>
		ServerAdmin webmaster@localhost
		DocumentRoot /var/www/html
		ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php/php7.0-fpm.sock|fcgi://localhost/var/www/html/
		SetEnv CI_ENV testing
		<Directory /var/www/html>
			AllowOverride All
		</Directory>
		ErrorLog ${APACHE_LOG_DIR}/error.log
		CustomLog ${APACHE_LOG_DIR}/access.log combined
		SSLEngine on
		SSLCertificateFile /etc/ssl/certs/ev-ssl-certificate.crt
		SSLCertificateKeyFile /etc/ssl/private/ev-private.key
		SSLCACertificateFile /etc/ssl/certs/ev-IntermediateCA.crt
		<FilesMatch "\.(cgi|shtml|phtml|php)$">
				SSLOptions +StdEnvVars
		</FilesMatch>
		<Directory /usr/lib/cgi-bin>
				SSLOptions +StdEnvVars
		</Directory>
	</VirtualHost>
</IfModule>
Can anyone tell me what the best-practice approach would be in this situation? Ideally we'll replicate as little code as possible to get this working.
 
Old 04-11-2018, 06:45 PM   #2
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.8.2003
Posts: 5,475

Rep: Reputation: 2100
On my server, I have different certs for different domains. To do this, each domain has a separate VirtualHost section with ServerName and the domain's cert specified.

I would think you'd be able to set up a single VirtualHost for your *.example.com sites using your wildcard cert and something like:
Code:
<VirtualHost _default_:443>
ServerName es.example.com:443
ServerAlias de.example.com:443
ServerAlias it.example.com:443
...
in the conf file to relate the cert to those domain names.

If you do it in its own conf file, it's easy enough to hide it from apache if it doesn't work by adding .hide to the name. apache will (should) only include files ending with .conf:
Code:
# Load config files in the "/etc/httpd/conf.d" directory, if any.
IncludeOptional conf.d/*.conf
 
Old 04-12-2018, 03:10 AM   #3
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,901

Rep: Reputation: 1885
@OP
Quote:
Can anyone tell me what the best-practice approach would be in this situation? Ideally we'll replicate as little code as possible to get this working.
If I were you, I'd use:
Code:
<VirtualHost *:443>
	ServerName example.com
	ServerAlias www.example.com
	# 1. Rewrite from www to non-www (stay on https so the client is not bounced through plain HTTP)
	RewriteEngine On
	RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
	RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
	# 2. Your stuff
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html
	ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php/php7.0-fpm.sock|fcgi://localhost/var/www/html/
	SetEnv CI_ENV testing
	<Directory /var/www/html>
		AllowOverride All
	</Directory>
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
	SSLEngine on
	SSLCertificateFile /etc/ssl/certs/ev-ssl-certificate.crt
	SSLCertificateKeyFile /etc/ssl/private/ev-private.key
	SSLCACertificateFile /etc/ssl/certs/ev-IntermediateCA.crt
	<FilesMatch "\.(cgi|shtml|phtml|php)$">
		SSLOptions +StdEnvVars
	</FilesMatch>
	<Directory /usr/lib/cgi-bin>
		SSLOptions +StdEnvVars
	</Directory>
</VirtualHost>

<VirtualHost *:443>
	ServerAlias *.example.com
	<snip>
	SSLCertificateFile /etc/ssl/certs/wildcard-ssl-certificate.crt
	<-snip>
</VirtualHost>

Last edited by bathory; 04-12-2018 at 03:12 AM.
 
Old 04-12-2018, 04:28 PM   #4
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.8.2003
Posts: 5,475

Rep: Reputation: 2100
^^ Yes. I wasn't sure if the ServerAlias could be wildcarded...
 
Old 05-07-2018, 04:07 PM   #5
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Original Poster
Rep: Reputation: 78
For my own future reference and for the sake of clarity I'm posting my configuration here, which works great. The ServerName and ServerAlias directives are critical for providing the right cert for the correct domains. Also, if I'm not mistaken, this sort of multi-cert configuration won't work if your server is accessed via SSL instead of TLS because SSL only supports one cert per IP/port combination. TLS supports SNI.

I'm wondering if I might eliminate all those extra ServerAlias entries in the first virtualhost and just have one ServerAlias *.example.com? Would I need to move the wildcard virtualhost after the other one?

Code:
	<VirtualHost _default_:443>
		ServerAdmin webmaster@localhost
		ServerName es.example.com
		ServerAlias fr.example.com
		ServerAlias de.example.com
		ServerAlias it.example.com
		ServerAlias ru.example.com
		ServerAlias pl.example.com
		ServerAlias pt.example.com
		ServerAlias ar.example.com
		ServerAlias zh.example.com
		ServerAlias ja.example.com

		DocumentRoot /var/www/html

		ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php/php7.0-fpm.sock|fcgi://localhost/var/www/html/

		<Directory /var/www/html>
			AllowOverride All
		</Directory>

		ErrorLog ${APACHE_LOG_DIR}/error.log
		CustomLog ${APACHE_LOG_DIR}/access.log combined

		SSLEngine on
		SSLCertificateFile /etc/ssl/certs/wildcard.crt
		SSLCertificateKeyFile /etc/ssl/private/wildcard-private.key
		SSLCACertificateFile /etc/ssl/certs/wildcard-DigiCertCA.crt

		<FilesMatch "\.(cgi|shtml|phtml|php)$">
			SSLOptions +StdEnvVars
		</FilesMatch>

		<Directory /usr/lib/cgi-bin>
			SSLOptions +StdEnvVars
		</Directory>

	</VirtualHost>

	<VirtualHost _default_:443>
		ServerAdmin webmaster@localhost
		ServerName example.com
		ServerAlias www.example.com
		DocumentRoot /var/www/html

		ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php/php7.0-fpm.sock|fcgi://localhost/var/www/html/

		<Directory /var/www/html>
			AllowOverride All
		</Directory>

		ErrorLog ${APACHE_LOG_DIR}/error.log
		CustomLog ${APACHE_LOG_DIR}/access.log combined

		SSLEngine on
		SSLCertificateFile /etc/ssl/certs/ev-ssl-certificate.crt
		SSLCertificateKeyFile /etc/ssl/private/ev-private.key
		SSLCACertificateFile /etc/ssl/certs/ev-IntermediateCA.crt

		<FilesMatch "\.(cgi|shtml|phtml|php)$">
				SSLOptions +StdEnvVars
		</FilesMatch>

		<Directory /usr/lib/cgi-bin>
				SSLOptions +StdEnvVars
		</Directory>
	</VirtualHost>
 
Old 05-08-2018, 01:36 AM   #6
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,901

Rep: Reputation: 1885
Quote:
I'm wondering if I might eliminate all those extra ServerAlias entries in the first virtualhost and just have one ServerAlias *.example.com? Would I need to move the wildcard virtualhost after the other one?
Exactly.
Put the www vhost first and then the *.example.com. See my post above.
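The ordering question in posts #5 and #6 comes down to how Apache picks a virtual host for a TLS connection, and therefore which certificate it presents. The script below is an added illustration, not code from this thread or from the Apache project; it models the documented rules for name-based virtual hosts (vhosts on the same address:port are tried in configuration order, the first ServerName/ServerAlias match wins, ServerAlias accepts * and ? wildcards, and a client that matches nothing or sends no SNI at all gets the first vhost listed). The vhost fragments and certificate paths are constructed to mirror the configurations posted above, and the parser handles only the three directives that decide the outcome.

```python
"""Model of how Apache picks a <VirtualHost> (and so a certificate) for an
HTTPS connection.  Added example, not code from the thread or from Apache;
it assumes the selection rules documented for name-based virtual hosts:
  1. vhosts bound to the same address:port are tried in configuration order;
  2. the first one whose ServerName equals the SNI hostname (case-insensitive)
     or whose ServerAlias pattern (* and ? wildcards) matches it is chosen;
  3. if nothing matches, or the client sent no SNI extension at all, the
     first vhost listed for that address is used as the default.
Hostnames and certificate paths below are constructed to mirror the thread.
"""
import fnmatch
import re

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(conf_text):
    """Return the vhosts in file order with only the directives that matter here."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf_text):
        vh = {"addr": addr.strip(), "name": None, "aliases": [], "cert": None}
        for line in body.splitlines():
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            directive, args = parts[0].lower(), parts[1:]
            if directive == "servername" and args:
                # "ServerName host:port" is allowed; only the host part is matched
                vh["name"] = args[0].lower().split(":")[0]
            elif directive == "serveralias":
                vh["aliases"].extend(a.lower().split(":")[0] for a in args)
            elif directive == "sslcertificatefile" and args:
                vh["cert"] = args[0]
        vhosts.append(vh)
    return vhosts


def host_matches(vh, hostname):
    """ServerName is an exact match; ServerAlias allows * and ? wildcards."""
    h = hostname.lower()
    if vh["name"] == h:
        return True
    # fnmatch's * spans dots, like Apache's, so '*.example.com' matches
    # 'www.example.com' but not the bare 'example.com' (no leading dot).
    return any(fnmatch.fnmatchcase(h, pat) for pat in vh["aliases"])


def select_vhost(vhosts, sni_hostname=None):
    """Pick the vhost Apache would serve; None means the client sent no SNI."""
    if not vhosts:
        raise ValueError("no <VirtualHost> blocks found")
    if sni_hostname is not None:
        for vh in vhosts:
            if host_matches(vh, sni_hostname):
                return vh
    return vhosts[0]  # first listed = default for that address:port


def served_cert(conf_text, sni_hostname=None):
    """Certificate file Apache would present for the given SNI hostname."""
    return select_vhost(parse_vhosts(conf_text), sni_hostname)["cert"]


# Constructed vhost fragments, reduced to the directives that decide the cert.
EV_VHOST = """
<VirtualHost _default_:443>
    ServerName example.com
    ServerAlias www.example.com
    SSLCertificateFile /etc/ssl/certs/ev-ssl-certificate.crt
</VirtualHost>
"""
EXPLICIT_VHOST = """
<VirtualHost _default_:443>
    ServerName es.example.com
    ServerAlias fr.example.com de.example.com it.example.com
    SSLCertificateFile /etc/ssl/certs/wildcard.crt
</VirtualHost>
"""
WILDCARD_VHOST = """
<VirtualHost _default_:443>
    ServerName es.example.com
    ServerAlias *.example.com
    SSLCertificateFile /etc/ssl/certs/wildcard.crt
</VirtualHost>
"""

CONF_EXPLICIT_FIRST = EXPLICIT_VHOST + EV_VHOST   # post #5 as posted
CONF_WILDCARD_FIRST = WILDCARD_VHOST + EV_VHOST   # collapsed alias, wildcard vhost first
CONF_EV_FIRST = EV_VHOST + WILDCARD_VHOST         # collapsed alias, EV vhost first

if __name__ == "__main__":
    for label, conf in (("explicit aliases first", CONF_EXPLICIT_FIRST),
                        ("*.example.com first", CONF_WILDCARD_FIRST),
                        ("EV vhost first", CONF_EV_FIRST)):
        print(label)
        for host in ("example.com", "www.example.com", "de.example.com", None):
            print(f"  SNI={host!s:<16} -> {served_cert(conf, host)}")
```

Running it shows why the order matters once the aliases are collapsed: with `ServerAlias *.example.com` in the first vhost, a request for www.example.com matches the wildcard before it ever reaches the EV vhost and is served the wildcard certificate, whereas with the EV vhost first www.example.com gets the EV certificate and every other subdomain falls through to the wildcard. It also makes the no-SNI case visible: such a client always lands on the first vhost, so listing the EV vhost first means the bare domain's certificate is the one those clients see. On a live server the same check is `openssl s_client -connect example.com:443 -servername de.example.com`, comparing the presented subject against the expected certificate for each name.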