[SOLVED] VirtualHost SSL subdomains with Apache2 on Debian?

mwjones · 04-04-2012, 08:31 AM

I purchased a wildcard SSL cert through my DNS registrar, gandi.net. The cert works great on a straight domain (e.g. https://example.com); but I am having trouble setting up subdomains.

The subdomain I'm trying to set up is just x.example.com. The response from https://x.example.com in the web browser is host not found. But remember that https://example.com works perfectly.

Here is my config from the file /etc/apache2/sites-enabled/example.com:

Code:

NameVirtualHost *:80
NameVirtualHost *:443


<VirtualHost *:80>
ServerName www.example.com
ServerAlias example.com *.example.com
ServerAdmin mwjones@example.com
DocumentRoot /home/mwjones/www/example.com
<Directory />
        Options FollowSymLinks
        AllowOverride AuthConfig
</Directory>

<Directory /home/mwjones/www/example.com>
        Options -Indexes FollowSymLinks MultiViews
        AllowOverride Authconfig
        Order allow,deny
        allow from all
</Directory>

ErrorLog /var/log/apache2/example.com_error.log
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
CustomLog /var/log/apache2/example.com_access.log combined
ServerSignature On
</VirtualHost>

<VirtualHost *:443>
ServerName www.example.com
ServerAlias example.com *.example.com
ServerAdmin mwjones@example.com
DocumentRoot /home/mwjones/www/example.com
<Directory />
    Options FollowSymLinks
    AllowOverride AuthConfig
</Directory>

<Directory /home/mwjones/www/example.com>
    Options -Indexes FollowSymLinks MultiViews
    AllowOverride Authconfig
    Order allow,deny
    allow from all
</Directory>

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl/cert-example.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/mwjones.key
SSLCertificateChainFile /etc/apache2/ssl/GandiStandardSSLCA.pem
SSLVerifyClient None

ErrorLog /var/log/apache2/example.com-ssl_error.log
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
CustomLog /var/log/apache2/example.com-ssl_access.log combined
ServerSignature On
</VirtualHost>

<VirtualHost *:443>
ServerName x.example.com
DocumentRoot /home/mwjones/www/example.com/x

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl/cert-example.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/example.com.key
SSLCertificateChainFile /etc/apache2/ssl/GandiStandardSSLCA.pem
SSLVerifyClient None

ErrorLog /var/log/apache2/example.com_x-ssl_error.log
LogLevel debug
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
CustomLog /var/log/apache2/example.com_x-ssl_access.log combined
ServerSignature On
</VirtualHost>

The access log is empty, but here are the contents of /var/log/apache2/example.com_x-ssl_error.log with its LogLevel set to debug:

Code:

[Wed Apr 04 09:25:12 2012] [info] Loading certificate & private key of SSL-aware server
[Wed Apr 04 09:25:12 2012] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Wed Apr 04 09:25:25 2012] [info] Configuring server for SSL protocol
[Wed Apr 04 09:25:25 2012] [debug] ssl_engine_init.c(465): Creating new SSL context (protocols: SSLv3, TLSv1)
[Wed Apr 04 09:25:25 2012] [debug] ssl_engine_init.c(664): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Wed Apr 04 09:25:25 2012] [debug] ssl_engine_init.c(748): Configuring server certificate chain (1 CA certificate)
[Wed Apr 04 09:25:25 2012] [debug] ssl_engine_init.c(420): Configuring TLS extension handling
[Wed Apr 04 09:25:25 2012] [debug] ssl_engine_init.c(795): Configuring RSA server certificate
[Wed Apr 04 09:25:25 2012] [debug] ssl_engine_init.c(834): Configuring RSA server private key
[Wed Apr 04 09:25:25 2012] [info] Loading certificate & private key of SSL-aware server
[Wed Apr 04 09:25:25 2012] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Wed Apr 04 09:25:25 2012] [info] Configuring server for SSL protocol
[Wed Apr 04 09:25:25 2012] [debug] ssl_engine_init.c(465): Creating new SSL context (protocols: SSLv3, TLSv1)
[Wed Apr 04 09:25:25 2012] [debug] ssl_engine_init.c(664): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Wed Apr 04 09:25:25 2012] [debug] ssl_engine_init.c(748): Configuring server certificate chain (1 CA certificate)
[Wed Apr 04 09:25:25 2012] [debug] ssl_engine_init.c(420): Configuring TLS extension handling
[Wed Apr 04 09:25:25 2012] [debug] ssl_engine_init.c(795): Configuring RSA server certificate
[Wed Apr 04 09:25:25 2012] [debug] ssl_engine_init.c(834): Configuring RSA server private key

What am I missing and how do I fix this?

TenTenths · 04-04-2012, 09:41 AM

I've never done anything with wildcard domains but you could try defining your site x.example.com BEFORE your wildcarded *.example.com

mwjones · 04-04-2012, 10:27 AM

Thanks for the suggestion; unfortunately it had no effect. The results were the same.

TenTenths · 04-04-2012, 10:37 AM

Did you try temporarily taking out the *.domain.com ServerAlias? I'm also assuming that you have the correct DNS entry for x.domain.com in place?

mwjones · 04-04-2012, 10:55 AM

Thanks for mentioning that, it was a bind issue. I added the following record and it fixed the problem:

Code:

x       IN      A       1.2.3.4

Thanks again

TenTenths · 04-04-2012, 10:56 AM

Quote:

Originally Posted by mwjones

Thanks again

You're welcome, glad you got sorted.