[SOLVED] Apache 2.4.10 - Fedora 20 Virtualhost not accepting SSL
Linux - SoftwareThis forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Apache 2.4.10 - Fedora 20 Virtualhost not accepting SSL
Hi.
I'm playing with Apache on Fedora 20, which comes with v2.4.10. I've got the server up and running just fine and the default site works with and without SSL.
Now, I want to set up a Virtualhost. This Virtualhost works fine. But when I go to set it up for SSL, I get no config errors or any feedback and the default site appears under https.
Yes, https://mysite.net does work - but it doesn't go to https://mysite.net. It displays the default web page for the server. When I first installed apache, I commented out the contents of welcome.conf and made the default page /var/www/html/index.html.
I set up my certificate and tested this via url. At this point, both http://mysite.net and https://mysite.net both displayed /var/www/html/index.html.
Then, I added a line to the bottom of httpd.conf to include virtualhost files: IncludeOptional conf/*.vhost
and then created mysite.vhost in the conf directory. The pastebin link I posted is the contents of mysite.vhost. Then, I reloaded the config file - and even restarted the server several times just to be sure. Now, http://mysite.net hits the desired page. https://mysite.net hits /var/www/html/index.html.
I didn't stop there because I'm going to have more virtualhosts. This isn't working the way I expect it to. The base page defined in httpd.conf should be separate from my first virtualhost. That's the problem.
Also, http://localhost should display /var/www/html/index.html. But it displays /web/mysite.
I set up httpd.conf to display /var/www/html/index.html. I confirmed that it did, even with SSL. Then, I wanted to add virtual hosts. It's not acting in any way like it should.
The problem with using named virtual hosts over SSL is that named virtual hosts rely on knowing what hostname is being requested, and the request can't be read until the SSL connection is established. The ordinary behavior, then, is that the SSL connection is set up using the configuration in the default virtual host for the address where the connection was received.
While Apache can renegotiate the SSL connection later after seeing the hostname in the request (and does), that's too late to pick the right server certificate to use to match the request hostname during the initial handshake, resulting in browser warnings/errors about certificates having the wrong hostname in them.
And while it's possible to put multiple hostnames in a modern certificate and just use that one certificate in the default vhost, there are many hosting providers who are hosting far too many sites on a single address for that to be practical for them.
Quote:
As a rule, it is impossible to host more than one SSL virtual host on the same IP address and port. This is because Apache needs to know the name of the host in order to choose the correct certificate to setup the encryption layer. But the name of the host being requested is contained only in the HTTP request headers, which are part of the encrypted content. It is therefore not available until after the encryption is already negotiated. This means that the correct certificate cannot be selected, and clients will receive certificate mismatch warnings and be vulnerable to man-in-the-middle attacks.
In reality, Apache will allow you to configure name-based SSL virtual hosts, but it will always use the configuration from the first-listed virtual host (on the selected IP address and port) to setup the encryption layer. In certain specific circumstances, it is acceptable to use a single SSL configuration for several virtual hosts. In particular, this will work if the SSL certificate applies to all the virtual hosts. For example, this will work if:
All the VirtualHosts are within the same domain, eg: one.example.com and two.example.com.
You have a wildcard SSL certificate for that domain (one where the Common Name begins with an asterix: i.e *.example.com)
Also, http://localhost should display /var/www/html/index.html. But it displays /web/mysite.
I set up httpd.conf to display /var/www/html/index.html. I confirmed that it did, even with SSL. Then, I wanted to add virtual hosts. It's not acting in any way like it should.
When virtual hosts are set, httpd reads and matches them before the defined host in main config, see:
Quote:
A ServerName should be specified inside each <VirtualHost> block. If it is absent, the ServerName from the "main" server configuration will be inherited.
When a request is received, the server first maps it to the best matching <VirtualHost> based on the local IP address and port combination only. Non-wildcards have a higher precedence. If no match based on IP and port occurs at all, the "main" server configuration is used.
If multiple virtual hosts contain the best matching IP address and port, the server selects from these virtual hosts the best match based on the requested hostname. If no matching name-based virtual host is found, then the first listed virtual host that matched the IP address will be used. As a consequence, the first listed virtual host for a given IP address and port combination is default virtual host for that IP and port combination.
Sorry - I replied too hastily and needed to go through all of those links with a fine-toothed comb. I had run across them before, but I figured they didn't apply to me because everything had worked before in Apache 2.2.
I still don't know what I'm doing wrong.
Ok, one step at a time. In http.conf, I have a line: "Listen *:80"
When I added "Listen *:443" and then restarted, apache wouldn't start. "systemctl -l status httpd.service" says "(98)Address already in use...could not bind to address [::]:443". When "Listen *:443" is removed - I can reach the base site in http.conf via https. I guess that is unrelated.
I've tried adding "SSLStrictSNIVHostCheck" on and off in httpd.conf and that didn't seem to change anything. I really don't know what I'm missing.
Ok, one step at a time. In http.conf, I have a line: "Listen *:80"
When I added "Listen *:443" and then restarted, apache wouldn't start. "systemctl -l status httpd.service" says "(98)Address already in use...could not bind to address [::]:443". When "Listen *:443" is removed - I can reach the base site in http.conf via https. I guess that is unrelated.
I don't think you can use wildcard for Listen directive
(didn't see this ability in apache docs)
You either set Listen to a specific port like "Listen 80" or one IP and port like "Listen 192.168.0.1:80"
When you added *:443 in main config, the virtual host with *:443 was set?
Quote:
Multiple Listen directives for the same ip address and port will result in an Address already in use error message.
Ok, I've got it working. Sorry it took me so long to reply - real-life you know...
Anyway, it basically boiled down to virtualhost configuration. I haven't checked, but Centos 6.5 must be shipping with significantly newer versions of Apache. I had originally installed CentOS 6.2 on my old machine and got it up and running years ago and updated to 6.5 over time. Now, I'm installing 6.5 fresh - and there's probably where the problem was. I'm not exactly sure what the problem actually was, but I'll post my results in case it might help someone.
SNI is installed/configured/used by default. Just install PHP and mod_ssl and you're good to go. At this point, there have been some significant configuration syntax changes which broke my previous config file and vhost definitions. So, I started from scratch and added things in, one feature at a time.
First thing, I commented out welcome.conf. In http.conf, I left the default document root alone. Then, I added any ports to be listened to like so:
Code:
Listen 80
Since SSL is already installed and configured, port 443 does not need to be referenced here. Maybe someone more knowledgable knows just why. I also added ports for any IP virtual hosts I wanted to use. While troubleshooting, I set ServerName to "localhost". I don't know if this made any difference.
At the bottom of httpd.conf, I added the following lines:
Code:
NameVirtualHost *:80
NameVirtualHost *:443
SSLStrictSNIVhostCheck off
And finally, just to automatically add vhost files I dump in there:
Code:
Include conf/vhost_*
Now, comes the virtual host definitions. This definition includes using SSL:
I've placed the virtual host definitions in their own files, so there's no other directives required above. Finally, this is what my IP virtual hosts look like:
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
