Question

I get a certificate from Gandi for a domain www.mondomaine.fr, but for sql.mondomaine.fr I wanted to use a self-signed SSL certificate.

If I activate sql.mondomaine.fr, www.mondomaine.fr uses the self-signed certificate instead of Gandi's.

If I deactivate sql., everything works fine.

How can I manage the use of different certificates?

It seems that the first VirtualHost configuration is taken for every SSL VirtualHost.

Thank you for your help.

Here is my configuration:

For PHPMyAdmin:

<VirtualHost *:443>
    # Path to the web data
    DocumentRoot /usr/share/phpmyadmin

    ServerName sql.mondomaine.fr

    SSLEngine On
    # No SSLCertificateKeyFile is given, so phpmyadmin.pem is assumed to
    # hold both the self-signed certificate and its private key
    SSLCertificateFile /etc/apache2/ssl/phpmyadmin.pem
</VirtualHost>

For mondomaine.fr:

<VirtualHost *:443>
    ServerName www.mondomaine.fr
    DocumentRoot /var/www/mondomaine/
    CustomLog /var/log/apache2/secure_access.log combined

    SSLEngine on
    SSLCertificateFile /etc/ssl/mondomaine.fr.crt
    SSLCertificateKeyFile /etc/ssl/mondomaine.fr.key
    SSLCACertificateFile /etc/ssl/GandiStandardSSLCA.pem
    SSLVerifyClient None
</VirtualHost>

The configuration is correct, because if the first VirtualHost read is the one with phpmyadmin.pem, mod_ssl uses that one, and if the first VirtualHost is the one with mondomaine.fr.crt, Apache uses that one.


Solution

You're running up against a general problem with HTTP over SSL - when a client connects, it specifies which host it wants to connect to using the Host: HTTP header, but that only comes after the SSL handshake (when the certificate is presented) has completed. Recent versions of TLS support extensions (specified in RFC 4366) which allow the client to specify what host it is intending to connect to during the SSL handshake, with the specific intent of supporting vhosts; to quote the RFC:

""" TLS does not provide a mechanism for a client to tell a server the name of the server it is contacting. It may be desirable for clients to provide this information to facilitate secure connections to servers that host multiple 'virtual' servers at a single underlying network address. """

According to Wikipedia, recent versions of Firefox, Opera, IE, Chrome, and Safari support this extension; other clients would still not send the extension, and you're out of luck there. You also have to use at least TLS 1.1 to enable extensions support.

There is some documentation on how to set this up with Apache; you may have to rebuild OpenSSL and/or Apache with specific options, depending on your local setup.

OTHER TIPS

It depends on how you created your certificate. If you bought it only for the www subdomain, it won't work for sql. What you need to do is make it allow any subdomain, but AFAIK those certificates are more expensive.

On the other hand, you can use your own certificate; you only need to be sure about what you are putting in when you create your virtualhost:

<VirtualHost XXX.XXX.XXX.XXX:443>
 ServerName www.mondomaine.fr
 # Gandi's certificate
</VirtualHost>

<VirtualHost XXX.XXX.XXX.XXX:443>
 ServerName sql.mondomaine.fr
 # your own certificate stuff
</VirtualHost>
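To check the behaviour the accepted answer describes (which certificate the server hands out with and without the server_name extension) and the coverage question raised in the other answer (whether the www certificate also covers sql, or whether a wildcard does), here is an added Python script that is not part of either answer. It drives the openssl CLI, which it assumes is installed (1.1.1 or later for -noservername and -ext); the hostnames are the ones from the question.

```python
import re
import subprocess
import sys

def presented_cert(host, port=443, sni=True):
    """PEM leaf cert the server presents. sni=False omits the server_name
    extension, as old clients do, so Apache falls back to its first *:443
    VirtualHost. Assumes OpenSSL >= 1.1.1 (for -noservername)."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}"]
    cmd += ["-servername", host] if sni else ["-noservername"]
    out = subprocess.run(cmd, input="", capture_output=True, text=True, timeout=10).stdout
    m = re.search(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", out, re.S)
    return m.group(0) if m else None

def cert_names(pem):
    """Subject CN and DNS SANs of a PEM cert, via `openssl x509`."""
    cmd = ["openssl", "x509", "-noout", "-subject", "-ext", "subjectAltName"]
    return parse_names(subprocess.run(cmd, input=pem, capture_output=True, text=True).stdout)

def parse_names(x509_text):
    """Parse `openssl x509 -subject -ext subjectAltName` output into
    (common_name, [dns_sans]); handles both 'CN = x' and '/CN=x' styles."""
    cn = re.search(r"CN\s*=\s*([^,/\n]+)", x509_text)
    return (cn.group(1).strip() if cn else None), re.findall(r"DNS:([^,\s]+)", x509_text)

def name_matches(hostname, pattern):
    """Exact match, or a wildcard that is the whole leftmost label and stands for
    exactly one label: *.mondomaine.fr covers sql.mondomaine.fr, not mondomaine.fr."""
    hostname, pattern = hostname.lower(), pattern.lower()
    if pattern == hostname:
        return True
    h, p = hostname.split("."), pattern.split(".")
    return p[0] == "*" and len(p) > 2 and len(h) == len(p) and h[1:] == p[1:]

def cert_covers(names, hostname):
    """True when the SAN list (or the CN if there are no SANs) covers hostname,
    i.e. a browser reaching this vhost would not report a name mismatch."""
    cn, sans = names
    return any(name_matches(hostname, n) for n in sans or ([cn] if cn else []))

if __name__ == "__main__":  # usage: python3 sni_check.py www.mondomaine.fr sql.mondomaine.fr
    for host in sys.argv[1:] or ["www.mondomaine.fr", "sql.mondomaine.fr"]:
        for sni in (True, False):
            pem = presented_cert(host, sni=sni)
            cn, sans = cert_names(pem) if pem else (None, [])
            print(f"{host:20} SNI={'on' if sni else 'off':<3} CN={cn} SAN={sans} "
                  f"covers_host={cert_covers((cn, sans), host)}")
```

A line with SNI=off whose CN is the other vhost's name is the symptom from the question: clients without the extension get whichever *:443 VirtualHost Apache loaded first.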
Licensed under: CC-BY-SA with attribution