Multiple SSL name-based virtual hosts on one IP address and port


I want to configure SSL on the same IP and port using SNI (or it can be a different port), but I am unable to instruct Apache to deliver the SSL certificate of the domain requested.

It delivers the default site's certificate. I am unable to debug the issue.

In the access logs it shows the default domain name, however the request is for the other domain.

E.g. I ask for site1.com, then site1.com opens and it delivers site1.com; however, if I ask for site2.com it delivers the SSL certificate of site1.com and site2.com is redirected to site1.com.

If I add domainname:443 instead of *:443, then the browser gives a 241 redirect error, which is as follows:

Misdirected Request The client needs a new connection for this request as the requested host name does not match the Server Name Indication (SNI) in use for this connection.

I am listening on ports 80 and 443 in /etc/apache2/ports.conf. I have installed the SSL mod using:

apt-get install libapache2-mod-ssl
a2enmod ssl

I am using Ubuntu Server Bionic (18) with the latest apache2 version and OpenSSL.

I have consulted multiple sources; however, following these links did not resolve my problem:

Digicert.com

memset.com

digitalocean.com

apache.org

Techrepublic

Tech-stuff.net

SSLStrictSNIVHostCheck on

<IfModule mod_ssl.c>

    <VirtualHost *:443>

            ServerAdmin [email protected]
            ServerName site1.com/
            ServerAlias www.site1.com/

            SSLEngine on
            SSLCertificateFile /etc/apache2/ssl/site1.com/certificate.crt
            SSLCertificateKeyFile /etc/apache2/ssl/site1.com/private.key
            SSLCertificateChainFile /etc/apache2/ssl/site1.com/ca_bundle.crt



            DocumentRoot /var/www/site1.com/public_html

            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
</IfModule>




<VirtualHost *:80>

    ServerName site1.com

    ServerAlias www.site1.com

    DocumentRoot /var/www/site1.com/public_html

    Redirect permanent / https://site1.com/

</VirtualHost>


<IfModule mod_ssl.c>

    <VirtualHost *:443>

            ServerAdmin [email protected]
            ServerName site2.com/

            ServerAlias www.site2.com/

            SSLEngine on
            SSLCertificateFile /etc/apache2/ssl/site2.com/certificate.crt
            SSLCertificateKeyFile /etc/apache2/ssl/site2.com/private.key
            SSLCertificateChainFile /etc/apache2/ssl/site2.com/ca_bundle.crt



            DocumentRoot /var/www/site2.com/public_html

            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
</IfModule>


<VirtualHost *:80>

    ServerName site2.com

    ServerAlias www.site2.com

    DocumentRoot /var/www/site2.com/public_html

    Redirect permanent / https://site2.com/

</VirtualHost>
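
An added illustration, not part of the original question or answers: the Python sketch below parses a constructed config that mirrors the question's two *:443 vhosts and models name-based vhost selection in simplified form. It assumes Apache compares the requested host name against ServerName/ServerAlias values as written (so a value with a trailing slash never matches) and that the first vhost listed for an address:port is the default when nothing matches; the function names are hypothetical.

```python
import re

# Constructed sample mirroring the question's two *:443 vhosts (SSL lines omitted).
SAMPLE_CONF = """\
<VirtualHost *:443>
    ServerName site1.com/
    ServerAlias www.site1.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName site2.com/
    ServerAlias www.site2.com/
</VirtualHost>
"""

def parse_vhosts(conf):
    """Return [(address, [ServerName and ServerAlias values])] in file order."""
    vhosts = []
    blocks = re.findall(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf, re.S | re.I)
    for addr, body in blocks:
        names = []
        for line in body.splitlines():
            parts = line.split()
            if parts and parts[0].lower() in ("servername", "serveralias"):
                names.extend(parts[1:])
        vhosts.append((addr.strip(), names))
    return vhosts

def bad_names(vhosts):
    """Names that still contain '/' once an optional scheme:// prefix is removed."""
    return [n for _, names in vhosts for n in names
            if "/" in re.sub(r"^[a-z]+://", "", n, flags=re.I)]

def select_vhost(vhosts, addr, host):
    """Assumed, simplified model: the first vhost on addr whose names contain host
    wins; with no match the first vhost listed for addr is the default.
    Ignores ServerAlias wildcards and an optional :port in ServerName."""
    candidates = [i for i, (a, _) in enumerate(vhosts) if a == addr]
    for i in candidates:
        if host.lower() in (n.lower() for n in vhosts[i][1]):
            return i
    return candidates[0]

if __name__ == "__main__":
    broken = parse_vhosts(SAMPLE_CONF)
    fixed = parse_vhosts(SAMPLE_CONF.replace("/\n", "\n"))  # drop the trailing slashes
    print("suspicious names:", bad_names(broken))
    print("site2.com as posted ->", select_vhost(broken, "*:443", "site2.com"))
    print("site2.com, slashes removed ->", select_vhost(fixed, "*:443", "site2.com"))
```

Index 0 is the first-listed (default) vhost, whose certificate is the one a client would receive under this model.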

There are 2 answers

6
Bogdan Stoica On

In order to properly configure your Apache server to have multiple SSL virtual hosts using the same public IP address, you should follow these steps:

Edit your httpd.conf or apache2.conf file and check if you have the entries below:

NameVirtualHost *:80
NameVirtualhost *:443

Then for all your virtual hosts, replace

<VirtualHost *:80> with <VirtualHost YOUR_SERVER_PUBLIC_IP:80> 

and

<VirtualHost *:443> with <VirtualHost YOUR_SERVER_PUBLIC_IP:443>

Restart apache and you should be good to go!

Be sure that there is no other entry or config file with a <VirtualHost *:443> definition. All definitions should contain the actual server IP address, otherwise you'll have exactly the same issue.

0
John Zoetebier On

In VirtualHost domain_name:443, the IP of domain_name is matched with the source IP address of the incoming request. This is important to understand, as the IP address of the incoming request is different when the Apache server is standalone or behind a proxy server! Behind a proxy server, the IP address is the IP address of the origin server.