Name-based setup with SSL defaulting to DocumentRoot "It Works"

molofishy · Jan 24, 2022

I've followed the instructions here.

The first step (setting up the virtual hosts) works; however as soon as I switch to the second step (the SSL part); both URLs show the default Apache text ("It works").

The contents of var/log/httpd-error.log shows:

Code:

[Mon Jan 24 16:53:54.739177 2022] [ssl:warn] [pid 4265] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Mon Jan 24 16:53:54.740525 2022] [mpm_prefork:notice] [pid 4265] AH00163: Apache/2.4.48 (FreeBSD) OpenSSL/1.1.1k-freebsd configured -- resuming normal operations
[Mon Jan 24 16:53:54.740539 2022] [core:notice] [pid 4265] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT'

apachectl -S:

Code:

VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server www.example1.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:45)
         port 443 namevhost www.example1.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:45)
                 alias example1.com
         port 443 namevhost www.example2.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:57)
                 alias example2.com
ServerRoot: "/usr/local"
Main DocumentRoot: "/usr/local/www/apache24/data"
Main ErrorLog: "/var/log/httpd-error.log"
Mutex default: dir="/var/run/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "/var/run/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www" id=80
Group: name="www" id=80

Do I need to port forward 443?

SirDice · Jan 24, 2022

DocumentRoot is set to the default website. You need to configure the SSL website completely, the same way you configured it for the non-SSL 'normal' website. It currently appears you only configured the certificates for that site but never configured the rest.

molofishy · Jan 24, 2022

This is the contents of httpd-vhosts.conf:

Code:

<VirtualHost *:443>
    ServerName www.example1.com
    ServerAlias example1.com
    DocumentRoot "/home/me/public_html/example1"
    ErrorLog "/var/log/dummy-host.example.com-error_log"
    CustomLog "/var/log/dummy-host.example.com-access_log" common
    SSLEngine on
    SSLCertificateFile /usr/local/etc/letsencrypt/live/www.example1.com/fullchain.pem
    SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/www.example1.com/privkey.pem
</VirtualHost>


<VirtualHost *:443>
    ServerName www.example2.com
    ServerAlias example2.com
    DocumentRoot "/home/me/public_html/example2"
    ErrorLog "/var/log/httpd-error.log"
    CustomLog "/var/log/httpd-ssl_request.log" combined
    SSLEngine on
    SSLCertificateFile /usr/local/etc/letsencrypt/live/www.example1.com/fullchain.pem
    SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/www.example1.com/privkey.pem
</VirtualHost>

Both ServerNames are reading from the same certificate files. Is that an issue?

SirDice · Jan 24, 2022

The CN in the certificate defines for which site it's used. You can have more than one URL on a certificate, so it's not wrong to configure it this way IF that certificate is indeed intended to be used on both sites. Doesn't explain why Apache thinks the webroot is /usr/local/www/apache24/data though. Did you restart Apache after making these changes?

Also note that you'll need to allow access to those /home/me/public_html/example2 and /home/me/public_html/example1 directories. By default Apache has locked down everything.

You're going to need to add something like this:

Code:

<Directory /home/me/public_html/example1>
  Require all granted
</Directory>

molofishy · Jan 24, 2022

No luck unfortunately, with:

Code:

<VirtualHost *:443>
    ServerName www.example1.com
    ServerAlias example1.com
    DocumentRoot "/home/me/public_html/example1"
    ErrorLog "/var/log/dummy-host.example.com-error_log"
    CustomLog "/var/log/dummy-host.example.com-access_log" common
    SSLEngine on
    SSLCertificateFile /usr/local/etc/letsencrypt/live/www.example1.com/fullchain.pem
    SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/www.example1.com/privkey.pem
<Directory /home/me/public_html/example1>
    Require all granted
</Directory>
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example2.com
    ServerAlias example2.com
    DocumentRoot "/home/me/public_html/example2"
    ErrorLog "/var/log/httpd-error.log"
    CustomLog "/var/log/httpd-ssl_request.log" common
    SSLEngine on
    SSLCertificateFile /usr/local/etc/letsencrypt/live/www.example1.com/fullchain.pem
    SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/www.example1.com/privkey.pem
<Directory /home/me/public_html/example2>
    Require all granted
</Directory>
</VirtualHost>

The output of apachectl -S is same as I posted about

Seems it may not be possible?

SSL/TLS Strong Encryption: FAQ - Apache HTTP Server Version 2.2

But if not, I'm not sure what the first link I posted (here) was talking about...

anlashok · Jan 24, 2022

molofishy said:
Seems it may not be possible?
SSL/TLS Strong Encryption: FAQ - Apache HTTP Server Version 2.2 But if not, I'm not sure what the first link I posted (here) was talking about...

It might help if you look at the documentation for the version of Apache you are using, 2.4, not the much older 2.2 version.

molofishy · Jan 25, 2022

The documentation for Apache 2.4, says the same thing on this topic.
See "Why can't I use SSL with name-based/non-IP-based virtual hosts?"
and "Why is it not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?"

Seems I'll need to use Server Name Indication (SNI).

anlashok · Jan 25, 2022

Are you redirecting from the :80 to the :443 ports in your virtual host config?. I.e is it showing "It works" because its not redirecting example1.com:80 to example1.com:443

This config works for me.

Code:

<VirtualHost xxx.xxx.xxx.xxx:80>
    ServerName www.example1.com
    Redirect "/" "https://www.example1.com/"
</VirtualHost>
<VirtualHost xxx.xxx.xxx.xxx:443>
    ServerAdmin user@example1.com
    DocumentRoot "/usr/local/www/apache24/data/example1.com/htdocs/www/"
    ServerName www.example1.com
    SSLEngine on
    SSLCertificateFile /usr/local/etc/letsencrypt/live/example1.com/fullchain.pem
    SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/example1.com/privkey.pem
    <Directory "/usr/local/www/apache24/data/example1.com/htdocs/www/">
        Require all granted
    </Directory>
</VirtualHost>

<other example1.com virtualhost subdomains using the same cert file>

<VirtualHost xxx.xxx.xxx.xxx:80>
    ServerName www.example2.com
    Redirect permanent "/" "https://www.example2/"
</VirtualHost>
<VirtualHost xxx.xxx.xxx.xxx:443>
    ServerAdmin user@example2.com
    DocumentRoot "/usr/local/www/apache24/data/example2.com/htdocs/www/"
    ServerName www.example2.com
    SSLEngine on
    SSLCertificateFile /usr/local/etc/letsencrypt/live/example2.com/fullchain.pem
    SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/example2.com/privkey.pem
    <Directory "/usr/local/www/apache24/data/example2.com/htdocs/www/">
        require all granted
    </Directory>
</VirtualHost>

apachectl -S gives this output

Code:

VirtualHost configuration:
xxx.xxx.xxx.xxx:80     is a NameVirtualHost
         default server www.example1.com (/usr/local/etc/apache24/extra/example1.com.vhosts.conf:30)
         port 80 namevhost www.example1.com (/usr/local/etc/apache24/extra/example1.com.vhosts.conf:30)
         port 80 namevhost sub2.example1.com (/usr/local/etc/apache24/extra/example1.com.vhosts.conf:70)
         port 80 namevhost sub3.example1.com (/usr/local/etc/apache24/extra/example1.com.vhosts.conf:169
         port 80 namevhost www.example2.com (/usr/local/etc/apache24/extra/example2.vhosts.conf:34)
xxx.xxx.xxx.xxx:443    is a NameVirtualHost
         default server www.example1.com (/usr/local/etc/apache24/extra/example1.com.vhosts.conf:34)
         port 443 namevhost www.example1.com (/usr/local/etc/apache24/extra/example1.com.vhosts.conf:34)
                 alias example1.com
         port 443 namevhost sub2.example1.com (/usr/local/etc/apache24/extra/example1.com.vhosts.conf:74)
         port 443 namevhost sub3.example1.com (/usr/local/etc/apache24/extra/example1.com.vhosts.conf:173)
         port 443 namevhost www.example2.com (/usr/local/etc/apache24/extra/example2.com.vhosts.conf:38)
ServerRoot: "/usr/local"
Main DocumentRoot: "/usr/local/www/apache24/data/"
Main ErrorLog: "/var/log/httpd-error.log"
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/" mechanism=default
Mutex ssl-stapling-refresh: using_defaults
Mutex rewrite-map: using_defaults
PidFile: "/var/run/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www" id=80
Group: name="www" id=80

From the Apache24 FAQ: Note that if you have a wildcard SSL certificate, or a certificate that has multiple hostnames on it using subjectAltName fields, you can use SSL on name-based virtual hosts without further workarounds.

My certificate files do make use of subjectAltName fields, and both domains are served from the same ip address

SirDice · Jan 25, 2022

anlashok said:
My certificate files do make use of subjectAltName fields

This needs to always be set nowadays, even if you don't use alternate names. At the very least it has to contain the same hostname as the CN of the certificate.

FAQ/subjectAltName - CAcert Wiki

molofishy · Jan 25, 2022

anlashok - I feel like we're getting closer.
I've redirected.

httpd-vhosts.conf:

Code:

Listen 443
<VirtualHost *:80>
    ServerName www.example1.com
    Redirect "/" "https://www.example1.com/"
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example1.com
    ServerAlias example1.com
    DocumentRoot "/home/me/public_html/example1"
    ErrorLog "/var/log/dummy-host.example.com-error_log"
    CustomLog "/var/log/dummy-host.example.com-access_log" common
    SSLEngine on
    SSLCertificateFile /usr/local/etc/letsencrypt/live/www.example1.com/fullchain.pem
    SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/www.example1.com/privkey.pem
<Directory "/home/me/public_html/example1">
    Require all granted
    Options All
    AllowOverride All
</Directory>
</VirtualHost>


<VirtualHost *:80>
    ServerName www.example2.com
    Redirect "/" "https://www.example2.com/"
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example2.com
    ServerAlias example2.com
    DocumentRoot "/home/me/public_html/test_html"
    ErrorLog "/var/log/httpd-error.log"
    CustomLog "/var/log/httpd-ssl_request.log" common
    SSLEngine on
    SSLCertificateFile /usr/local/etc/letsencrypt/live/www.example1.com/fullchain.pem
    SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/www.example1.com/privkey.pem
<Directory "/home/me/public_html/example2">
    Require all granted
    Options All
    AllowOverride All
</Directory>
</VirtualHost>

apachectl -S:

Code:

VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server www.example1.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:43)
         port 80 namevhost www.example1.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:43)
         port 80 namevhost www.example2.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:64)
*:443                  is a NameVirtualHost
         default server www.example1.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:47)
         port 443 namevhost www.example1.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:47)
                 alias example1.com
         port 443 namevhost www.example2.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:68)
                 alias example2.com
ServerRoot: "/usr/local"
Main DocumentRoot: "/usr/local/www/apache24/data"
Main ErrorLog: "/var/log/httpd-error.log"
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www" id=80
Group: name="www" id=80

However when I navigate to the sites in my browser, I see "This site can’t be reached. www.example1.com took too long to respond"

anlashok · Jan 25, 2022

Do you get the same timeout error if you go to https://www.example.com:80 and https://www.example.com:443 ?

What shows up the various Apache error and access logs now, it should have something to show that your page request was received in access.log and any errors dealing with the request in the other one. I assume you have something in those directories to be served.

edit:
and any firewall rules are set to allow both http and https ports to be forwarded

molofishy · Jan 26, 2022

The error from https://www.example1.com:80 is:

Code:

This site can’t provide a secure connection
www.example1.com sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

The error from https://www.example1.com:443 and https://www.example1.com is:

Code:

This site can’t be reached
www.example1.com took too long to respond.
Try:
Checking the connection
Checking the proxy and the firewall

ERR_CONNECTION_TIMED_OUT

Multiple devices get the same result, using different browsers.

EDIT: Looks like my port 443 is closed on my IP. Yours must be open? You can check here.
EDIT - Finally works. Just needed to forward port 443 on my router - now I've got the lock symbol (https) on my site!

Name-based setup with SSL defaulting to DocumentRoot "It Works"

molofishy

SirDice

Administrator

molofishy

SirDice

Administrator

molofishy

anlashok

molofishy

anlashok

SirDice

Administrator

molofishy

anlashok

molofishy