[solved] How set up per-IP SSL certificates correctly (i.e., no SNI)?

[donnerstag]

Hi all,

 

I have trouble setting up multiple SSL websites (vhosts) using froxlor.

 

I deliberately want to use unique IP addresses (so it works with each and every browser). That's why I don't want to use apache's

SNI feature (that would allow per-domain certificates).

 

Now my problem seems to boil down to this:

 

No matter if I check the "Create NameVirtualHost statement" option "in IPs and Ports" or not, froxlor will always generate

files like:

 

/etc/apache2/sites-enabled/10_froxlor_ipandport_ww.xx.yy.zz.443.conf

 

containing:

 

<VirtualHost ww.xx.yy.zz:443>

 ServerName default.server.name <= this is the default hostname, as set on the "Settings" page, not associated with the IP address ww.xx.yy.zz
 SSLEngine On
 SSLCertificateFile /etc/ssl/certs/apache/foobar.crt <= this is the certificate set up in "IPs and Ports" for this very IP address

</VirtualHost>

 

When I uncheck "create nameVirtualHost statement", then this file will cause an apache warning:

[warn] VirtualHost #:443 overlaps with VirtualHost #:443, the first has precedence, perhaps you need a NameVirtualHost directive

 

When I check "create nameVirtualHost statement", then non-SNI aware browsers will load the wrong certificate and warn about that.

 

How can I stop froxlor creating VirtualHost containers for the default server name and the SSL specific IPs?

 

I started a similar thread on debianforum.de and received useful answers, but got kind of stuck at this point. I will summarize on both forums.

 

Thanks all!

do.

[d00p]

The trick is:

 

- add separat IP Address

- check "create virtual host"

- uncheck "create servername"

- put "ServerName your-ssl-domain.tld" in custom vhost content.

 

Voil?

[donnerstag]

Dankesch?n! Now I get the proper certificate for each Domain/IP combination. Only now, the document roots are not correct anymore, i.e., firefox browser will load the default server page (/var/www/default) for each site.

 

I assume I have a mischievous misconfig in some other place, let me list it all:

 

Let the two ssl websites be

A. ssl.wibble.org (IP: 11.22.33.44)

B. fred.wobble.org (IP: 11.22.33.45)

 

Domains menu -- this is what I configured there:

a. for wibble.org:

Domain: wibble.org

Alias for: None
This domain is subdomain: No subdomain
Associated: 2 Alias domains (other tlds, i.e., wibble.com, wibble.net)
Document root: /var/customers/webs/wibble/
IP/Port: 11.22.33.10
SSL: no
SSL Redirect: no
SSL IP/Port: 11.22.33.44:443
Add a www. ServerAlias: yes
Apply specialsettings to *: yes

b. for ssl.wibble.org:

Domain: ssl.wibble.org
Alias for: None
This domain is subdomain: No subdomain
Associated: 0 Alias domains
Document root: /var/customers/webs/wibble/
IP/Port: 11.22.33.44:80
SSL: yes
SSL Redirect: yes
SSL IP/Port: 11.22.33.44:443
Add a www. ServerAlias: no
Apply specialsettings to *: yes

c. for fred.wobble.org (I serve only this subdomain, hence no configuration for wobble.org):

Domain: fred.wobble.org
Alias for: None
This domain is subdomain: No subdomain
Associated: 0 Alias domains
Document root: /var/customers/webs/wobble/
IP/Port: 11.22.33.10
SSL: yes
SSL Redirect: yes
SSL IP/Port: 11.22.33.45:443
Add a www. ServerAlias: yes
Apply specialsettings to *: yes

 

IPs and Ports menu:

IP: 11.22.33.44
Port: 443
Create Listen statement: no
Create NameVirtualHost statement: yes
Create vHost container: yes
Custom docroot: None
Own vHost settings: ServerName ssl.wibble.org
Create ServerName statement: no
Is this an SSL Port: yes

IP: 11.22.33.44
Port: 80
Create Listen statement: no
Create NameVirtualHost statement: yes
Create vHost container: yes
Custom docroot: None
Own vHost settings:
Create ServerName statement: yes
Is this an SSL Port: no

I spare you 11.22.33.45 (they are exact copies of the above)

The certificate paths are configured here (in IPs and Ports, for each IP:443).

 

To summarize, this configuration gives me

- correct certificates on all browsers, also non-SNI

- If I set the "create NameVirtualHost statement" to "no", apache warnings like this:

[warn] VirtualHost 11.22.33.44:443 overlaps with VirtualHost 11.22.33.44:443, the first has precedence, perhaps you need a NameVirtualHost directive

- all browsers show only the default website ("It works!")

 

 

Can you help with that? Thanks for any hints or pointers.

do.

[donnerstag]

Let me add, I have a solution that works:

 

Using the above configuration, but adding the same docroot entry from "Domains" also as "custom document root" on "IPs and Ports", will play everything cool.

Firefox and wget/libcurl, no certificate warnings, correct websites loaded.

 

Can I mark the thread as solved already? I'm open for all kinds of suggestions on how to do it better or more easily.

 

thanks all, thanks d00p,

donnerstag

[d00p]

I think, currently that's the best way to do it with froxlor

[donnerstag]

OK thanks!

 

I'll cross-summarize to this thread on debianforum.de:

http://debianforum.de/forum/viewtopic.php?f=8&t=149262

 

tsch?s,

do.