Hello,
is Apache 2.2 which is part of the CentOS distribution capable of SNI?
I have troubles that are coming from server side (CentOS 6.8, Apache 2.2.15) just did 'yum update'
in /etc/httpd/conf/httpd.conf
I've the following
NameVirtualHost ipaddr:443
Include /etc/httpd/conf/vhosts/vhost-ssldom1-box.conf
Include /etc/httpd/conf/vhosts/vhost-ssldom2-box.conf
both 'vhost'-files are like this:
<VirtualHost ipaddr:443>
ServerAdmin webmaster@domain#.com
ServerName vhost.domain#.com:443
ServerAlias box.domain#.com:443
ServerAlias calcbox.domain#.com:443
ServerAlias proxybox.domain#.com:443
...
SSLEngine on
SSLStrictSNIVHostCheck on
SSLCertificateFile /etc/httpd/conf/ssl.crt/domain#-host.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/domain#-host.key
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/server-chain.crt
...
</VirtualHost>
only https://domain1.com/... works
https://domain2.com/... results in a certificate CN mismatch ...
what is missing in my config?
Thanks, Walter
It doesn't appear you have a ServerName or ServerAlias for the naked domains (sans subdomain), so they're both being answered by the first VirtualHost entry?
On 20.11.2016 18:33, David Nelson wrote:
> It doesn't appear you have a ServerName or ServerAlias for the naked domains (sans subdomain), so they're both being answered by the first VirtualHost entry?
this is not the problem
meant
https://box.domain1.com works but https://box.domain2.com results in 'Certificate name mismatch'
Thanks, Walter
It is solved, I don't know why but SNI works only with hosts that are declared with ServerName and not with ServerAlias
so I did the following ...
I made an include file that contained everything of the virtualhost except the ServerAdmin and ServerName declarations and did this:
<VirtualHost ipaddr:443>
ServerAdmin webmaster@domain#.com
ServerName vhost.domain#.com:443
Include /etc/httpd/conf/vhosts/vhost-ssldom#-box.incl
</VirtualHost>
<VirtualHost ipaddr:443>
ServerAdmin webmaster@domain#.com
ServerName box.domain#.com:443
Include /etc/httpd/conf/vhosts/vhost-ssldom#-box.incl
</VirtualHost>
<VirtualHost ipaddr:443>
ServerAdmin webmaster@domain#.com
ServerName calcbox.domain#.com:443
Include /etc/httpd/conf/vhosts/vhost-ssldom#-box.incl
</VirtualHost>
...
Greetings, Walter
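
An added example, not part of the thread and not Apache's own code: a small Python lint for the vhost layout discussed above. It flags ServerAlias values that carry a :port suffix (the documented ServerAlias syntax is host names only, while ServerName accepts an optional port) and models which certificate file an SNI host name would select. The sample config is constructed from the thread's placeholder names, and the matching model is an assumption stated in the code.

```python
import re

# Constructed sample using the thread's placeholder names; not a real config.
SAMPLE = """\
<VirtualHost ipaddr:443>
ServerName vhost.domain1.com:443
ServerAlias box.domain1.com:443
SSLCertificateFile /etc/httpd/conf/ssl.crt/domain1-host.crt
</VirtualHost>
<VirtualHost ipaddr:443>
ServerName vhost.domain2.com:443
ServerAlias box.domain2.com:443 calcbox.domain2.com
SSLCertificateFile /etc/httpd/conf/ssl.crt/domain2-host.crt
</VirtualHost>
"""

def parse_vhosts(text):
    """Collect ServerName, ServerAlias and SSLCertificateFile per <VirtualHost>."""
    vhosts, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if re.match(r"<VirtualHost\b", line, re.I):
            cur = {"name": None, "aliases": [], "cert": None}
        elif re.match(r"</VirtualHost>", line, re.I) and cur is not None:
            vhosts.append(cur)
            cur = None
        elif cur is not None and line and not line.startswith("#"):
            key, *args = line.split()
            if key.lower() == "servername" and args:
                cur["name"] = args[0]
            elif key.lower() == "serveralias":
                cur["aliases"] += args
            elif key.lower() == "sslcertificatefile" and args:
                cur["cert"] = args[0]
    return vhosts

def aliases_with_port(vhosts):
    """ServerAlias values carrying ':port'; the documented syntax is host names only."""
    return [a for vh in vhosts for a in vh["aliases"] if ":" in a]

def cert_for(sni_host, vhosts):
    """Certificate file of the vhost selected for an SNI host name.

    Assumptions of this model: the port is stripped from ServerName only,
    aliases are compared as written, and an unmatched name falls back to
    the first vhost listed for the address.
    """
    host = sni_host.lower()
    for vh in vhosts:
        server_name = (vh["name"] or "").split(":")[0].lower()
        if host == server_name or host in (a.lower() for a in vh["aliases"]):
            return vh["cert"]
    return vhosts[0]["cert"] if vhosts else None
```

In the sample, box.domain2.com matches no vhost and falls back to the first one, so it is served domain1's certificate, while the port-free alias calcbox.domain2.com selects domain2's certificate.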