[SOLVED] Wildcard SSL on Apache 2

I am trying to enable a wildcard SSL certificate for my domain. I have some existing subdomains, but currently only have an SSL certificate for www.domain.com. Previous and new SSL certificates are from GoDaddy.

Apache is not restarting with my updated virtual hosts file, and to further complicate things, I am using a High Availability setup to run two Linodes to run Apache+PHP. If I revert to my old virtual hosts file everything works fine. With the new one for handling the wildcard SSL, Apache does not start.

My (probably too complicated) existing virtual hosts file with SSL for only www.domain.com is:

NameVirtualHost 12.34.56.78:80
<VirtualHost 12.34.56.78:80>
    ServerAdmin help@domain.com
    ServerName www.domain.com
    ServerAlias domain.com
    DocumentRoot /srv/www/domain.com/public_html/
    ErrorLog /srv/www/domain.com/logs/error.log
    CustomLog /srv/www/domain.com/logs/access.log combined
</VirtualHost>

<IfModule mod_ssl.c>
NameVirtualHost 12.34.56.78:443
<VirtualHost 12.34.56.78:443>
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/www.domain.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/www.domain.com.key
    SSLCACertificateFile /etc/apache2/ssl/gd_bundle.crt

    ServerAdmin help@domain.com
    ServerName www.domain.com
    ServerAlias domain.com
    DocumentRoot /srv/www/domain.com/public_html/
    ErrorLog /srv/www/domain.com/logs/error.log
    CustomLog /srv/www/domain.com/logs/access.log combined
</VirtualHost>
</IfModule>

<VirtualHost 12.34.56.78:80>
    ServerAdmin help@domain.com
    ServerName blog.domain.com
    DocumentRoot /srv/www/blog.domain.com/public_html/
    ErrorLog /srv/www/blog.domain.com/logs/error.log
    CustomLog /srv/www/blog.domain.com/logs/access.log combined
</VirtualHost>

<IfModule mod_ssl.c>
NameVirtualHost 12.34.56.78:443
<VirtualHost 12.34.56.78:443>
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/www.domain.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/www.domain.com.key
    SSLCACertificateFile /etc/apache2/ssl/gd_bundle.crt

    ServerAdmin help@domain.com
    ServerName blog.domain.com
    DocumentRoot /srv/www/blog.domain.com/public_html/
    ErrorLog /srv/www/blog.domain.com/logs/error.log
    CustomLog /srv/www/blog.domain.com/logs/access.log combined
</VirtualHost>
</IfModule>

<VirtualHost 12.34.56.78:80>
    ServerAdmin help@domain.com
    ServerName www-staging.domain.com
    ServerAlias *.www-staging.domain.com
    DocumentRoot /srv/www/www-staging.domain.com/public_html/
    ErrorLog /srv/www/www-staging.domain.com/logs/error.log
    CustomLog /srv/www/www-staging.domain.com/logs/access.log combined
</VirtualHost>

<IfModule mod_ssl.c>
NameVirtualHost 12.34.56.78:443
<VirtualHost 12.34.56.78:443>
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/www.domain.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/www.domain.com.key
    SSLCACertificateFile /etc/apache2/ssl/gd_bundle.crt

    ServerAdmin help@domain.com
    ServerName www-staging.domain.com
    ServerAlias *.www-staging.domain.com
    DocumentRoot /srv/www/www-staging.domain.com/public_html/
    ErrorLog /srv/www/www-staging.domain.com/logs/error.log
    CustomLog /srv/www/www-staging.domain.com/logs/access.log combined
</VirtualHost>
</IfModule>

<VirtualHost 12.34.56.78:80>
    ServerAdmin help@domain.com
    ServerName statistics.domain.com
    DocumentRoot /srv/www/statistics.domain.com/public_html/
    ErrorLog /srv/www/statistics.domain.com/logs/error.log
    CustomLog /srv/www/statistics.domain.com/logs/access.log combined
</VirtualHost>

<VirtualHost 12.34.56.78:80>
    ServerAdmin help@domain.com
    ServerName bugs.domain.com
    DocumentRoot /srv/www/bugs.domain.com/public_html/
    ErrorLog /srv/www/bugs.domain.com/logs/error.log
    CustomLog /srv/www/bugs.domain.com/logs/access.log combined
</VirtualHost>

The new simplified but malfunctioning virtual hosts file is:

NameVirtualHost 12.34.56.78:80
NameVirtualHost 12.34.56.78:443

<VirtualHost 12.34.56.78:80 12.34.56.78:443>
    ServerAdmin help@domain.com
    ServerName www.domain.com
    ServerAlias domain.com *.domain.com
    DocumentRoot /srv/www/domain.com/public_html/

    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/wildcard.domain.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/wildcard.domain.com.key
    SSLCACertificateFile /etc/apache2/ssl/gd_bundle.crt

    ErrorLog /srv/www/domain.com/logs/error.log
    CustomLog /srv/www/domain.com/logs/access.log combined
</VirtualHost>

<VirtualHost 12.34.56.78:80>
    ServerAdmin help@domain.com
    ServerName blog.domain.com
    DocumentRoot /srv/www/blog.domain.com/public_html/
    ErrorLog /srv/www/blog.domain.com/logs/error.log
    CustomLog /srv/www/blog.domain.com/logs/access.log combined
</VirtualHost>

<VirtualHost 12.34.56.78:80>
    ServerAdmin help@domain.com
    ServerName www-staging.domain.com
    ServerAlias *.www-staging.domain.com
    DocumentRoot /srv/www/www-staging.domain.com/public_html/
    ErrorLog /srv/www/www-staging.domain.com/logs/error.log
    CustomLog /srv/www/www-staging.domain.com/logs/access.log combined
</VirtualHost>

<VirtualHost 12.34.56.78:80>
    ServerAdmin help@domain.com
    ServerName statistics.domain.com
    DocumentRoot /srv/www/statistics.domain.com/public_html/
    ErrorLog /srv/www/statistics.domain.com/logs/error.log
    CustomLog /srv/www/statistics.domain.com/logs/access.log combined
</VirtualHost>

<VirtualHost 12.34.56.78:80>
    ServerAdmin help@domain.com
    ServerName bugs.domain.com
    DocumentRoot /srv/www/bugs.domain.com/public_html/
    ErrorLog /srv/www/bugs.domain.com/logs/error.log
    CustomLog /srv/www/bugs.domain.com/logs/access.log combined
</VirtualHost>

My goal is to have all subdomains besides those listed above (www-staging, blog, bugs, statistics) be served from /srv/www/domain.com/public_html/. I have to this point been successful in setting this up, but accessing something like https://foo.domain.com/ gives an error in the browser because the SSL certificate is actually for www.domain.com.

In case this is helpful, the results from running crm_mon when switching virtual hosts files is:

============
Last updated: Tue Apr 12 22:51:25 2011
Stack: Heartbeat
Current DC: ha2 (57edf4bd-9450-42e3-80d0-5a185f693074) - partition with quorum
Version: 1.0.8-042548a451fce8400660f6031f4da6f0223dd5dd
2 Nodes configured, 1 expected votes
2 Resources configured.
============

Node ha1 (1854c494-070d-4862-9d4f-a005cc5a6202): standby
Online: [ ha2 ]

 Resource Group: WebServices
     ip1        (ocf::heartbeat:IPaddr2):       Started ha1
     ip1arp     (ocf::heartbeat:SendArp):       Started ha1
     fs_webfs   (ocf::heartbeat:Filesystem):    Started ha1
     apache2    (lsb:apache2):  Stopped
 Master/Slave Set: ms_drbd_webfs
     Masters: [ ha1 ]
     Slaves: [ ha2 ]

Failed actions:
    apache2_start_0 (node=ha2, call=31, rc=1, status=complete): unknown error
    apache2_start_0 (node=ha1, call=29, rc=1, status=complete): unknown error

Any suggestions or resources?

Thanks, Josh
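The browser error for https://foo.domain.com/ comes from certificate name matching, so it is worth knowing exactly which hostnames a `*.domain.com` certificate covers before rewriting the vhosts. The following is an added example (not from the thread) that applies the hostname matching rules browsers use (RFC 6125 section 6.4.3) to the hostnames appearing in the vhost config above; `domain.com` is the thread's placeholder for the real domain.

```python
"""Check which of a site's hostnames a certificate name covers.

Added example, not from the original thread. A '*' is only accepted as the
whole left-most label and matches exactly one label, so '*.domain.com'
covers 'foo.domain.com' but neither 'domain.com' nor
'x.www-staging.domain.com' (the latter is served by the ServerAlias
'*.www-staging.domain.com' in the thread's config).
"""


def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if a certificate subject/SAN name covers hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # Wildcard must be the entire left-most label and there must be at
    # least two labels after it (no '*.com'-style names).
    if cert_labels[0] != "*" or len(cert_labels) < 3:
        return False
    # One label per wildcard: label counts must be identical.
    if len(host_labels) != len(cert_labels):
        return False
    return host_labels[1:] == cert_labels[1:]


def covered_hosts(cert_names, hostnames):
    """Map each hostname to whether any name on the certificate covers it."""
    return {h: any(name_matches(c, h) for c in cert_names) for h in hostnames}


# Hostnames from the thread's vhosts, plus two that probe the wildcard's limits.
SITE_HOSTS = [
    "www.domain.com", "domain.com", "blog.domain.com", "www-staging.domain.com",
    "foo.domain.com", "test.www-staging.domain.com",
]

if __name__ == "__main__":
    # Old cert (www only), wildcard alone, wildcard plus the bare domain as a SAN.
    for cert in (["www.domain.com"], ["*.domain.com"], ["*.domain.com", "domain.com"]):
        print(cert)
        for host, ok in covered_hosts(cert, SITE_HOSTS).items():
            print(f"  {'OK  ' if ok else 'FAIL'} {host}")
```

Run it to see that the bare `domain.com` in the new `ServerAlias` is only covered if the certificate lists it as an additional name, and that nothing under `www-staging.domain.com` is covered by the wildcard at all.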

5 Replies

You're not getting the actual apache error; crm_mon is eating the apache error.

With the new config in place run apachectl -t (run syntax check for config files) and paste what the actual apache error is. It will probably tell you something meaningful about your virtual host config being wrong.

Also your existing setup looks a bit strange with regard to trying to do name-based virtual hosts with SSL. What does apachectl -S (dump vhost setting) show for your working config?

For the current Apache virtual hosts I get the following.

:/srv/www$ sudo apache2ctl -S
[Wed Apr 13 16:05:19 2011] [warn] NameVirtualHost 12.34.56.78:80 has no VirtualHosts
[Wed Apr 13 16:05:19 2011] [warn] NameVirtualHost 12.34.56.78:443 has no VirtualHosts
[Wed Apr 13 16:05:19 2011] [warn] NameVirtualHost 12.34.56.78:443 has no VirtualHosts
[Wed Apr 13 16:05:19 2011] [warn] NameVirtualHost 12.34.56.78:443 has no VirtualHosts
VirtualHost configuration:
12.34.56.78:80      is a NameVirtualHost
         default server www.domain.com (/etc/apache2/sites-enabled/www.domain.com:2)
         port 80 namevhost www.domain.com (/etc/apache2/sites-enabled/www.domain.com:2)
         port 80 namevhost blog.domain.com (/etc/apache2/sites-enabled/www.domain.com:28)
         port 80 namevhost www-staging.domain.com (/etc/apache2/sites-enabled/www.domain.com:52)
         port 80 namevhost statistics.domain.com (/etc/apache2/sites-enabled/www.domain.com:78)
         port 80 namevhost bugs.domain.com (/etc/apache2/sites-enabled/www.domain.com:86)
12.34.56.78:443     is a NameVirtualHost
         default server www.domain.com (/etc/apache2/sites-enabled/www.domain.com:13)
         port 443 namevhost www.domain.com (/etc/apache2/sites-enabled/www.domain.com:13)
         port 443 namevhost blog.domain.com (/etc/apache2/sites-enabled/www.domain.com:38)
         port 443 namevhost www-staging.domain.com (/etc/apache2/sites-enabled/www.domain.com:63)
wildcard NameVirtualHosts and _default_ servers:
*:80                   ha1.domain.com (/etc/apache2/sites-enabled/000-default:1)
Syntax OK

For the non-functioning Apache virtual hosts I get the following.

:/srv/www$ sudo apache2ctl -S
[Wed Apr 13 16:11:32 2011] [warn] NameVirtualHost 12.34.56.78:80 has no VirtualHosts
[Wed Apr 13 16:11:32 2011] [warn] NameVirtualHost 12.34.56.78:443 has no VirtualHosts
VirtualHost configuration:
12.34.56.78:80      is a NameVirtualHost
         default server www.domain.com (/etc/apache2/sites-enabled/www.domain.com:4)
         port 80 namevhost www.domain.com (/etc/apache2/sites-enabled/www.domain.com:4)
         port 80 namevhost blog.domain.com (/etc/apache2/sites-enabled/www.domain.com:19)
         port 80 namevhost www-staging.domain.com (/etc/apache2/sites-enabled/www.domain.com:27)
         port 80 namevhost statistics.domain.com (/etc/apache2/sites-enabled/www.domain.com:36)
         port 80 namevhost bugs.domain.com (/etc/apache2/sites-enabled/www.domain.com:44)
12.34.56.78:443     is a NameVirtualHost
         default server www.domain.com (/etc/apache2/sites-enabled/www.domain.com:4)
         port 443 namevhost www.domain.com (/etc/apache2/sites-enabled/www.domain.com:4)
wildcard NameVirtualHosts and _default_ servers:
*:80                   ha1.domain.com (/etc/apache2/sites-enabled/000-default:1)
Syntax OK

If you think my vhost should be different, please let me know what you think it should be. Any other suggestions are welcome.

Anyone have suggestions? More information I should provide?

<VirtualHost 12.34.56.78:80 12.34.56.78:443>
While I'm no expert in this area, this doesn't look correct to me.

Travis

Figured it out by trying out a fresh Linode and installing the Wildcard SSL cert and VHosts definitions.

The problem was that my SSL key file was encrypted with a passphrase. I was able to decrypt the key and refer to this new file in my VHosts.

sudo openssl rsa -in server.key -out server.key.insecure

Without this step, Apache asks for a passphrase every time it (re)starts.
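A passphrase prompt at start-up is exactly the failure a cluster resource manager cannot see through: the agent gets a non-zero exit and reports "unknown error", as in the crm_mon output above. The script below is an added example (not from the thread) that detects a passphrase-protected PEM key from its headers before Apache is (re)started, and, because the `openssl rsa` step leaves a plaintext key on disk, also flags a key that is not root-owned and mode 0600. The PEM samples are constructed; the default path is the `SSLCertificateKeyFile` from the thread's new vhost.

```python
"""Preflight check for TLS private keys before (re)starting Apache.

Added example, not part of the original thread. OpenSSL marks a legacy
passphrase-protected key with a 'Proc-Type: 4,ENCRYPTED' header and a
PKCS#8 one with an 'ENCRYPTED PRIVATE KEY' block; either will make Apache
prompt at start unless SSLPassPhraseDialog is configured.
"""
import os
import stat
import sys

LEGACY_ENCRYPTED_HEADER = "Proc-Type: 4,ENCRYPTED"
PKCS8_ENCRYPTED_BEGIN = "-----BEGIN ENCRYPTED PRIVATE KEY-----"

# Constructed samples with placeholder bodies: headers are what matter here.
SAMPLE_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-256-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_PLAINTEXT = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"


def key_is_encrypted(pem_text: str) -> bool:
    """Return True if loading this PEM key would require a passphrase."""
    return LEGACY_ENCRYPTED_HEADER in pem_text or PKCS8_ENCRYPTED_BEGIN in pem_text


def permission_problems(mode: int, uid: int) -> list:
    """Explain why a plaintext key's ownership/mode is too loose (root, 0600 expected)."""
    problems = []
    if uid != 0:
        problems.append("not owned by root")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("readable or writable by group/other (mode %o)" % (mode & 0o777))
    return problems


def check_key_file(path: str) -> list:
    """Findings for one key file; an empty list means it loads unattended and is locked down."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        pem = fh.read()
    findings = []
    if key_is_encrypted(pem):
        findings.append("passphrase-protected: Apache will prompt at start "
                        "(decrypt it or configure SSLPassPhraseDialog)")
    st = os.stat(path)
    return findings + permission_problems(st.st_mode, st.st_uid)


if __name__ == "__main__":
    print("sample encrypted:", key_is_encrypted(SAMPLE_ENCRYPTED))   # True
    print("sample plaintext:", key_is_encrypted(SAMPLE_PLAINTEXT))   # False
    for key_path in sys.argv[1:] or ["/etc/apache2/ssl/wildcard.domain.com.key"]:
        problems = check_key_file(key_path)
        print(key_path, "OK" if not problems else "; ".join(problems))
```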
