LinuxQuestions.org
Forums > Linux Forums > Linux - Server
Old 05-09-2024, 06:34 PM   #1
Phunction
LQ Newbie
 
Registered: Dec 2009
Posts: 15

Rep: Reputation: 0
Apache issue with multiple SSL sites


I am running an older apache 2.2.22 server.
There were 2 virtual host SSL sites that were working fine, but when I tried to add a 3rd I would start getting ERR_SSL_PROTOCOL_ERROR

Each site was in its own config file under sites-available
I moved them to a single file in default-ssl but still have the same issue, but now it does it with just 2 sites:

The strange thing, the first cert works, the second gives me an ERR_SSL_PROTOCOL_ERROR, but only on some systems.

This is what I am using now:

(
Site1 is fine, Site2 gives me the error.

I originally tried with NameVirtualHost *.443
And then <VirtualHost *.443>
But when I go to site2, it complains that the cert is invalid because it is using the cert from site1?
)


<IfModule mod_ssl.c>
NameVirtualHost 192.99.9.188:443

<VirtualHost www.site1.com:443>
ServerName www.site1.com
ServerAdmin webmaster@site1.com
DocumentRoot /home/httpd/sites/site1
<Directory /home/httpd/sites/site1>

Order allow,deny
Allow from all
</Directory>

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile /etc/ssl/site1.ca/server.crt
SSLCertificateKeyFile /etc/ssl/site1.ca/server.key
SSLCertificateChainFile /etc/ssl/site1.ca/bundle.crt
</VirtualHost>

<VirtualHost www.site2.com:443>
ServerName www.site2.com
ServerAdmin webmaster@site2.com
DocumentRoot /home/httpd/sites/site2
<Directory /home/httpd/sites/site2>

Order allow,deny
Allow from all
</Directory>

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile /etc/ssl/site2.ca/server.crt
SSLCertificateKeyFile /etc/ssl/site2.ca/server.key
SSLCertificateChainFile /etc/ssl/site2.ca/bundle.crt
</VirtualHost>
</IfModule mod_ssl.c>


Is it due to apache and openssl being too old? But it does not make sense that the first cert would be fine and give a perfectly valid cert in browsers.
 
Old 05-10-2024, 02:50 AM   #2
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,737

Rep: Reputation: 2213
NameVirtualHost is deprecated in Apache 2.4, so I've not used it in a while.
Code:
<VirtualHost _default_:443>
where _default_ picks up the IP listening on 443

Does site2 return the correct content? If not, suspect an issue with the resolution of the domain name(s) within apache.

site2.com, without the www, is not defined, so https://site2.com would have site1 content served, because site1 is the default virtual host.
 
Old 05-10-2024, 04:09 AM   #3
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,170
Blog Entries: 1

Rep: Reputation: 2038
FYI apache-2.2 is EOL since 2018!!!
You should upgrade it along with openssl et al...

Anyway, in your case I think that you have to use SNI in order to run more than one SSL vhost.


Regards
 
Old 05-10-2024, 07:53 AM   #4
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,483

Rep: Reputation: 1556
Quote:
Originally Posted by Phunction View Post

<VirtualHost www.site1.com:443>
This is wrong, it should be the IP address, not the hostname, or * to bind to all available interfaces. Try
Code:
<VirtualHost *:443>
The identification of the site is with the ServerName and ServerAlias directives.
 
Old 05-10-2024, 10:33 AM   #5
Phunction
LQ Newbie
 
Registered: Dec 2009
Posts: 15

Original Poster
Rep: Reputation: 0
I set up each entry with <VirtualHost *:443> but when I do that, the second site will complain that the cert is for site1. So if I go to site2.com, I get a browser error that the cert is for site1. It will show me the content for site1.

I am not sure why the difference; my non-SSL hosts, i.e. <VirtualHost *:80>, all work fine, each site gives me the correct content, so why does it not work for <VirtualHost *:443>?

The Entries are
<VirtualHost *:443>
ServerName www.site1.com
....


<VirtualHost *:443>
ServerName www.site2.com
....
 
Old 05-10-2024, 10:49 AM   #6
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,483

Rep: Reputation: 1556
Quote:
Originally Posted by Phunction View Post
I set up each entry with <VirtualHost *:443> but when I do that, the second site will complain that the cert is for site1. So if I go to site2.com, I get a browser error that the cert is for site1. It will show me the content for site1.
It's Apache 2.2.X you're using, so you'll still need a NameVirtualHost *:443 directive as well.

So try:

Code:
NameVirtualHost *:443

<VirtualHost *:443>
ServerName www.site1.com
....

<VirtualHost *:443>
ServerName www.site2.com
....
 
Old 05-10-2024, 11:09 AM   #7
Phunction
LQ Newbie
 
Registered: Dec 2009
Posts: 15

Original Poster
Rep: Reputation: 0
I un-commented NameVirtualHost *:443 in ports.conf, now I am back to getting the ssl protocol error on the second site.
 
Old 05-10-2024, 11:12 AM   #8
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,483

Rep: Reputation: 1556
If these are public facing sites what does Qualys SSL Labs say about the three of them? https://www.ssllabs.com/ssltest/
 
Old 05-10-2024, 11:14 AM   #9
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,483

Rep: Reputation: 1556
Next steps would be to remove all three sites configs and then add them individually and test, then start stacking them.
 
Old 05-10-2024, 11:39 AM   #10
Phunction
LQ Newbie
 
Registered: Dec 2009
Posts: 15

Original Poster
Rep: Reputation: 0
I actually ran those tests, they came back with a B due to the old server not supporting TLS 1.3 but everything else was fine.

I also tried each site individually. If I just have one site for SSL, they will work fine; as soon as I add a second entry, it will give the ssl protocol error, but only on sites 2,3 which is really weird. They all work fine on their own but not when trying to have more than one at a time.
It is weird, on some systems, I get the ssl protocol error, on two others I tried, no errors, on some other systems, I get ERR_CONNECTION_CLOSED instead of ERR_SSL_PROTOCOL_ERROR.
 
Old 05-10-2024, 02:57 PM   #11
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,170
Blog Entries: 1

Rep: Reputation: 2038
Quote:
Originally Posted by Phunction View Post
I actually ran those tests, they came back with a B due to the old server not supporting TLS 1.3 but everything else was fine.

I also tried each site individually. If I just have one site for SSL, they will work fine; as soon as I add a second entry, it will give the ssl protocol error, but only on sites 2,3 which is really weird. They all work fine on their own but not when trying to have more than one at a time.
It is weird, on some systems, I get the ssl protocol error, on two others I tried, no errors, on some other systems, I get ERR_CONNECTION_CLOSED instead of ERR_SSL_PROTOCOL_ERROR.
Why don't you use SNI as in my post above?
 
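The symptom in posts #10 and #11 (the cert for site2 is right for some clients and wrong for others, or the connection is simply closed) is what name-based SSL vhosts look like when a client does not send SNI: the server has only the first vhost's certificate to offer, exactly as post #1 describes for `<VirtualHost *:443>`. The script below is an added example, not code from this thread or from Apache. It stands in for Apache 2.2 with `NameVirtualHost *:443` by using `openssl s_server`, which likewise serves a default certificate and switches to a second one only when the client's SNI matches, and then probes it with `openssl s_client` with and without SNI. The hostnames www.site1.com and www.site2.com are taken from the thread; the self-signed certificates, the loopback port 14433 and the temp directory are constructed for the demo. It assumes the `openssl` command is on PATH (1.1.1 or newer for `-noservername`; older releases send no SNI unless `-servername` is given, and the script handles both). Apache 2.2 itself needs 2.2.12 or later built against an OpenSSL with TLS extensions enabled for SNI to work at all; 2.2.22 qualifies.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce "the first vhost's certificate is
# served to clients that send no SNI" with openssl s_server, then probe it the same
# way you would probe the real Apache host with openssl s_client.
# Assumptions: openssl CLI on PATH, loopback port 14433 free, mktemp available.
set -eu

WORK=$(mktemp -d)
PORT=${SNI_DEMO_PORT:-14433}
SITE1=www.site1.com   # first (default) vhost, as in the thread
SITE2=www.site2.com   # second vhost, reachable only by name
SRV_PID=

# Throwaway self-signed cert/key pair for one hostname (constructed test data).
mkcert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# A TLS server that selects certificates like Apache 2.2 with NameVirtualHost *:443:
# SITE1's cert is the default, SITE2's cert is used only when the SNI name is SITE2.
start_server() {
    mkcert "$SITE1"
    mkcert "$SITE2"
    openssl s_server -accept "$PORT" -www \
        -cert "$WORK/$SITE1.crt" -key "$WORK/$SITE1.key" \
        -servername "$SITE2" \
        -cert2 "$WORK/$SITE2.crt" -key2 "$WORK/$SITE2.key" \
        >/dev/null 2>&1 &
    SRV_PID=$!
    # wait until the port completes a handshake
    for _ in 1 2 3 4 5 6 7 8 9 10; do
        openssl s_client -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1 && return 0
        sleep 1
    done
    echo "server did not come up on port $PORT" >&2
    return 1
}

stop_server() {
    [ -n "$SRV_PID" ] && kill "$SRV_PID" 2>/dev/null || true
    SRV_PID=
}

# Print the CN of the certificate the server presents.
# $1 = host, $2 = port, $3 = SNI name to send, or "" to send no SNI at all
# (what a legacy client, or any client without SNI support, does).
presented_cn() {
    if [ -n "$3" ]; then
        sni_opt="-servername $3"
    elif openssl s_client -help 2>&1 | grep -q -- '-noservername'; then
        sni_opt="-noservername"   # OpenSSL >= 1.1.1 sends SNI by default; turn it off
    else
        sni_opt=""                # older OpenSSL sends no SNI unless asked
    fi
    # shellcheck disable=SC2086
    openssl s_client -connect "$1:$2" $sni_opt </dev/null 2>/dev/null \
        | openssl x509 -noout -subject 2>/dev/null \
        | sed 's/.*CN *= *//'
}

demo() {
    start_server
    echo "no SNI (legacy client): $(presented_cn 127.0.0.1 "$PORT" '')"
    echo "SNI=$SITE1:          $(presented_cn 127.0.0.1 "$PORT" "$SITE1")"
    echo "SNI=$SITE2:          $(presented_cn 127.0.0.1 "$PORT" "$SITE2")"
    stop_server
}

trap 'stop_server; rm -rf "$WORK"' EXIT
demo
```

Run it and the first line names www.site1.com, the last www.site2.com: a client that asks for site2 by name gets site2's certificate, a client that sends no name gets site1's, which a browser reports as a certificate for the wrong host. Point `presented_cn` at the real server (`presented_cn www.site2.com 443 ''` versus `presented_cn www.site2.com 443 www.site2.com`) to see which case a complaining system is in. If non-SNI clients should be refused outright rather than handed the default vhost, Apache 2.2.12 and later also offer `SSLStrictSNIVHostCheck on`, which turns those connections into an error instead of a certificate mismatch.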