Mailing List Archive

Re: {Disarmed} Re: [users@httpd] Multi-domain with SSL - Virtualhost all need IPs?
OK, SAN is only usable if the cert is set up that way.

I bought a proper *.scom.ca wildcard SSL cert for my domain.

I then buy mail.xxx.com certs for the other domains.

SNI works well when configured this way.

Granted, SAN might or might not work (I never tried that); however, SAN was
designed more for Apache web servers vs email etc.

SAN does allow adding domains, but it is more complicated to control what the
cert is doing (or not).

Sounds like what I did will work better for your situation.

Example sni.conf file (import this at the end of your main dovecot.conf file)
using:

#Addition ssl config
!include sni.conf

Please note that below I wrote a Python script to pull the cert from a
DB table:

getssl.cert

All it does is return the text for the SSL cert (key first, then
certificate, then both intermediate certs).

You can point this to an SSL key file (the old way) formatted the same.

Either will work.

Note you need both the default cert setup AND the local_name as well.

A *. signifies a wildcard SSL cert, like *.scom.ca.

Note you need to do something similar in Postfix as well for this to
work across SMTP + Dovecot.




# cat sni.conf
#sni.conf
ssl = yes
verbose_ssl = yes
ssl_dh =</usr/local/etc/dovecot/dh-4096.pem
ssl_prefer_server_ciphers = yes
#ssl_min_protocol = TLSv1.2

#Default *.scom.ca
ssl_key =</usr/local/etc/dovecot/scom.pem
ssl_cert =</usr/local/etc/dovecot/scom.pem
ssl_ca =</usr/local/etc/dovecot/scom.pem

local_name .scom.ca {
ssl_key = /programs/common/getssl.cert -c *.scom.ca -q yes
ssl_cert = /programs/common/getssl.cert -c *.scom.ca -q yes
ssl_ca = /programs/common/getssl.cert -c *.scom.ca -q yes
}


local_name mail.clancyca.com {
ssl_key = /programs/common/getssl.cert -c mail.clancyca.com -q yes
ssl_cert = /programs/common/getssl.cert -c mail.clancyca.com -q yes
ssl_ca = /programs/common/getssl.cert -c mail.clancyca.com -q yes
}

local_name secure.clancyca.com {
ssl_key = /programs/common/getssl.cert -c secure.clancyca.com -q yes
ssl_cert = /programs/common/getssl.cert -c secure.clancyca.com -q yes
ssl_ca = /programs/common/getssl.cert -c secure.clancyca.com -q yes
}

local_name mail.paulkudla.net {
ssl_key = /programs/common/getssl.cert -c mail.paulkudla.net -q yes
ssl_cert = /programs/common/getssl.cert -c mail.paulkudla.net -q yes
ssl_ca = /programs/common/getssl.cert -c mail.paulkudla.net -q yes
}

local_name mail.ekst.ca {
ssl_key = /programs/common/getssl.cert -c mail.ekst.ca -q yes
ssl_cert = /programs/common/getssl.cert -c mail.ekst.ca -q yes
ssl_ca = /programs/common/getssl.cert -c mail.ekst.ca -q yes
}

local_name mail.hamletdevelopments.ca {
ssl_key = /programs/common/getssl.cert -c mail.hamletdevelopments.ca -q yes
ssl_cert = /programs/common/getssl.cert -c mail.hamletdevelopments.ca -q yes
ssl_ca = /programs/common/getssl.cert -c mail.hamletdevelopments.ca -q yes
}




Happy Wednesday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services <http://www.scom.ca>
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266

On 5/18/2022 3:31 PM, Frank Gingras wrote:
> See if you can add a SAN to that wildcard certificate first.
>
> On Wed, 18 May 2022 at 15:21, frank picabia <fpicabia@gmail.com
> <mailto:fpicabia@gmail.com>> wrote:
>
>
> We have a server with over 300 vhosts on it.  Marketing/CMS madness
> I guess.
> All on the same domain name.  Many VirtualHosts are defined with *:443
> and then ServerName to rely on SNI.
> We have a wildcard cert for the domain and all the hosts use that.
>
> Now there is a different domain to add for SSL.  For some reason
> the first domain name's certificate is being found.  I've put the
> IP for our newcomer domain so we have <VirtualHost 1.1.1.1:443>
> but it is still finding the other cert.  This IP is uniquely assigned
> with the different domain, as you'd expect with DNS.  So it can't
> be an overlap of the IP used elsewhere.
>
> Researching this problem ("wrong cert loaded for vhost"),
> I read that in the initial SSL connection, it
> is talking to the IP, and whatever values we have for ServerName
> have no bearing until the page is being accessed.  If that's the case
> then it might have matched another vhost with *:443 first.
> I tried putting my new domain at the top of ssl.conf but it made no
> difference.
>
> I'm thinking I need to edit each *:443 case and change it to the
> appropriate IP.
> That will be a lot of work, so I'm looking for affirmation that is
> likely to make the difference.
>
>
>
> --
> This message has been scanned for viruses and
> dangerous content by *MailScanner* <http://www.mailscanner.info/>, and is
> believed to be clean.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Re: {Disarmed} Re: [users@httpd] Multi-domain with SSL - Virtualhost all need IPs? [ In reply to ]
That does not look like valid httpd syntax.

If you can't use a SAN, then you need to configure all your vhosts as
IP:443, whereas one vhost uses a separate IP, and the remainder uses the
second IP.

On Wed, 18 May 2022 at 17:02, Paul Kudla (SCOM.CA Internet Services Inc.) <
paul@scom.ca> wrote:

Re: {Disarmed} Re: [users@httpd] Multi-domain with SSL - Virtualhost all need IPs? [ In reply to ]
You need to set the cert files per virtual domain.

Example:

<VirtualHost *:443>
ServerName underconstruction.scom.ca
ServerAlias underconstruction.scom.ca
DocumentRoot /www/underconstruction.scom.ca
SSLEngine on
SSLProtocol all
SSLCertificateKeyFile /www/scom.ca/ssl/scom.ca.key
SSLCertificateFile /www/scom.ca/ssl/scom.ca.crt
SSLCertificateChainFile /www/scom.ca/ssl/scom.ca.chain
</VirtualHost>


<VirtualHost *:443>
ServerName ekst.ca
ServerAlias ekst.ca
ServerAlias www.ekst.ca
DocumentRoot /www/ekst.ca

SSLEngine on
SSLProtocol all
SSLCertificateFile /www/ekst.ca/ssl/ekst.ca.crt
SSLCertificateKeyFile /www/ekst.ca/ssl/ekst.ca.key
SSLCertificateChainFile /www/ekst.ca/ssl/ekst.ca.chain
</VirtualHost>





Happy Wednesday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services <http://www.scom.ca>
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266

On 5/18/2022 5:26 PM, frank picabia wrote:
> Sorry, different domain.
>
> 300 hosts like *.example1.com
> and now we have 1 example2.com
>
>
> On Wed, May 18, 2022 at 4:31 PM Frank Gingras <thumbs@apache.org
> <mailto:thumbs@apache.org>> wrote:
>
> See if you can add a SAN to that wildcard certificate first.

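Added example for the two questions running through this thread (the Dovecot local_name layout in Paul's first message and the per-vhost httpd layout in his second); it is not part of the thread and is not Paul's getssl.cert script or anyone's posted config. It does two things a practitioner wants before touching 300 vhosts: checks whether a certificate actually covers a host name under the wildcard/SAN rules clients apply (RFC 6125: `*` is accepted only as the whole leftmost label and stands for exactly one label, so *.example1.com covers www.example1.com but not example1.com, a.b.example1.com or example2.com), and probes which certificate a server hands back when a client sends a given SNI name, which is the check to run against each ServerName or local_name; with mod_ssl, a name that matches no ServerName/ServerAlias gets the first <VirtualHost> for that address:port, so a mis-selected cert shows up as the default vhost's names. The certificate dicts, host names and the audit()/probe() function names are constructed for the example, in the shape ssl.getpeercert() returns; probe() needs network access and is not exercised by the offline sample.

```python
"""Certificate coverage check and SNI probe (added example, not the thread's code).

Name matching follows RFC 6125 section 6.4.3 as browsers and mail clients
apply it: '*' only as the entire leftmost label, matching exactly one label.
"""
import socket
import ssl


def dns_names(cert):
    """dNSName entries of a certificate in ssl.getpeercert() dict form.

    Falls back to the subject commonName only when there is no SAN at all
    (legacy-client behaviour; modern clients ignore the CN when a SAN exists).
    """
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return [value]
    return []


def name_matches(pattern, hostname):
    """True if one certificate name (possibly a wildcard) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only a bare '*' as the leftmost label: 'f*o.example.com' and
    # '*.*.example.com' are rejected.
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False
    # Refuse '*.com'-style patterns that would cover a whole TLD.
    if len(p_labels) < 3:
        return False
    # The wildcard is exactly one label: '*.example1.com' covers neither
    # 'example1.com' (too few labels) nor 'a.b.example1.com' (too many).
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def covers(cert, hostname):
    """True if any name in the certificate covers hostname."""
    return any(name_matches(name, hostname) for name in dns_names(cert))


def audit(assignments):
    """Host names whose assigned certificate does not cover them.

    assignments: list of (hostname, cert_dict), one per httpd ServerName or
    Dovecot local_name block, paired with the cert that block serves.
    """
    return [host for host, cert in assignments if not covers(cert, host)]


def probe(host, port, sni_name, timeout=5.0):
    """Connect to host:port sending sni_name as SNI; return (names, covered).

    Chain validation stays on because getpeercert() only returns parsed
    fields for a validated peer; only the host-name check is off, so a wrongly
    selected but otherwise valid certificate is reported instead of raising.
    Needs network access; the offline sample below does not call it.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
            cert = tls.getpeercert()
    return dns_names(cert), covers(cert, sni_name)


# Constructed sample certificates (not real certs) in getpeercert() dict form:
# the thread's wildcard cert, and a SAN cert that also lists the second domain.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example1.com"),),),
    "subjectAltName": (("DNS", "*.example1.com"), ("DNS", "example1.com")),
}
SAN_CERT = {
    "subject": ((("commonName", "*.example1.com"),),),
    "subjectAltName": (("DNS", "*.example1.com"), ("DNS", "example1.com"),
                       ("DNS", "example2.com"), ("DNS", "www.example2.com")),
}

# Constructed assignments mirroring the vhost / local_name layout in the thread.
SAMPLE_ASSIGNMENTS = [
    ("www.example1.com", WILDCARD_CERT),
    ("example1.com", WILDCARD_CERT),
    ("example2.com", WILDCARD_CERT),      # wildcard of another domain: wrong cert
    ("a.b.example1.com", WILDCARD_CERT),  # two labels under the wildcard: not covered
    ("www.example2.com", SAN_CERT),
]

if __name__ == "__main__":
    print("served a cert that does not cover them:", audit(SAMPLE_ASSIGNMENTS))
```

Running `audit(SAMPLE_ASSIGNMENTS)` reports example2.com and a.b.example1.com. Against a live server, compare `probe("mail.example2.com", 443, "mail.example2.com")` with `probe("mail.example2.com", 443, "www.example1.com")`: if both come back with the same names, the server is still picking its default certificate for the second SNI name rather than the one configured for that vhost or local_name.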