Hello,

is Apache 2.2 which is part of the CentOS distribution capable of SNI?

I have troubles that are coming from server side (CentOS 6.8, Apache 2.2.15); I just did 'yum update'.

In /etc/httpd/conf/httpd.conf I have the following:

    NameVirtualHost ipaddr:443

    Include /etc/httpd/conf/vhosts/vhost-ssldom1-box.conf
    Include /etc/httpd/conf/vhosts/vhost-ssldom2-box.conf

Both 'vhost' files are like this:

    <VirtualHost ipaddr:443>
    ServerAdmin webmaster at domain#.com

    ServerName vhost.domain#.com:443
    ServerAlias box.domain#.com:443
    ServerAlias calcbox.domain#.com:443
    ServerAlias proxybox.domain#.com:443

    ...
    SSLEngine on

    SSLStrictSNIVHostCheck on

    SSLCertificateFile /etc/httpd/conf/ssl.crt/domain#-host.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/domain#-host.key
    SSLCertificateChainFile /etc/httpd/conf/ssl.crt/server-chain.crt

    ...
    </VirtualHost>

Only https://domain1.com/... works; https://domain2.com/... results in a certificate CN mismatch ...

What is missing in my config?

Thanks,
Walter
It doesn't appear you have a ServerName or ServerAlias for the naked domains (sans subdomain), so they're both being answered by the first VirtualHost entry?

> On Nov 20, 2016, at 9:24 AM, Walter H. <Walter.H at mathemainzel.info> wrote:
>
> Hello,
>
> is Apache 2.2 which is part of the CentOS distribution capable of SNI?
>
> I have troubles that are coming from server side (CentOS 6.8, Apache 2.2.15)
> just did 'yum update'
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
On 20.11.2016 18:33, David Nelson wrote:
> It doesn't appear you have a ServerName or ServerAlias for the naked domains (sans subdomain), so they're both being answered by the first VirtualHost entry?

This is not the problem meant: https://box.domain1.com works, but https://box.domain2.com results in 'Certificate name mismatch'.

Thanks,
Walter

>> On Nov 20, 2016, at 9:24 AM, Walter H. <Walter.H at mathemainzel.info> wrote:
>>
>> Hello,
>>
>> is Apache 2.2 which is part of the CentOS distribution capable of SNI?
>>
>> I have troubles that are coming from server side (CentOS 6.8, Apache 2.2.15)
>> just did 'yum update'
It is solved. I don't know why, but SNI works only with hosts that are declared with ServerName and not with ServerAlias, so I did the following ...

I made an include file that contained everything of the virtualhost except the ServerAdmin and ServerName declarations and did this:

    <VirtualHost ipaddr:443>
    ServerAdmin webmaster at domain#.com
    ServerName vhost.domain#.com:443
    Include /etc/httpd/conf/vhosts/vhost-ssldom#-box.incl
    </VirtualHost>

    <VirtualHost ipaddr:443>
    ServerAdmin webmaster at domain#.com
    ServerName box.domain#.com:443
    Include /etc/httpd/conf/vhosts/vhost-ssldom#-box.incl
    </VirtualHost>

    <VirtualHost ipaddr:443>
    ServerAdmin webmaster at domain#.com
    ServerName calcbox.domain#.com:443
    Include /etc/httpd/conf/vhosts/vhost-ssldom#-box.incl
    </VirtualHost>

    ...

Greetings,
Walter

On 20.11.2016 18:24, Walter H. wrote:
> Hello,
>
> is Apache 2.2 which is part of the CentOS distribution capable of SNI?
>
> I have troubles that are coming from server side (CentOS 6.8, Apache
> 2.2.15)
> just did 'yum update'
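A quick way to tell the two causes of a "certificate name mismatch" apart, as an added example that is not part of this thread: probe the server once with SNI and once without, and compare the names in the two certificates. If the cert served for the SNI name is the same one served with no SNI at all, no VirtualHost matched that name and Apache fell back to the first (default) one, which is the situation discussed above; if a different cert came back that still lacks the name, the vhost was selected but its certificate is wrong. The ip, hostname and port arguments are placeholders; a publicly trusted chain is assumed so that getpeercert() returns parsed names.

```python
# Added example (not from the CentOS thread): probe a host with and without SNI
# and classify a name mismatch. Assumes a publicly trusted certificate chain.
import socket
import ssl


def names_in_cert(cert):
    """Collect DNS SANs and the subject CN from ssl's getpeercert() dict."""
    names = [v for typ, v in cert.get("subjectAltName", ()) if typ == "DNS"]
    for rdn in cert.get("subject", ()):
        names += [v for k, v in rdn if k == "commonName"]
    return [n.lower() for n in names]


def match_hostname(hostname, names):
    """Exact match, or a single leftmost-label wildcard (*.example.com)."""
    hostname = hostname.lower()
    for name in names:
        if name == hostname:
            return True
        if name.startswith("*.") and hostname.count(".") == name.count("."):
            if hostname.endswith(name[1:]):
                return True
    return False


def diagnose(hostname, sni_names, default_names):
    """Classify a mismatch: vhost selection problem vs. wrong certificate."""
    if match_hostname(hostname, sni_names):
        return "ok"
    if sorted(sni_names) == sorted(default_names):
        return "default-vhost"  # SNI name matched no ServerName; default served
    return "wrong-cert"  # a vhost was selected, but its cert lacks this name


def fetch_names(ip, hostname, port=443):
    """Return (names with SNI, names without SNI) as presented by ip:port."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # keep the handshake even when names mismatch
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain still validated for getpeercert()
    out = []
    for sni in (hostname, None):  # None sends no SNI at all
        with socket.create_connection((ip, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                out.append(names_in_cert(tls.getpeercert()))
    return out[0], out[1]


if __name__ == "__main__":
    import sys  # usage: python sni_check.py <ip> <hostname>
    with_sni, without_sni = fetch_names(sys.argv[1], sys.argv[2])
    print(sys.argv[2], diagnose(sys.argv[2], with_sni, without_sni))
```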