
enterprise-support team mailing list archive

Re: [Question #233966]: Clients cannot connect with SSL enabled in Apache2. Seems to be related to either Name Virtual hosts or SNI in Ubuntu 12.04

 

Question #233966 on apache2 in Ubuntu changed:
https://answers.launchpad.net/ubuntu/+source/apache2/+question/233966

Description changed to:
We are hosting a website for another company.  Our FQDN is something
like site5.company.com.  The other company also has their DNS pointing
to our IP for their users, something like site.othercompany.com.  Both
are A records.

They would like to enable SSL.  We would still like to be able to get to
the server without SSL (listening on both ports 80 and 443).  We would
like to use one SSL cert for all FQDNs used to reach the server - so the
server should be reachable from site5.company.com and
site.othercompany.com, using the same cert.  We are okay with getting
browser warnings when going to site5.company.com.

We have the certificate requirements (key, chainfile, cert) installed
and working for MOST clients.  However, some clients cannot connect.  In
one test case, I was able to connect after adding "ServerAlias *" to the
*:443 virtual host, but I cannot tell why this is happening.  This was
not required in Ubuntu 10.04.

The test case I am using is Fiddler 2.4.4.5. I can connect to our test
server using Firefox alone but I can only connect using Fiddler when I
add "ServerAlias *" to the *:443 virtual host.  Here is the config file
for the virtual host on our test server:

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/server.crt
        SSLCertificateKeyFile /etc/ssl/private/server.key
</VirtualHost>
</IfModule>

Adding the "ServerAlias *" directive directly under the VirtualHost
directive and reloading the config allows me to connect.

I cannot tell if I am doing something wrong or if something is wrong
inside Apache.  As I understand it, we shouldn't need to specify a
ServerName or ServerAlias because we want all names to get the default
servers, depending on the port (*:80 or *:443).  This sounds like
IP-based virtual hosts, not name-based.  And the configuration worked in
10.04.

Am I missing something?  What is the correct way to make this
configuration work in Ubuntu 12.04?

EDIT: On the test server where this is happening, the other Apache
config files are the defaults for Ubuntu 12.04.  This file,
"default-ssl", is the only one I modified.  The only changes I made were
to strip out all the extra directives and add the ServerAlias directive.
