Hello,

I got a certificate from Gandi for the domain www.mondomaine.fr, but for sql.mondomaine.fr I wanted to use a self-signed SSL certificate.

If I activate sql.mondomaine.fr, www.mondomaine.fr uses the self-signed certificate instead of Gandi's one.

If I deactivate the sql. host, everything works fine.

How can I manage the use of different certificates?

It seems that the first VirtualHost configuration is taken for every SSL VirtualHost.

Thank you for your help.

Here is my configuration:

For PHPMyAdmin:

<VirtualHost *:443>
    # Path to the web data
    DocumentRoot /usr/share/phpmyadmin

    ServerName sql.mondomaine.fr

    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/phpmyadmin.pem
</VirtualHost>

For mondomaine.fr:

<VirtualHost *:443>
    ServerName www.mondomaine.fr
    DocumentRoot /var/www/mondomaine/
    CustomLog /var/log/apache2/secure_access.log combined

    SSLEngine on
    SSLCertificateFile /etc/ssl/mondomaine.fr.crt
    SSLCertificateKeyFile /etc/ssl/mondomaine.fr.key
    SSLCACertificateFile /etc/ssl/GandiStandardSSLCA.pem
    SSLVerifyClient None
</VirtualHost>

The configuration is correct, because if the first VirtualHost read is the PHPMyAdmin one, mod_ssl uses phpmyadmin.pem, and if the mondomaine.fr VirtualHost comes first, Apache uses mondomaine.fr.crt.

A: 

It depends on how you created your certificate. If you bought it only for the www subdomain, it won't work for sql. What you need to do is make it allow any subdomain, but AFAIK those certificates are more expensive.

On the other hand, you can use your own certificate; you only need to be sure about what you are putting in when you create your VirtualHost:

<VirtualHost XXX.XXX.XXX.XXX:443>
    ServerName www.mondomaine.fr
    # Gandi's certificate
</VirtualHost>

<VirtualHost XXX.XXX.XXX.XXX:443>
    ServerName sql.mondomaine.fr
    # your own certificate stuff
</VirtualHost>
Gabriel Sosa
It is exactly what I did but it doesn't work.
Natim
+2  A: 

You're running up against a general problem with HTTP over SSL - when a client connects, it specifies which host it wants to connect to using the Host: HTTP header, but that only comes after the SSL handshake (when the certificate is presented) has completed. Recent versions of TLS support extensions (specified in RFC 4366) which allow the client to specify what host it is intending to connect to during the SSL handshake, with the specific intent of supporting vhosts; to quote the RFC:

""" TLS does not provide a mechanism for a client to tell a server the name of the server it is contacting. It may be desirable for clients to provide this information to facilitate secure connections to servers that host multiple 'virtual' servers at a single underlying network address. """

According to Wikipedia, recent versions of Firefox, Opera, IE, Chrome, and Safari support this extension; other clients would still not send the extension, and you're out of luck there. You also have to use at least TLS 1.1 to enable extensions support.

There is some documentation on how to set this up with Apache; you may have to rebuild OpenSSL and/or Apache with specific options, depending on your local setup.

Jack Lloyd
OMG!! It means that if you have two websites on the same server, you cannot have one file for each of them? Is it possible to concatenate many pem files into the same one to send everything during the SSL handshake and let the browser choose the right one?
Natim
No; the SSL handshake only supports sending a single certificate regardless. However the SNI extension allows the server to figure out which one the client expects to get; otherwise, as you noticed, Apache will just always use the first certificate you set in the config file, because without SNI it has no way to figure it out at the point when the SSL handshake starts.
Jack Lloyd
With the SNI extension, it works well. Thank you.
Natim