httpd-users mailing list archives

From rich.gre...@hushmail.com
Subject Re: [users@httpd] LetsEncrypt.org with Virtual Hosting
Date Wed, 15 Jun 2016 08:42:18 GMT


On 6/14/2016 at 9:39 PM, "Christopher Schultz" <chris@christopherschultz.net> wrote:
>
>Filipe,
>
>On 6/14/16 3:15 PM, Filipe Cifali wrote:
>> You are probably hitting the wrong cert file, check with:
>> 
>> openssl s_client -connect example.info:443
>> 
>> You can also try to disable the first SSL and check if you hit the
>> right one after.
>
>You may have to do this:
>
>$ openssl s_client -connect ip_addr:443 -servername 'example.info'
>
>This will allow you to connect to a local test machine and still tell
>the server that you are trying to connect to example.info.

I did this and had nearly identical results, sparing for the later parts that are specific
for that session.

>
>Rich,
>
>Why are you using example.info instead of your actual domain name?
>

Because the TLD of one site ends in .info as it is domain1.info and the other one is domain2.info.
I do not want a domain name of mine to exist in a world-readable forum for security reasons.
I'm not a world class expert in security and am not prepared to deal with that right now.
That's one of the reasons why example.TLD exists in the first place.

>-chris
>
>> On Tue, Jun 14, 2016 at 4:08 PM, <rich.greder@hushmail.com> wrote:
>> 
>> For some time, I have been hosting about 10 sites unencrypted.
>> But since people other than just myself will be using my
>> squirrelmail, I decided to encrypt my server.  I had delayed it
>> simply because keys are too expensive to buy, but now I learned
>> about LetsEncrypt.org and have been working in that direction.
>> 
>> So far, I moved two websites over to this server, example.com
>> and example.info.  My first test of the LetsEncrypt software was
>> of the form of:
>> 
>> # letsencrypt-auto --apache -d example.com
>> 
>> but I ran into a caveat with www.example.com not being accepted.
>> I decided to re-run with the other domain included as well, so I
>> did the remaining three combinations:
>> 
>> # letsencrypt-auto --apache -d www.example.com -d example.info -d www.example.info
>> 
>> The conf files for the sites are fairly straight-forward in my
>> mind.  There are four of them:
>> 
>> #/etc/apache2/sites-available/80-example.com
>> <IfModule mod_ssl.c>
>> <VirtualHost *:80>
>>     ServerAdmin webmaster@localhost
>>     DocumentRoot /var/www/example.com/public_html/
>>     ErrorLog ${APACHE_LOG_DIR}/error.log
>>     CustomLog ${APACHE_LOG_DIR}/access.log combined
>>     ServerName example.com
>>     ServerAlias www.example.com
>> </VirtualHost>
>> </IfModule>
>> 
>> #/etc/apache2/sites-available/443-example.com
>> <IfModule mod_ssl.c>
>> <VirtualHost *:443>
>>     ServerAdmin webmaster@example.com
>>     DocumentRoot /var/www/example.com/public_html/
>>     ErrorLog ${APACHE_LOG_DIR}/error.log
>>     CustomLog ${APACHE_LOG_DIR}/access.log combined
>>     SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
>>     SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
>>     Include /etc/letsencrypt/options-ssl-apache.conf
>>     ServerName example.com
>>     ServerAlias www.example.com
>> </VirtualHost>
>> </IfModule>
>> 
>> #/etc/apache2/sites-available/80-example.info
>> <IfModule mod_ssl.c>
>> <VirtualHost *:80>
>>     ServerAdmin webmaster@localhost
>>     DocumentRoot /var/www/example.info/public_html/
>>     ErrorLog ${APACHE_LOG_DIR}/error.log
>>     CustomLog ${APACHE_LOG_DIR}/access.log combined
>>     ServerName example.info
>>     ServerAlias www.example.info
>> </VirtualHost>
>> </IfModule>
>> 
>> #/etc/apache2/sites-available/443-example.info
>> <IfModule mod_ssl.c>
>> <VirtualHost *:443>
>>     ServerAdmin webmaster@example.info
>>     DocumentRoot /var/www/example.info/public_html/
>>     ErrorLog ${APACHE_LOG_DIR}/error.log
>>     CustomLog ${APACHE_LOG_DIR}/access.log combined
>>     SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
>>     SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
>>     Include /etc/letsencrypt/options-ssl-apache.conf
>>     ServerName example.info
>>     ServerAlias www.example.info
>> </VirtualHost>
>> </IfModule>
>> 
>> Notice that SSLCertificateFile and SSLCertificateKeyFile are the
>> same for both of the domains, because they use the same key of
>> example.com.  The website example.com works perfectly fine.  But
>> example.info has serious problems (on the order of
>> NET::ERR_CERT_COMMON_NAME_INVALID).  Who has an idea on how to fix
>> this?  I can't experiment too much because I'm limited to 5 keys
>> per week so learning this myself is a very slow-track process.
>> 
>> There are a number of HOWTO documents out there, but there is very
>> wide variance in their steps that I have little confidence in
>> them, but have chosen one and decided to try at it.  Once I get
>> this established, I promise to write a blog article explaining the
>> procedure a little bit better.
>> 
>> -- [ ]'s
>> 
>> Filipe Cifali Stangler


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
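The thread's diagnosis comes down to two things: which certificate file each `*:443` vhost points at, and which certificate the server actually presents when a client sends a given SNI name (the `openssl s_client -servername` check Chris suggests). The script below is an added example and is not code from anyone in this thread or from Apache or certbot. It does a static pass over vhost blocks (the two `443-*` files quoted above are embedded as constructed input) and flags names that the referenced certificate does not cover, and it has a live probe that connects with SNI and returns the served certificate's SAN names. The `CONSTRUCTED_SANS` map stands in for reading the SAN extension out of the PEM files and is an assumption for the offline demo; the `certbot_lineage` helper assumes certbot's `/etc/letsencrypt/live/<first -d name>/` layout.

```python
"""Static and live checks for name-based TLS vhosts (added example, not from the thread).

1. static: parse <VirtualHost> blocks and report every ServerName/ServerAlias on a
   *:443 vhost that the referenced certificate does not cover.
2. live:   connect with SNI set to a vhost name and return the SAN names of the
   certificate the server really served (what `openssl s_client -servername` shows).
"""
import re
import socket
import ssl

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

# Constructed input: the two 443 vhosts from the thread, with the example.info vhost
# pointing at example.com's certificate exactly as the original poster had it.
CONSTRUCTED_CONFIG = """
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName example.info
    ServerAlias www.example.info
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
</IfModule>
"""

# Constructed stand-in for the SAN list inside each PEM (assumption: the example.com
# lineage covers example.com and www.example.com only). On a real host you would
# read the subjectAltName extension from the file instead.
CONSTRUCTED_SANS = {
    "/etc/letsencrypt/live/example.com/fullchain.pem": ["example.com", "www.example.com"],
}


def sans_from_map(certfile):
    """Look up the constructed SAN list for a certificate path (empty if unknown)."""
    return CONSTRUCTED_SANS.get(certfile, [])


def parse_vhosts(config_text):
    """Return one dict per <VirtualHost>: addr, names (ServerName first), certfile."""
    vhosts = []
    for m in VHOST_RE.finditer(config_text):
        names, certfile = [], None
        for line in m.group(2).splitlines():
            parts = line.split()
            if len(parts) < 2:
                continue
            directive = parts[0].lower()
            if directive == "servername":
                names.insert(0, parts[1].lower())
            elif directive == "serveralias":
                names.extend(n.lower() for n in parts[1:])
            elif directive == "sslcertificatefile":
                certfile = parts[1]
        vhosts.append({"addr": m.group(1).strip(), "names": names, "certfile": certfile})
    return vhosts


def certbot_lineage(certfile):
    """Lineage name from a certbot path /etc/letsencrypt/live/<name>/...; None otherwise."""
    m = re.search(r"/live/([^/]+)/", certfile or "")
    return m.group(1).lower() if m else None


def hostname_matches(name, pattern):
    """RFC 6125-style match: exact, or a single-label '*.' wildcard at the left."""
    name, pattern = name.lower(), pattern.lower()
    if pattern.startswith("*."):
        return "." in name and name.split(".", 1)[1] == pattern[2:]
    return name == pattern


def find_mismatches(config_text, covered_names_for):
    """(name, certfile) pairs where a *:443 vhost name is not covered by its certificate."""
    problems = []
    for vh in parse_vhosts(config_text):
        if ":443" not in vh["addr"] or vh["certfile"] is None:
            continue
        covered = covered_names_for(vh["certfile"])
        for name in vh["names"]:
            if not any(hostname_matches(name, p) for p in covered):
                problems.append((name, vh["certfile"]))
    return problems


def san_names_via_sni(host, port, servername, timeout=5.0):
    """Connect with SNI=servername and return DNS names from the served cert's SAN.

    Equivalent to: openssl s_client -connect host:port -servername servername
    Hostname checking is off so the wrong certificate is still returned rather than
    raising; the chain is still verified against the system CA store, so a
    self-signed or untrusted certificate raises ssl.SSLCertVerificationError.
    Network call; not exercised by the offline demo.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=servername) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    for name, certfile in find_mismatches(CONSTRUCTED_CONFIG, sans_from_map):
        print(f"{name}: not covered by {certfile} (lineage {certbot_lineage(certfile)})")
```

Run against the constructed config it reports `example.info` and `www.example.info` as not covered by `/etc/letsencrypt/live/example.com/fullchain.pem`, which is the NET::ERR_CERT_COMMON_NAME_INVALID the browser shows. For the live check, call `san_names_via_sni("ip_addr", 443, "example.info")` against the server and compare the returned list with the vhost's names; if the list only contains example.com names, Apache is serving the certificate from the first `*:443` vhost it loaded, not one issued for example.info.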

