Https problems

Discussion in 'Installation/Configuration' started by Trix, Oct 16, 2017.

  1. Trix

    Trix New Member

    Hello,

    I have an ispconfig 3.1.6 installation and i am hosting multiple sites. Some have an SSL cert others dont.
    The interesting thing is that when i try to access a website with https:// that does not have an SSL cert i get the content of a site that has an ssl cert. So when trying https://domain1.com i get the same domain just with the red error that its not secure and i get the content of https://domain2.com. If i access the domain1 on http:// then the page loads normaly.

    Any ideas what is going on?

    Best regards,
    Trix
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    That's the normal behavior of the Apache and Nginx web servers. When there is no vhost for a given domain on a specific port, then the server will show the content of the first vhost that exists for that port and IP combination. You have two options to avoid that:

    a) Enable SSL for all sites.
    b) Use a different IP address for SSL sites. so that SSL sites and non-SSL sites don't share the same IP.
     
  3. Trix

    Trix New Member

    Hi Till,

    I assume that by "Enable SSL for all sites" you ment that everyone will need either an SSL cert or the letsencrypt version? Or there is a method to enable SSl for all sites without a cert so the specific site will get loaded but with an error that is not safe ?

    Thanks,
    Trix
     
  4. HSorgYves

    HSorgYves Active Member

    You access a webserver through IP first and through domain name secondly. So you can reach the server via IP and it matches no website, and then the first alphabetic website is shown.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, ssl requires a cert, which can be either obtained from LE or by another SSL authority (and then inserted on the ssl tab when not LE).

    Maybe as a sidenote, latest browsers will show warnings when you submit form data on a non ssl site and Google will rank down non ssl sites as well, so there are good reasons to set all sites to SSL these days, besides the security benefit that SSL provides.
     
    Trix likes this.
  6. Trix

    Trix New Member

    Okey will try then letsencrypt for the remaining sites.

    Thanks!
    Trix
     

Share This Page