Multiple SSL-sites on virtual host...

Discussion in 'Installation/Configuration' started by PA1JIM, Jul 30, 2017.

  1. PA1JIM

    PA1JIM New Member

    My question: I use ISPConfig on Ubuntu 16.04 with Apache. I've installed multiple SSL-sites (Let's Encrypt) on a virtual name host. After a dozen sites I run into problems. When a site isn't running SSL but I call it with https:// I get an error because I'll get the certificate of another customer's website. This also gives problems when I want to renew Let's Encrypt certificates. Let's Encrypt will call a challenge, but will get an SSL certificate from another domain.
    Is there a way to avoid this problem?

    Thanks in advance!
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    That's the normal behavior of Apache and nginx: when there is no matching vhost for a given port, the first one is used. This does not cause issues with LE, as LE connects on port 80 to verify the domain.

    There are several ways to avoid that the content of a wrong domain is shown:

    a) activate SSL for all sites.
    b) use one IP for SSL sites and another one for sites without SSL.
    c) Create a default SSL vhost which is shown in case no matching SSL site is found. Of course, you will get an SSL error then as well, but the content that is shown when someone accepts it will not be from a different site; it will be the placeholder page that you add in the default website.
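
Option (c) from the reply above, sketched as an Apache configuration. This is an added example, not part of the original posts and not ISPConfig's own template; it assumes a Debian/Ubuntu Apache 2.4 layout with mod_ssl and the `ssl-cert` package's self-signed certificate, and the file name, `default.invalid` and `/var/www/placeholder` are hypothetical.

```apache
# Added example, not from the thread. Hypothetical file name:
#   /etc/apache2/sites-available/000-default-ssl.conf
# It must sort before every other file in sites-enabled/: for name-based
# vhosts Apache falls back to the FIRST vhost defined for the matching
# address:port when no ServerName/ServerAlias matches the request.
#
# The address in <VirtualHost> must have the same form as the one used by
# the customer SSL vhosts (*:443 here; use the specific IP if they are bound
# to one), otherwise this vhost is never considered for those connections.
<VirtualHost *:443>
    # Placeholder name that no customer domain will ever match.
    ServerName default.invalid

    SSLEngine on
    # Self-signed pair shipped by Ubuntu's ssl-cert package. Clients still
    # see a certificate error, but never another customer's certificate.
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    # Static placeholder page only: no customer content is reachable here.
    DocumentRoot /var/www/placeholder
    <Directory /var/www/placeholder>
        Options -Indexes
        AllowOverride None
        Require all granted
    </Directory>

    # Separate logs that record the requested Host header, which shows
    # which non-SSL sites are being called over https://.
    ErrorLog  ${APACHE_LOG_DIR}/default-ssl-error.log
    CustomLog ${APACHE_LOG_DIR}/default-ssl-access.log "%h %t \"%{Host}i\" \"%r\" %>s"
</VirtualHost>
```

After enabling the file and reloading Apache, `apache2ctl -S` lists the default server for each address:port, which confirms that the placeholder vhost is the one selected as fallback.
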
  3. PA1JIM

    PA1JIM New Member

    Till, thanks for your answer. I'll implement one of your solutions.

    Meanwhile I solved my LE-update problem. In addition to IPv4, I also used one IPv6 address for all sites in the DNS. But that went terribly wrong, since LE went looking for an acme-challenge on the IPv6 address and got a redirect to 443, with no result.
    I trashed all IPv6 DNS-records for domains and LE works fine now.
  4. mccharlet

    mccharlet Member HowtoForge Supporter

    Hi Till,

    ISPConfig 3.1 doesn't support SNI?

    Best regards
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    All ISPConfig 3 versions support SNI. The questions discussed above are not related to SNI.
