Hi
My domain is: welcometohmp.com
I have a Rocky Linux VPS and set everything up fine, and certbot worked for my other domains (*.com.au, *.uk and *.co.uk); however, the main domain welcometohmp.com seems not to be working. Is it possible that the main domain is looking for the SSL cert in a different directory to the others, or something?
I'm using Apache on Rocky Linux; my httpd.conf looks like this:
It's got me baffled why all the other vhosts work but the main one doesn't. Please help; I can post more info if required. I did have a look at the *le-ssl.conf file and, interestingly enough, it doesn't have the main domain there, but I tried adding it and still no luck. Please help.
certbot --version
certbot 2.6.0
They had gotten a cert much earlier today with all 4 domain name sets in it. But only 7 of the 8 domain names return the correct cert.
The www.welcometohmp.com name uses a self-signed cert.
We should still look at what this shows
sudo apache2ctl -t -D DUMP_VHOSTS
Also, of the 4 sets there are 3 different home pages. That's not necessarily wrong, but it is unusual. The pages are very different. That's not directly related to the cert and maybe that's how they want it. Interesting that the two .com domain names do return the same page; it is just the www .com one that uses the wrong cert.
It shouldn't take too long to sort out though once we see the dump_vhosts output.
Hey Mike, thanks for the reply. I used certbot --apache.
sudo httpd -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80 is a NameVirtualHost
default server welcometohmp.com (/etc/httpd/conf/httpd.conf:85)
port 80 namevhost welcometohmp.com (/etc/httpd/conf/httpd.conf:85)
alias www.welcometohmp.com
port 80 namevhost welcometohmp.co.uk (/etc/httpd/conf/httpd.conf:100)
alias www.welcometohmp.co.uk
port 80 namevhost welcometohmp.uk (/etc/httpd/conf/httpd.conf:115)
alias www.welcometohmp.uk
port 80 namevhost welcometohmp.com.au (/etc/httpd/conf/httpd.conf:130)
alias www.welcometohmp.com.au
*:443 is a NameVirtualHost
default server www.welcometohmp.com (/etc/httpd/conf.d/ssl.conf:40)
port 443 namevhost www.welcometohmp.com (/etc/httpd/conf.d/ssl.conf:40)
port 443 namevhost welcometohmp.co.uk (/etc/httpd/conf/httpd-le-ssl.conf:2)
alias www.welcometohmp.co.uk
port 443 namevhost welcometohmp.com.au (/etc/httpd/conf/httpd-le-ssl.conf:19)
alias www.welcometohmp.com.au
port 443 namevhost welcometohmp.com (/etc/httpd/conf/httpd-le-ssl.conf:36)
alias www.welcometohmp.com
port 443 namevhost welcometohmp.uk (/etc/httpd/conf/httpd-le-ssl.conf:53)
alias www.welcometohmp.uk
Looks like the main vhost is reading from the wrong SSL file. Should I just change conf.d/ssl.conf to include something like this:
SSLCertificateFile /etc/letsencrypt/live/welcometohmp.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/welcometohmp.com/privkey.pem
instead of where it's trying to read the cert from?
No, I would not recommend that. You have that www...com subdomain defined in two different virtual hosts for port 443. It probably works fine in the second one, where it is listed as an alias of the .com root name.
You could change the www...com ServerName in the ssl.conf vhost at line 40 to something like default.server. Then you keep all the common SSL options in that file and let the domain names be handled by the httpd-le-ssl config file.
Without seeing those I am guessing a little, but this is likely to work and has little risk of damaging anything. If you post the contents of both of those files we can say for sure. Use three backticks before and after to preserve the formatting.
Visually, you can see how these three sets of names all "group" nicely:
port 80 namevhost welcometohmp.co.uk (/etc/httpd/conf/httpd.conf:100)
alias www.welcometohmp.co.uk
port 443 namevhost welcometohmp.co.uk (/etc/httpd/conf/httpd-le-ssl.conf:2)
alias www.welcometohmp.co.uk
port 80 namevhost welcometohmp.uk (/etc/httpd/conf/httpd.conf:115)
alias www.welcometohmp.uk
port 443 namevhost welcometohmp.uk (/etc/httpd/conf/httpd-le-ssl.conf:53)
alias www.welcometohmp.uk
port 80 namevhost welcometohmp.com.au (/etc/httpd/conf/httpd.conf:130)
alias www.welcometohmp.com.au
port 443 namevhost welcometohmp.com.au (/etc/httpd/conf/httpd-le-ssl.conf:19)
alias www.welcometohmp.com.au
And this set of names does not:
port 80 namevhost welcometohmp.com (/etc/httpd/conf/httpd.conf:85)
alias www.welcometohmp.com
port 443 namevhost www.welcometohmp.com (/etc/httpd/conf.d/ssl.conf:40)
port 443 namevhost welcometohmp.com (/etc/httpd/conf/httpd-le-ssl.conf:36)
alias www.welcometohmp.com
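The grouping above can be checked mechanically rather than by eye. The following script is an added example, not code from the thread: it parses the `httpd -t -D DUMP_VHOSTS` output posted above (embedded here so it runs offline; pipe real output into it on stdin) and reports every name that more than one vhost claims on the same port. Apache uses the first matching vhost in configuration order, which is the order the dump prints, so the first source listed for a conflict is the one that actually answers for that name. The conflict it finds in this dump is exactly the one discussed: www.welcometohmp.com is claimed by the default vhost in ssl.conf:40 before the Let's Encrypt vhost in httpd-le-ssl.conf:36 gets a look.

```python
import re
import sys

# DUMP_VHOSTS output as posted in the thread (before the fix). Embedded so the
# script runs offline; real output can be piped in: httpd -t -D DUMP_VHOSTS | python3 vhost_conflicts.py
DUMP_VHOSTS = """\
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server welcometohmp.com (/etc/httpd/conf/httpd.conf:85)
         port 80 namevhost welcometohmp.com (/etc/httpd/conf/httpd.conf:85)
                 alias www.welcometohmp.com
         port 80 namevhost welcometohmp.co.uk (/etc/httpd/conf/httpd.conf:100)
                 alias www.welcometohmp.co.uk
         port 80 namevhost welcometohmp.uk (/etc/httpd/conf/httpd.conf:115)
                 alias www.welcometohmp.uk
         port 80 namevhost welcometohmp.com.au (/etc/httpd/conf/httpd.conf:130)
                 alias www.welcometohmp.com.au
*:443                  is a NameVirtualHost
         default server www.welcometohmp.com (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost www.welcometohmp.com (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost welcometohmp.co.uk (/etc/httpd/conf/httpd-le-ssl.conf:2)
                 alias www.welcometohmp.co.uk
         port 443 namevhost welcometohmp.com.au (/etc/httpd/conf/httpd-le-ssl.conf:19)
                 alias www.welcometohmp.com.au
         port 443 namevhost welcometohmp.com (/etc/httpd/conf/httpd-le-ssl.conf:36)
                 alias www.welcometohmp.com
         port 443 namevhost welcometohmp.uk (/etc/httpd/conf/httpd-le-ssl.conf:53)
                 alias www.welcometohmp.uk
"""

# "port 443 namevhost welcometohmp.com (/etc/httpd/conf/httpd-le-ssl.conf:36)"
VHOST_RE = re.compile(r"^port (\d+) namevhost (\S+) \((\S+)\)$")
# "alias www.welcometohmp.com" (always belongs to the vhost line just above it)
ALIAS_RE = re.compile(r"^alias (\S+)$")


def parse_dump(text):
    """Return the vhosts in configuration order: dicts of port, name, source, aliases."""
    vhosts = []
    for raw in text.splitlines():
        line = raw.strip()
        m = VHOST_RE.match(line)
        if m:
            vhosts.append({"port": m.group(1), "name": m.group(2),
                           "source": m.group(3), "aliases": []})
            continue
        m = ALIAS_RE.match(line)
        if m and vhosts:
            vhosts[-1]["aliases"].append(m.group(1))
    return vhosts


def find_conflicts(vhosts):
    """Map (port, name) -> [sources] for every name claimed by more than one vhost on that port.

    Sources are kept in configuration order; Apache serves the name from the first one.
    """
    claims = {}
    for vh in vhosts:
        for name in [vh["name"]] + vh["aliases"]:
            claims.setdefault((vh["port"], name.lower()), []).append(vh["source"])
    return {key: srcs for key, srcs in claims.items() if len(srcs) > 1}


def report(text):
    """Human-readable lines, one per conflicting name."""
    lines = []
    for (port, name), srcs in find_conflicts(parse_dump(text)).items():
        lines.append(f"port {port}: {name} claimed by {len(srcs)} vhosts; "
                     f"Apache will use {srcs[0]}, not {', '.join(srcs[1:])}")
    return lines


if __name__ == "__main__":
    dump = sys.stdin.read() if not sys.stdin.isatty() else DUMP_VHOSTS
    for line in report(dump) or ["no duplicate names found"]:
        print(line)
```

Run it after every config change until it prints nothing; a name that is only listed once per port cannot be served from the wrong vhost.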
cat ssl.conf
#
# When we also provide SSL we have to listen to the
# standard HTTPS port in addition.
#
Listen 443 https
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names. NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec
##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.welcometohmp.com:443
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# List the protocol versions which clients are allowed to connect with.
# The OpenSSL system profile is used by default. See
# update-crypto-policies(8) for more details.
#SSLProtocol all -SSLv3
#SSLProxyProtocol all -SSLv3
# User agents such as web browsers are not configured for the user's
# own preference of either security or performance, therefore this
# must be the prerogative of the web server administrator who manages
# cpu load versus confidentiality, so enforce the server's cipher order.
SSLHonorCipherOrder on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
# The OpenSSL system profile is configured by default. See
# update-crypto-policies(8) for more details.
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that restarting httpd will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
# require an ECC certificate which can also be configured in
# parallel.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
# ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is sent or allowed to be received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is sent and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
[admin@NickTee conf.d]$ w
22:08:55 up 1 day, 15:21, 1 user, load average: 0.05, 0.01, 0.00
USER TTY LOGIN@ IDLE JCPU PCPU WHAT
admin pts/0 21:59 0.00s 0.02s 0.00s w
[admin@NickTee conf.d]$ ls
README php.conf phpmyadmin.conf ssl.conf.orig welcome.conf
autoindex.conf phpMyAdmin.conf ssl.conf userdir.conf
[admin@NickTee conf.d]$ cd ../conf
[admin@NickTee conf]$ ls
httpd-le-ssl.conf httpd.conf httpd.conf.orig magic
[admin@NickTee conf]$ cat *ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName welcometohmp.co.uk
ServerAlias www.welcometohmp.co.uk
DocumentRoot /var/www/wthmp.co.uk/
<Directory /var/www/wthmp.co.uk>
Options -Indexes +FollowSymLinks
AllowOverride All
</Directory>
ErrorLog /var/log/httpd/wthmp.co.uk.info-error.log
CustomLog /var/log/httpd/wthmp.co.uk.info-access.log combined
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/welcometohmp.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/welcometohmp.com/privkey.pem
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName welcometohmp.com.au
ServerAlias www.welcometohmp.com.au
DocumentRoot /var/www/wthmp.au/
<Directory /var/www/wthmp.au>
Options -Indexes +FollowSymLinks
AllowOverride All
</Directory>
ErrorLog /var/log/httpd/wthmp.au.info-error.log
CustomLog /var/log/httpd/wthmp.au.info-access.log combined
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/welcometohmp.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/welcometohmp.com/privkey.pem
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName welcometohmp.com
ServerAlias www.welcometohmp.com
DocumentRoot /var/www/html/
<Directory /var/www/wthmp.com>
Options -Indexes +FollowSymLinks
AllowOverride All
</Directory>
ErrorLog /var/log/httpd/wthmp.com.info-error.log
CustomLog /var/log/httpd/wthmp.com.info-access.log combined
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/welcometohmp.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/welcometohmp.com/privkey.pem
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName welcometohmp.uk
ServerAlias www.welcometohmp.uk
DocumentRoot /var/www/wthmp.uk/
<Directory /var/www/wthmp.uk>
Options -Indexes +FollowSymLinks
AllowOverride All
</Directory>
ErrorLog /var/log/httpd/wthmp.uk.info-error.log
CustomLog /var/log/httpd/wthmp.uk.info-access.log combined
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/welcometohmp.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/welcometohmp.com/privkey.pem
</VirtualHost>
</IfModule>
[admin@NickTee conf]$ cd ..
[admin@NickTee httpd]$ ls
conf conf.d conf.modules.d logs modules run state
[admin@NickTee httpd]$ cd conf.d
[admin@NickTee conf.d]$ ls
README php.conf phpmyadmin.conf ssl.conf.orig welcome.conf
autoindex.conf phpMyAdmin.conf ssl.conf userdir.conf
The ssl.conf needs to change. Although you may have changed it already?
In any event, I suggest finding these lines:
<VirtualHost _default_:443>
# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.welcometohmp.com:443
And replace the last line with (not commented out):
ServerName default.server
Then, after restarting Apache, show the result of this again:
sudo httpd -t -D DUMP_VHOSTS
You should have a nice clean grouping of your names. The default for port 443 should show this default.server name instead of one of your actual domain names.
Apache is quirky. There are several ways to do the same thing and sometimes subtle differences matter.
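The DUMP_VHOSTS output shows what Apache thinks it is serving; the check a practitioner wants after the restart is what a client actually receives for each name. The script below is an added example, not from the thread or from certbot. Its offline part (`san_covers`) decides whether a certificate's subjectAltName covers a host name, including single-label wildcards, and is exercised against a constructed cert dictionary shaped like what `ssl.SSLSocket.getpeercert()` returns, holding the 8 names Mike says the issued cert contains (the constructed sample is an assumption, not the real certificate). `check_name` performs the live check: it connects with SNI for each name, verifies the chain against the system trust store but leaves the name match to `san_covers`, so it can distinguish "untrusted" (the self-signed localhost.crt from the default vhost) from "wrong-name" (a trusted cert that lacks the name) from "ok".

```python
import socket
import ssl

# The 8 names covered by the thread's certificate (4 domains, apex + www each).
NAMES = [
    "welcometohmp.com", "www.welcometohmp.com",
    "welcometohmp.co.uk", "www.welcometohmp.co.uk",
    "welcometohmp.uk", "www.welcometohmp.uk",
    "welcometohmp.com.au", "www.welcometohmp.com.au",
]

# Constructed sample (not the real certificate) in the shape getpeercert() returns
# for a verified connection: subjectAltName is a tuple of (type, value) pairs.
SAMPLE_CERT = {
    "subject": ((("commonName", "welcometohmp.com"),),),
    "subjectAltName": tuple(("DNS", n) for n in NAMES),
}


def san_dns_names(cert):
    """DNS entries of the subjectAltName, lower-cased, in certificate order."""
    return [value.lower() for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def san_covers(cert, hostname):
    """True if hostname matches a SAN entry exactly or via a single-label wildcard.

    "*.example.com" covers "www.example.com" but not "example.com" or "a.b.example.com".
    The commonName is deliberately ignored; browsers stopped honouring it years ago.
    """
    host = hostname.lower().rstrip(".")
    for san in san_dns_names(cert):
        if san == host:
            return True
        if (san.startswith("*.")
                and host.count(".") == san.count(".")
                and host.endswith(san[1:])):
            return True
    return False


def check_name(hostname, port=443, timeout=5):
    """Live check: returns (status, detail) for one SNI name.

    status is "ok", "wrong-name", "untrusted" or "connect-failed".
    Chain verification stays on (CERT_REQUIRED against the system store);
    only the host-name match is done here so the two failure modes are reported separately.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # name match done by san_covers() below
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain still has to verify
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                names = san_dns_names(cert)
                return ("ok" if san_covers(cert, hostname) else "wrong-name", names)
    except ssl.SSLCertVerificationError as exc:
        # e.g. the self-signed localhost.crt from the default vhost
        return "untrusted", [getattr(exc, "verify_message", str(exc))]
    except OSError as exc:
        return "connect-failed", [str(exc)]


if __name__ == "__main__":
    # Needs network access to the server; every line should read "ok" after the fix.
    for name in NAMES:
        status, detail = check_name(name)
        print(f"{name:28s} {status:14s} {', '.join(detail)}")
```

Before the ssl.conf change this would print "untrusted ... self-signed certificate" for www.welcometohmp.com and "ok" for the other seven; after it, all eight should be "ok". The same loop is worth keeping as a post-renewal check, since a renewed cert that drops a name shows up as "wrong-name" rather than as a browser complaint from a visitor.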
sudo httpd -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80 is a NameVirtualHost
default server welcometohmp.com (/etc/httpd/conf/httpd.conf:85)
port 80 namevhost welcometohmp.com (/etc/httpd/conf/httpd.conf:85)
alias www.welcometohmp.com
port 80 namevhost welcometohmp.co.uk (/etc/httpd/conf/httpd.conf:100)
alias www.welcometohmp.co.uk
port 80 namevhost welcometohmp.uk (/etc/httpd/conf/httpd.conf:115)
alias www.welcometohmp.uk
port 80 namevhost welcometohmp.com.au (/etc/httpd/conf/httpd.conf:130)
alias www.welcometohmp.com.au
*:443 is a NameVirtualHost
default server default.server (/etc/httpd/conf.d/ssl.conf:40)
port 443 namevhost default.server (/etc/httpd/conf.d/ssl.conf:40)
port 443 namevhost welcometohmp.co.uk (/etc/httpd/conf/httpd-le-ssl.conf:2)
alias www.welcometohmp.co.uk
port 443 namevhost welcometohmp.com.au (/etc/httpd/conf/httpd-le-ssl.conf:19)
alias www.welcometohmp.com.au
port 443 namevhost welcometohmp.com (/etc/httpd/conf/httpd-le-ssl.conf:36)
alias www.welcometohmp.com
port 443 namevhost welcometohmp.uk (/etc/httpd/conf/httpd-le-ssl.conf:53)
alias www.welcometohmp.uk
Thanks for the help. Seems to have fixed it, legend. Great help in this place!!!