Certbot on Linux/Apache -- set IP address for port?

My web server is (include version):

  • Apache 2.2

The operating system my web server runs on is (include version):

  • Linux RHEL 6.9

I can login to a root shell on my machine (yes or no, or I don’t know):

  • Yes

I’ve successfully used certbot to set up certificates for virtualhosts on my server. However, I have found that when it (automatically) creates the SSL -specific conf files, it uses a wildcard instead of an IP address when specifying the port:

<VirtualHost *:443>

…but I need it to use a specific IP address (otherwise it tries to serve the same certificate for all domains). I can set this manually if necessary, but I’m wondering if there’s some way to configure certbot to use a specific IP address when creating these files?

Thanks in advance for any help.

Unless your server responds to multiple IP addresses, setting the IP won't make much of a difference.
More likely, this may be the only virtual host with :443, so it becomes the "default" and any 443 request on your IP will be handled by this virtual host - despite any servername/serveralias mismatch.

Thanks for the reply, rg305

That’s exactly what it does: it has separate IP addresses for port 80 and port 443. And the server hosts multiple virtual hosts – several of which are already set up with SSL certificates (not created using LE) which are running happily on the 443-only IP address.

If I manually edit the config files that certbot creates and set the IP address for port 443. it all works fine. But I’d rather not have to remember to do that, if I can run certbot and have it set the IP address automatically.

I think certbot won't create virtual hosts for you.
So if setup all your virtual hosts with IP:port instead of *:port then it should go smoothly from there.

Thanks again rg305, but certbot does indeed create a virtual host config file (a separate one, just for SSL), and populates it automatically.

So if you have a config file called

www.mydomain.com.conf

certbot creates a new file called

www.mydomain.com-le-ssl.conf

And populates it with an entire VHOST record, including the necessary directives for handling SSL.

Apache can handle SNI - why aren’t you just using the ServerName directive?

Hi Jared,

I am using the servername directive, and it is working with SNI (all SSL-enabled domains are using the same IP address for port 443). Here’s the VHOST config that certbot creates – it’s basically a copy of the original (non-SSL) VHOST config that I created, with the port changed and the SSL directives added.

<VirtualHost *:443>
 # General
  ServerAdmin someone@mydomain.com
  DocumentRoot /var/www/vhosts/www.mydomain.com/httpdocs/
  ServerName www.mydomain.com
  ServerAlias mydomain.com
# Logging
  ErrorLog /var/log/httpd/error_log
  CustomLog /var/log/httpd/access_log common
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/chain.pem
</VirtualHost>

So how does this come into play?:

When you later also add:
"all SSL-enalbed domains are using the same IP address for port 443"

As I’ve explained, where it says

<VirtualHost *:443>

I need it to say

<VirtualHost 1.2.3.4:443>

…because without that, Apache will just serve the same certificate for all domains (the first in the list, I believe). All the existing vhosts have the IP address set (instead of using a wildcard) and work fine.

This doesn't add up.

Well, all I can tell you is that it works. I’m by no means an expert, and while I was involved in some of the setup of the server, I also had to rely on help from the host’s support team to get it all working. But it does work, as long as the IP address is set in the VHOST.

It’s possible that your setup is old enough that it doesn’t support SNI. Certbot’s Apache plugin assumes that you’re running something new enough to support that technology. To confirm, can you run “openssl version” and “apachectl -v” and reply with the output?

I’m pretty sure it does support SNI, but just in case:

OpenSSL 1.0.1e-fips 11 Feb 2013

Server version: Apache/2.2.15 (Unix)
Server built:   Jul 26 2017 05:23:12

Hi @Filofox,

I can double-check, but my impression is that Certbot doesn’t currently include the option that you want. As a workaround, perhaps you could make a sed script to change the configuration file the way you want it.

For example

sed -i 's/VirtualHost \*:443/VirtualHost 192.168.42.42:443/' /etc/apache2/sites-available/*-le-ssl.conf

I don’t understand the particular issue well enough to know whether I agree or disagree that this distinction should matter in terms of Apache’s behavior.

Hi schoen,

OK thanks for the reply, I suspect you’re right (having spent the afternoon trawling the docs and Googling away) but I thought I’d check.

I’ll admit I don’t really understand the ins and outs of what Apache is doing, either – but it works and that’s good enough for me.

That should allow SNI support. It’s possible you don’t have the “NameVirtualHost *:443” directive in your configuration. You can see this wiki article for more information.

Alternately, you can do as schoen suggests to force a specific IP.

Apache HTTPd prior to 2.3.11 requires NameVirtualHost to be set to enable name-based hosting. The issue is likely a combination of that directive not being enabled for port 443 (stopping SNI from working properly) and the affected configuration file being used as the “default” host overriding the more specific VirtualHosts.

Hm, well ports.conf has the following:

Listen 80
NameVirtualHost *:80

Listen 443
NameVirtualHost 1.2.3.4:443

<IfModule mod_ssl.c>
NameVirtualHost *:443
</IfModule>

I didn’t create or edit this file, so that must be something that the host’s support team did.

I recall there was an issue where non-SSL sites that share the same server were responding to SSL requests (using the ‘default’ SSL certificate) which is why the separate IP address was required.

It’s possible. I’m not sure what to suggest if that file is being read for the configuration, as it should allow SNI based on the versions of components you reported.

OK well thanks everyone for your responses. I think the answer is just (as schoen suggested) that I’ll need to manually (or with a script) set the IP address after the VHOST file is created.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.