The operating system my web server runs on is (include version):
Linux RHEL 6.9
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’ve successfully used certbot to set up certificates for virtualhosts on my server. However, I have found that when it (automatically) creates the SSL -specific conf files, it uses a wildcard instead of an IP address when specifying the port:
<VirtualHost *:443>
…but I need it to use a specific IP address (otherwise it tries to serve the same certificate for all domains). I can set this manually if necessary, but I’m wondering if there’s some way to configure certbot to use a specific IP address when creating these files?
Unless your server responds to multiple IP addresses, setting the IP won't make much of a difference.
More likely, this may be the only virtual host with :443, so it becomes the "default" and any 443 request on your IP will be handled by this virtual host - despite any servername/serveralias mismatch.
That's exactly what it does: it has separate IP addresses for port 80 and port 443. And the server hosts multiple virtual hosts -- several of which are already set up with SSL certificates (not created using LE) which are running happily on the 443-only IP address.
If I manually edit the config files that certbot creates and set the IP address for port 443. it all works fine. But I'd rather not have to remember to do that, if I can run certbot and have it set the IP address automatically.
I think certbot won't create virtual hosts for you.
So if setup all your virtual hosts with IP:port instead of *:port then it should go smoothly from there.
I am using the servername directive, and it is working with SNI (all SSL-enabled domains are using the same IP address for port 443). Here’s the VHOST config that certbot creates – it’s basically a copy of the original (non-SSL) VHOST config that I created, with the port changed and the SSL directives added.
<VirtualHost *:443>
# General
ServerAdmin someone@mydomain.com
DocumentRoot /var/www/vhosts/www.mydomain.com/httpdocs/
ServerName www.mydomain.com
ServerAlias mydomain.com
# Logging
ErrorLog /var/log/httpd/error_log
CustomLog /var/log/httpd/access_log common
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/chain.pem
</VirtualHost>
…because without that, Apache will just serve the same certificate for all domains (the first in the list, I believe). All the existing vhosts have the IP address set (instead of using a wildcard) and work fine.
Well, all I can tell you is that it works. I’m by no means an expert, and while I was involved in some of the setup of the server, I also had to rely on help from the host’s support team to get it all working. But it does work, as long as the IP address is set in the VHOST.
It’s possible that your setup is old enough that it doesn’t support SNI. Certbot’s Apache plugin assumes that you’re running something new enough to support that technology. To confirm, can you run “openssl version” and “apachectl -v” and reply with the output?
I can double-check, but my impression is that Certbot doesn’t currently include the option that you want. As a workaround, perhaps you could make a sed script to change the configuration file the way you want it.
For example
sed -i 's/VirtualHost \*:443/VirtualHost 192.168.42.42:443/' /etc/apache2/sites-available/*-le-ssl.conf
I don’t understand the particular issue well enough to know whether I agree or disagree that this distinction should matter in terms of Apache’s behavior.
That should allow SNI support. It's possible you don't have the "NameVirtualHost *:443" directive in your configuration. You can see this wiki article for more information.
Alternately, you can do as schoen suggests to force a specific IP.
Apache HTTPd prior to 2.3.11 requires NameVirtualHost to be set to enable name-based hosting. The issue is likely a combination of that directive not being enabled for port 443 (stopping SNI from working properly) and the affected configuration file being used as the "default" host overriding the more specific VirtualHosts.
I didn’t create or edit this file, so that must be something that the host’s support team did.
I recall there was an issue where non-SSL sites that share the same server were responding to SSL requests (using the ‘default’ SSL certificate) which is why the separate IP address was required.
It’s possible. I’m not sure what to suggest if that file is being read for the configuration, as it should allow SNI based on the versions of components you reported.
OK well thanks everyone for your responses. I think the answer is just (as schoen suggested) that I’ll need to manually (or with a script) set the IP address after the VHOST file is created.