Mixing Wildcard and Site Specific Certs

Hi,

I'm currently configured with a wildcard cert for my domain (siddique.ca) that I use for some of my internally focused websites as well as for other things like home automation. I wanted to create a couple of websites I could host for my kids, thecookieavenue.com and vuerto.ca. I created specific certs for each of the kid ones.

On my Ubuntu Server running Apache, the config for the sites seems to be fine. However, when I try to open any of the child sites, it redirects to my siddique.ca wildcard.

Is there any way to have it so the same host can use the wildcard for some sites (about 4 in total) and specific certs for the two others, cookie and vuerto? Currently using certbot 2.11.0.

Thanks,

Siddique

1 Like

Sure, you just have a VirtualHost for each set of domain names related to the cert for them. You use ServerName and ServerAlias statements to list the names handled by that VirtualHost.

What does this show?

sudo apache2ctl -t -D DUMP_VHOSTS

You may need apachectl or httpd for your system. You did not answer the questions you should have been shown so I don't know which is correct.

This is more an Apache config issue than it is a cert issue. Although, depending how you requested the cert it may affect the auto-renewal. Showing the command(s) you used to get the cert would help us advise you better.

3 Likes

Thanks Mike.
I apologize for not answering those questions but I had thought they might not be related to what I was asking.

Regarding the output of the dump hosts:

VirtualHost configuration:
173.183.225.166:443    is a NameVirtualHost
         default server d173-183-225-166.abhsia.telus.net (/etc/apache2/sites-enabled/farley-le-ssl.conf:1)
         port 443 namevhost d173-183-225-166.abhsia.telus.net (/etc/apache2/sites-enabled/farley-le-ssl.conf:1)
         port 443 namevhost d173-183-225-166.abhsia.telus.net (/etc/apache2/sites-enabled/fool-le-ssl.conf:1)
         port 443 namevhost d173-183-225-166.abhsia.telus.net (/etc/apache2/sites-enabled/pantheon-le-ssl.conf:1)
         port 443 namevhost d173-183-225-166.abhsia.telus.net (/etc/apache2/sites-enabled/personal-le-ssl.conf:1)
173.183.225.166:80     is a NameVirtualHost
         default server farley.siddique.ca (/etc/apache2/sites-enabled/farley.conf:1)
         port 80 namevhost farley.siddique.ca (/etc/apache2/sites-enabled/farley.conf:1)
         port 80 namevhost fool.siddique.ca (/etc/apache2/sites-enabled/fool.conf:1)
         port 80 namevhost pantheon.siddique.ca (/etc/apache2/sites-enabled/pantheon.conf:1)
         port 80 namevhost personal.siddique.ca (/etc/apache2/sites-enabled/personal.conf:1)
*:443                  is a NameVirtualHost
         default server thecookieavenue.com (/etc/apache2/sites-enabled/cookie-le-ssl.conf:2)
         port 443 namevhost thecookieavenue.com (/etc/apache2/sites-enabled/cookie-le-ssl.conf:2)
         port 443 namevhost vuerto.ca (/etc/apache2/sites-enabled/vuerto-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server thecookieavenue.com (/etc/apache2/sites-enabled/cookie.conf:1)
         port 80 namevhost thecookieavenue.com (/etc/apache2/sites-enabled/cookie.conf:1)
         port 80 namevhost vuerto.ca (/etc/apache2/sites-enabled/vuerto.conf:1)

Looking at this, I can see what you mean about this being more of an Apache issue with the defaults set the way they are. In my conf files for each one, I did set the server names but I hadn't updated the aliases. I'll try to do that now.

2 Likes

In those two config files you have a VirtualHost statement using the IP-based method. You need to change that to name based by changing their VirtualHost statements so they are like your new ones. So like these

<VirtualHost *:80>
<VirtualHost *:443>

Mixing IP-based and name-based VHosts is often problematic. The IP-based ones "latch" onto the incoming request first, which is why you see all your requests going to the same place.

4 Likes
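The two shapes Mike contrasts, written out as an added example that is not from the original thread: the IP-bound form that appears in the dump above, and the name-based form it should be replaced with so the wildcard-cert sites and the single-name sites coexist on one host. Certificate paths follow certbot's /etc/letsencrypt/live/<lineage>/ layout; the lineage names are assumptions.

```apache
# BEFORE (problematic): a VirtualHost bound to the explicit IP:port.
# Apache picks the closest address match first, and 173.183.225.166:443
# is a closer match than *:443 for every connection arriving at that IP.
# Only the IP-bound VirtualHosts are then considered for name matching,
# so a request for vuerto.ca (defined under *:443) never reaches its
# own VirtualHost and falls back to the first IP-bound one.
<VirtualHost 173.183.225.166:443>
    ServerName farley.siddique.ca
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/siddique.ca/fullchain.pem   # wildcard lineage (assumed name)
    SSLCertificateKeyFile /etc/letsencrypt/live/siddique.ca/privkey.pem
</VirtualHost>

# AFTER: every VirtualHost uses *:443, so selection is purely by the
# SNI name on the TLS handshake (and the Host header afterwards).
# The wildcard cert is reused by each *.siddique.ca VirtualHost; each
# kid site carries its own single-name cert.
<VirtualHost *:443>
    ServerName farley.siddique.ca
    ServerAlias www.farley.siddique.ca                # extra names for this site (assumed)
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/siddique.ca/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/siddique.ca/privkey.pem
</VirtualHost>

<VirtualHost *:443>
    ServerName thecookieavenue.com
    ServerAlias www.thecookieavenue.com               # assumed
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/thecookieavenue.com/fullchain.pem   # site-specific lineage (assumed name)
    SSLCertificateKeyFile /etc/letsencrypt/live/thecookieavenue.com/privkey.pem
</VirtualHost>

<VirtualHost *:443>
    ServerName vuerto.ca
    ServerAlias www.vuerto.ca                         # assumed
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/vuerto.ca/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/vuerto.ca/privkey.pem
</VirtualHost>
```

After the change, `sudo apache2ctl -t -D DUMP_VHOSTS` should list every name under a single `*:443` NameVirtualHost entry rather than splitting them between an IP-bound block and a `*:443` block.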

Thanks Mike. I think the fact that I used to change the VirtualHost to be named individually is a holdover from some old config I had where having it as just a wildcard didn't work. That said, I did correct as per your suggestions and things are looking like they're working now.

Thank you for your help.

3 Likes

No worries. If all your VirtualHosts named the correct IP it also would have worked. It is just easier to manage by using the *:port format (which relies purely on SNI then), except for the very unusual cases where IP:Port is required :)

4 Likes