Multiple domain / 1 ip 1 webroot

I’m running different websites (prestashop multi-domain) on my VDS, which are all in the same folder/webroot and all using the same IP.

I have already done:

certbot-auto certonly -w /home/sitexxx/web/www -d example.com -d www.example.com

And I am planning:

certbot-auto certonly -w /home/sitexxx/web/www -d example1.com -d www.example1.com
certbot-auto certonly -w /home/sitexxx/web/www -d example2.com -d www.example2.com
certbot-auto certonly -w /home/sitexxx/web/www -d example3.com -d www.example3.com

But I don’t know how I could define one certificate per domain?
If I add a vhost conf with
or <VirtualHost *:443>
Will the same cert be applied to all?

I guess I should use SNI:

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /home/sitexxx/web/www

    SSLCertificateFile      /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example1.com
    DocumentRoot /home/sitexxx/web/www

    SSLCertificateFile      /etc/letsencrypt/live/example1.com/fullchain.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example1.com/fullchain.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/example1.com/privkey.pem
</VirtualHost>

Is it correct?

Roughly, yes.

(Without your domain name and details I can’t be certain.)

If, to start, I wish to listen on 443 for only one site,
is there a way?

Because as soon as I add listen: 443, the server will listen and reply to HTTPS requests.

Apache will always reply with the first certificate in the first <VirtualHost> section if it gets a request for a hostname it doesn't recognise elsewhere. This is troublesome if the hostname entered by the user is different from this default hostname.

But I'm not sure I see the problem: most users will just type in the hostname, without the https:// in front of it. 99,99 % of the time, it's the webserver maintainer's responsibility to redirect HTTP to HTTPS. If you're just redirecting for one domain, then other domains shouldn't be affected.

Also, the following is redundant:

If you have Apache 2.4.8 or above, then SSLCertificateChainFile is deprecated and having SSLCertificateFile point to fullchain.pem is perfect. If you have an Apache version lower than 2.4.8, then you should point SSLCertificateFile to cert.pem and SSLCertificateChainFile to chain.pem. I'm not sure if Apache <2.4.8 will understand fullchain.pem if entered in the two directives.

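The two points in the reply above (the first `<VirtualHost>` acts as the default for unrecognised hostnames, and the certificate file pairing depends on whether Apache is older than 2.4.8) can be checked mechanically. The following is an added example, not code from any poster in this thread; the sample config, the version tuples and the function names `parse_vhosts` and `lint` are constructed for illustration.

```python
import re

# Constructed sample: the first vhost repeats the thread's original config,
# the second uses the cert.pem + chain.pem pairing meant for Apache < 2.4.8.
SAMPLE = """\
<VirtualHost *:443>
    ServerName www.example.com
    SSLCertificateFile      /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/fullchain.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example1.com
    SSLCertificateFile      /etc/letsencrypt/live/example1.com/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example1.com/chain.pem
</VirtualHost>
"""

def parse_vhosts(conf):
    """Return one {directive: value} dict per :443 vhost, in file order."""
    blocks = re.findall(r"<VirtualHost\s+[^>]*:443>(.*?)</VirtualHost>", conf, re.S | re.I)
    vhosts = []
    for body in blocks:
        pairs = (line.split(None, 1) for line in body.splitlines())
        vhosts.append({p[0].lower(): p[1].strip() for p in pairs
                       if len(p) == 2 and not p[0].startswith("#")})
    return vhosts

def lint(conf, version):
    """version is a tuple such as (2, 2, 15). Returns (default_vhost, findings)."""
    vhosts, findings = parse_vhosts(conf), []
    for vh in vhosts:
        name = vh.get("servername", "<unnamed>")
        cert = vh.get("sslcertificatefile", "").rsplit("/", 1)[-1]
        chain = vh.get("sslcertificatechainfile", "").rsplit("/", 1)[-1]
        if version >= (2, 4, 8):
            if chain:
                findings.append((name, "drop deprecated SSLCertificateChainFile"))
            if cert != "fullchain.pem":
                findings.append((name, "SSLCertificateFile should be fullchain.pem"))
        else:
            if cert != "cert.pem":
                findings.append((name, "SSLCertificateFile should be cert.pem"))
            if chain != "chain.pem":
                findings.append((name, "SSLCertificateChainFile should be chain.pem"))
    # Apache answers unrecognised hostnames with the first vhost's certificate.
    default = vhosts[0].get("servername") if vhosts else None
    return default, findings

if __name__ == "__main__":
    for ver in ((2, 2, 15), (2, 4, 10)):
        print(ver, lint(SAMPLE, ver))
```

The reported default vhost is the one whose certificate a client sees when it asks for a hostname that has no HTTPS vhost yet, which is the name-mismatch case to watch for while domains are being migrated one at a time.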

OK, so
I will just at first redirect https --> http until all tests have succeeded and then redirect http --> https.

If the user types the hostname without http or https, who chooses?
The browser or the server?
What is the order?

So as I am on Apache 2.2,
I should type:

SSLCertificateFile /etc/letsencrypt/live/example1.com/chain.pem
SSLCertificateChainFile /etc/letsencrypt/live/example1.com/chain.pem

The client's browser. Normally, it will choose HTTP, unless you've set an HSTS header or HSTS preload. Any redirect to HTTPS will be done by your server otherwise, if you've set that up of course.

No. That's incorrect. Please read carefully....

Sorry, so:

SSLCertificateFile /etc/letsencrypt/live/example1.com/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/example1.com/chain.pem

Correct.  
