I have several virtual hosts (A, B, C) on a single apache setup on 14.04.
I got a certificate for A&B, but C is an unrelated site and doesn’t need a certificate.
Going to http://C works fine, but if I now go to https://C it complains that it has a bad certificate, one intended for A & B.
Also, Google is now indexing https://C as if it is a mirror of A&B.
When I created the certificate, A, B, and C all had the ServerName set to localhost and were differentiated using ServerAliases, (A&B on one virtual host) and (C) on another virtual host. I suspect that having the same servername is the issue. But changing the servername for A&B to localhost.AB seems to have made no difference.
Should I change my certificate or my site configurations?
Is there any reason not to have C be on TLS as well?
It could be on TLS, but it's a totally separate unrelated domain.
- You have 3 domains sharing the same public ip.
- You have configured your web server to use NameVirtualHost so you have configured Apache to listen on port 443 on your public IP.
- Apache will serve requests based on the domain name because you are using NameVirtualHost.
- As you have not defined a VirtualHost on port 443 for domain C, Apache doesn't know what to serve and will always default to the first VirtualHost defined on port 443 (that is the reason you get a bad certificate for domain C: Apache is serving the content of domain A).
Conclusion: This is how Apache works.
Solution: Issue a certificate for domain C and create a VirtualHost on port 443 for it.
Or if you actively don’t want domain C to be available in HTTPS, you could move it to a separate IP address. (I agree with @sahsanu that if you’re sharing an IP address, you can’t completely prevent clients from attempting to access any of the sites in HTTPS, and then Apache won’t know exactly what to do for sites that don’t have an HTTPS virtual host defined with a matching certificate. In theory clients should not commonly attempt to access sites in HTTPS today unless there are associated links or redirections that suggest it.)
I have now set up a default 443 that simply goes to
You don’t have permission to access / on this server.
Hopefully it will keep Google from confusing my real https sites with certificates from those that have no certificate.
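The catch-all approach described in the last post, written out as an added example (it is not a configuration posted by anyone in this thread). The hostnames `a.example`/`b.example`, the file names, and the certificate paths are assumptions; the snakeoil certificate is the self-signed one installed by Ubuntu's `ssl-cert` package.

```apache
# --- sites-enabled/000-default-ssl.conf (assumed name) ---
# Apache picks the FIRST matching *:443 vhost when no ServerName/ServerAlias
# matches the requested name, so this file must sort before the real sites.
<VirtualHost *:443>
    # Placeholder name that no real site uses (constructed value)
    ServerName default.invalid

    SSLEngine on
    # Self-signed certificate: unmatched names no longer receive A&B's cert
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    # Refuse everything, so crawlers cannot index A&B's content under C's name
    <Location />
        Require all denied
    </Location>
</VirtualHost>

# --- sites-enabled/ab-ssl.conf (assumed name) ---
# The real HTTPS site. Distinct ServerName instead of "localhost".
<VirtualHost *:443>
    ServerName  a.example
    ServerAlias b.example

    SSLEngine on
    # Paths are assumptions; point these at the certificate issued for A&B
    SSLCertificateFile      /etc/letsencrypt/live/a.example/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/a.example/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/a.example/chain.pem

    DocumentRoot /var/www/ab
</VirtualHost>

# Domain C keeps only its existing *:80 vhost; https://C now lands on the
# catch-all above and gets a 403 instead of A&B's pages.
```

A client that visits https://C still sees a certificate warning, because no certificate covers C. `apache2ctl -S` lists the vhosts per port and shows which one is the default for `*:443`.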