Wildcard SSL certificate issues in combination with SSLUseStapling

Discussion in 'Developers' Forum' started by HHGAG, Sep 15, 2015.

  1. HHGAG

    HHGAG New Member

    Hi there,

    SSLUseStapling On

    causes issues with wildcard SSL certificates, because
    *.domain.tld
    is prohibited as the domain name in the site creation form, so the
    ServerName
    won't get the CN of the certificate, and the result is a non-starting Apache server.
     
    Last edited: Sep 15, 2015
  2. RHITNL

    RHITNL Member

    Do you enter *.domain.tld as domain or website? I got it running with nginx and used domain.tld, which is the way it should be, I guess.
     
  3. HHGAG

    HHGAG New Member

    No, I don't. It isn't possible in ISPConfig, but the SSL configuration uses SSLUseStapling, which causes an exception on Apache restart. I've switched it off in the vhost template to get it to work. Wildcard certificates usually have canonical names like *.domain.tld; SSLUseStapling compares the CN and the ServerName, which fails in this case due to the missing wildcard in the ServerName.
    The exception message is: "RSA certificate configured for does NOT include an ID which matches the server name"

    I don't need a solution for that, but it should be known and switched off or removed from the template; Apache doesn't need this check to start with SSL.
     
  4. RHITNL

    RHITNL Member

    I have it set in nginx.conf but have only one wildcard domain set up for SSL. Not sure how this will work when another domain needs SSL. Can you post your config to show how you did it?
     
  5. HHGAG

    HHGAG New Member

    The website is configured as
    shop.domain.tld => ServerName
    with auto wildcard, so *.shop.domain.tld => ServerAlias
    The CN of the SSL certificate is
    *.shop.domain.tld
    Apache matches the CN against the ServerName, which won't match in this case. The alternative would be to set up every sub-sub-domain as a website and bind-mount its directory onto the first one; in this case you have to set the open_basedir of all the other vHosts to each other, to use the same code for cases like
    en.shop.domain.tld
    de.shop.domain.tld
    etc.
     
  6. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    I don't understand this. Every good wildcard certificate should have the main domain as alternative name in it. So the ServerName would match this alternative name. We use such a wildcard certificate without problems.
     
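The disagreement in posts 5 and 6 comes down to one rule: the ServerName of the vhost has to be covered by an identity in the certificate, and a wildcard identity like *.shop.domain.tld covers en.shop.domain.tld but not the bare shop.domain.tld. The following is an added example (not code from this thread, from ISPConfig or from Apache httpd) that models that RFC 6125-style matching in Python and reproduces the warning text quoted in post 3 for the two certificates discussed here. All hostnames and certificate contents below are constructed for the example; the names CertIdentities, identity_matches, matching_identity and startup_check are assumptions of this example, not Apache or ISPConfig APIs.

```python
"""Model of the ServerName-versus-certificate identity check discussed above.

Added example; it reimplements the matching rule in pure Python rather than
parsing a real certificate: a hostname is covered when it equals the subject
CN or a dNSName SAN, and a wildcard stands for exactly one leftmost DNS label.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Wording as quoted in post 3 of the thread; used here as a template only.
WARNING = ("RSA certificate configured for {name} does NOT include an ID "
           "which matches the server name")


@dataclass
class CertIdentities:
    """Host identities a server certificate carries (constructed, not parsed)."""
    cn: str
    sans: List[str] = field(default_factory=list)

    def names(self) -> List[str]:
        return [self.cn] + list(self.sans)


def _normalise(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot is the same name.
    return name.strip().lower().rstrip(".")


def identity_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate identity (possibly a wildcard) covers hostname."""
    pattern, hostname = _normalise(pattern), _normalise(hostname)
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only the whole leftmost label may be a wildcard, and not directly under a TLD.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]) or len(p_labels) < 3:
        return False
    # One label only: *.shop.domain.tld covers en.shop.domain.tld,
    # but neither shop.domain.tld nor en.de.shop.domain.tld.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def matching_identity(cert: CertIdentities, hostname: str) -> Optional[str]:
    """Return the first identity in cert that covers hostname, else None."""
    for identity in cert.names():
        if identity_matches(identity, hostname):
            return identity
    return None


def startup_check(server_name: str, cert: CertIdentities) -> Optional[str]:
    """None when the ServerName is covered, otherwise the warning text."""
    if matching_identity(cert, server_name) is not None:
        return None
    return WARNING.format(name=server_name)


# Constructed scenario from post 5: bare host as ServerName, language hosts as aliases.
SERVER_NAME = "shop.domain.tld"
ALIAS_HOSTS = ["en.shop.domain.tld", "de.shop.domain.tld"]

# The customer's certificate as described in post 7: wildcard CN, no SAN for the bare host.
CUSTOMER_CERT = CertIdentities(cn="*.shop.domain.tld")
# A wildcard certificate of the kind post 6 describes: the main domain is also a SAN.
GOOD_CERT = CertIdentities(cn="*.shop.domain.tld", sans=["shop.domain.tld"])

if __name__ == "__main__":
    for label, cert in (("customer cert", CUSTOMER_CERT), ("good cert", GOOD_CERT)):
        print(f"{label}: ServerName {SERVER_NAME} -> {startup_check(SERVER_NAME, cert)}")
        for host in ALIAS_HOSTS:
            print(f"  {host} covered by {matching_identity(cert, host)}")
```

Running it shows the two outcomes from the thread side by side: the customer certificate covers both alias hosts but produces the warning for the ServerName, while the certificate with shop.domain.tld as an additional SAN passes. The thread reports the mismatch as fatal on their Apache with SSLUseStapling enabled; this model only reports the message, it does not claim anything about how a given Apache version treats it.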
  7. HHGAG

    HHGAG New Member

    Hi,
    what should I say, it's a customers Thawte Class 2 certificate :)
    Our own certificates would include it ^^
     
    Last edited: Sep 16, 2015
  8. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    I don't know if this works, but have you tried adding a "ServerName *.xxxxxx" into the apache directives field? I am not sure if it produces an error or overrides the previous entry.
     
  9. HHGAG

    HHGAG New Member

    No, Apache doesn't like duplicate ServerName definitions :)
     