Hi there, SSLUseStapling On causes issues with wildcard SSL certificates because *.domain.tld is prohibited as the domain name in the site creation form, so the ServerName won't get the CN of the certificate and the result is a non-starting Apache server.
Do you enter *.domain.tld as domain or website? I got it running with nginx and used domain.tld, which is the way it should be, I guess.
No, I don't. It isn't possible in ISPConfig, but the SSL configuration uses SSLUseStapling, which causes an exception on Apache restart. I've switched it off in the vhost template to get it working. Wildcard certificates usually have canonical names like *.domain.tld; SSLUseStapling compares CN and ServerName, which fails in this case due to the missing wildcard in ServerName. The exception message is: "RSA certificate configured for does NOT include an ID which matches the server name". I don't need a solution for that, but it should be known and switched off or removed from the template; Apache doesn't need this check to start with SSL.
I have it set in nginx.conf but have only one wildcard domain set up for SSL. Not sure how this will work when another domain needs SSL. Can you post your config to show how you did it?
The website is configured as shop.domain.tld => ServerName, with auto wildcard, so *.shop.domain.tld => ServerAlias. The CN of the SSL certificate is *.shop.domain.tld; Apache matches the CN with the ServerName, which won't match in this case. An alternative would be to set up every sub-subdomain as a website and mount their directories with the bind option to the first one; in this case you have to set open_basedir of all other vhosts to each other, to use the same code for cases like en.shop.domain.tld, de.shop.domain.tld, etc.
I don't understand this. Every good wildcard certificate should have the main domain as an alternative name in it, so the ServerName would match this alternative name. We use such a wildcard certificate without problems.
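An added check, not from this thread or from ISPConfig, that models the host-name matching the two posts above describe: a wildcard identity such as *.shop.domain.tld covers exactly one label, so it never covers shop.domain.tld itself, while a certificate that also lists shop.domain.tld as a subjectAltName covers the ServerName too. The certificate name lists and host names are constructed samples; the one-label wildcard rule follows RFC 6125 and is assumed to be what Apache applies.

```python
# Constructed sample identities (CN plus subjectAltNames) of two wildcard
# certificates: the customer's one from the thread, and the "good" variant
# that also lists the base name as an alternative name.
CUSTOMER_CERT_NAMES = ["*.shop.domain.tld"]
GOOD_CERT_NAMES = ["*.shop.domain.tld", "shop.domain.tld"]


def name_matches(cert_name: str, hostname: str) -> bool:
    """RFC 6125-style comparison: a leading '*' covers exactly one DNS label."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname          # plain name: exact match only
    suffix = cert_name[1:]                    # e.g. ".shop.domain.tld"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]          # the part the '*' must cover
    return bool(label) and "." not in label   # one non-empty label, no dots


def identity_ok(cert_names, hostname: str) -> bool:
    """True if any certificate identity matches the given host name."""
    return any(name_matches(n, hostname) for n in cert_names)


def check_vhost(cert_names, server_name: str, sample_hosts):
    """Report whether ServerName is covered, plus coverage of sample hosts.

    Apache's complaint in the thread is about the ServerName entry, so that
    result is returned separately from the per-host breakdown.
    """
    return {
        "server_name_ok": identity_ok(cert_names, server_name),
        "hosts": {h: identity_ok(cert_names, h) for h in sample_hosts},
    }


if __name__ == "__main__":
    hosts = ["en.shop.domain.tld", "de.shop.domain.tld", "a.b.shop.domain.tld"]
    for label, names in (("customer", CUSTOMER_CERT_NAMES), ("good", GOOD_CERT_NAMES)):
        print(label, check_vhost(names, "shop.domain.tld", hosts))
```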
Hi, what should I say, it's a customer's Thawte Class 2 certificate. Our own certificates would include it ^^
I don't know if this works, but have you tried adding "ServerName *.xxxxxx" to the Apache directives field? I'm not sure if it produces an error or overrides the previous entry.