I got a startssl wildcard cert but now I noticed strange issues. No matter if SSL is enabled or not: a different (earlier it was my) root domain website is displayed for all other domains having SSL disabled. As a response I thought I should create at least an unsigned cert for the domain which gets loaded now; the SSL site from this domain gets loaded on port 443 on about every site where SSL is disabled as it has no cert. Check out here > hxxps://ispc.lightserver.at/ or hxxps://ihrebuchhalter.at/ or hxxps://ferienhaus-bretagne.at/ Very strange indeed.

curl shows: curl: (35) error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)

My SSL domain still works as it should, but for a handful of other sites it's not the best option. Is it a bug?

Looks like that's the cause for the behaviour:

Code:
/# curl -v --ssl https://ispc.lightserver.at/
* Trying 192.168.100.211...
* Connected to ispc.lightserver.at (192.168.100.211) port 443 (#0)
* found 172 certificates in /etc/ssl/certs/ca-certificates.crt
* found 699 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* gnutls_handshake() warning: The server name sent was not recognized
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
* Closing connection 0
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

gnutls_handshake() warning: The server name sent was not recognized

apache2 error.log shows:
[warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
That's no bug, what you describe is the default behaviour of apache, so not related to the use of a wildcard cert or ISPConfig. When you have more than one website on an IP address, then enable SSL for all of them or use a dedicated IP for SSL. Otherwise apache will show you the first website that it finds on port 443 when no matching vhost with the right domain / ip combination is found.
Thanks till, but wouldn't a default-ssl serve the purpose to show at least only a blank page? Or disabling it and copying it to 000.vhost or something?
If you want to have an SSL default vhost (which will show an SSL error as the SSL cert is always wrong for this host), then run: a2ensite default-ssl on Ubuntu and Debian and restart apache.
That's what I did, but it still shows my site on any site that doesn't have SSL enabled instead of the default apache2 page.
In ispconfig.vhost it shows:

Code:
NameVirtualHost *:[MyISPconfigSSLPort]

It's a little critical in this case as my site is served for the SSL version of notdienst-moedling.at, which is a partner who works in a similar area, so he mistyped the URL with SSL yesterday and saw my site is served. I recommended him to buy an SSL cert anyway, but ... it's not ideal like that.
The ispconfig.vhost file is not related to your SSL websites at all. The SSL vhost of your website is the vhost file of your website.
Edit the ssl default vhost from debian and change the vhost line to <VirtualHost *:443> and then restart apache.
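The catch-all SSL vhost described in this thread, written out as an added example (not from the thread, ISPConfig, or Debian's stock default-ssl file); the file name, the empty DocumentRoot, the snakeoil certificate paths and Apache 2.4 access syntax are assumptions:

```apache
# /etc/apache2/sites-available/000-default-ssl.conf (assumed name: the "000-"
# prefix sorts it before every per-site vhost, so Apache uses it as the default
# for any hostname on port 443 that no other vhost claims)
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        # Deliberately no ServerName: this vhost exists only to be the first
        # match on *:443, so a mistyped or SNI-less request lands here instead
        # of on a real customer site.
        DocumentRoot /var/www/empty            # assumed: an empty directory

        SSLEngine on
        # Self-signed placeholder cert (assumed paths). Clients get a
        # certificate warning, which is the intended outcome: nothing from a
        # real site is ever served under the wrong name.
        SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

        # Clients that send no SNI name at all get a 403 rather than the
        # default site (mod_ssl directive; on Apache 2.2 this needs >= 2.2.12).
        SSLStrictSNIVHostCheck on

        <Directory /var/www/empty>
            # Apache 2.4 syntax; on 2.2 use "Order deny,allow" / "Deny from all"
            Require all denied
        </Directory>

        ErrorLog  ${APACHE_LOG_DIR}/default-ssl-error.log
        CustomLog ${APACHE_LOG_DIR}/default-ssl-access.log combined
    </VirtualHost>
</IfModule>
```

After a2ensite 000-default-ssl and an Apache restart, check with openssl s_client -connect yourserver:443 -servername some-unmatched-name.example that an unknown name now receives the placeholder certificate rather than a real site's, and watch the default-ssl access log for the mistyped-URL traffic that used to reach your own site.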