wildcard cert causes curious behaviour

Discussion in 'Installation/Configuration' started by dynamind, Jul 21, 2015.

  1. dynamind

    dynamind Member

    I got a startssl wildcard cert but now I noticed strange issues.
    No matter if SSL is enabled or not:
    a different (earlier it was my) root domain website is displayed for all other domains having SSL disabled.
    as a response I thought I should create at least an unsigned cert for the domain which gets loaded now,
    the SSL site from this domain gets loaded on port 443 on about every site where ssl is disabled
    as it has no cert, check out here >


    hxxps://ispc.lightserver.at/
    or
    hxxps://ihrebuchhalter.at/
    or
    hxxps://ferienhaus-bretagne.at/

    very strange indeed.

    curl shows:
    curl: (35) error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)

    my SSL domain still works as it should but for a handful of other sites it's not the best option
    is it a bug?

    looks like that's the cause for the behaviour:

    Code:
    /# curl -v --ssl https://ispc.lightserver.at/
    *   Trying 192.168.100.211...
    * Connected to ispc.lightserver.at (192.168.100.211) port 443 (#0)
    * found 172 certificates in /etc/ssl/certs/ca-certificates.crt
    * found 699 certificates in /etc/ssl/certs
    * ALPN, offering http/1.1
    * gnutls_handshake() warning: The server name sent was not recognized
    * SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
    * server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
    * Closing connection 0
    curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
    More details here: http://curl.haxx.se/docs/sslcerts.html
    
    curl performs SSL certificate verification by default, using a "bundle"
    of Certificate Authority (CA) public keys (CA certs). If the default
    bundle file isn't adequate, you can specify an alternate file
    using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
    the bundle, the certificate verification probably failed due to a
    problem with the certificate (it might be expired, or the name might
    not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
    the -k (or --insecure) option.
    
    gnutls_handshake() warning: The server name sent was not recognized

    apache2 error.log shows:

    [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
     
    Last edited: Jul 22, 2015
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    That's no bug, what you describe is the default behaviour of apache, so not related to the use of a wildcard cert or ISPConfig. When you have more than one website on an IP address, then enable SSL for all of them or use a dedicated IP for SSL. Otherwise apache will show you the first website that it finds on port 443 when no matching vhost with the right domain / ip combination is found.
     
  3. dynamind

    dynamind Member

    thanks till, but wouldn't a default-ssl serve the purpose to show at least only a blank page?
    or disabling it and copy it to 000.vhost or something?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    If you want to have an SSL default vhost (which will show an SSL error as the SSL cert is always wrong for this host), then run:

    a2ensite default-ssl

    on ubuntu and Debian and restart apache.
     
  5. dynamind

    dynamind Member

    that's what I did but it still shows my site on any site that doesn't have ssl enabled instead of the default apache2 page.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Does your site use * or an IP in ispconfig? The default vhost works only for sites with *
     
  7. dynamind

    dynamind Member

    in ispconfig.vhost it shows:
    Code:
    NameVirtualHost *:[MyISPconfigSSLPort]
    it's a little critical in this case as my site is served for the ssl version of notdienst-moedling.at which is a partner who works in a similar area, so he mistyped the url with ssl yesterday and saw my site is served.
    I recommended him to buy an ssl cert anyway, but ... it's not ideal like that.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    The ispconfig.vhost file is not related to your ssl websites at all. The ssl vhost of your website is the vhost file of your website.
     
  9. dynamind

    dynamind Member

    the vhost of my website holds:
    Code:
    <VirtualHost *:443>
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Edit the ssl default vhost from debian and change the vhost line to

    <VirtualHost *:443>

    and then restart apache.
     
  11. dynamind

    dynamind Member

    in default-ssl was
    Code:
    <VirtualHost _default_:443>
    now replaced by
    <VirtualHost *:443>
    
     
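The following is an added example, not code from the thread, from ISPConfig or from Apache. It is a small Python model of the vhost-selection rules the thread runs into (a vhost on a specific IP or on "*" matches every request to that port; a "_default_" vhost is consulted only when no IP/"*" vhost matched the address:port; among matching vhosts the first ServerName/ServerAlias match wins, otherwise the first one in load order is used), plus a wildcard-certificate name check so an administrator can list which host names pointing at the server would land on the wrong site with a mismatching certificate. The IP, host names and certificate names are constructed from the thread; the `VHost`, `select_vhost`, `cert_covers` and `audit` names are this example's own.

```python
"""Simplified model of how Apache picks a vhost for a TLS request (example
code for this thread, not ISPConfig's or Apache's own).

Modelled rules:
  * a vhost on a specific IP or on "*" matches every request to that port;
  * "_default_" vhosts are consulted only when no IP/"*" vhost matched the
    address:port, so they never catch stray SNI names once "*:443" sites exist;
  * among matching vhosts the first whose ServerName/ServerAlias equals the
    SNI name wins, otherwise the first one listed (load order) is served.
Host names, IP and certificate names below are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class VHost:
    addr: str                 # as written in <VirtualHost ...>, e.g. "*:443"
    server_name: str
    aliases: tuple = ()
    cert_names: tuple = ()    # names the vhost's certificate covers (constructed)


def _split(spec):
    host, _, port = spec.rpartition(":")
    return host, int(port)


def select_vhost(vhosts, ip, port, sni_name=None):
    """Return the VHost Apache would serve, or None if nothing listens there."""
    exact_or_any = [v for v in vhosts
                    if _split(v.addr)[1] == port and _split(v.addr)[0] in ("*", ip)]
    # "_default_" is only a fallback for addresses no other vhost claimed
    candidates = exact_or_any or [v for v in vhosts
                                  if _split(v.addr) == ("_default_", port)]
    if not candidates:
        return None
    if sni_name:
        for v in candidates:
            if sni_name == v.server_name or sni_name in v.aliases:
                return v
    return candidates[0]        # no name match: first vhost on that address:port


def cert_covers(cert_names, host):
    """Wildcard check in the usual style: '*.example.at' covers one label only,
    so it matches 'ispc.example.at' but neither 'example.at' nor 'a.b.example.at'."""
    for pattern in cert_names:
        if pattern == host:
            return True
        if pattern.startswith("*.") and host.count(".") == pattern.count("."):
            if host.split(".", 1)[1] == pattern[2:]:
                return True
    return False


def audit(vhosts, ip, port, hostnames):
    """Map each hostname to (serving ServerName, certificate matches?) so an
    admin can see which names on this IP land on another site's vhost."""
    report = {}
    for name in hostnames:
        v = select_vhost(vhosts, ip, port, name)
        report[name] = (v.server_name if v else None,
                        bool(v) and cert_covers(v.cert_names, name))
    return report


# Constructed vhost set in load order: only one site has SSL enabled.
IP = "192.168.100.211"
SITES = [
    VHost("*:443", "ispc.lightserver.at", cert_names=("*.lightserver.at",)),
]
DEFAULT_SSL_ORIG = VHost("_default_:443", "localhost", cert_names=("localhost",))
DEFAULT_SSL_FIXED = VHost("*:443", "localhost", cert_names=("localhost",))
STRAY = ["ihrebuchhalter.at", "ferienhaus-bretagne.at", "ispc.lightserver.at"]

if __name__ == "__main__":
    for label, conf in (("no default vhost", SITES),
                        ("_default_:443 loaded first", [DEFAULT_SSL_ORIG] + SITES),
                        ("*:443 default loaded first", [DEFAULT_SSL_FIXED] + SITES)):
        print(label, audit(conf, IP, 443, STRAY))
```

Running it shows the three states from the thread: with no default vhost, or with a `_default_:443` one, every non-SSL domain is answered by the one `*:443` site and fails the certificate check; with the default changed to `*:443` and loaded before the sites, stray names land on the default vhost instead, while the wildcard-covered site still matches its own vhost. The model assumes the default vhost is loaded first, since Apache keeps the first vhost on an address:port as the fallback; check the order of the files under sites-enabled/ when applying this on a real server.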
