Unable to share a wildcard SSL cert with multiple subdomains

  • Note! This issue is copied from a forum post I made earlier.

Hi,

I'm trying to share a self-signed wildcard cert among multiple subdomains which were created as "Top-level server" and not "Sub-server" as I want to separate the sites. All sites run on the same IP address.

I have a "root domain" called domain.com which has a *.domain.com wildcard cert. I can then create a new "Top-level server" called e.g. sub1.domain.com and enable SSL and it works. When I go to Server Configuration - Manage SSL Certificate it says "This virtual server shares its SSL certificate with domain.com, so it cannot be edited on this page. Use its Manage SSL Certificate page to change SSL settings.". Very nice!

The trouble starts when I try to enable SSL on another subdomain. This message is shown: "The following potention problems were detected with the creation of this virtual server : SSL cannot be enabled for more than one domain on the IP address x.x.x.x unless a virtual IP interface or private port is enabled, or the certificate can be used for this domain. The current certificate is only valid for : Are you sure you want to continue?"

I censored the IP address above but as you can see, it won't use the same cert as for domain.com and also "current certificate" is empty. Strange, right?

Status: 
Closed (fixed)

Comments

That seems like a bug ..

When you go to the Manage SSL Certificate page for the domain on that IP, what hostnames does it show in the "Web server hostname" and "Other domain names" fields?

Web server hostname *.domain.com

I have no "Other domain names" field, probably because I didn't add e.g. domain.com when I created the cert. However, I've also tried with another cert valid for both *.domain.com & domain.com, but the behavior was the same.

"Also used by domains" shows sub1.domain.com, and at the "Self-Signed Certificate" tab www.sub1.domain.com is pre-filled.

That is unusual .. looking at the code, I can't see how this error could occur.

Are you running the latest version of Virtualmin (3.81) ?

I'm running version 3.80.

As this is happening on my installation every time I try to enable SSL on a second subdomain, is there a way for me to find out what's failing "behind the scenes"?

You can see what commands Virtualmin is running to get information about a cert as follows :

  1. Go to Webmin -> Webmin Configuration -> Debugging Log File.
  2. Change "Debug log enabled?" to "Yes"
  3. In "Events to log", check only "Commands executed"
  4. In "Script types to debug", select only "Web interface CGIs"
  5. Click Save
  6. Try to enable SSL for the problem domain
  7. Run grep openssl /var/webmin/webmin.debug and post the output here.

Unfortunately, there was nothing tagged "openssl" in the debug output, and nothing else that looked interesting either. I also tested with full debug without seeing anything of interest for this specific matter.

I'm not sure, but I believe that feature-ssl.pl is involved in checking for "clashing" domains while one selects to enable SSL for a subdomain. Is it possible to somehow debug the actual matching process, and hopefully get a clue about why Virtualmin doesn't use the wildcard cert already available?

That is odd, as openssl should get run to extract the list of domains from the cert.

I wonder if perhaps there is some other (possibly corrupt) domain with the same IP address that Virtualmin is picking up in the clash detection.

If you like, I could login to your system myself and see what is going wrong. If this is possible, see http://www.virtualmin.com/documentation/system/support for instructions on granting access.
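As an added illustration of the check discussed above (this is example code, not Virtualmin's own feature-ssl.pl logic), the snippet below parses the hostname list from constructed `openssl x509 -noout -subject -ext subjectAltName` output for a wildcard cert and applies the usual RFC 6125 wildcard rule to decide whether a given virtual server name is covered. The sample output and the hostnames are assumptions built for this example.

```python
import re

# Constructed sample of `openssl x509 -noout -subject -ext subjectAltName`
# output for a *.domain.com cert; not output from any real certificate.
SAMPLE_OPENSSL_OUTPUT = """\
subject=CN = *.domain.com
X509v3 Subject Alternative Name:
    DNS:*.domain.com, DNS:domain.com
"""


def cert_names(openssl_text):
    """Collect the names the cert is valid for: the subject CN plus every
    DNS entry of the subjectAltName extension, de-duplicated in order."""
    names = []
    m = re.search(r"subject=.*?CN\s*=\s*([^,/\n]+)", openssl_text)
    if m:
        names.append(m.group(1).strip().lower())
    for dns in re.findall(r"DNS:([^,\s]+)", openssl_text):
        names.append(dns.lower())
    return list(dict.fromkeys(names))


def name_matches(pattern, hostname):
    """RFC 6125 style match: a wildcard covers exactly one left-most label,
    so *.domain.com covers sub1.domain.com but neither domain.com nor
    www.sub1.domain.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".domain.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return first_label != "" and "." not in first_label


def cert_covers(openssl_text, hostname):
    """True if any name in the cert covers the virtual server hostname."""
    return any(name_matches(n, hostname) for n in cert_names(openssl_text))


if __name__ == "__main__":
    for host in ("sub1.domain.com", "sub2.domain.com", "www.sub1.domain.com"):
        print(host, "covered" if cert_covers(SAMPLE_OPENSSL_OUTPUT, host) else "NOT covered")
```

Note that the pre-filled www.sub1.domain.com mentioned earlier would not be covered by a single-level wildcard, so a cert shared across top-level servers needs the exact hostnames Virtualmin will serve.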

I know that this is getting silly now, but I can't actually find the required virtualmin-support package, neither in the GUI nor with apt-get :D

Where is it supposed to be? It's not under http://software.virtualmin.com/gpl/debian right?

Ah, that package is only available for the pro version of virtualmin.

In that case, you can instead just email me login details at jcameron@virtualmin.com if you like.

Thanks for the login - I found the problem, which was caused by having multiple domains with different users sharing the same SSL cert. This triggered a bug in the Virtualmin code, which I will fix in the 3.81 release.

I have also applied the fix on your system, and successfully enabled SSL for the domain you were trying.

Automatically closed -- issue fixed for 2 weeks with no activity.