New virtual servers with SSL enabled cause all other virtual servers to use the new virtual server's SSL certificate

Hi there,

Since last week, a problem has occurred which brings down all the secure virtual servers on my web server.

Steps to reproduce: 1. Create a new virtual server with the SSL feature enabled

Result: All secure virtual servers use the newly created virtual server's SSL certificate, instead of their own.

Last week, I cloned the server to a new instance, made some changes to the new instance and then repointed the elastic IP address at the network card of the new instance. It seems that since then this problem is occurring but I am not sure it is relevant.

Thanks, L

Status: Active

Comments

Do the other virtual servers have SSL enabled? Because if you use an https: URL to access a domain that doesn't have SSL on in Virtualmin, you will get the website of the first domain that does have SSL enabled.

Submitted by VuOnline on Wed, 01/11/2017 - 04:13

Yes, the virtual servers which have SSL enabled are the only ones affected.

If a new virtual server is created, with SSL enabled, all other virtual servers with SSL enabled will go down because they will start using the SSL certificate of the new virtual server, which will be invalid for them.

Submitted by Mostafa on Wed, 01/11/2017 - 11:32

There might be an IP mismatch here, what do you get by running:

Debian:

grep -R "443" /etc/apache2 | grep -i "virtualhost\|listen"

CentOS:

grep -R "443" /etc/httpd | grep -i "virtualhost\|listen"

Submitted by VuOnline on Tue, 01/31/2017 - 09:20

Hi there,

Thanks for getting back to me. You are absolutely correct, new virtual servers are being created differently than the old ones were.

When I ran: grep -R "443" /etc/apache2 | grep -i "virtualhost\|listen"

I found that all the lines looked like this:

/etc/apache2/sites-enabled/olddomain1.com.conf:<VirtualHost *:443>
/etc/apache2/sites-enabled/olddomain2.com.conf:<VirtualHost *:443>
/etc/apache2/sites-enabled/olddomain3.com.conf:<VirtualHost *:443>

but a domain would have a line looking like this:

/etc/apache2/sites-enabled/newdomain.com.conf:<VirtualHost 10.0.0.113:443>

Which is obviously going to mean that the new domain's virtual server takes precedence for all other domain requests.

How do I go about fixing this?

Thanks!

Gotcha, that does indeed explain it.

Virtualmin will normally try to use x.x.x.x:443 when possible (though there are cases where it doesn't).

Were the domains using the *:443 format added using Virtualmin?

Also, should all these domains be on their own IP address, or should they be sharing an IP?

Submitted by VuOnline on Wed, 02/01/2017 - 06:16

Yes, these domains were added and managed in Virtualmin. They were recently moved to another Virtualmin instance, on a different IP. But Virtualmin detected this change and asked if I would like to update the IP for these domains to the new one. I allowed it to do that for all domains but perhaps it has done something else. How then should I update the domains with *:443 to 10.0.0.113:443?

Unfortunately, it sounds like you may need to go through the config files, and manually update any config files using *:443 to x.x.x.x:443.

Submitted by VuOnline on Thu, 02/09/2017 - 08:31

In the end I changed the Virtualmin config so that new Apache virtual hosts would be created with * instead of the server's IP address.

Virtualmin > System Settings > Virtualmin Configuration > Defaults for new domains > Address format for Apache virtual hosts: Always use *
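
A repeatable form of the grep check used in this thread, added here as an example and not posted by any participant: it lists every port-443 VirtualHost address under a directory and fails when *:443 and IP-specific entries are mixed, which is the condition that made one certificate answer for every domain. The function names are hypothetical, and the script assumes one vhost per *.conf file layout as in the paths quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): flag mixed address formats among
# Apache port-443 virtual hosts, the mismatch diagnosed above.

# Print "file<TAB>address" for every <VirtualHost ADDR:443> under directory $1.
list_ssl_vhosts() {
    find "$1" \( -type f -o -type l \) -name '*.conf' -exec awk '
        tolower($1) == "<virtualhost" {
            for (i = 2; i <= NF; i++) {
                addr = $i
                sub(/>.*/, "", addr)            # drop the closing ">"
                if (addr ~ /:443$/) {
                    sub(/:443$/, "", addr)      # keep only the address part
                    print FILENAME "\t" addr
                }
            }
        }' {} +
}

# Return 1 (and list the offenders) when wildcard and IP-specific vhosts coexist.
# _default_ is counted as a wildcard, as Apache 2.4 treats it like *.
check_vhost_mix() {
    vhosts=$(list_ssl_vhosts "$1")
    wild=$(printf '%s\n' "$vhosts" |
        awk -F '\t' '$2 == "*" || $2 == "_default_" { n++ } END { print n + 0 }')
    specific=$(printf '%s\n' "$vhosts" |
        awk -F '\t' '$2 != "" && $2 != "*" && $2 != "_default_" { n++ } END { print n + 0 }')
    echo "wildcard vhosts: $wild, IP-specific vhosts: $specific"
    if [ "$wild" -gt 0 ] && [ "$specific" -gt 0 ]; then
        echo "MIXED: requests to these addresses never reach the *:443 vhosts:"
        printf '%s\n' "$vhosts" |
            awk -F '\t' '$2 != "" && $2 != "*" && $2 != "_default_"'
        return 1
    fi
    return 0
}

# Run against a directory given on the command line,
# e.g. /etc/apache2/sites-enabled.
if [ "$#" -gt 0 ]; then
    check_vhost_mix "$1"
fi
```

A non-zero exit status makes the check usable in a cron job or deployment hook, so a newly created virtual server with a different address format is caught before it serves the wrong certificate for the other domains.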