Re: [users@httpd] VirtualHost with ServerAlias and SSLCertificateFile no friends?

2024-07-08 Thread Frank Gingras
On Mon, Jul 8, 2024 at 4:18 AM Michael Osipov  wrote:

> On 2024/07/04 13:57:06 Frank Gingras wrote:
> > On Thu, Jul 4, 2024 at 8:44 AM Michael Osipov wrote:
> >
> > > Folks,
> > >
> > > please consider the following example:
> > > > 
> > > > ServerAdmin m...@example.com
> > > > ServerName foo.example.com
> > > > ServerAlias foo.sub.example.net
> > > > DocumentRoot /usr/local/www/apache24/data
> > > > ErrorLog "/var/log/apache/foo-ssl-errors.log"
> > > > CustomLog "/var/log/apache/foo-ssl-access.log" common
> > > >
> > > > SSLEngine On
> > > > SSLCertificateFile /etc/ssl/foo.example.com/cert.crt
> > > > SSLCertificateKeyFile /etc/ssl/foo.example.com/key.crt
> > > > SSLCertificateFile /etc/ssl/foo.sub.example.net/cert.crt
> > > > SSLCertificateKeyFile /etc/ssl/foo.sub.example.net/key.crt
> > > >
> > > > Include "..."
> > > > 
> > >
> > > I'd like to run a single vhost serving the same content under multiple
> > > FQDNs to the users
> > >
> > > As far as I understand mod_ssl it does not seem to support to have SNI on
> > > a single vhost with multiple hostnames. I get error messages in the log
> > > file.
> > > I am running "Apache/2.4.59 (FreeBSD) OpenSSL/1.1.1w-freebsd".
> > > FWIW: the same concept is supported with Tomcat: One connector, one default
> > > host, aliases and several SSLHostConfig elements.
> > > Is the approach to run two vhosts here? I am sure that a SAN certificate
> > > will do the trick, but for €€€ reasons I won't be able to order one.
> > >
> > > Michael
> > >
> > > -
> > > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> > > For additional commands, e-mail: users-h...@httpd.apache.org
> > >
> > >
> > In that case, define separate :443 vhosts for each name, and redirect to
> > the main one.
>
> As sad as it sounds and also looking into the source code there is no
> alternative to duplicate it.
> There is a long-standing issue open in Bugzilla:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=61081
>
> At least the docs should tell that using ServerAlias requires a SAN
> certificate to function properly.
>
Your options were always to use a wildcard certificate, or a SAN.  This
falls more into the common knowledge of TLS and certificates.

mod_ssl does tie in to openssl, sure, but explaining every concept isn't
the role of the docs.

That being said, a small note to that effect should not be harmful, I will
see if the docs team can come up with some alteration.


Re: [users@httpd] VirtualHost with ServerAlias and SSLCertificateFile no friends?

2024-07-08 Thread Michael Osipov
On 2024/07/04 13:57:06 Frank Gingras wrote:
> On Thu, Jul 4, 2024 at 8:44 AM Michael Osipov  wrote:
> 
> > Folks,
> >
> > please consider the following example:
> > > 
> > > ServerAdmin m...@example.com
> > > ServerName foo.example.com
> > > ServerAlias foo.sub.example.net
> > > DocumentRoot /usr/local/www/apache24/data
> > > ErrorLog "/var/log/apache/foo-ssl-errors.log"
> > > CustomLog "/var/log/apache/foo-ssl-access.log" common
> > >
> > > SSLEngine On
> > > SSLCertificateFile /etc/ssl/foo.example.com/cert.crt
> > > SSLCertificateKeyFile /etc/ssl/foo.example.com/key.crt
> > > SSLCertificateFile /etc/ssl/foo.sub.example.net/cert.crt
> > > SSLCertificateKeyFile /etc/ssl/foo.sub.example.net/key.crt
> > >
> > > Include "..."
> > > 
> >
> > I'd like to run a single vhost serving the same content under multiple
> > FQDNs to the users
> >
> > As far as I understand mod_ssl it does not seem to support to have SNI on
> > a single vhost with multiple hostnames. I get error messages in the log
> > file.
> > I am running "Apache/2.4.59 (FreeBSD) OpenSSL/1.1.1w-freebsd".
> > FWIW: the same concept is supported with Tomcat: One connector, one default
> > host, aliases and several SSLHostConfig elements.
> > Is the approach to run two vhosts here? I am sure that a SAN certificate
> > will do the trick, but for €€€ reasons I won't be able to order one.
> >
> > Michael
> >
> In that case, define separate :443 vhosts for each name, and redirect to
> the main one.

As sad as it sounds and also looking into the source code there is no
alternative to duplicate it.
There is a long-standing issue open in Bugzilla:
https://bz.apache.org/bugzilla/show_bug.cgi?id=61081

At least the docs should tell that using ServerAlias requires a SAN certificate 
to function properly.


Re: [users@httpd] VirtualHost with ServerAlias and SSLCertificateFile no friends?

2024-07-07 Thread Frank Gingras
On Sun, Jul 7, 2024 at 5:09 AM rexkogit...@gmx.at.INVALID
 wrote:

> Hi,
>
> well, Apache httpd uses SNI to decide which vhost to use. Otherwise, it
> would not even be possible to have multiple TLS secured domains on the same
> port. However, this is indeed possible, but you have to put them into
> multiple vhosts. These vhosts can be as similar as they share everything
> but the TLS certificate files and ServerNames. They can have the same
> DocumentRoot and so on.
>
> Otherwise, you could also try Haproxy in front of Apache.  Haproxy supports
> SNI and can perform TLS offloading, so that the Apache webserver is to be
> configured with HTTP only.
>
> Kind regards,
> rexkogitans.
> On 05.07.24 at 16:28, Frank Gingras wrote:
>
>
>
> On Fri, Jul 5, 2024 at 10:23 AM rexkogit...@gmx.at.INVALID
>   wrote:
>
>> Hi Michael,
>>
>>
>> you can add any number of domain names to a TLS certificate. These
>> entries are known as  SAN (Subject Alternative Name). So, you want a single
>> TLS certificate with multiple domain names instead of multiple TLS
>> certificates each with a single domain name.
>>
>>
>> Kind regards,
>> rexkogitans
>> On 04.07.24 at 15:57, Frank Gingras wrote:
>>
>>
>>
>> On Thu, Jul 4, 2024 at 8:44 AM Michael Osipov 
>> wrote:
>>
>>> Folks,
>>>
>>> please consider the following example:
>>> > 
>>> > ServerAdmin m...@example.com
>>> > ServerName foo.example.com
>>> > ServerAlias foo.sub.example.net
>>> > DocumentRoot /usr/local/www/apache24/data
>>> > ErrorLog "/var/log/apache/foo-ssl-errors.log"
>>> > CustomLog "/var/log/apache/foo-ssl-access.log" common
>>> >
>>> > SSLEngine On
>>> > SSLCertificateFile /etc/ssl/foo.example.com/cert.crt
>>> > SSLCertificateKeyFile /etc/ssl/foo.example.com/key.crt
>>> > SSLCertificateFile /etc/ssl/foo.sub.example.net/cert.crt
>>> > SSLCertificateKeyFile /etc/ssl/foo.sub.example.net/key.crt
>>> >
>>> > Include "..."
>>> > 
>>>
>>> I'd like to run a single vhost serving the same content under multiple
>>> FQDNs to the users
>>>
>>> As far as I understand mod_ssl it does not seem to support to have SNI
>>> on a single vhost with multiple hostnames. I get error messages in the log
>>> file.
>>> I am running "Apache/2.4.59 (FreeBSD) OpenSSL/1.1.1w-freebsd".
>>> FWIW: the same concept is supported with Tomcat: One connector, one
>>> default host, aliases and several SSLHostConfig elements.
>>> Is the approach to run two vhosts here? I am sure that a SAN certificate
>>> will do the trick, but for €€€ reasons I won't be able to order one.
>>>
>>> Michael
>>>
>> In that case, define separate :443 vhosts for each name, and redirect to
>> the main one.
>>
>>
>
> They already said that for price reasons, that consideration is not on the
> table.
>
>
That was literally what I suggested prior.


Re: [users@httpd] VirtualHost with ServerAlias and SSLCertificateFile no friends?

2024-07-07 Thread rexkogit...@gmx.at.INVALID

Hi,

well, Apache httpd uses SNI to decide which vhost to use. Otherwise, it
would not even be possible to have multiple TLS secured domains on the
same port. However, this is indeed possible, but you have to put them
into multiple vhosts. These vhosts can be as similar as they share
everything but the TLS certificate files and ServerNames. They can have
the same DocumentRoot and so on.

Otherwise, you could also try Haproxy in front of Apache.  Haproxy
supports SNI and can perform TLS offloading, so that the Apache
webserver is to be configured with HTTP only.

Kind regards,
rexkogitans.

On 05.07.24 at 16:28, Frank Gingras wrote:

> On Fri, Jul 5, 2024 at 10:23 AM rexkogit...@gmx.at.INVALID wrote:
>
>> Hi Michael,
>>
>> you can add any number of domain names to a TLS certificate. These
>> entries are known as SAN (Subject Alternative Name). So, you want
>> a single TLS certificate with multiple domain names instead of
>> multiple TLS certificates each with a single domain name.
>>
>> Kind regards,
>> rexkogitans
>>
>> On 04.07.24 at 15:57, Frank Gingras wrote:
>>
>>> On Thu, Jul 4, 2024 at 8:44 AM Michael Osipov wrote:
>>>
>>>> Folks,
>>>>
>>>> please consider the following example:
>>>> >
>>>> >     ServerAdmin m...@example.com
>>>> >     ServerName foo.example.com
>>>> >     ServerAlias foo.sub.example.net
>>>> >     DocumentRoot /usr/local/www/apache24/data
>>>> >     ErrorLog "/var/log/apache/foo-ssl-errors.log"
>>>> >     CustomLog "/var/log/apache/foo-ssl-access.log" common
>>>> >
>>>> >     SSLEngine On
>>>> >     SSLCertificateFile /etc/ssl/foo.example.com/cert.crt
>>>> >     SSLCertificateKeyFile /etc/ssl/foo.example.com/key.crt
>>>> >     SSLCertificateFile /etc/ssl/foo.sub.example.net/cert.crt
>>>> >     SSLCertificateKeyFile /etc/ssl/foo.sub.example.net/key.crt
>>>> >
>>>> >     Include "..."
>>>> >
>>>>
>>>> I'd like to run a single vhost serving the same content under
>>>> multiple FQDNs to the users
>>>>
>>>> As far as I understand mod_ssl it does not seem to support to
>>>> have SNI on a single vhost with multiple hostnames. I get
>>>> error messages in the log file.
>>>> I am running "Apache/2.4.59 (FreeBSD) OpenSSL/1.1.1w-freebsd".
>>>> FWIW: the same concept is supported with Tomcat: One connector,
>>>> one default host, aliases and several SSLHostConfig elements.
>>>> Is the approach to run two vhosts here? I am sure that a SAN
>>>> certificate will do the trick, but for €€€ reasons I won't be
>>>> able to order one.
>>>>
>>>> Michael
>>>
>>> In that case, define separate :443 vhosts for each name, and
>>> redirect to the main one.
>
> They already said that for price reasons, that consideration is not on
> the table.


Re: [users@httpd] VirtualHost with ServerAlias and SSLCertificateFile no friends?

2024-07-05 Thread Frank Gingras
On Fri, Jul 5, 2024 at 10:23 AM rexkogit...@gmx.at.INVALID
 wrote:

> Hi Michael,
>
>
> you can add any number of domain names to a TLS certificate. These entries
> are known as  SAN (Subject Alternative Name). So, you want a single TLS
> certificate with multiple domain names instead of multiple TLS certificates
> each with a single domain name.
>
>
> Kind regards,
> rexkogitans
> On 04.07.24 at 15:57, Frank Gingras wrote:
>
>
>
> On Thu, Jul 4, 2024 at 8:44 AM Michael Osipov  wrote:
>
>> Folks,
>>
>> please consider the following example:
>> > 
>> > ServerAdmin m...@example.com
>> > ServerName foo.example.com
>> > ServerAlias foo.sub.example.net
>> > DocumentRoot /usr/local/www/apache24/data
>> > ErrorLog "/var/log/apache/foo-ssl-errors.log"
>> > CustomLog "/var/log/apache/foo-ssl-access.log" common
>> >
>> > SSLEngine On
>> > SSLCertificateFile /etc/ssl/foo.example.com/cert.crt
>> > SSLCertificateKeyFile /etc/ssl/foo.example.com/key.crt
>> > SSLCertificateFile /etc/ssl/foo.sub.example.net/cert.crt
>> > SSLCertificateKeyFile /etc/ssl/foo.sub.example.net/key.crt
>> >
>> > Include "..."
>> > 
>>
>> I'd like to run a single vhost serving the same content under multiple
>> FQDNs to the users
>>
>> As far as I understand mod_ssl it does not seem to support to have SNI on
>> a single vhost with multiple hostnames. I get error messages in the log
>> file.
>> I am running "Apache/2.4.59 (FreeBSD) OpenSSL/1.1.1w-freebsd".
>> FWIW: the same concept is supported with Tomcat: One connector, one default
>> host, aliases and several SSLHostConfig elements.
>> Is the approach to run two vhosts here? I am sure that a SAN certificate
>> will do the trick, but for €€€ reasons I won't be able to order one.
>>
>> Michael
>>
> In that case, define separate :443 vhosts for each name, and redirect to
> the main one.
>
>

They already said that for price reasons, that consideration is not on the
table.


Re: [users@httpd] VirtualHost with ServerAlias and SSLCertificateFile no friends?

2024-07-05 Thread rexkogit...@gmx.at.INVALID

Hi Michael,


you can add any number of domain names to a TLS certificate. These
entries are known as  SAN (Subject Alternative Name). So, you want a
single TLS certificate with multiple domain names instead of multiple
TLS certificates each with a single domain name.


Kind regards,
rexkogitans

On 04.07.24 at 15:57, Frank Gingras wrote:

> On Thu, Jul 4, 2024 at 8:44 AM Michael Osipov wrote:
>
>> Folks,
>>
>> please consider the following example:
>> >
>> >     ServerAdmin m...@example.com
>> >     ServerName foo.example.com
>> >     ServerAlias foo.sub.example.net
>> >     DocumentRoot /usr/local/www/apache24/data
>> >     ErrorLog "/var/log/apache/foo-ssl-errors.log"
>> >     CustomLog "/var/log/apache/foo-ssl-access.log" common
>> >
>> >     SSLEngine On
>> >     SSLCertificateFile /etc/ssl/foo.example.com/cert.crt
>> >     SSLCertificateKeyFile /etc/ssl/foo.example.com/key.crt
>> >     SSLCertificateFile /etc/ssl/foo.sub.example.net/cert.crt
>> >     SSLCertificateKeyFile /etc/ssl/foo.sub.example.net/key.crt
>> >
>> >     Include "..."
>> >
>>
>> I'd like to run a single vhost serving the same content under
>> multiple FQDNs to the users
>>
>> As far as I understand mod_ssl it does not seem to support to have
>> SNI on a single vhost with multiple hostnames. I get error
>> messages in the log file.
>> I am running "Apache/2.4.59 (FreeBSD) OpenSSL/1.1.1w-freebsd".
>> FWIW: the same concept is supported with Tomcat: One connector, one
>> default host, aliases and several SSLHostConfig elements.
>> Is the approach to run two vhosts here? I am sure that a SAN
>> certificate will do the trick, but for €€€ reasons I won't be able to
>> order one.
>>
>> Michael
>
> In that case, define separate :443 vhosts for each name, and redirect
> to the main one.


Re: [users@httpd] VirtualHost with ServerAlias and SSLCertificateFile no friends?

2024-07-04 Thread Frank Gingras
On Thu, Jul 4, 2024 at 8:44 AM Michael Osipov  wrote:

> Folks,
>
> please consider the following example:
> > 
> > ServerAdmin m...@example.com
> > ServerName foo.example.com
> > ServerAlias foo.sub.example.net
> > DocumentRoot /usr/local/www/apache24/data
> > ErrorLog "/var/log/apache/foo-ssl-errors.log"
> > CustomLog "/var/log/apache/foo-ssl-access.log" common
> >
> > SSLEngine On
> > SSLCertificateFile /etc/ssl/foo.example.com/cert.crt
> > SSLCertificateKeyFile /etc/ssl/foo.example.com/key.crt
> > SSLCertificateFile /etc/ssl/foo.sub.example.net/cert.crt
> > SSLCertificateKeyFile /etc/ssl/foo.sub.example.net/key.crt
> >
> > Include "..."
> > 
>
> I'd like to run a single vhost serving the same content under multiple
> FQDNs to the users
>
> As far as I understand mod_ssl it does not seem to support to have SNI on
> a single vhost with multiple hostnames. I get error messages in the log
> file.
> I am running "Apache/2.4.59 (FreeBSD) OpenSSL/1.1.1w-freebsd".
> FWIW: the same concept is supported with Tomcat: One connector, one default
> host, aliases and several SSLHostConfig elements.
> Is the approach to run two vhosts here? I am sure that a SAN certificate
> will do the trick, but for €€€ reasons I won't be able to order one.
>
> Michael
>
In that case, define separate :443 vhosts for each name, and redirect to
the main one.
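
The layout suggested in this reply, as an added example that is not part of the original thread: one :443 vhost per name, each with its own certificate pair, and the secondary name redirecting to the main one. Host names, log files and certificate paths are the ones from the original post; the `*:443` address is an assumption, since the post's `<VirtualHost>` line did not survive.

```apache
# Added example, not from the thread. Names and paths come from the original
# post; the *:443 address is an assumption.

# Main vhost: serves the content. mod_ssl selects it when the SNI name sent
# by the client matches its ServerName. Listed first, so it is also the
# default for :443 clients that send no matching SNI name.
<VirtualHost *:443>
    ServerName foo.example.com
    DocumentRoot /usr/local/www/apache24/data
    ErrorLog "/var/log/apache/foo-ssl-errors.log"
    CustomLog "/var/log/apache/foo-ssl-access.log" common

    SSLEngine On
    SSLCertificateFile    /etc/ssl/foo.example.com/cert.crt
    SSLCertificateKeyFile /etc/ssl/foo.example.com/key.crt
</VirtualHost>

# Secondary vhost: same port, different name, its own certificate pair.
# No ServerAlias is needed because each name has its own vhost, so each
# handshake is answered with the certificate issued for that name.
<VirtualHost *:443>
    ServerName foo.sub.example.net
    ErrorLog "/var/log/apache/foo-ssl-errors.log"
    CustomLog "/var/log/apache/foo-ssl-access.log" common

    SSLEngine On
    SSLCertificateFile    /etc/ssl/foo.sub.example.net/cert.crt
    SSLCertificateKeyFile /etc/ssl/foo.sub.example.net/key.crt

    # Send every request to the same path on the main name.
    Redirect permanent / https://foo.example.com/

    # To serve the content under this name instead of redirecting, drop the
    # Redirect line and repeat the main vhost's DocumentRoot here.
</VirtualHost>
```

`apachectl -S` prints the name-based vhosts parsed for port 443, which confirms that both names are registered and which one is the default.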


[users@httpd] VirtualHost with ServerAlias and SSLCertificateFile no friends?

2024-07-04 Thread Michael Osipov
Folks,

please consider the following example:
> 
> ServerAdmin m...@example.com
> ServerName foo.example.com
> ServerAlias foo.sub.example.net
> DocumentRoot /usr/local/www/apache24/data
> ErrorLog "/var/log/apache/foo-ssl-errors.log"
> CustomLog "/var/log/apache/foo-ssl-access.log" common
> 
> SSLEngine On
> SSLCertificateFile /etc/ssl/foo.example.com/cert.crt
> SSLCertificateKeyFile /etc/ssl/foo.example.com/key.crt
> SSLCertificateFile /etc/ssl/foo.sub.example.net/cert.crt
> SSLCertificateKeyFile /etc/ssl/foo.sub.example.net/key.crt
> 
> Include "..."
> 

I'd like to run a single vhost serving the same content under multiple FQDNs to 
the users

As far as I understand mod_ssl it does not seem to support to have SNI on a 
single vhost with multiple hostnames. I get error messages in the log file.
I am running "Apache/2.4.59 (FreeBSD) OpenSSL/1.1.1w-freebsd".
FWIW: the same concept is supported with Tomcat: One connector, one default host,
aliases and several SSLHostConfig elements.
Is the approach to run two vhosts here? I am sure that a SAN certificate will
do the trick, but for €€€ reasons I won't be able to order one.

Michael
