Ted

Reputation: 3885

Using SSL on two VirtualHosts

So I got an SSL from GoDaddy.
It works for my public site mysite.com.
I would like now to have an SSL connection for my administrator.mysite.com
So I created a self-signed certificate using openssl because I don't mind managing my own site with a red mark on the lock.

inside httpd-ssl.conf

<VirtualHost *:443>
   ServerName mysite.com:443
   ServerAlias www.mysite.com

   DocumentRoot /opt/lampp/htdocs/MySite/

   ServerAdmin [email protected]

   ErrorLog /opt/lampp/htdocs/MySite/logfiles/ssl_errors.log
   TransferLog /opt/lampp/htdocs/MySite/logfiles/ssl_access.log

   SSLEngine on
   SSLProtocol all -SSLv2
   SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

   SSLCertificateFile /opt/lampp/etc/ssl.crt/mysite.com.crt
   SSLCertificateKeyFile /opt/lampp/etc/ssl.key/server_nopwd.key
   SSLCertificateChainFile /opt/lampp/etc/ssl.crt/gd_bundle.crt

   SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
   CustomLog /opt/lampp/htdocs/MySite/logfiles/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
   <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
   </FilesMatch>
   <Directory "/opt/lampp/cgi-bin">
      SSLOptions +StdEnvVars
   </Directory>
   BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

</VirtualHost>

<VirtualHost *:443>
   ServerName administrator.mysite.com:443
   DocumentRoot "/opt/lampp/htdocs/"

   ServerAdmin [email protected]

   ErrorLog /opt/lampp/htdocs/MySite/logfiles/ssl_errors_admin.log
   TransferLog /opt/lampp/htdocs/MySite/logfiles/ssl_access_admin.log

   SSLEngine on
   SSLProtocol all -SSLv2
   SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

   SSLCertificateFile /opt/lampp/etc/ssl.crt/admin.crt
   SSLCertificateKeyFile /opt/lampp/etc/ssl.key/admin.key

   SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
   CustomLog /opt/lampp/htdocs/MySite/logfiles/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

   <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
   </FilesMatch>
   <Directory "/opt/lampp/cgi-bin">
      SSLOptions +StdEnvVars
   </Directory>
   BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

</VirtualHost>

And I get this warning:

[warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)

What happens is that the administrator host is redirected to the regular host, which is very annoying.

Upvotes: 2

Views: 25527

Answers (2)

3ronco

Reputation: 592

I had the same issue. Strangely some report it works for them like a charm but for others not. I even tried using SNI via SSLStrictSNIVHostCheck apache directive but no luck.

When using the ServerAlias directive with a wildcard domain like e.g. *.snakeoil.com, then the order of the VirtualHost configs matters. If the VirtualHost with the wildcard domain alias:

ServerAlias *.snakeoil.com

is the first one, it will be processed first and avoids resolution of other vhosts. Try to reverse the vhosts so that this catch-all is the last one, e.g.

<IfModule mod_ssl.c>

# first vhost
<VirtualHost *:443>
    ServerName vhost1.snakeoil.com
    [...]
</VirtualHost>

# second vhost
<VirtualHost *:443>
    ServerName vhost2.snakeoil.com
    [...]
</VirtualHost>

# Attention!
# All other vhost requests end up here
# Order matters, keep this entry to be the last one
# as a last resort if any of the above don't apply
<VirtualHost *:443>
    ServerName snakeoil.com
    ServerAlias *.snakeoil.com
    [...]
</VirtualHost>

</IfModule>

Worked for me at least with Apache 2.2.14.

Upvotes: 4
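The two points made on this page, that a client without SNI always lands on the first *:443 vhost (the question's "administrator host is redirected to the regular host") and that a wildcard ServerAlias vhost placed first swallows the names of every vhost after it (the answer above), can both be checked offline against a config file. The following is an added example, not code from the question or from either answer: it parses the ServerName/ServerAlias directives out of <VirtualHost> blocks, models Apache's name-based selection (first vhost on the address is the default, otherwise the first vhost whose names match the SNI hostname wins), and flags vhosts that an earlier wildcard would shadow. The sample configs are constructed from the question's and the answer's hostnames, and the wildcard matching approximates Apache's '*'/'?' ServerAlias patterns with fnmatch.

```python
import fnmatch
import re
from typing import List, Optional, Tuple

# Constructed sample: the two HTTPS vhosts from the question, in the question's
# order, trimmed to the directives that decide which vhost serves a request.
QUESTION_CONF = """
<VirtualHost *:443>
   ServerName mysite.com:443
   ServerAlias www.mysite.com
   SSLEngine on
</VirtualHost>

<VirtualHost *:443>
   ServerName administrator.mysite.com:443
   SSLEngine on
</VirtualHost>
"""

# Constructed sample: the answer's wildcard catch-all placed FIRST, the ordering
# the answer warns against.
WILDCARD_FIRST_CONF = """
<VirtualHost *:443>
   ServerName snakeoil.com
   ServerAlias *.snakeoil.com
</VirtualHost>
<VirtualHost *:443>
   ServerName vhost1.snakeoil.com
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


class VHost:
    def __init__(self, address: str, names: List[str]):
        self.address = address   # e.g. "*:443"
        self.names = names       # ServerName first, then aliases; lowercase, port stripped


def parse_vhosts(conf: str) -> List[VHost]:
    """Extract <VirtualHost> blocks and their ServerName/ServerAlias names, in file order."""
    vhosts = []
    for address, body in VHOST_RE.findall(conf):
        server_name: Optional[str] = None
        aliases: List[str] = []
        for line in body.splitlines():
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            directive = parts[0].lower()
            if directive == "servername" and len(parts) > 1:
                server_name = parts[1].split(":")[0].lower()  # "mysite.com:443" -> "mysite.com"
            elif directive == "serveralias":
                aliases.extend(a.lower() for a in parts[1:])
        names = ([server_name] if server_name else []) + aliases
        vhosts.append(VHost(address.strip(), names))
    return vhosts


def name_matches(hostname: str, pattern: str) -> bool:
    # Assumption: Apache's ServerAlias wildcards ('*', '?') approximated with fnmatch.
    return fnmatch.fnmatchcase(hostname.lower(), pattern.lower())


def select_vhost(vhosts: List[VHost], address: str, sni_name: Optional[str]) -> Optional[VHost]:
    """First vhost on the address is the default (used when the client sends no SNI);
    otherwise the first vhost whose ServerName/ServerAlias matches the SNI hostname wins."""
    candidates = [v for v in vhosts if v.address == address]
    if not candidates:
        return None
    if sni_name is None:
        return candidates[0]
    for v in candidates:
        if any(name_matches(sni_name, p) for p in v.names):
            return v
    return candidates[0]


def shadowed_vhosts(vhosts: List[VHost]) -> List[Tuple[int, int, str]]:
    """Report (earlier_index, later_index, name) where an earlier vhost's wildcard
    name would capture a name declared by a later vhost on the same address."""
    findings = []
    for i, earlier in enumerate(vhosts):
        wildcards = [p for p in earlier.names if "*" in p or "?" in p]
        if not wildcards:
            continue
        for j in range(i + 1, len(vhosts)):
            later = vhosts[j]
            if later.address != earlier.address:
                continue
            for name in later.names:
                if any(name_matches(name, p) for p in wildcards):
                    findings.append((i, j, name))
                    break
    return findings


if __name__ == "__main__":
    vh = parse_vhosts(QUESTION_CONF)
    print("with SNI    ->", select_vhost(vh, "*:443", "administrator.mysite.com").names[0])
    print("without SNI ->", select_vhost(vh, "*:443", None).names[0])
    for i, j, name in shadowed_vhosts(parse_vhosts(WILDCARD_FIRST_CONF)):
        print(f"vhost #{j} ({name}) is shadowed by wildcard vhost #{i}; move the wildcard last")
```

Run against the question's own ordering, the model returns the administrator vhost for an SNI-capable client and the mysite.com vhost for a client that sends no SNI, which is the behaviour the warning on this page describes; run against the wildcard-first config it reports the shadowed vhost, and reversing the list (as the answer suggests) clears the finding.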

Jon

Reputation: 13002

That should work fine for newer browsers, although it might be worth checking your .htaccess rules in case one of them is inadvertently redirecting admin.mysite.com to mysite.com.

The warning message you're getting is explained more here: https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI (essentially older browsers can only view the default virtualhost).

Upvotes: 0
