By: uagamaga

SSL Certificate on one website interferes with all the other websites on the same droplet which do not have an SSL Certificate.

April 21, 2016 3.8k views
Apache DigitalOcean Ubuntu

Hello,

I have the following problem. I have about a dozen websites running on one droplet with the help of virtual hosts. I have installed an SSL Certificate on just one of them and it works great. Now the issue is:

Let:
SITE-SSL be the website with the SSL Certificate installed and
SITE-NO-SSL be any of the other websites with no SSL Certificate on the same droplet

If I browse to SITE-NO-SSL with https:// instead of http://, I would normally want nothing to happen, maybe get a 404 or redirect to http://, but instead this happens:

http://stinseid.net/img/prob1.jpg
http://stinseid.net/img/prob2.jpg

Okay, so then the weird part is, if I click on proceed, it takes me to SITE-SSL but the domain doesn't change and I can browse through SITE-SSL with the URL still being the one from SITE-NO-SSL.

Of course, I want to get rid of this as soon as possible, but I couldn't come up with any solution. Why would the websites with no SSL somehow be connected to the website with SSL?

My configuration is as follows:

I am running a LAMP stack on Ubuntu 14.04.
All the websites with no SSL have a .conf file that looks like this:

<VirtualHost *:80>

        ServerAdmin admin@mysite.com
        ServerName mysite
        ServerAlias www.mysite.com
        DocumentRoot /var/www/mysite.com/public

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

And the .conf for the website with SSL looks like this:

<VirtualHost *:80>
   ServerName mysite-ssl.com
   Redirect permanent / https://mysite-ssl.com/
</VirtualHost>

<VirtualHost *:443>

        ServerAdmin admin@mysite-ssl.com
        ServerName mysite-ssl.com
        ServerAlias www.mysite-ssl.com
        DocumentRoot /var/www/mysite-ssl.com/public
        SSLEngine on

        SSLCertificateFile /path/to
        SSLCertificateKeyFile /path/to
        SSLCertificateChainFile /path/to

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

I suspect that this <VirtualHost *:443> is not contained to this particular virtual host, and whenever I access https:// for any domain on this droplet it comes through this virtual host that listens on 443 and shows the content of this website, the one that has the SSL Certificate.

I tried putting a <VirtualHost *:443> inside the .conf file for the non-SSL websites where I would redirect to http://, but then the Apache service wouldn't run and the error log would say this:

Command line: '/usr/sbin/apache2'
AH00169: caught SIGTERM, shutting down
AH02240: Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] (/etc/apache2/sites-enabled/mysite.com.conf:1)
AH02312: Fatal error initialising mod_ssl, exiting.
AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)

This is it. I really don't know how to solve this. I hope someone knows something about this problem.

3 Answers

What you're seeing here is due to how the SSL protocol works.

When a browser makes an https:// request for a domain, it first connects to the server over the SSL port (port 443). Only after it connects to the SSL port of the server does it begin the SSL protocol where it asks the server to provide the site's SSL certificate.

As a result, if one site on a server has SSL enabled, if you go to the "https://" URL of any site on the server, the browser will immediately attempt to secure the connection and will check the certificate the server sends back. You can't get a 404 page or a redirect until after the connection is secured by the browser.

So, your only option for any sites that don't have their own valid SSL certificate is to let the user see a warning about an untrusted certificate when those sites are accessed with "https://" URLs. If you don't want one of the real site's domains to be shown in the SSL certificate information in the warning they see, you can use a self-signed certificate with a fake name. But visitors will still see scary untrusted site warnings in the browser in that case.

The only way to entirely avoid the SSL warnings on your servers for sites without their own SSL cert is to either a) use a valid SSL cert for each domain, or b) host your non-SSL sites on a separate server where there are no SSL sites at all.

  • Thanks very much. I managed to do it by creating a self-signed certificate for each domain that doesn't have a trusted SSL certificate and updating the virtual host accordingly.
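Putting the approach from this answer and the comment above into a runnable form, as an added example that is not code from the original post or from DigitalOcean: a shell script that generates a per-domain self-signed certificate and writes a port-443 virtual host for it that sends the visitor back to http://. It also covers the AH02240 error quoted in the question, because the 443 vhost tried there had no SSLEngine on and no certificate, which is exactly what Apache refuses to start without. The certificate directory (/etc/apache2/selfsigned), the file naming and the function names are assumptions; the sites-available path and the a2ensite, apache2ctl and service commands are the standard Debian/Ubuntu Apache layout.

```shell
#!/bin/sh
# Added example (not from the original post): per-domain self-signed
# certificate plus a *:443 vhost that redirects the client back to http://.
# Assumes Apache 2.4 on Ubuntu 14.04 with mod_ssl enabled (a2enmod ssl).
# CERT_DIR is an assumed location; SITES_DIR is the Debian/Ubuntu default.
set -eu

CERT_DIR="${CERT_DIR:-/etc/apache2/selfsigned}"
SITES_DIR="${SITES_DIR:-/etc/apache2/sites-available}"

# Render the *:443 vhost for a domain that has no trusted certificate.
# "SSLEngine on" plus a certificate/key pair is what the AH02240 error in
# the question was missing; without them Apache refuses to start.
render_ssl_redirect_vhost() {
    domain="$1"
    cat <<EOF
<VirtualHost *:443>
    ServerName ${domain}
    ServerAlias www.${domain}
    SSLEngine on
    SSLCertificateFile ${CERT_DIR}/${domain}.crt
    SSLCertificateKeyFile ${CERT_DIR}/${domain}.key
    # The browser has already completed the TLS handshake (and shown its
    # untrusted-certificate warning) by the time this redirect is sent.
    Redirect permanent / http://${domain}/
    ErrorLog \${APACHE_LOG_DIR}/${domain}-ssl-error.log
    CustomLog \${APACHE_LOG_DIR}/${domain}-ssl-access.log combined
</VirtualHost>
EOF
}

# Generate a self-signed key and certificate for one domain (needs openssl).
# The CN is the site's own name so the warning shows that domain and not
# the SITE-SSL domain from the question.
make_selfsigned_cert() {
    domain="$1"
    mkdir -p "$CERT_DIR"
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=${domain}" \
        -keyout "${CERT_DIR}/${domain}.key" \
        -out "${CERT_DIR}/${domain}.crt"
    chmod 600 "${CERT_DIR}/${domain}.key"   # private key readable by root only
}

# Write the vhost file, check the whole configuration, then reload Apache.
install_ssl_redirect_vhost() {
    domain="$1"
    make_selfsigned_cert "$domain"
    render_ssl_redirect_vhost "$domain" > "${SITES_DIR}/${domain}-ssl.conf"
    a2ensite "${domain}-ssl.conf"
    apache2ctl configtest
    service apache2 reload
}

# Usage: sh selfsigned_vhosts.sh mysite.com othersite.com ...
# With no arguments it only prints the vhost it would write for mysite.com.
if [ "$#" -gt 0 ]; then
    for d in "$@"; do install_ssl_redirect_vhost "$d"; done
else
    render_ssl_redirect_vhost "mysite.com"
fi
```

Run it once per domain that has no trusted certificate; apache2ctl configtest fails before the reload if a vhost is still missing its SSLEngine or certificate lines. The AH02292 line in the question's error log is relevant here too: Apache selects among several *:443 name-based vhosts using the server name the client sends in the TLS handshake (SNI), so a client with no SNI support is served the first *:443 vhost Apache loaded, whichever domain it asked for. The untrusted-certificate warning itself does not go away with this setup; as the answer says, that takes a valid certificate for each domain or a separate server without any SSL sites.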

I think you need to install a self-signed SSL certificate for all the non-SSL sites. Then, after giving a warning, it will take you to the correct location.

You will need to put the SSL sites each on their own IP and not as a VHost.
