[BlueOnyx:22094] Re: SSL help please

Colin Jack colin at mainline.co.uk
Tue May 22 03:34:39 -05 2018


Thanks Michael,

> > I have just enabled LetsEncrypt on a website on one of our 5209R
> > servers with nginx enabled.
> >
> > When I go to https://website it loads the certificate for the host!
> >
> > Other vsites on the same server are working fine with LE.
> 
> There are a couple of things here that you want to check.
> 
> When you enable HTTPS (and don't have Nginx as SSL proxy enabled), then a
> Vsite will have two separate <VirtualHost> containers. One for port 80 and one
> for port 443.
> 
> These containers are identical except for the port numbers and the SSL related
> extras in the HTTPS <VirtualHost> container.
> 
> If you access a Vsite via HTTPS and HTTPS is not enabled for it, then Apache
> tries to figure out where this connection should go. With SNI in mind (which
> allows multiple SSL enabled Vsites on the same IP) this could pretty much end
> up on any other SSL enabled Vsite. It *usually* then should go to the _default_
> <VirtualHost>, which is the one that's mentioned first in the Apache
> configuration and that's the one that redirects to the GUI.
> 
> Sometimes Apache gets really confused there. It might retain the
> DocumentRoot of the Vsite you steered to, but uses the SSL certificate from
> another <VirtualHost>.
> 
> So you might want to check your apache configuration. A good start is to run
> "httpd -S" on the command line, as it will list all <VirtualHost> containers and
> their load order. See if the Vsite in question has both a port 80 and a port 443
> container.

If I disable Nginx then it all works okay.
If I enable Nginx some of the vsites default to the host SSL and some to their local SSL. :-/

> Check the siteX config files for that Vsite to make sure the webserver aliases
> are listed. Make sure you have DNS A records for all of them.
> Could be that one of the DNS A records has gone walkies and that will confuse
> the heck out of Apache.

Yep - DNS is all okay.

> If all the configs look fine and even a restart of Apache doesn't solve it, then you
> might want to try to enable Nginx as SSL proxy just to see if it makes a
> difference. It probably will.

Kind regards

Colin
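
The "httpd -S" check suggested in the quoted reply can be automated. The sketch below is an added example, not part of the original message or of BlueOnyx: it parses the name-based `<VirtualHost>` listing and reports every Vsite that has a port 80 container but no port 443 container, together with the default HTTPS vhost it would fall back to. The sample output, hostnames and config paths are constructed.

```python
import re
import sys
from collections import defaultdict

# Constructed `httpd -S` output; hostnames and config paths are made up.
SAMPLE = """\
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server host.example.com (/etc/httpd/conf/vhosts/site1:1)
         port 80 namevhost host.example.com (/etc/httpd/conf/vhosts/site1:1)
         port 80 namevhost www.shop.example (/etc/httpd/conf/vhosts/site2:1)
                 alias shop.example
         port 80 namevhost www.blog.example (/etc/httpd/conf/vhosts/site3:1)
*:443                  is a NameVirtualHost
         default server host.example.com (/etc/httpd/conf/vhosts/site1:40)
         port 443 namevhost host.example.com (/etc/httpd/conf/vhosts/site1:40)
         port 443 namevhost www.shop.example (/etc/httpd/conf/vhosts/site2:40)
"""

LISTEN = re.compile(r"^\S+:(\d+)\s")                    # "*:443   is a NameVirtualHost"
DEFAULT = re.compile(r"^\s+default server (\S+) ")      # first-loaded vhost on that port
VHOST = re.compile(r"^\s+port (\d+) namevhost (\S+) ")  # one <VirtualHost> container


def parse(text):
    """Return ({server name: set of ports}, {port: default server name})."""
    ports, defaults, listen_port = defaultdict(set), {}, None
    for line in text.splitlines():
        if m := LISTEN.match(line):
            listen_port = int(m.group(1))
        elif (m := DEFAULT.match(line)) and listen_port is not None:
            defaults[listen_port] = m.group(1)
        elif m := VHOST.match(line):
            ports[m.group(2)].add(int(m.group(1)))
    return ports, defaults


def missing_https(text, http=80, https=443):
    """Map each vhost with an HTTP container but no HTTPS one to the
    default HTTPS vhost, whose certificate a fallback would present."""
    ports, defaults = parse(text)
    return {name: defaults.get(https)
            for name, seen in sorted(ports.items())
            if http in seen and https not in seen}


if __name__ == "__main__":
    # Pipe real output in (`httpd -S 2>&1 | python3 this_script.py`) or run bare for the sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, fallback in missing_https(data).items():
        print(f"{name}: no port 443 container; HTTPS would fall back to {fallback}")
```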





