Up to this point I've been using SNI in my ssl.conf file with Apache 2.2.31. I'm serving up different sites all in the same document root. For example:

    NameVirtualHost *:443

    <VirtualHost *:443>
        DocumentRoot "/var/www/html"
        ServerName www.domain1.com
        ErrorLog logs/ssl_error_log
        TransferLog logs/ssl_access_log
        LogLevel warn
        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3 -TLSv1
        SSLCipherSuite ...
        SSLHonorCipherOrder on
        SSLCertificateFile /etc/pki/tls/certs/domain1.com.crt
        SSLCertificateKeyFile /etc/pki/tls/private/domain1.com.key
        SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle_domain1.crt
    </VirtualHost>

    <VirtualHost *:443>
        DocumentRoot "/var/www/html"
        ServerName www.domain2.com
        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3 -TLSv1
        SSLCipherSuite ...
        SSLHonorCipherOrder on
        SSLCertificateFile /etc/pki/tls/certs/domain2.com.crt
        SSLCertificateKeyFile /etc/pki/tls/private/domain2.com.key
        SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle_domain2.crt
    </VirtualHost>

    ...

Now I've added a wildcard cert in the hopes I can add sub-domains without any extra Apache configuration to another new domain. So the ssl.conf looks like this:

    NameVirtualHost *:443

    <VirtualHost *:443>
        DocumentRoot "/var/www/html"
        ServerName www.domain1.com
        ErrorLog logs/ssl_error_log
        TransferLog logs/ssl_access_log
        LogLevel warn
        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3 -TLSv1
        SSLCipherSuite ...
        SSLHonorCipherOrder on
        SSLCertificateFile /etc/pki/tls/certs/domain1.com.crt
        SSLCertificateKeyFile /etc/pki/tls/private/domain1.com.key
        SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle_domain1.crt
    </VirtualHost>

    <VirtualHost *:443>
        DocumentRoot "/var/www/html"
        ServerName www.domain2.com
        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3 -TLSv1
        SSLCipherSuite ...
        SSLHonorCipherOrder on
        SSLCertificateFile /etc/pki/tls/certs/domain2.com.crt
        SSLCertificateKeyFile /etc/pki/tls/private/domain2.com.key
        SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle_domain2.crt
    </VirtualHost>

    ...

    <VirtualHost *:443>
        DocumentRoot "/var/www/html"
        ServerName newdomain.com
        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3 -TLSv1
        SSLCipherSuite ...
        SSLHonorCipherOrder on
        SSLCertificateFile /etc/pki/tls/certs/newdomain_wildcard.com.crt
        SSLCertificateKeyFile /etc/pki/tls/private/newdomain_wildcard.com.key
        SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle_newdomain_wildcard.crt
    </VirtualHost>

It works for newdomain.com but not on other sub-domains (i.e. test.newdomain.com). I also get this warning on server start, if that's relevant:
[warn] RSA server certificate wildcard CommonName (CN) `*.newdomain.com' does NOT match server name!?
If I change ServerName to *.newdomain.com, I don't get warnings but the certificate doesn't work at all.
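To see why the sub-domains fall through, here is an added model (not code from the question or from Apache) of how a name-based `*:443` listener picks a vhost and how the certificate is then judged. It assumes the question's three vhosts, that the wildcard cert also lists the apex `newdomain.com` as a name (consistent with the apex working), and a hypothetical `ServerAlias *.newdomain.com` line as the candidate fix; `ServerName` is compared literally, `ServerAlias` accepts shell-style wildcards, and the first vhost is the default when nothing matches.

```python
from fnmatch import fnmatchcase

# Constructed model of the question's three *:443 vhosts. The ServerAlias
# entry and the cert name list are assumptions, not part of the posted config.
def make_vhosts(servername="newdomain.com", alias=None):
    return [
        {"ServerName": "www.domain1.com", "ServerAlias": [], "cert": ["www.domain1.com"]},
        {"ServerName": "www.domain2.com", "ServerAlias": [], "cert": ["www.domain2.com"]},
        {"ServerName": servername, "ServerAlias": [alias] if alias else [],
         "cert": ["*.newdomain.com", "newdomain.com"]},
    ]

def select_vhost(vhosts, sni_name):
    """Name-based selection for one listener: ServerName is compared literally,
    ServerAlias may carry shell-style wildcards, first vhost is the default."""
    name = sni_name.lower()
    for vh in vhosts:
        if vh["ServerName"].lower() == name:
            return vh
        if any(fnmatchcase(name, a.lower()) for a in vh["ServerAlias"]):
            return vh
    return vhosts[0]

def cn_matches_servername(cn, server_name):
    """Models the startup check behind the '[warn] ... wildcard CommonName (CN)
    ... does NOT match server name' message: a wildcard CN is glob-matched
    against ServerName, so a bare apex never matches a '*.' pattern."""
    if "*" in cn:
        return fnmatchcase(server_name.lower(), cn.lower())
    return cn.lower() == server_name.lower()

def cert_covers(cert_names, host):
    """Client-side name check: a '*.' entry covers exactly one extra label,
    so a.b.newdomain.com is NOT covered even though ServerAlias would match it."""
    host = host.lower()
    for n in cert_names:
        n = n.lower()
        if n.startswith("*."):
            head, _, tail = host.partition(".")
            if head and tail == n[2:]:
                return True
        elif n == host:
            return True
    return False

def handshake(vhosts, sni_name):
    """Return (ServerName of the vhost that answers, whether its cert fits the name)."""
    vh = select_vhost(vhosts, sni_name)
    return vh["ServerName"], cert_covers(vh["cert"], sni_name)
```

With the posted config, `test.newdomain.com` matches no ServerName, so the first vhost answers with the domain1 certificate; with `ServerName *.newdomain.com` the literal comparison matches nothing at all, which is why the warning goes away but the cert stops working.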