[HCoop-Help] SSL Certificate Without Hostname

Adam Chlipala adamc at hcoop.net
Sun May 17 09:09:22 EDT 2009


Michal Charemza wrote:
> On 16 May 2009, at 17:31, Adam Chlipala wrote:
>
>   
>> Michal Charemza wrote:
>>     
>>> I would like to enable SSL on mydomain.com (without any 'www' host).
>>> So far I have successfully requested an IP address and certificate
>>> permissions. I've looked at the examples in the Wiki, but they all
>>> have a hostname part. I've tried adding a 'where' block to vhostdefault:
>>>
>>> vhostDefault where
>>>   SSL = use_cert "/etc/apache2/ssl/user/mydomain.com.pem"
>>> with
>>>  ...
>>>
>>> But this results in http requests to my domain showing the hcoop home
>>> page, and https requests in a certificate error: the certificate is for
>>> *.hcoop.net.

OK, these are two separate problems.

HTTP requests for hcoop.net show the HCoop home page because you didn't 
configure an HTTP vhost for www.mydomain.com.  You set up a redirect 
with [vhostDefault], which only covers mydomain.com.  I recommend 
replacing [CreateWWW = false] with [WWW = begin (* put here the config 
that you want for both www.yourdomain.com and yourdomain.com *) end].

The certificate error is exactly the "right" behavior.  HTTPS only 
allows one certificate per IP address, and our certificate is the one 
associated with mire's main IP address.  You need to use the [webAtIp] 
directive to run your vhost on a different IP address.  Unfortunately, 
this requires not following the advice I gave in the last paragraph, 
since the [WWW] parameter is always used to create a vhost on the 
standard IP. ;)  Instead, you can keep the [CreateWWW = false] and use 
[webAtIp "your.ip" "www" with serverAliasDefault; (* redirect config 
goes here *) end].  Because you want to use the same domain name to 
serve HTTP and HTTPS, your HTTP vhost needs to be on the alternate IP, 
too, because DNS isn't smart enough to support anything else.  You will 
also need to use the new [DefaultA = false] option to [dom], to avoid 
creating an A record for the primary mire IP address.

P.S.: I'm glad to see someone writing and reusing a Domtool function!  
It's a welcome counterpart to the complaints that Domtool is too 
complicated. :)
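To make the "one certificate per IP" point concrete, here is an added Python model (not part of the thread and not Domtool code) that checks a hostname against the names in a certificate using RFC 6125 wildcard rules and walks the DNS-to-IP-to-certificate chain before and after `DefaultA = false`. The IP addresses, certificate names and DNS records are constructed sample data for illustration only.

```python
from typing import Dict, List

def cert_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a wildcard covers only the leftmost label,
    so '*.hcoop.net' matches 'www.hcoop.net' but neither 'hcoop.net'
    nor 'a.b.hcoop.net'. Comparison is case-insensitive."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Refuse wildcards that would cover a whole TLD (e.g. '*.net').
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]

def https_outcome(hostname: str, dns_a: Dict[str, List[str]],
                  cert_at_ip: Dict[str, List[str]]) -> Dict[str, str]:
    """For each address the hostname resolves to, report which certificate
    a non-SNI client is shown and whether it validates for that hostname.
    Without SNI, the server can only pick a certificate by IP address."""
    outcome = {}
    for ip in dns_a.get(hostname, []):
        names = cert_at_ip[ip]
        if any(cert_name_matches(n, hostname) for n in names):
            outcome[ip] = "ok"
        else:
            outcome[ip] = "mismatch: got " + ", ".join(names)
    return outcome

# Constructed sample data (RFC 5737 documentation addresses).
PRIMARY_IP, ALT_IP = "192.0.2.1", "192.0.2.2"
CERT_AT_IP = {PRIMARY_IP: ["*.hcoop.net"],
              ALT_IP: ["mydomain.com", "www.mydomain.com"]}

# Before: the default A record still points some clients at the shared
# IP, where the only certificate available is the *.hcoop.net one.
DNS_BEFORE = {"mydomain.com": [PRIMARY_IP, ALT_IP],
              "www.mydomain.com": [ALT_IP]}
# After DefaultA = false: only the alternate IP is published in DNS.
DNS_AFTER = {"mydomain.com": [ALT_IP], "www.mydomain.com": [ALT_IP]}

if __name__ == "__main__":
    print("before:", https_outcome("mydomain.com", DNS_BEFORE, CERT_AT_IP))
    print("after: ", https_outcome("mydomain.com", DNS_AFTER, CERT_AT_IP))
```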
