[HCoop-Help] SSL Certificate Without Hostname
Adam Chlipala
adamc at hcoop.net
Sun May 17 09:09:22 EDT 2009
Michal Charemza wrote:
> On 16 May 2009, at 17:31, Adam Chlipala wrote:
>
>
>> Michal Charemza wrote:
>>
>>> I would like to enable SSL on mydomain.com (without any 'www' host).
>>> So far I have successfully requested an IP address and certificate
>>> permissions. I've looked at the examples in the Wiki, but they all
>>> have a hostname part. I've tried adding a 'where' block to
>>> vhostdefault:
>>>
>>> vhostDefault where
>>> SSL = use_cert "/etc/apache2/ssl/user/mydomain.com.pem"
>>> with
>>> ...
>>>
>>> But this results in http requests to my domain showing the hcoop home
>>> page, and https requests in a certificate error: the certificate is
>>> for *.hcoop.net.
OK, these are two separate problems.
HTTP requests for hcoop.net show the HCoop home page because you didn't
configure an HTTP vhost for www.mydomain.com. You set up a redirect
with [vhostDefault], which only covers mydomain.com. I recommend
replacing [CreateWWW = false] with [WWW = begin (* put here the config
that you want for both www.yourdomain.com and yourdomain.com *) end].
The certificate error is exactly the "right" behavior. HTTPS only
allows one certificate per IP address, and our certificate is the one
associated with mire's main IP address. You need to use the [webAtIp]
directive to run your vhost on a different IP address. Unfortunately,
this requires not following the advice I gave in the last paragraph,
since the [WWW] parameter is always used to create a vhost on the
standard IP. ;) Instead, you can keep the [CreateWWW = false] and use
[webAtIp "your.ip" "www" with serverAliasDefault; (* redirect config
goes here *) end]. Because you want to use the same domain name to
serve HTTP and HTTPS, your HTTP vhost needs to be on the alternate IP,
too, because DNS isn't smart enough to support anything else. You will
also need to use the new [DefaultA = false] option to [dom], to avoid
creating an A record for the primary mire IP address.
P.S.: I'm glad to see someone writing and reusing a Domtool function!
It's a welcome counterpart to the complaints that Domtool is too
complicated. :)
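Putting the pieces of the reply above together into one Domtool block, as an added illustration that is not part of this thread and not HCoop's own documentation. The domain, the dedicated IP (192.0.2.10) and the certificate path are placeholders; the `where ... with ... end` form, `webAtIp "ip" "host"`, `serverAliasDefault`, `CreateWWW = false` and `DefaultA = false` are the constructs named in the message, and applying the `SSL = use_cert` parameter to a `webAtIp` vhost (rather than to `vhostDefault`) is an assumption that it accepts the same parameter. The redirect directive for the HTTP vhost is left as the comment placeholder the reply uses.

```domtool
dom "mydomain.com" where
  (* No A record for the primary mire IP: the vhosts below live on the
     dedicated IP, so DNS must point at that address instead (the record
     for the dedicated IP is not shown in the thread). *)
  DefaultA = false;
  (* Do not auto-create the www vhost on the standard IP, because the
     standard IP can only present HCoop's own *.hcoop.net certificate. *)
  CreateWWW = false
with
  (* Plain-HTTP vhost on the dedicated IP, answering for both
     mydomain.com and www.mydomain.com via serverAliasDefault. *)
  webAtIp "192.0.2.10" "www" with
    serverAliasDefault;
    (* redirect config goes here *)
  end;

  (* HTTPS vhost on the same dedicated IP, presenting the user's own
     certificate instead of the server-wide *.hcoop.net one. *)
  webAtIp "192.0.2.10" "www" where
    SSL = use_cert "/etc/apache2/ssl/user/mydomain.com.pem"
  with
    serverAliasDefault;
    (* HTTPS site config goes here *)
  end;
end;
```

Both vhosts must sit on the same dedicated IP for the reason the reply gives: the name resolves to one address, and that address is the only one on which the custom certificate is served, so the plain-HTTP vhost has to move with it. After deploying, check the result from outside by connecting to the dedicated IP over HTTPS and confirming that the certificate subject is mydomain.com rather than *.hcoop.net, and that a plain-HTTP request to the same name no longer lands on the HCoop home page.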