On Mon, Jul 8, 2024 at 4:18 AM Michael Osipov <micha...@apache.org> wrote:
> On 2024/07/04 13:57:06 Frank Gingras wrote:
> > On Thu, Jul 4, 2024 at 8:44 AM Michael Osipov <micha...@apache.org> wrote:
> >
> > > Folks,
> > >
> > > please consider the following example:
> > > > <VirtualHost *:443>
> > > >     ServerAdmin m...@example.com
> > > >     ServerName foo.example.com
> > > >     ServerAlias foo.sub.example.net
> > > >     DocumentRoot /usr/local/www/apache24/data
> > > >     ErrorLog "/var/log/apache/foo-ssl-errors.log"
> > > >     CustomLog "/var/log/apache/foo-ssl-access.log" common
> > > >
> > > >     SSLEngine On
> > > >     SSLCertificateFile /etc/ssl/foo.example.com/cert.crt
> > > >     SSLCertificateKeyFile /etc/ssl/foo.example.com/key.crt
> > > >     SSLCertificateFile /etc/ssl/foo.sub.example.net/cert.crt
> > > >     SSLCertificateKeyFile /etc/ssl/foo.sub.example.net/key.crt
> > > >
> > > >     Include "..."
> > > > </VirtualHost>
> > >
> > > I'd like to run a single vhost serving the same content under multiple
> > > FQDNs to the users
> > >
> > > As far as I understand mod_ssl it does not seem to support to have SNI on
> > > a single vhost with multiple hostnames. I get error messages in the log
> > > file.
> > > I am running "Apache/2.4.59 (FreeBSD) OpenSSL/1.1.1w-freebsd".
> > > FWIW: the same concept is supported with Tomcat: One connector, one default
> > > host, aliases and several SSLHostConfig elements.
> > > Is the approach to run two vhosts here? I am sure that a SAN certificate
> > > will do the trick, but for €€€ reasons I won't be able to order one.
> > >
> > > Michael
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> > > For additional commands, e-mail: users-h...@httpd.apache.org
> > >
> > In that case, define separate :443 vhosts for each name, and redirect to
> > the main one.
>
> As sad as it sounds and also looking into the source code there is no
> alternative to duplicating it.
> There is a long standing issue open in Bugzilla:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=61081
>
> At least the docs should tell that using ServerAlias requires a SAN
> certificate to function properly.

Your options were always to use a wildcard certificate, or a SAN. This falls more into the common knowledge of TLS and certificates. mod_ssl does tie in to openssl, sure, but explaining every concept isn't the role of the docs.

That being said, a small note to that effect should not be harmful, I will see if the docs team can come up with some alteration.
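
The layout suggested in the thread, written out as an added example (not a configuration posted by either participant): one :443 vhost per name, each with its own certificate so that SNI selects the matching one, and the secondary name redirecting to the main one. Hostnames and file paths are taken from the quoted config; treating foo.example.com as the main name and the `Redirect permanent` target are assumptions.

```apache
# Main vhost: serves the content and presents only the certificate
# issued for foo.example.com. No ServerAlias, because this certificate
# does not cover any other name.
<VirtualHost *:443>
    ServerAdmin m...@example.com
    ServerName foo.example.com
    DocumentRoot /usr/local/www/apache24/data
    ErrorLog "/var/log/apache/foo-ssl-errors.log"
    CustomLog "/var/log/apache/foo-ssl-access.log" common

    SSLEngine On
    SSLCertificateFile /etc/ssl/foo.example.com/cert.crt
    SSLCertificateKeyFile /etc/ssl/foo.example.com/key.crt

    Include "..."
</VirtualHost>

# Secondary vhost: exists only so that a client sending
# SNI = foo.sub.example.net is handed a certificate that matches that
# name, then is redirected to the main name (assumed target).
<VirtualHost *:443>
    ServerName foo.sub.example.net

    SSLEngine On
    SSLCertificateFile /etc/ssl/foo.sub.example.net/cert.crt
    SSLCertificateKeyFile /etc/ssl/foo.sub.example.net/key.crt

    # mod_alias: the TLS handshake completes with the matching
    # certificate before this redirect is sent, so the client sees
    # no name-mismatch warning.
    Redirect permanent / https://foo.example.com/
</VirtualHost>
```

With a SAN or wildcard certificate that covers both names, the single vhost with `ServerAlias` from the quoted config works with one `SSLCertificateFile`/`SSLCertificateKeyFile` pair instead.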