2

I have a personal server and I use many sub-domains on it.
Each sub-domain has its own unique SSL cert set up with LetsEncrypt.
Each sub-domain has its own vhost file under /etc/apache/sites-available/
Each sub-domain has its own A record and NS record that point to my server.

For some reason, if I disable one of my subdomains (e.g. sub1.domain.com) using the a2dissite command, and then try to go to that site in a web browser, I get an error saying:

sub1.domain.com uses an invalid security certificate.
The certificate is only valid for sub2.domain.com
Error code: SSL_ERROR_BAD_CERT_DOMAIN

I have verified that the VHOST files do use their appropriate SSL files. And the VHOST files also have the appropriate server name, including the sub domain part.

If I add an exception to the above error, as is an option, I am presented with another one of my subdomains but the URL stays the same as the one that's disabled.

Why does my server point me to a completely different sub-domain when I disable the site? I would think that it would just say it can't be reached, but instead it redirects me to another one of my sub-domains and I'm not sure how to control that.

Frantumn
  • 121

2 Answers

2

The first configured vhost has the highest priority and can be seen as the default or primary server. That means that if a request is received that does not match one of the specified ServerName directives, it will be served by this first <VirtualHost>.

https://httpd.apache.org/docs/2.4/vhosts/examples.html

In your case sub1.domain.com points to your web server, but the web server has no vhost configured that would match the domain. Instead, the content and SSL cert for the default domain are served.

1

Name-based virtual hosts for the best-matching set of <virtualhost>s are processed in the order they appear in the configuration. The first matching ServerName or ServerAlias is used, with no different precedence for wildcards (nor for ServerName vs. ServerAlias).

source: Apache HTTP Server Version 2.4 - Using Name-based Virtual Hosts

Afaik it is not possible to change this sorting process without recompiling.

To change the order of your virtual hosts you could rename the *.conf files in /etc/apache/sites-available/ like this:

/etc/apache/sites-available/000-default.conf
/etc/apache/sites-available/100-site-one.conf
/etc/apache/sites-available/200-site-two.conf

For Debian (Ubuntu should have similar syntax) I recommend changing, let's say, old-site-three.conf to 300-site-three.conf in this order:

$ sudo a2dissite old-site-three.conf
$ sudo mv /etc/apache/sites-available/old-site-three.conf /etc/apache/sites-available/300-site-three.conf
$ sudo a2ensite 300-site-three.conf
$ sudo apache2ctl configtest
$ sudo systemctl restart apache2.service

Fabian
  • 457
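
Added worked example (not part of the question or either answer): a Python model of the selection rule both answers quote from the Apache docs, applied to the numbered sites-enabled layout suggested above. It reproduces the symptom in the question (a request for the disabled sub1 falls through to the first vhost and is shown that vhost's certificate), shows that an earlier wildcard ServerAlias beats a later exact ServerName, and shows the fix: make the first vhost an explicit catch-all instead of a real site, so an unknown hostname gets a placeholder certificate and a 403 rather than another sub-domain's content. The hostnames, file names, certificate paths and the catchall.invalid name are constructed for the example; /etc/ssl/certs/ssl-cert-snakeoil.pem is the placeholder certificate installed by Debian's ssl-cert package.

```python
"""Model of how Apache 2.4 picks a name-based virtual host.

Added example, not code from the question or the answers. Rule modelled:
within the <VirtualHost> set for one address:port, the first ServerName or
ServerAlias that matches wins (configuration order, no precedence for
wildcards or for ServerName over ServerAlias); a request matching nothing
is served by the first vhost of that set. All names and paths are constructed.
"""
import fnmatch
import re

# Constructed stand-in for /etc/apache2/sites-enabled/. Apache's
# "IncludeOptional sites-enabled/*.conf" reads the glob alphabetically,
# so the numeric prefix decides which vhost is loaded first.
SITES_ENABLED = {
    # sub1.domain.com was disabled with a2dissite, so it has no file here.
    "200-site-two.conf": """
<VirtualHost *:443>
    ServerName sub2.domain.com
    SSLCertificateFile /etc/letsencrypt/live/sub2.domain.com/fullchain.pem
</VirtualHost>
""",
    "300-site-three.conf": """
<VirtualHost *:443>
    ServerName sub3.domain.com
    ServerAlias *.sub3.domain.com
    SSLCertificateFile /etc/letsencrypt/live/sub3.domain.com/fullchain.pem
</VirtualHost>
""",
}

# Same sites plus an explicit catch-all that sorts first and so owns the
# "default server" slot: unknown names get its placeholder certificate
# (Debian ssl-cert's snakeoil) and a 403 instead of another site's content.
HARDENED = dict(SITES_ENABLED)
HARDENED["000-default.conf"] = """
<VirtualHost *:443>
    ServerName catchall.invalid
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    <Location />
        Require all denied
    </Location>
</VirtualHost>
"""

# Same sites plus a wildcard alias that sorts before the exact names.
WILDCARD_FIRST = dict(SITES_ENABLED)
WILDCARD_FIRST["100-wildcard.conf"] = """
<VirtualHost *:443>
    ServerName wildcard.domain.com
    ServerAlias *.domain.com
    SSLCertificateFile /etc/letsencrypt/live/wildcard.domain.com/fullchain.pem
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(
    r"^\s*(ServerName|ServerAlias|SSLCertificateFile)\s+(.+?)\s*$", re.M | re.I)


def _hostname(token):
    """Strip the optional scheme:// and :port a ServerName value may carry."""
    return re.sub(r":\d+$", "", re.sub(r"^[a-z]+://", "", token, flags=re.I))


def parse_sites(sites):
    """Return vhost records in the order Apache would load them."""
    vhosts = []
    for filename in sorted(sites):
        for addr, body in VHOST_RE.findall(sites[filename]):
            vhost = {"file": filename, "addr": addr.strip(), "names": [], "cert": None}
            for directive, value in DIRECTIVE_RE.findall(body):
                if directive.lower() == "sslcertificatefile":
                    vhost["cert"] = value
                else:
                    # ServerName and ServerAlias go into one list: no precedence
                    vhost["names"].extend(_hostname(t) for t in value.split())
            vhosts.append(vhost)
    return vhosts


def select_vhost(vhosts, hostname, addr="*:443"):
    """Pick the vhost Apache uses for the SNI/Host name on an address:port."""
    candidates = [v for v in vhosts if v["addr"] == addr]
    if not candidates:
        raise LookupError(f"no <VirtualHost {addr}> configured")
    host = hostname.lower().rstrip(".")
    for vhost in candidates:
        # fnmatchcase implements the * and ? wildcards ServerAlias allows
        if any(fnmatch.fnmatchcase(host, n.lower()) for n in vhost["names"]):
            return vhost
    # Nothing matched: the first vhost of the set is the default server.
    return candidates[0]


def cert_served_for(sites, hostname):
    """Certificate file a TLS client sending SNI `hostname` is shown."""
    return select_vhost(parse_sites(sites), hostname)["cert"]
```

cert_served_for(SITES_ENABLED, "sub1.domain.com") returns sub2's certificate, which is exactly the SSL_ERROR_BAD_CERT_DOMAIN situation in the question; cert_served_for(HARDENED, "sub1.domain.com") returns the snakeoil placeholder, and select_vhost(parse_sites(WILDCARD_FIRST), "sub3.domain.com") lands on 100-wildcard.conf even though sub3 has an exact ServerName later. On the real server, apache2ctl -S prints a "default server" line for each address:port (the vhost this model falls back to), and openssl s_client -connect <server>:443 -servername sub1.domain.com </dev/null | openssl x509 -noout -subject shows which certificate a client asking for the disabled name is actually handed.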