
I'm using an Ubuntu 16 LAMP stack. I currently have virtual host files set up for each domain, with Cloudflare DNS pointing to the same IP for 2 WordPress sites.

I'm using Cloudflare to generate a free TLS certificate signed by Cloudflare to install on the server for each domain.

Host files look like this:

domain1.conf

<VirtualHost *:443>
    ServerAdmin webmaster@domain1.com
    ServerName domain1.net
    ServerAlias www.domain1.net
    DocumentRoot /var/www/html/domain1
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine      on
    SSLCertificateFile      /etc/ssl/certs/domain1.crt
    SSLCertificateKeyFile   /etc/ssl/private/domain1.key
</VirtualHost>

domain2.conf

<VirtualHost ip:443>
    ServerAdmin webmaster@domain1.com
    ServerName domain2.net
    ServerAlias www.domain2.net
    DocumentRoot /var/www/html/domain2
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine      on
    SSLCertificateFile      /etc/ssl/certs/domain2.crt
    SSLCertificateKeyFile   /etc/ssl/private/domain2.key
</VirtualHost>

My cert and key files are not .pem files; does that matter?

Do I need to edit my ports.conf file? From reading another suggestion I added the first two lines.

NameVirtualHost *:80

NameVirtualHost *:443

Listen 80

<IfModule ssl_module>
        Listen 443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 443
</IfModule>
Mike

3 Answers


You are discussing SSL (default 443), but in your example you use 80. I presume you also need to change from http to https.

I would use different files for different domains (the following hierarchy is for Ubuntu; on RHEL/CentOS I use vhosts.d):

$ ls -1 sites-available/
domain1.net.conf
domain2.net.conf

I use something similar to the following to redirect HTTP to HTTPS.

<VirtualHost *:80>
        ServerAdmin webmaster@domain1.net
        ServerName domain1.net

        RedirectMatch 301 ^(.*)$ https://domain1.net$1
</VirtualHost>

<VirtualHost *:443>
        ServerAdmin webmaster@domain1.net
        ServerAdmin office@domain1.net
        ServerName domain1.net
        ServerAlias *.domain1.net
        ServerSignature Off

        SSLEngine On
        SSLCertificateFile /your/path/to/fullchain.pem
        SSLCertificateKeyFile /your/path/to/privkey.pem
        SSLCertificateChainFile /your/path/to/chain.pem

        # LogLevel debug ssl:debug rewrite:trace8
        # LogLevel info ssl:warn rewrite:trace8
        LogLevel info

        ErrorLog ${APACHE_LOG_DIR}/domain1.net.error.log
        CustomLog ${APACHE_LOG_DIR}/domain1.net.access.log combined

</VirtualHost>

Yes, you need SSL enabled. If you use the same cert for all domains, make sure your cert uses Subject Alternative Name ^1 / SNI for all your domains. Also, you need this field if you make calls to your service using the IP instead of the DN. Otherwise, if your calls use the DN and not the IP, you don't need the specified field.

UPDATE: The file extension doesn't matter; the content is what matters. However, for maintenance reasons, the best practice is to keep the extension convention based on the content of the file. More about certificate conversion ^2

UPDATE: To choose between SNI and SAN ^3 (also see @dave's comments), please choose whether you are going to use 1 cert or multiple certs. The consequence is the process of renewing the certs. If the certs come from different customers, sometimes this is not possible.

azbarcea

If you have different domains, you will need different certificates, one for each domain. In order for this to work, you need Server Name Indication (SNI). See here.

RalfFriedl

My cert and key files are not .pem files; does that matter?

It depends on what you mean by .pem files. If you mean the contents of the file are Base-64 encoded DER, it does matter. From the mod_ssl documentation:

This directive points to a file with certificate data in PEM format.

If by .pem you simply mean the extension isn't .pem, while the contents are Base-64 encoded DER, you'll be fine - only Microsoft cares about the file extension.

You'll know if they're in the wrong format as Apache will refuse to start.
Do I need to edit my ports.conf file?

If your ports.conf doesn't have an entry for port 443, you'll need to add it. Otherwise, no.

garethTheRed
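Two checks that follow from the answers above (the PEM-versus-extension point and the per-domain SNI point), as an added example that is not from any of the posters; it uses only the Python standard library. The IP address is a placeholder, and the cert paths are the ones from the question; the no-SNI case assumes domain1 is the vhost Apache treats as the default for that address.

```python
"""Check that a cert file is really PEM (the only form mod_ssl loads, whatever
its extension) and that a shared-IP Apache serves the right cert per SNI name."""
import hashlib
import socket
import ssl
from typing import Optional


def cert_encoding(data: bytes) -> str:
    """PEM is Base-64 DER wrapped in BEGIN/END lines; raw DER starts with the
    ASN.1 SEQUENCE tag 0x30. Apache refuses to start on anything but PEM."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "pem"
    if data[:1] == b"\x30":
        return "der"
    return "unknown"


def fingerprint(cert: bytes) -> str:
    """SHA-256 over the DER form, so PEM and DER copies of one cert agree."""
    if cert_encoding(cert) == "pem":
        cert = ssl.PEM_cert_to_DER_cert(cert.decode("ascii"))
    return hashlib.sha256(cert).hexdigest()


def served_fingerprint(ip: str, sni: Optional[str], port: int = 443) -> str:
    """Handshake with ip:port offering `sni` (None = no SNI, which is what a
    client dialing the bare IP sends) and fingerprint the leaf cert returned.
    Verification is disabled on purpose: a Cloudflare origin cert is not
    publicly trusted, and we want to observe a wrong cert, not an error."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return fingerprint(tls.getpeercert(binary_form=True))


def vhost_cert_matches(ip: str, sni: Optional[str], cert_path: str) -> bool:
    """True when the cert Apache serves for `sni` is the one on disk."""
    with open(cert_path, "rb") as f:
        return served_fingerprint(ip, sni) == fingerprint(f.read())


if __name__ == "__main__":
    IP = "203.0.113.10"  # placeholder, not a real server
    for sni, path in [("domain1.net", "/etc/ssl/certs/domain1.crt"),
                      ("domain2.net", "/etc/ssl/certs/domain2.crt"),
                      (None, "/etc/ssl/certs/domain1.crt")]:  # no-SNI client
        print(sni, vhost_cert_matches(IP, sni, path))
```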