We have a server running virtualmin with multiple websites housed in virtual servers. I have never run into this issue before on our other server but we issued a CSR and got the SSL back from the client and installed it.
After installing it I received a bunch of common name errors. This seems to be because the domain in the SSL contained www., which you cannot assign to virtual servers, so it doesn't match. However, by including www.domain.com in the /etc/apache2/sites-enabled/example.conf record the error went away.
But if I visit the site https://www.example.com, I get an
ERR_SSL_PROTOCOL_ERROR
I also tried running the following:
openssl s_client -connect www.example.com:443
which outputs this:
CONNECTED(00000003)
3073689800:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:759:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 297 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
I checked to see if openssl shows that port 443 is being listened to and it is. I also tweaked the ports.conf file to include a little more detail:
#Listen 80
#Listen 443
NameVirtualHost *:80
Listen 80
<IfModule mod_ssl.c>
# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to <VirtualHost *:443>
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
NameVirtualHost *:443
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
In the /etc/apache2/sites-enabled/example.conf I made sure that there was a series of settings for the virtual server for 443, not just 80, and it includes the following:
<VirtualHost 123.123.123.123:443>
SuexecUserGroup "#1000" "#1000"
ServerName www.example.com
ServerAlias example.com
DocumentRoot /home/example/public_html
ErrorLog /var/log/virtualmin/example.com_error_log
CustomLog /var/log/virtualmin/example.com_access_log combined
ScriptAlias /cgi-bin/ /home/example/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/example/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
AddType application/x-httpd-php .php
AddHandler fcgid-script .php
AddHandler fcgid-script .php5
FCGIWrapper /home/example/fcgi-bin/php5.fcgi .php
FCGIWrapper /home/example/fcgi-bin/php5.fcgi .php5
</Directory>
<Directory /home/example/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>
RemoveHandler .php
RemoveHandler .php5
php_admin_value engine Off
IPCCommTimeout 301
FcgidMaxRequestLen 1073741824
SSLEngine on
SSLCertificateFile /home/example/ssl.cert
SSLCertificateKeyFile /home/example/ssl.key
SSLCACertificateFile /home/example/ssl.ca
</VirtualHost>
One thought I still have is that by simply doing the CSR again but without the www in the common name, maybe that will resolve all of this. But before I go back to the client (which I have already a few times) I'd like to see if that is really going to resolve it.
UPDATE
So in the midst of the chaos last night I took the time to upgrade the server from 12.04 to 14.04. This makes things a little easier to diagnose since my other server, with about 20 sites on it, is working OK and is on 14.04.
I've also made sure to enable default-ssl.conf and 000-default.conf just to make sure. Looking through some SSL logs using sudo tail -40 /var/log/apache2/error.log, all that I can see is this message:
[ssl:warn] [pid 6905] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
Also I tried this:
nmap --script +ssl-enum-ciphers example.com
And it showed that port 443 was open but there were no ssl-enum-ciphers shown for that port.
UPDATE 2
Tried a new cert. Still doesn't work. But I just loaded the site via Firefox and saw this: ERR_SSL_PROTOCOL_ERROR
Looks like this can happen if the Listen 443 is on but the VirtualHost isn't set up for 443, but the .conf file definitely is.
OH MY GOD.
So I found the problem. Another virtual host website also included a section in the virtualhost file for 443. Yet that website was not properly configured to use SSL, because it isn't supposed to.
I found that on a whim and decided to delete that 443 entry in the file and restarted Apache. Now the site loads fine!
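The root cause found above, as an added check that is not part of the original post: a small shell lint that flags any <VirtualHost ...:443> block in an Apache config that never sets SSLEngine on, which is exactly the stray entry that was deleted. The function name and the sample config are my own constructions.

```shell
# Added example (not from the original post). A <VirtualHost ...:443> block
# without "SSLEngine on" makes Apache treat connections on 443 as plain HTTP
# when that block is the default (first loaded) vhost for the address:port,
# which is why browsers show ERR_SSL_PROTOCOL_ERROR and openssl s_client
# reports "unknown protocol". This lint lists such blocks.
find_plain_443_vhosts() {
    # Reads the config files named as arguments, or stdin when none are given.
    awk '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, ""); low = tolower($0) }
        low ~ /^<virtualhost[ \t]/ {
            in443 = (low ~ /:443[ \t>]/)          # any address on the line bound to :443
            ssl = 0; name = "(no ServerName)"; start = FNR
            sub(/^<[^ \t]+[ \t]+/, ""); sub(/>$/, ""); addr = $0
            next
        }
        low ~ /^<\/virtualhost>/ {
            if (in443 && !ssl)
                printf "line %d: <VirtualHost %s> (ServerName %s) has no SSLEngine on\n", start, addr, name
            in443 = 0; next
        }
        in443 && low ~ /^sslengine[ \t]+on$/ { ssl = 1 }
        in443 && low ~ /^servername[ \t]/    { name = $2 }
    ' "$@"
}

# Constructed sample: a correct SSL vhost followed by a second site that was
# never meant to serve HTTPS but still claims port 443 (the bug in this post).
sample_config() {
    cat <<'EOF'
<VirtualHost 10.0.0.5:80>
    ServerName www.example.com
</VirtualHost>
<VirtualHost 10.0.0.5:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile /home/example/ssl.cert
</VirtualHost>
# second site, never meant to serve HTTPS, yet bound to :443
<VirtualHost 10.0.0.5:443>
    ServerName other.example.net
    DocumentRoot /home/other/public_html
</VirtualHost>
EOF
}

sample_config | find_plain_443_vhosts
```

On a real server run it as `find_plain_443_vhosts /etc/apache2/sites-enabled/*.conf`; an empty result means every 443 vhost has SSLEngine on.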