Installing UCC certificate for multiple domain names hosted virtually on a single server

I spent some time learning how to set up a UCC certificate (for multiple domains hosted on a single server) on Apache2. I had originally bought separate SSL certificates for each domain, but the certifying authority swore they could not be used with a single IP address, and rather than muck with SNI (see https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI) I paid for a UCC certificate, which allows this arrangement explicitly with a simpler Apache2 configuration. It seemed to me more important to learn how a basic Apache2 configuration worked before advancing to more elaborate topics.

Below are my reference notes from the installation. I’ll be glad for any corrections or comments.

  • Significance of the name UCC

    UCC: Unified Communications Certificate, a single SSL certificate for multiple domains.

  • Basics

    After making changes to the various Apache2 configuration files, it is necessary to restart Apache:

      sudo /etc/init.d/apache2 restart

    When /etc/apache2/sites-available/default-ssl is first created, it is necessary to use

      sudo a2dissite default-ssl

    and then

      sudo a2ensite default-ssl

    to disable and then re-enable the site; the latter creates a link from /etc/apache2/sites-enabled/default-ssl to /etc/apache2/sites-available/default-ssl . Do this before running

      sudo /etc/init.d/apache2 restart

  • Configuration files

    1. /etc/apache2/apache2.conf : The main configuration file
    2. /etc/apache2/conf.d/ : Contains small configuration files for various purposes
    3. /etc/apache2/sites-enabled/ : Contains links to the material in /etc/apache2/sites-available
    4. /etc/apache2/sites-available/default : Contains VirtualHost code-blocks for each domain name hosted virtually; each of them contains appropriate entries for ServerName, ServerAlias, DocumentRoot, CustomLog, ErrorLog; optionally also DirectoryIndex and many others specified in the Apache documentation.
    5. /etc/apache2/sites-available/default-ssl : Contains a <VirtualHost _default_> code block prefaced by <IfModule mod_ssl.c>.

  • Errors and Warnings

    • Warn: “NameVirtualHost *:80 has no VirtualHosts”

      Most of these can be eliminated by removing references to port 80, such as the

        NameVirtualHost *:80

      that http://techexposures.com/2009/06/ubuntu-server-configure-and-run-multiple-websites-on-one-server/ recommends in the apache2.conf file.

      However, one such warning remains. Why? Apparently if any duplicate “NameVirtualHost” entries exist anywhere in any configuration files, this error may crop up. I found such a case in /etc/apache2/ports.conf . At first, I simply changed

        NameVirtualHost *:80

      to

        NameVirtualHost *

      but then the error became “NameVirtualHost *:0 has no VirtualHosts”. So I commented out the whole line and now everything works correctly (or at least without complaint).

    • Error: “mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results”

      In /etc/apache2/sites-available/default , if an asterisk * is used in place of an explicit IP address:

        NameVirtualHost *

      but without a specific port being given, then all the other places where an asterisk stands in for an address must also omit the port. But if a port is specified, it should be specified everywhere the asterisk appears.

    • Error: “Invalid command ‘RewriteEngine’, perhaps misspelled or defined by a module not included in the server configuration”

      Commented out the “RewriteEngine on” block in apache2.conf, which rewrites incoming requests to port 443. Don’t know why this raises an error, but everything apparently works without it.

  • Making sure each domain opens its own separate document tree

    • In /etc/apache2/sites-available/default , each domain name must have its own separate <VirtualHost> block, containing a different DocumentRoot.
    • Also, before all the VirtualHost blocks but after the NameVirtualHost entry, there should be a ServerName statement containing the name of the main domain, for which the UCC certificate is configured. (All the other domains can be added to or removed from the certificate later, assuming the certificate-issuer permits it, but not the main one.)

  • Location of certificates

    • Certificates should be listed in /etc/apache2/sites-available/default within each VirtualHost block that they apply to. Along with them,

        SSLEngine on

      should be listed.

    • Certificates themselves are placed in
        /etc/ssl/certs

      and I have segregated them within a special folder so that they are easy to find (below “domain” stands for a whole domain name):

        /etc/ssl/certs/domain_UCC

      In addition, I’ve labeled each one with a prefix “domain_UCC” so that they are easy to identify:

        domain_UCC_domain.com.crt

      etc.
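The two sections above (one VirtualHost per domain, and the certificate directives inside each block) are easy to get subtly wrong: a hostname served over SSL that the UCC certificate does not list gets a browser warning, and mixing “*” with “*:443” produces the “mixing * ports and non-* ports” error. The following checker is an added example, not part of the original post; the config fragment and the SAN list are constructed, and the key path under /etc/ssl/private is an assumption (the post only gives the .crt location).

```python
"""Check an Apache vhost file against the hostnames a UCC certificate covers."""
import re

# Constructed config fragment: one UCC certificate shared by several
# name-based SSL virtual hosts, with *:443 used consistently everywhere.
# The .key path is an assumption; the .crt path follows the post's naming.
VHOST_CONF = """
NameVirtualHost *:443
ServerName domain.com

<VirtualHost *:443>
    ServerName domain.com
    ServerAlias www.domain.com
    DocumentRoot /var/www/domain.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/domain_UCC/domain_UCC_domain.com.crt
    SSLCertificateKeyFile /etc/ssl/private/domain_UCC_domain.com.key
</VirtualHost>

<VirtualHost *:443>
    ServerName second.org
    ServerAlias www.second.org shop.second.org
    DocumentRoot /var/www/second.org
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/domain_UCC/domain_UCC_domain.com.crt
    SSLCertificateKeyFile /etc/ssl/private/domain_UCC_domain.com.key
</VirtualHost>
"""

# Constructed SAN list; in practice read it from the certificate with
# `openssl x509 -in <cert> -noout -ext subjectAltName`.
UCC_SANS = ["domain.com", "www.domain.com", "second.org", "www.second.org"]

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S)

def vhost_names(conf):
    """Map each VirtualHost address to the hostnames it serves with SSLEngine on."""
    out = {}
    for addr, body in VHOST_RE.findall(conf):
        if not re.search(r"^\s*SSLEngine\s+on", body, re.M | re.I):
            continue  # plain-HTTP vhost: the certificate is irrelevant
        for m in re.finditer(r"^\s*Server(?:Name|Alias)\s+(.+)$", body, re.M):
            out.setdefault(addr.strip(), []).extend(m.group(1).split())
    return out

def uncovered_names(conf, sans):
    """Hostnames served over SSL that the certificate's SAN list does not include."""
    served = {n.lower() for names in vhost_names(conf).values() for n in names}
    return sorted(served - {s.lower() for s in sans})

def mixed_ports(conf):
    """True when NameVirtualHost/VirtualHost addresses mix '*' and '*:port'."""
    addrs = re.findall(r"^\s*NameVirtualHost\s+(\S+)", conf, re.M)
    addrs += [a.strip() for a, _ in VHOST_RE.findall(conf)]
    return len({":" in a for a in addrs}) > 1
```

Run against the constructed fragment, `uncovered_names` reports shop.second.org (an alias the certificate does not cover) and `mixed_ports` is clean; replacing the NameVirtualHost line with a bare `*` trips the port check.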

  • Useful Documentation

    http://wiki.apache.org/httpd/CommonMisconfigurations

[end]
