Creating a new virtual server makes all SSL certificates invalid

SYSTEM INFORMATION
OS type and version Ubuntu Linux 24.04.3
Webmin version 2.520
Virtualmin version 7.50.0 GPL
Webserver version what is?

I have some servers and sub-servers installed on Virtualmin.
Some sub-servers are subdomains; some other virtual servers are subdomains that cannot be an alias or a sub-server.

Today I decided to create a virtual server with the subdomain name test.mydomain.ext.
This invalidated the certificates of all other domains and subdomains; all websites went down because of the wrong certificate.

I was terrified and didn’t know what to do.
I started trying to renew or generate a new Let’s Encrypt certificate for one of those domains but got the error: invalid response unauthorized. Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot.

So I removed the new server test.domain.ext and all certificates started working again.

So I cannot create test.domain.ext, as all my websites go down if I try.
Why? This should not happen.

I also had issues with certificates in the past when restoring a backup from server A to B.
All certificates were no longer valid, so I needed to reissue them one by one, but that was also not possible because the websites were not reachable over HTTP, maybe because SSL was forced… so I had to use a script to disable HTTPS for all domains, then reissue the certificates domain by domain and re-enable HTTPS.

I’m using a VPS with a single shared IP.
I tried going to server template, default settings, ssl website for domains and deactivating Generate SSL certificate for domains without SSL website, but this never resolved the issue, as maybe a self-signed cert is created and all other domains on other virtual servers go down with an invalid certificate.

I can’t create a new virtual server anymore, or all my domains and subdomains on servers or sub-servers get an invalid certificate.

Any help will be appreciated. Thank you.


I access my Virtualmin from a domain, for example:

vps.domain.ext

In the domains dropdown list this is the last item, as it is the hostname, the first domain installed.

I have some other domains and subdomains above this.
I want to add a new subdomain that currently is not present as a virtual server

test.domain1.ext

but if I do, all other websites go down because of the wrong certificate.
It seems the new virtual server replaces the certificate of all other virtual server websites. Maybe with the self-signed certificate, as I disabled generating an SSL certificate as default.

About my main hostname domain vps.domain.ext that I use to access the Virtualmin panel:
on manage virtual server, setup SSL certificate, the option
Host default SSL certificate is showing No.

Should I set this as default to avoid the issue of the certificate being replaced when I add a new virtual server, or is the solution different?

I don’t want to break the server as I am in production.
Thank you

This sounds like a “the wrong site shows up” problem (and not “all certificates are invalid”). (Troubleshooting Websites | Virtualmin — Open Source Web Hosting Control Panel)

And, you’re right, it shouldn’t happen.

You can fix it by making sure your VirtualHosts are either all * or all IP. They can’t be mixed or the IP will always win making all of the * sites end up serving the first IP site.

There is a bug fix in the next Virtualmin version that fixes a regression where Virtualmin would pick the wrong type of VirtualHost to create, depending on configuration and the existing VirtualHost configuration. But, in the meantime, just fix the new VirtualHost to be the right kind (based on description of the problem I assume the new one gets an IP, while the rest of your VirtualHosts are *, so change the new one to *, too).

And, about all that other stuff in your post: No. You shouldn’t do any of that. Just fix the problem (which is mixing VirtualHosts with IP and *, almost certainly), don’t go around doing unrelated stuff (unless you want to do that unrelated stuff for some other reason…but it won’t fix this problem).

@Jamie, could you double-check whether we’re actually doing it correctly? Are we checking IPv6 correctly when deciding whether to use * or an IP? A few people have reported these issues, so something may be off.

A lot of people have reported these issues. But, I thought we’d already discussed it and it was fixed?

Hi Joe,
I hope you are well and thank you very much for your reply!

You are right, running the command

grep -i 'virtualhost' /etc/apache2/sites-enabled/*.conf 2>/dev/null || grep -i 'virtualhost' /etc/httpd/conf/httpd.conf 2>/dev/null

before adding the new virtual server shows all domains with the * for ports 80 and 443.

After I create the new virtual server I can see the new domain has a specific server IP and not the *, so I need to edit the conf file, replace the IP with the * and restart Apache.

This seems to resolve the issue.
It seems to be a bug in Virtualmin.

Thank you!

Can you tell me more about your system? What is the output of the ip a command? What entry exactly was added with an IP address instead of *? Is your system set up to have both IPv4 and IPv6?

ip a gives the following result:

See here

What entry exactly was added with an IP address instead of *?

Instead of *, my VPS IPv4 87.106.161.154 was present.

Is your system set up to have both IPv4 and IPv6?

How can I check this for you?

I’ll take a closer look and get back to you if I find anything. Thanks!

Who is your cloud provider?

Thank you.

IONOS IT

If this does not get fixed, I ask you how I can avoid, in the future, that adding a new Virtual Server takes down all my websites. Now I know how to resolve it, but this will cause downtime.

I’m asking if I can find a way to avoid downtime completely in the future.
I hope a fix can be found and released.

I thought it was fixed, but maybe there’s a corner case I missed? Like if there’s a virtualhost using an IPv6 address, does this mean that * cannot be used for IPv4?

If a request comes in on an IP (v6 or v4) Apache will prefer the first IP-based VirtualHost on that IP, ignoring * VirtualHosts, regardless of ServerName. Apache does not consider ServerName until after IP has matched as precisely as it can. IP always beats ServerName.

If there is an IP-based VirtualHost for the IP the request came in on, no *-based VirtualHosts will work on that IP.

If you want to use an IP in a VirtualHost, and you have other VirtualHosts you expect to answer on the same IP, you have to always use IPs. And, vice-versa. You cannot mix and match, if you want everything to work.

I am unaware of any way to alter this behavior in Apache and the documentation seems pretty clear about this being the behavior.

In short: If many IPv6 IPs are being used (a different one for every VirtualHost), and everything is configured appropriately to use multiple IPv6 addresses, then the IPv6 VirtualHost can be IP-based. * will work in this case, if all those other VirtualHosts requests are coming in on different IPv6 addresses.

But, if you have more than one VirtualHost on an IP, they all have to use the same specifier (* or an IP).
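
The matching rule described above, as an added example that is not part of the thread or of Virtualmin's code: a small Python model of Apache's address-then-name selection, plus a check for ports that mix * and IP VirtualHosts. The sample configs, host names and the address 192.0.2.10 are constructed, and the parser assumes addr:port specifiers.

```python
import re
# Constructed sample configs (not from the thread); 192.0.2.10 is a documentation IP.
BEFORE = """
<VirtualHost *:443>
    ServerName shop.example.com
</VirtualHost>
<VirtualHost *:443>
    ServerName blog.example.com
</VirtualHost>
"""
AFTER = BEFORE + """
<VirtualHost 192.0.2.10:443>
    ServerName test.example.com
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)
NAME_RE = re.compile(r"^\s*Server(?:Name|Alias)\s+(.+)$", re.I | re.M)
WILDCARDS = ("*", "_default_")

def parse_vhosts(conf):
    """Return [(address, port, names)] in file order; assumes addr:port specifiers."""
    vhosts = []
    for specs, body in VHOST_RE.findall(conf):
        names = [n.lower() for line in NAME_RE.findall(body) for n in line.split()]
        for spec in specs.split():
            addr, _, port = spec.rpartition(":")
            vhosts.append((addr.strip("[]"), port, names or ["(unnamed)"]))
    return vhosts

def mixed_ports(vhosts):
    """Ports on which '*' and explicit-IP VirtualHosts coexist."""
    kinds = {}
    for addr, port, _ in vhosts:
        kinds.setdefault(port, set()).add("*" if addr in WILDCARDS else "ip")
    return sorted(p for p, k in kinds.items() if len(k) == 2)

def serving_vhost(vhosts, local_ip, port, host):
    """Model the selection: an exact IP:port match hides '*', then ServerName."""
    exact = [v for v in vhosts if v[0] == local_ip and v[1] == port]
    pool = exact or [v for v in vhosts if v[0] in WILDCARDS and v[1] == port]
    for _, _, names in pool:
        if host.lower() in names:
            return names[0]
    return pool[0][2][0] if pool else None  # no name match: first vhost in the set

if __name__ == "__main__":
    for v in map(parse_vhosts, (BEFORE, AFTER)):
        print(mixed_ports(v), serving_vhost(v, "192.0.2.10", "443", "blog.example.com"))
```

With the IP-based entry present, a request for blog.example.com is answered by the test.example.com VirtualHost, so the client receives that site's certificate; a non-empty mixed_ports result on a single-IP host is that state.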

I don’t think my VPS supports or uses IPv6.
My domains that work have the * in the VirtualHost, but these days when I added a new Virtual Server, my VPS IPv4 was set instead of the *, and this caused the issue on all other domains.

I had to replace the IPv4 with the * for ports 80 and 443 to make the websites work again, or all certificates were replaced by the invalid (self-signed) one generated by the new host; but even if a Let’s Encrypt certificate is generated for the new host, all other websites get broken.

If you never find any bug, I’m asking for help to understand how I can avoid future virtual hosts being created in VirtualHost with my IPv4 instead of the *, which causes all websites to be broken.

I can fix it manually but this will cause downtime every time.
I don’t have multiple IPs; I have a normal Ionos VPS XL.

Can you show the form for creating a new domain, when “Create Virtual Server” is clicked, especially the “IP address and forwarding” section and its default settings?


Screenshot-2025-12-02-000835.png
I confirm I use default settings.
What I can see is that the IP is added to the VirtualHost instead of *; as all other domains have been set up with *, this maybe creates the issue, and afterwards I need to edit the VirtualHost, replacing the shared IP shown in the screen with an * on ports 80 and 443, so all other websites return to work after a downtime for the invalid certificate.

What is the output of:

grep -Rs apache_star /etc/webmin/virtual-server

Thanks for the help.
If you can, please use the reply button when you reply to my message so I get notified by email (thank you :blush:).

What is the output of:

grep -Rs apache_star /etc/webmin/virtual-server

The output is:

/etc/webmin/virtual-server/last-config:apache_star=0
/etc/webmin/virtual-server/config:apache_star=0

I just set up an Ubuntu 24.04 instance on Linode, and everything worked fine right away. I could create domains without any problems, and all records were added as * to Apache.

However, I started to change things and move away from defaults. When I deleted IPv6 from the interface and only left the IPv4, creating a new virtual server in Virtualmin did begin creating domains with IP, even though all previous records were added correctly with *.

Great! We’ve solved the most complicated part. Now we need to figure out how to fix it…