server goes to wrong site

I installed Virtualmin yesterday on my server server1.perelon.com.br.

I added 3 virtual servers (perelon.com.br, aprendacomjogos.com.br and inglesnobrasil.com.br) WITHOUT enabling SSL.

I edited the domain inglesnobrasil.com.br to enable SSL. This worked fine for that domain.

But something unexpected happened. I still hadn’t enabled SSL for the other domains. When I tried going to https://aprendacomjogos.com.br I expected to get an error message. But I didn’t. I got the warning window that usually appears for an unsigned certificate and when I accepted that, I got the inglesnobrasil.com.br page, NOT the aprendacomjogos.com.br, even though the aprendacomjogos address was in the URL address area of the browser.

The same happens with the virtual server perelon.com.br, which also doesn’t have SSL enabled.

When I subsequently enabled SSL for aprendacomjogos.com.br, it behaved as expected and I got the correct page.

So if I have a virtual server that does NOT have SSL enabled and I try to go to that site with https, why does it take me to a different site on my server that IS SSL enabled instead of giving me an error message about using https for an unsecured site?

https://www.sslshopper.com/ssl-checker.html#hostname=https://aprendacomjogos.com.br/
https://www.ssllabs.com/ssltest/analyze.html?d=aprendacomjogos.com.br

Enabling SSL for the site is not enough; you have to upload the certificate in Virtualmin -> Virtual Server -> Server Configuration -> Manage SSL Certificate.

Regardless of the status of certificates (whether or not there is a certificate or if a certificate is valid), if I type a URL, using secure http (https) for a site that does NOT have SSL enabled, why does it display a page from a DIFFERENT virtual server that DOES have SSL enabled? Why doesn’t it just display an error message? Yes, both virtual servers are on the same physical server, but why does one virtual server access a file (the index.html file) from a different virtual server? In my understanding, that should NEVER happen.

Each website that needs SSL has to have its own IP address.
If you have a shared IP that has 2 or more virtual hosts and one of them is assigned an SSL, that SSL will show up for all virtual hosts on that IP.

You can screw up your Apache big time by doing such a thing.
Remove the SSL from the shared IP and give the virtual host its own dedicated IP before going back and installing the SSL.

IP per SSL site went away 10+ years ago.

So what would your solution be to help contribute as to why Apache is referring to the last SSL link instead of just giving a 505 error on the page?
As long as I can remember, Apache has always done this.
The only thing I can think of, because I don’t have several domains to test this on, is to make sure every virtual host is created with an SSL.
I also notice in the SSL that a wildcard is present, so it could be anything.

This link might be useful for investigating what is happening.

https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

If it is an SNI issue (per the prerequisites listed in the link), then it also mentions:

How can you tell if your Apache build supports SNI? If you configure multiple name-based virtual hosts for an address where SSL is configured, and SNI isn’t built into your Apache, then upon Apache startup a message like “You should not use name-based virtual hosts in conjunction with SSL!!” will occur in the error log. If SNI is built in, then the error log will show “[warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)”.

Howdy,

The issue with Apache showing the wrong URL can often be handled by this here:

https://www.virtualmin.com/documentation/web/troubleshooting#toc-the-wrong-site-shows-up-V5JtxdKg

It’s typically related to an IP address issue in the Apache config, and the above shows how to correct that.

-Eric
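
Added example, not written by any poster in this thread and not Virtualmin's code: Apache's documented name-based matching hands a request whose hostname matches no ServerName or ServerAlias on an address:port to the first virtual host defined there, which is the behaviour the original poster saw on port 443. The Python script below lists names served on :80 that fall through on :443 and which site answers for them; the sample config and the 192.0.2.10 address are constructed, and it assumes literal `IP:port` vhost addresses (no `*:443`, no wildcard aliases).

```python
import re

# Constructed sample mirroring the thread: three sites on :80, only
# inglesnobrasil.com.br on :443. 192.0.2.10 is a documentation address.
SAMPLE_CONF = """
<VirtualHost 192.0.2.10:80>
    ServerName perelon.com.br
    ServerAlias www.perelon.com.br
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName aprendacomjogos.com.br
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName inglesnobrasil.com.br
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName inglesnobrasil.com.br
    SSLEngine on
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>\s]+)\s*>(.*?)</VirtualHost>", re.S | re.I)
NAME_RE = re.compile(r"^\s*Server(?:Name|Alias)\s+(.+)$", re.M | re.I)

def parse_vhosts(conf):
    """Return [(addr, [names])] in file order; the order decides the default."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf):
        names = [n for m in NAME_RE.finditer(body) for n in m.group(1).lower().split()]
        vhosts.append((addr, names))
    return vhosts

def select_vhost(vhosts, addr, host):
    """Exact name/alias match on addr, else the first vhost on addr; None if no vhost."""
    candidates = [names for a, names in vhosts if a == addr and names]
    for names in candidates:
        if host.lower() in names:
            return names[0]
    return candidates[0][0] if candidates else None

def https_fallthrough(vhosts, ip):
    """Map each name present on :80 but absent on :443 to the site answering HTTPS."""
    tls_names = {n for a, names in vhosts if a == f"{ip}:443" for n in names}
    plain = [n for a, names in vhosts if a == f"{ip}:80" for n in names]
    return {n: select_vhost(vhosts, f"{ip}:443", n) for n in plain if n not in tls_names}

if __name__ == "__main__":
    for name, served in https_fallthrough(parse_vhosts(SAMPLE_CONF), "192.0.2.10").items():
        print(f"https://{name} -> answered by {served}")
```

Any name the script reports needs its own :443 virtual host, or a deliberate catch-all placed first on that address, if the fall-through is not wanted.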