SSL on subdomains

dotancohen asked:

I am trying to configure a wildcard SSL certificate to serve on subdomains as well as on the main domain for a server. In order to get the SSL cert to work, it seems that I must define the main site’s sites-available file as such:

<VirtualHost *:443>

When I try to use <VirtualHost> then Firefox complains:

An error occurred during a connection to

SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

Google Chrome is less specific:

SSL connection error

To what could I change <VirtualHost *:443> so that I could serve as a different Virtual Host with SSL as well?

This is on Ubuntu Server 12.04 LTS (3.2 kernel) with Apache 2.2.22 and a Godaddy SSL certificate.

Edit: Here is the Apache sites-enabled file for the domain.

<IfModule mod_ssl.c>
# With this line, the site serves fine
#<VirtualHost *:443>
# With this line, browsers throw the error
<VirtualHost>
        DocumentRoot /var/www/someSite/public_html

        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/someSite/public_html/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

        SSLEngine on
        SSLCertificateFile    /etc/apache2/ssl/
        SSLCertificateKeyFile /etc/apache2/ssl/someSite.key

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>


My answer:

Apache recommends against using a hostname in the <VirtualHost> directive for a variety of reasons.

The best practice is to specify the IP address or * in <VirtualHost> and the hostname(s) of the virtual host in the ServerName and ServerAlias directives.

So to resolve this:

  • If you want all of the wildcard subdomains to be served by the existing virtual host, add ServerAlias * to it.
  • If you want all the wildcard subdomains to be served by a completely different virtual host, add a new <VirtualHost> block with a ServerName and ServerAlias *

View the full question and answer on Server Fault.
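
The second option from the answer, written out as an added example for Apache 2.2 (it is not part of the original question or answer). The domain example.com, the second document root and the certificate file names are placeholders assumed for illustration.

```apache
# Constructed example: example.com and all file paths are placeholders.
# Apache 2.2 needs NameVirtualHost for name-based virtual hosts on an
# address:port pair; Apache 2.4 no longer requires it.
NameVirtualHost *:443

# Main site: address and port go in <VirtualHost>, the hostname in ServerName.
<VirtualHost *:443>
        ServerName example.com
        DocumentRoot /var/www/someSite/public_html

        SSLEngine on
        SSLCertificateFile    /etc/apache2/ssl/wildcard.example.com.crt
        SSLCertificateKeyFile /etc/apache2/ssl/wildcard.example.com.key
</VirtualHost>

# Separate virtual host for the subdomains, matched through ServerAlias.
# It reuses the same wildcard certificate and key.
<VirtualHost *:443>
        ServerName sub.example.com
        ServerAlias *.example.com
        DocumentRoot /var/www/subSites/public_html

        # Every virtual host on port 443 needs SSLEngine on. One without it
        # answers in plain HTTP, which browsers report as
        # ssl_error_rx_record_too_long.
        SSLEngine on
        SSLCertificateFile    /etc/apache2/ssl/wildcard.example.com.crt
        SSLCertificateKeyFile /etc/apache2/ssl/wildcard.example.com.key
</VirtualHost>

# For the first option (one virtual host for everything), drop the second
# block and add "ServerAlias *.example.com" to the first.
#
# Checks after reloading Apache:
#   apache2ctl -S
#       lists which virtual host each name on *:443 maps to
#   openssl s_client -connect example.com:443 -servername sub.example.com
#       shows the certificate actually served for that hostname
```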

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.