subdomains SSL

#1
Hello everybody !

Sorry if my request seems very simple to you; I just switched from Apache to OpenLiteSpeed and the transition is not the easiest. xD

I have a domain name, which we will call site1.fr. On this one I have 3 subdomains, for example:
sub1.site1.fr
sub2.site1.fr
sub3.site1.fr

On OpenLiteSpeed I have 4 virtual hosts:
site1
sub1
sub2
sub3

I can't get HTTPS on it... I ran certbot just on site1; in Listeners I added all the subdomains, and it didn't work.

So then I ran certbot on each subdomain and put the keys directly in virtualhost > XX > SSL. That doesn't work either. Could someone point me in the right direction please?

Have a good day!
 

JMo

New Member
#3
Hi,
I found this thread after some digging and it seemed more appropriate to drop this here rather than starting a new thread. Also coming from Apache, I have a similar issue with my subdomains, where I put an individual SSL cert for each subdomain on each virtual host. Administrator in his/her reply says "you also need to make sure that listener has one cert on it", so I did that, and in fact removing that cert from the listener results in an error. However, the SSL Labs server test shows a mismatch. I am far from experienced in this, but it seems to grab the listener SSL cert from site1 as an extra cert for the other subdomains, thus giving a mismatch. This confuses me.

I started this search because I have an essential plugin that, every time I try to activate the license, throws a handshake error:
Code:
stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages:
error:0A000410:SSL routines::sslv3 alert handshake failure
stream_socket_client(): Failed to enable crypto
stream_socket_client(): Unable to connect to ssl://automaticcss.com:443 (Unknown error)

So far I have been unable to solve this; I have deleted the plugin and re-installed it, and I have force-renewed the cert, to no avail. All info about the issue seems to point to an SSL misconfiguration though, so I hope someone can point me to a solution.

Thanks!
 

Cold-Egg

Administrator
#4
Assume you have a cert on the listener, then you just need to add the VH SSL with its cert, and the SSL certificate in the virtual host will overwrite the listener. If not working, please share both server and vh configs so we can check for you. You can also inbox me if you want to keep the config in private.
 
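Concretely, the layout the administrator describes (one certificate on the secure listener, each virtual host carrying its own) looks like this in OpenLiteSpeed's plain-text config files. This is an added example for the thread, not configuration from any poster; the vhost names and the /etc/letsencrypt/live/ paths are assumptions, and the listener only shows a few of the map lines.

```text
# /usr/local/lsws/conf/httpd_config.conf  (server level, assumed path)
listener HTTP {
  address                 *:80
  secure                  0
  map                     site1 site1.fr
  map                     sub1  sub1.site1.fr
  map                     sub2  sub2.site1.fr
}

listener HTTPS {
  address                 *:443
  secure                  1
  # A secure listener needs a certificate of its own. This is the default
  # that is served when the client sends no SNI, or names a host that no
  # mapped vhost claims. OpenLiteSpeed refuses to start a secure listener
  # without one, which is the error JMo saw when removing it.
  keyFile                 /etc/letsencrypt/live/site1.fr/privkey.pem
  certFile                /etc/letsencrypt/live/site1.fr/fullchain.pem
  certChain               1
  map                     site1 site1.fr
  map                     sub1  sub1.site1.fr
  map                     sub2  sub2.site1.fr
}

# /usr/local/lsws/conf/vhosts/sub1/vhconf.conf  (per vhost, assumed path)
vhssl {
  keyFile                 /etc/letsencrypt/live/sub1.site1.fr/privkey.pem
  certFile                /etc/letsencrypt/live/sub1.site1.fr/fullchain.pem
  certChain               1
}
```

A single HTTPS listener with one map line per domain serves all the virtual hosts; the server picks the vhost from the SNI name the client sends and presents that vhost's vhssl certificate instead of the listener's. Two things to check when it "doesn't work": the listener must have secure set to 1 (a vhssl block on a non-secure listener gives plain HTTP on port 443, which Firefox reports as SSL_ERROR_RX_RECORD_TOO_LONG), and the server must be restarted after editing the files. You can confirm which certificate is served for a given name with openssl s_client -connect sub1.site1.fr:443 -servername sub1.site1.fr and reading the subject line of the returned certificate.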

JMo

New Member
#5
Hi, thanks for your reply to my post. I have been trying to answer here but every time I get a spam message where I really don't see anything inappropriate in my wording. I was able to resolve the immediate handshake issue though.
 

JMo

New Member
#7
Let's see... this was my original reply:

Hi, thanks for your reply to my post. Meanwhile I was able to solve the initial handshake issue that started me on this quest. As it turns out I had to re-install
Code:
lsphp81-curl
and apparently it had nothing to do with the SSL certificates.

Re. my doubt about the SSL though, I have 4 subdomains and am still installing the main domain on the server (I know I should have done the main domain first, but since I was more interested in getting the subdomains up I did it this way). So each subdomain (site1, site2, site3, site4) has its own cert set up on the respective VH, and I used the cert from site1 for the listener. As I understand it, this is the correct way.

Doing a check on SSL Labs for subdomains 2, 3 and 4, the server result shows cert #1 (the actual cert on the VH, indeed overriding the one on the listener) but also cert #2 (no SNI), which is the cert on the listener. This one of course is showing a mismatch, being the cert from site1 that is being overridden. I get that now.

I guess my question is: does this extra cert mismatch from the listener have any consequence for the way a website works in terms of security, SEO or otherwise? Or is it simply the way LiteSpeed works and I shouldn't be bothered about the extra cert?

Thanks again,

Johanna
 
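The "cert #2 (no SNI)" line in the SSL Labs report can be reproduced and understood with a short script: connect once with the server_name extension and once without, and check whether the certificate that comes back actually covers the name you asked for. This is an added example for the thread (not SSL Labs or OpenLiteSpeed code); it assumes the target answers on port 443 with a certificate that chains to a CA in the system trust store, and the hostnames and certificate dicts at the bottom are constructed to mirror the thread's setup. The matching helper also handles the wildcard case raised later in the thread.

```python
"""Which certificate does a TLS server present with and without SNI, and does it
match the requested name? Added example (not from the forum or OpenLiteSpeed).
Assumes the host answers on 443 with a cert that chains to a trusted CA."""
import socket
import ssl


def san_names(cert):
    """DNS names from a dict in the shape SSLSocket.getpeercert() returns,
    falling back to the subject CN when the certificate carries no SANs."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ()) for kind, value in rdn
                 if kind == "commonName"]
    return names


def name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, and '*' is only honoured as
    the whole leftmost label, matching exactly one label. So *.site1.fr covers
    sub2.site1.fr but neither site1.fr nor a.b.site1.fr."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    pattern_labels = pattern.split(".")[1:]
    host_labels = hostname.split(".")
    return len(host_labels) == len(pattern_labels) + 1 and host_labels[1:] == pattern_labels


def cert_matches(cert, hostname):
    """True when any DNS name on the certificate covers hostname."""
    return any(name_matches(name, hostname) for name in san_names(cert))


def fetch_cert(host, port=443, sni=True, timeout=5.0):
    """Peer certificate as a dict. With sni=False no server_name extension is
    sent, which is what SSL Labs' 'no SNI' probe and pre-SNI clients do, so the
    server can only answer with the listener's default certificate. Chain
    validation stays on (a bad chain raises ssl.SSLCertVerificationError); only
    the hostname check is disabled, because reporting that mismatch is the point."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host if sni else None) as tls:
            return tls.getpeercert()


def compare(host):
    """Return {'sni': (names, matches), 'no_sni': (names, matches)} for host."""
    result = {}
    for key, sni in (("sni", True), ("no_sni", False)):
        cert = fetch_cert(host, sni=sni)
        result[key] = (san_names(cert), cert_matches(cert, host))
    return result


# Constructed certificate dicts mirroring the thread: the listener carries
# site1's cert, sub2's vhost carries its own, plus a hypothetical wildcard.
LISTENER_CERT = {"subject": ((("commonName", "site1.fr"),),),
                 "subjectAltName": (("DNS", "site1.fr"), ("DNS", "www.site1.fr"))}
SUB2_CERT = {"subject": ((("commonName", "sub2.site1.fr"),),),
             "subjectAltName": (("DNS", "sub2.site1.fr"),)}
WILDCARD_CERT = {"subject": ((("commonName", "*.site1.fr"),),),
                 "subjectAltName": (("DNS", "*.site1.fr"), ("DNS", "site1.fr"))}


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        for key, (names, ok) in compare(host).items():
            print(f"{host} {key:7}: {'match' if ok else 'MISMATCH'} {names}")
```

Run it as python3 sni_check.py sub2.site1.fr. The "sni" row is what every browser and crawler in current use sees, because they all send the extension, so the vhost certificate is the one that gets validated; the "no_sni" row is the listener's site1 certificate, and it can only mismatch, since a single certificate cannot be right for every vhost behind one listener unless it lists all of them as SANs or is a wildcard. A wildcard on the listener would make the no-SNI probe clean for the subdomains, but it is not required for the sites to work.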
#9
Looks like I had the same problem and I wasn't able to fix it (for my understanding).
Right now I'm moving from NGINX to OpenLiteSpeed and I already have all the Let’s Encrypt certs.

I have put the certs in my vhost (this results in SSL_ERROR_RX_RECORD_TOO_LONG in Firefox) and my listener has no cert.
When I do the same (also same cert) to a HTTPS listener it works.
But the listener is using a wildcard for the domains.

So the big question for me is:
  • Do I have to set a listener for every subdomain?
  • Or can I use only 2 listeners (HTTP and HTTPS) for hundreds of different domains + subdomains?
    • While setting the specific cert in the vhost for each subdomain
    • I don't have a wildcard cert. So what should I use for the wildcard listener, which can hold many different domains? Self-signed trash, or a random Let's Encrypt cert, because it's never served when there is a matching vhost?
In NGINX I haven't set any cert for the "default" config, only for each vhost (the server block with the specific server_name / domain). Maybe this confused me.
Also I don't understand why I have to enter a cert in the listener when the vhost overwrites the listener's cert (who cares if there is no site to serve when the vhost domain doesn't match).
 