{"id":61,"date":"2012-06-07T15:55:32","date_gmt":"2012-06-07T15:55:32","guid":{"rendered":"https:\/\/www.demenageur-site.com\/blog\/?p=61"},"modified":"2014-02-25T19:57:41","modified_gmt":"2014-02-25T19:57:41","slug":"plusieurs-certificats-ssl-pour-differents-virtualhosts-sur-une-seule-ip","status":"publish","type":"post","link":"https:\/\/www.demenageur-site.com\/blog\/2012\/06\/plusieurs-certificats-ssl-pour-differents-virtualhosts-sur-une-seule-ip\/","title":{"rendered":"Multiple SSL certificates for different VirtualHosts on a single IP"},"content":{"rendered":"<p>In this tutorial, we will see how to install two different SSL certificates for two different virtual hosts on a Debian \/ Apache2 server that has only one IP address.<\/p>\n<p>To keep things simple, we consider the case of self-signed certificates here.<br \/>\nThe principle is the same for certificates issued by a certificate authority.<\/p>\n<p>First, let's enable the ssl module:<\/p>\n<p><em>a2enmod ssl<\/em><\/p>\n<p>Create a directory to store the certificates:<\/p>\n<p><em>mkdir \/etc\/ssl\/exampleA<\/em><br \/>\n<em>cd \/etc\/ssl\/exampleA<\/em><\/p>\n<p>Generate the key (without a passphrase, so it does not have to be retyped when Apache restarts automatically):<br \/>\n<em>openssl genrsa -out www.exampleA.com.key 2048<\/em><br \/>\nGenerate the CSR:<br \/>\n<em>openssl req -new -key www.exampleA.com.key -out www.exampleA.com.csr<\/em><br \/>\nGenerate the certificate:<br \/>\n<em>openssl x509 -req -days 365 -in www.exampleA.com.csr -signkey www.exampleA.com.key -out www.exampleA.com.crt<\/em><\/p>\n<p>Set the most restrictive permissions on these files:<br \/>\n<em>chmod 600 *<\/em><\/p>\n<p>Edit the VirtualHost of the exampleA site as follows:<\/p>\n<p><em>&lt;VirtualHost *:443&gt;<\/em><br \/>\n<em>\u00a0\u00a0\u00a0 DocumentRoot \/home\/exampleA\/www<\/em><br 
\/>\n<em>\u00a0\u00a0\u00a0 ServerName www.exampleA.com<\/em><br \/>\n<em>\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0SSLEngine on<\/em><br \/>\n<em>\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0SSLCertificateFile \/etc\/ssl\/exampleA\/www.exampleA.com.crt<\/em><br \/>\n<em>\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0SSLCertificateKeyFile \/etc\/ssl\/exampleA\/www.exampleA.com.key<\/em><br \/>\n<em>\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0SSLVerifyClient None<\/em><br \/>\n<em>\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0SSLOptions +StdEnvVars<\/em><br \/>\n<em>&lt;\/VirtualHost&gt;<\/em><\/p>\n<p>Note: the secure vhost configuration can go into much more detail; I only include the most basic lines here.<\/p>\n<p>Do the same thing for the second vhost:<\/p>\n<p><em>mkdir \/etc\/ssl\/exampleB<\/em><br \/>\n<em>cd \/etc\/ssl\/exampleB<\/em><br \/>\n<em>openssl genrsa -out www.exampleB.com.key 2048<\/em><br \/>\n<em>openssl req -new -key www.exampleB.com.key -out www.exampleB.com.csr<\/em><br \/>\n<em>openssl x509 -req -days 365 -in www.exampleB.com.csr -signkey www.exampleB.com.key -out www.exampleB.com.crt<\/em><\/p>\n<p><em>&lt;VirtualHost *:443&gt;<\/em><br \/>\n<em>\u00a0\u00a0\u00a0 DocumentRoot \/home\/exampleB\/www<\/em><br \/>\n<em>\u00a0\u00a0\u00a0 ServerName www.exampleB.com<\/em><br \/>\n<em>\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0SSLEngine on<\/em><br \/>\n<em>\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0SSLCertificateFile \/etc\/ssl\/exampleB\/www.exampleB.com.crt<\/em><br \/>\n<em>\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0SSLCertificateKeyFile \/etc\/ssl\/exampleB\/www.exampleB.com.key<\/em><br \/>\n<em>\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0SSLVerifyClient None<\/em><br \/>\n<em>\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0SSLOptions +StdEnvVars<\/em><br \/>\n<em>&lt;\/VirtualHost&gt;<\/em><\/p>\n<p>Then add the following to \/etc\/apache2\/ports.conf:<\/p>\n<p><em>&lt;IfModule mod_ssl.c&gt;<\/em><br \/>\n<em>\u00a0\u00a0\u00a0 Listen 443<\/em><br \/>\n<em>\u00a0\u00a0\u00a0 NameVirtualHost 
*:443<\/em><br \/>\n<em>&lt;\/IfModule&gt;<\/em><\/p>\n<p>If you get the following error message when restarting Apache:<br \/>\n<em>&ldquo;[warn] _default_ VirtualHost overlap on port 443, the first has precedence&rdquo;<\/em><br \/>\nit means you have made a mistake in \/etc\/apache2\/ports.conf or in one of the vhosts.<\/p>\n<p>If you get the following error message when restarting Apache:<br \/>\n&ldquo;Restarting web server: apache2 &#8230; waiting (98)Address already in use: make_sock: could not bind to address [::]:443&rdquo;<\/p>\n<p>it means you have enabled gnutls (which therefore activates Listen 443 twice in ports.conf).<br \/>\nSo disable gnutls:<br \/>\n<em>a2dismod gnutls<\/em><\/p>\n<p>Be careful: the command &lsquo;apache2ctl -t&rsquo; will not report an error.<\/p>\n<p>If everything is OK, when you visit https:\/\/www.exampleA.com and https:\/\/www.exampleB.com you do get two different certificates.<br \/>\n(In our case, because the certificates are self-signed, you will have to add two security exceptions in your browser.)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, we will see how to install two different SSL certificates for two different virtual hosts on a Debian \/ Apache2 server that has only one IP address. To keep things simple, we consider the case of self-signed certificates here. 
The principle<span class=\"ellipsis\">&hellip;<\/span><\/p>\n<div class=\"read-more\"><a href=\"https:\/\/www.demenageur-site.com\/blog\/2012\/06\/plusieurs-certificats-ssl-pour-differents-virtualhosts-sur-une-seule-ip\/\">Read more &#8250;<\/a><\/div>\n<p><!-- end of .read-more --><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-61","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.demenageur-site.com\/blog\/wp-json\/wp\/v2\/posts\/61","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.demenageur-site.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.demenageur-site.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.demenageur-site.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.demenageur-site.com\/blog\/wp-json\/wp\/v2\/comments?post=61"}],"version-history":[{"count":7,"href":"https:\/\/www.demenageur-site.com\/blog\/wp-json\/wp\/v2\/posts\/61\/revisions"}],"predecessor-version":[{"id":257,"href":"https:\/\/www.demenageur-site.com\/blog\/wp-json\/wp\/v2\/posts\/61\/revisions\/257"}],"wp:attachment":[{"href":"https:\/\/www.demenageur-site.com\/blog\/wp-json\/wp\/v2\/media?parent=61"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.demenageur-site.com\/blog\/wp-json\/wp\/v2\/categories?post=61"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.demenageur-site.com\/blog\/wp-json\/wp\/v2\/tags?post=61"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}