Using Multiple SSL Certificates in Apache with One IP Address

Found Using Multiple SSL Certificates in Apache with One IP Address today. Basically:

<NameVirtualHost *:443>

<VirtualHost *:443>
 ServerName www.yoursite.com
 DocumentRoot /var/www/site
 SSLEngine on
 SSLCertificateFile /path/to/www_yoursite_com.crt
 SSLCertificateKeyFile /path/to/www_yoursite_com.key
 SSLCertificateChainFile /path/to/DigiCertCA.crt
</Virtual Host>

<VirtualHost *:443>
 ServerName www.yoursite2.com
 DocumentRoot /var/www/site2
 SSLEngine on
 SSLCertificateFile /path/to/www_yoursite2_com.crt
 SSLCertificateKeyFile /path/to/www_yoursite2_com.key
 SSLCertificateChainFile /path/to/DigiCertCA.crt
</Virtual Host>

Fixing CA Certificates after upgrade to Ubuntu 14.04.1

After using do-release-upgrade to upgrade Ubuntu to version 14.04.1 I started having the following problem:

root@orac:/root# wget https://www.progclub.org/robots.txt                                                      
--2014-11-20 13:49:28--  https://www.progclub.org/robots.txt                                                   
Resolving www.progclub.org (www.progclub.org)... 67.207.128.184                                                
Connecting to www.progclub.org (www.progclub.org)|67.207.128.184|:443... connected.                            
ERROR: cannot verify www.progclub.org's certificate, issued by '/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA’:                                                  
  Self-signed certificate encountered.                                                                         
To connect to www.progclub.org insecurely, use `--no-check-certificate'.

To start with I did this:

root@orac:/root# cd /etc/ssl/certs
root@orac:/etc/ssl/certs# mv ssl-cert-snakeoil.pem ../
root@orac:/etc/ssl/certs# cd /etc/ssl/private
root@orac:/etc/ssl/private# mv ssl-cert-snakeoil.key ../

Then I got rid of the symlink(s) for the ssl-cert-snakeoil.pem, e.g.:

root@orac:/etc/ssl# cd /etc/ssl/certs
root@orac:/etc/ssl/certs# ll | grep 'snake'
lrwxrwxrwx 1 root root   21 Jan 10  2012 c8882f98 -> ssl-cert-snakeoil.pem
lrwxrwxrwx 1 root root   21 Mar 25  2014 c8882f98.0 -> ssl-cert-snakeoil.pem
root@orac:/etc/ssl/certs# mv c8882f98* ../

Then I ran: dpkg-reconfigure ca-certificates:

root@orac:/root# dpkg-reconfigure ca-certificates 

On the first screen I selected ‘ask’:

  ┌───────────────────────────────────┤ ca-certificates configuration ├────────────────────────────────────┐   
  │ This package may install new CA (Certificate Authority) certificates when upgrading. You may want to   │   
  │ check such new CA certificates and select only certificates that you trust.                            │   
  │                                                                                                        │   
  │  - yes: new CA certificates will be trusted and installed;                                             │   
  │  - no : new CA certificates will not be installed by default;                                          │   
  │  - ask: prompt for each new CA certificate.                                                            │   
  │                                                                                                        │   
  │ Trust new certificates from certificate authorities?                                                   │   
  │                                                                                                        │   
  │                                                  yes                                                   │   
  │                                                  no                                                    │   
  │                                                  ask                                                   │   
  │                                                                                                        │   
  │                                                                                                        │   
  │                                                                                                    │   
  │                                                                                                        │   
  └────────────────────────────────────────────────────────────────────────────────────────────────────────┘   

On the next screen I unselected everything:

Package configuration                                                                                          
                                                                                                               
  ┌────────────────────────────────────┤ ca-certificates configuration ├────────────────────────────────────┐  
  │ This package installs common CA (Certificate Authority) certificates in /usr/share/ca-certificates. .   │  
  │ Please select the certificate authorities you trust so that their certificates are installed into       │  
  │ /etc/ssl/certs. They will be compiled into a single /etc/ssl/certs/ca-certificates.crt file.            │  
  │                                                                                                         │  
  │ Certificates to activate:                                                                               │  
  │                                                                                                         │  
  │    [ ] mozilla/ACEDICOM_Root.crt                                                                    ↑   │  
  │    [ ] mozilla/AC_Raíz_Certicámara_S.A..crt                                                         ▮   │  
  │                                                                                                         │  
  │                                                                                                         │  
  │                                                                                                     │  
  │                                                                                                         │  
  └─────────────────────────────────────────────────────────────────────────────────────────────────────────┘  

Then I ran: dpkg-reconfigure ca-certificates again:

root@orac:/root# dpkg-reconfigure ca-certificates 

On the first screen I selected ‘ask’:

  ┌───────────────────────────────────┤ ca-certificates configuration ├────────────────────────────────────┐   
  │ This package may install new CA (Certificate Authority) certificates when upgrading. You may want to   │   
  │ check such new CA certificates and select only certificates that you trust.                            │   
  │                                                                                                        │   
  │  - yes: new CA certificates will be trusted and installed;                                             │   
  │  - no : new CA certificates will not be installed by default;                                          │   
  │  - ask: prompt for each new CA certificate.                                                            │   
  │                                                                                                        │   
  │ Trust new certificates from certificate authorities?                                                   │   
  │                                                                                                        │   
  │                                                  yes                                                   │   
  │                                                  no                                                    │   
  │                                                  ask                                                   │   
  │                                                                                                        │   
  │                                                                                                        │   
  │                                                                                                    │   
  │                                                                                                        │   
  └────────────────────────────────────────────────────────────────────────────────────────────────────────┘   

On the next screen I selected everything:

Package configuration                                                                                          
                                                                                                               
  ┌────────────────────────────────────┤ ca-certificates configuration ├────────────────────────────────────┐  
  │ This package installs common CA (Certificate Authority) certificates in /usr/share/ca-certificates. .   │  
  │ Please select the certificate authorities you trust so that their certificates are installed into       │  
  │ /etc/ssl/certs. They will be compiled into a single /etc/ssl/certs/ca-certificates.crt file.            │  
  │                                                                                                         │  
  │ Certificates to activate:                                                                               │  
  │                                                                                                         │  
  │    [*] mozilla/ACEDICOM_Root.crt                                                                    ↑   │  
  │    [*] mozilla/AC_Raíz_Certicámara_S.A..crt                                                         ▮   │  
  │                                                                                                         │  
  │                                                                                                         │  
  │                                                                                                     │  
  │                                                                                                         │  
  └─────────────────────────────────────────────────────────────────────────────────────────────────────────┘  

Then magically everything was working again!

root@orac:/root# wget https://www.progclub.org/robots.txt
--2014-11-20 14:35:50--  https://www.progclub.org/robots.txt
Resolving www.progclub.org (www.progclub.org)... 67.207.128.184
Connecting to www.progclub.org (www.progclub.org)|67.207.128.184|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 364 [text/plain]
Saving to: 'robots.txt.1’

100%[=====================================================================>] 364         --.-K/s   in 0s      

2014-11-20 14:35:51 (8.54 MB/s) - 'robots.txt.1’ saved [364/364]