I spent some time learning how to set up a UCC certificate (for multiple domains hosted on a single server) on Apache2. I had originally bought separate SSL certificates for each domain, but the certifying authority swore they could not be used with a single IP address, and rather than muck with SNI (see https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI) I paid for a UCC certificate, which allows this arrangement explicitly with a simpler Apache2 configuration. It seemed to me more important to learn how a basic Apache2 configuration worked before advancing to more elaborate topics.
Below are my reference notes from the installation. I'll be glad for any corrections or comments.
Significance of the name UCC ----------------------------
UCC: Unified Communications Certificate, a single SSL certificate for multiple domains.
After making changes to the various Apache2 configuration files, it is necessary to restart Apache:
sudo /etc/init.d/apache2 restart
When /etc/apache2/sites-available/default-ssl is first created, it is necessary to use
sudo a2dissite default-ssl
sudo a2ensite default-ssl
to disable and then re-enable the site; the latter creates a link from /etc/apache2/sites-enabled/default-ssl to /etc/apache2/sites-available/default-ssl . Do this before running
sudo /etc/init.d/apache2 restart
Configuration files -------------------
- /etc/apache2/apache2.conf : The main configuration file
- /etc/apache2/conf.d/ : Contains small configuration files for various purposes
- /etc/apache2/sites-enabled/ : Contains links to the material in /etc/apache2/sites-available
- /etc/apache2/sites-available/default : Contains VirtualHost code-blocks for each domain name hosted virtually; each of them contains appropriate entries for ServerName, ServerAlias, DocumentRoot, CustomLog, ErrorLog; optionally also DirectoryIndex and many other specified in the Apache documentation.
- /etc/apache2/sites-available/default-ssl : Contains a \<VirtualHost _default_> code block prefaced by \<IfModule mod_ssl.c>.
Errors and Warnings -------------------
Warn: "NameVirtualHost *:80 has no VirtualHosts"Most of these can be eliminated by removing references to port 80, such as the
that http://techexposures.com/2009/06/ubuntu-server-configure-and-run-multiple-websites-on-one-server/ recommends in the apache2.conf file.
However, one such warning remains. Why? Apparently if any duplicate "NameVirtualHost" entries exist anywhere in any configuration files, this error may crop up. I found such a case in /etc/apache2/ports.conf . At first, I simply changed
but then the error became "NameVirtualHost *:0 has no VirtualHosts". So I commented out the whole line and now everything works correctly (or at least without complaint).
Error: "mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results"
In /etc/apache2/sites-available/default , if an asterisk * is used in place of an explicit IP address:
but without a specific port being given, then all the other references to IP addresses in incoming requests as an asterisk must also omit a port. But if a port is specified, it should be specified everywhere the asterisk appears.
Error: "Invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server configuration"
Commented out the "RewriteEngine on" block in apache2.conf, which writes any incoming port to be 443. Don't know this raises an error, but everything apparently works without it.
Making sure each domain opens its own separate document tree ------------------------------------------------------------
- In /etc/apache2/sites-available/default , each domain name must have its own separate \<VirtualHost> block, containing a different DocumentRoot.
- Also, before all the VirtualHost blocks but after the NameVirtualHost entry, there should be a ServerName statement containing the name of the main domain, for which the UCC certificate is configured. (All the other domains can be added to or removed from the certificate later, assuming the certificate-issuer permits it, but not the main one.)
Location of certificates ------------------------
Certificates should be listed in /etc/apache2/sites-available/default within each VirtualHost block that they apply to. Along with them,SSLEngine on
should be listed.
Certificates themselves are placed in
and I have segregated them within a special folder so that they are easy to find (below "domain" stands for a whole domain name):
In addition, I've labeled each one with a prefix "
domain_UCC" so that they are easy to identify:
Useful Documentation --------------------