Enable SNI on one site

  • i-MSCP 1.5.3

    OS: Debian Jessie 8.11

    Used plugin: Let's Encrypt (latest)


    Can I set SSLStrictSNIVHostCheck off somehow? I need this for one of my sites.

    https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI


    Maybe with a listener file?

    i-MSCP 1.5.3
    Plugins (latest version): ClamAV, CronJobs, DomainAutoApproval, LetsEncrypt, OpenDKIM, PanelRedirect, PhpSwitcher, PolicydSPF, Postgrey, RecaptchaPMA, RoundcubePlugins, SpamAssassin, WHMCS

  • Hello,


    Have you already tried this Apache2 SNI config?

    Regards

    Thank you, but no, I haven't tried that. Very old topic, I think there are different solutions now.


    I tried this, but it had no effect.

    /etc/apache2/sites-enabled/sub.domain.tld_ssl.conf file:




    Nuxwin, do you have any tips?


    Thank you!


  • Dylan

    Can I set SSLStrictSNIVHostCheck off somehow? I need this for one of my sites.

    Before giving you any answer, I would like to know exactly why you need to set the SNI vhost check off.


  • Dylan

    Before giving you any answer, I would like to know exactly why you need to set the SNI vhost check off.

    I have a custom billing system, and my online payment partner communicates with us using an old client...

    That client does not support SNI, and Apache returns a 403 error message:

    [Tue Nov 06 08:39:05.759045 2018] [ssl:error] [pid 16618:tid 140185341699840] AH02033: No hostname was provided via SNI for a name based virtual host


    I already talked to them, but they need development in their system... In the meantime, I need a solution for this...


  • I have a custom billing system, and my online payment partner communicates with us using an old client...

    That client does not support SNI, and Apache returns a 403 error message:

    [Tue Nov 06 08:39:05.759045 2018] [ssl:error] [pid 16618:tid 140185341699840] AH02033: No hostname was provided via SNI for a name based virtual host


    I already talked to them, but they need development in their system... In the meantime, I need a solution for this...

    OK... The problem is that disabling the SNI check in the vhost file that belongs to your billing system is not sufficient if that vhost is not seen as the default name-based virtual host for the IP/PORT compound:


    Quote from the Apache documentation

    This directive sets whether a non-SNI client is allowed to access a name-based virtual host. If set to on in the default name-based virtual host, clients that are SNI unaware will not be allowed to access any virtual host, belonging to this particular IP / port combination. If set to on in any other virtual host, SNI unaware clients are not allowed to access this particular virtual host.


    So here, you have two choices:


    First choice

    Disable SNI vhost checking globally. This can be done through the /etc/apache2/mods-available/ssl.conf file.


    Second choice

    Assign a dedicated IP for the billing site, then make sure that the IP is only set (used) for the vhost of the billing system, then disable SNI vhost check in the billing vhost. This could involve the creation of an i-MSCP customer for the billing system subdomain only. Regarding the SNI directive, you can add it into the /etc/apache2/imscp/<domain.tld> file for persistence.

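    The rule in the quoted Apache documentation explains why turning the check off in a single vhost can have no effect. The following Python script is an added example, not code from this thread or from i-MSCP; it applies that rule to a constructed configuration to show which vhosts a client without SNI can reach. The IPs, hostnames and function names are assumptions, vhosts are grouped by their literal address string, and file order is taken as Apache's load order.

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread): a shared IP plus a dedicated billing IP.
SAMPLE = """
SSLStrictSNIVHostCheck on
<VirtualHost 192.0.2.10:443>
    ServerName www.example.test
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName shop.example.test
    SSLStrictSNIVHostCheck off
</VirtualHost>
<VirtualHost 192.0.2.20:443>
    ServerName billing.example.test
    SSLStrictSNIVHostCheck off
</VirtualHost>
"""

def parse_vhosts(text):
    """Return (global_strict, {addr: [(server_name, strict_or_None), ...]}) in file order."""
    global_strict, groups, current = False, defaultdict(list), None  # Apache default: off
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        opening = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opening:
            current = {"addrs": opening.group(1).split(), "name": None, "strict": None}
        elif current and re.match(r"</VirtualHost>", line, re.I):
            for addr in current["addrs"]:
                groups[addr].append((current["name"], current["strict"]))
            current = None
        elif current and (m := re.match(r"ServerName\s+(\S+)", line, re.I)):
            current["name"] = m.group(1)
        elif m := re.match(r"SSLStrictSNIVHostCheck\s+(on|off)", line, re.I):
            strict = m.group(1).lower() == "on"
            if current:
                current["strict"] = strict
            else:
                global_strict = strict
    return global_strict, groups

def non_sni_access(text):
    """Map (addr, server_name) -> True if a client without SNI can reach that vhost."""
    global_strict, groups = parse_vhosts(text)
    result = {}
    for addr, vhosts in groups.items():
        first = vhosts[0][1]  # the first vhost listed for an address is its default
        default_strict = global_strict if first is None else first
        for name, strict in vhosts:
            own = global_strict if strict is None else strict  # vhost overrides global
            result[(addr, name)] = not (default_strict or own)
    return result
```

    In the sample, shop.example.test stays unreachable for non-SNI clients despite its own `off`, because the default vhost on 192.0.2.10:443 inherits the global `on`; billing.example.test on its dedicated IP is reachable.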

  • Ok, thank you! I'll think about it...
