Resolving “_default_ VirtualHost Overlap on Port 443” for Multiple SSL Sites in Apache


When configuring multiple SSL-enabled websites on a single Apache server, you'll encounter the warning: "_default_ VirtualHost overlap on port 443, the first has precedence". This occurs because SSL negotiation happens before any HTTP headers are exchanged, so traditional name-based virtual hosting cannot work for HTTPS unless the client announces the hostname during the handshake itself (SNI, see approach 3 below).

Unlike HTTP where the Host header determines routing, HTTPS requires the SSL handshake to complete first. Apache needs to know which certificate to present before seeing the requested domain. When multiple VirtualHosts share port 443 without proper IP-based separation, Apache defaults to the first defined configuration.

You have three practical approaches:

1. Dedicated IP Addresses (Recommended)

<VirtualHost 192.0.2.1:443>
    ServerName example1.com
    SSLEngine on
    SSLCertificateFile /path/to/example1.crt
    SSLCertificateKeyFile /path/to/example1.key
    # Other SSL directives...
</VirtualHost>

<VirtualHost 192.0.2.2:443>
    ServerName example2.com
    SSLEngine on
    SSLCertificateFile /path/to/example2.crt
    SSLCertificateKeyFile /path/to/example2.key
    # Other SSL directives...
</VirtualHost>

2. Wildcard or SAN Certificates

For multiple subdomains under the same domain, one certificate that covers all of the names (a wildcard such as *.example.com, or a SAN certificate listing each hostname) lets a single port-443 VirtualHost serve them all, so there is nothing to overlap:

SSLCertificateFile /path/to/wildcard.crt
SSLCertificateKeyFile /path/to/wildcard.key

3. SNI (Server Name Indication)

Modern browsers support SNI, which lets Apache select the certificate from the hostname the client sends in the TLS handshake. Ensure your Apache has:

SSLStrictSNIVHostCheck off

(off, the default, lets clients that send no SNI fall through to the first VirtualHost on the address; on refuses them.)

  • Verify the OpenSSL version supports SNI: openssl version
  • Confirm the Apache SSL module is enabled: a2enmod ssl
  • Check for IP conflicts on port 443: netstat -tulpn | grep :443

After configuration:

apachectl configtest
systemctl restart apache2

Use OpenSSL to verify:

openssl s_client -connect example1.com:443 -servername example1.com

When using multiple IPs:

  • Each SSL site consumes additional memory
  • Consider enabling SSL session caching: SSLSessionCache
  • Monitor connection limits with mod_status

Problem: Browser shows wrong certificate
Fix: Clear SSL session cache and verify VirtualHost order

Problem: Chrome ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Fix: Modernize your cipher suite configuration

Problem: Apache fails to start
Fix: Check error logs: tail -f /var/log/apache2/error.log


When configuring multiple SSL-enabled websites on a single Apache server, you'll encounter the warning "_default_ VirtualHost overlap on port 443, the first has precedence". This occurs because of how SSL/TLS handshakes work at the protocol level.

The fundamental limitation stems from the SSL handshake sequence:

1. Client connects to server on port 443
2. SSL handshake occurs (server presents certificate)
3. Only THEN does HTTP communication begin with Host header

This means Apache must choose an SSL certificate before knowing which domain is being requested, making name-based virtual hosts impossible for SSL unless the client announces the hostname inside the handshake (SNI, Solution 2 below).
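To make the handshake sequence above concrete, here is an added Python example (not code from the original article) that drives Python's ssl module through a memory BIO so it emits the ClientHello a client would send to a given hostname, and then parses the server_name (SNI) extension back out of that first message. It shows that an SNI-capable client has already named the site before the server picks a certificate, while a client that sends no SNI leaves Apache with nothing to route on. The hostnames are the page's placeholders; no network connection is made.

```python
import ssl
import struct


def build_client_hello(hostname):
    """Return the raw TLS record containing the ClientHello that Python's ssl
    module would send to `hostname`; None means "a client without SNI"."""
    ctx = ssl.create_default_context()
    if hostname is None:
        # A client with no server_hostname cannot verify hostnames anyway.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello is written, client now waits for ServerHello
    return outgoing.read()


def extract_sni(record):
    """Parse a TLS record carrying a ClientHello and return the hostname from
    its server_name extension, or None if the client sent no SNI."""
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:          # 22 = handshake record
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 1:                # 1 = ClientHello
        raise ValueError("not a ClientHello")
    pos = 4                         # handshake type (1) + length (3)
    pos += 2 + 32                   # client_version + random
    sid_len = body[pos]
    pos += 1 + sid_len              # legacy session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len               # cipher suites
    cm_len = body[pos]
    pos += 1 + cm_len               # compression methods
    if pos >= len(body):
        return None                 # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0:           # server_name extension (RFC 6066)
            list_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q < 2 + list_len:
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                name = data[q + 3:q + 3 + name_len]
                if name_type == 0:  # 0 = host_name
                    return name.decode("ascii")
                q += 3 + name_len
    return None


if __name__ == "__main__":
    for host in ("example1.com", "example2.com", None):
        hello = build_client_hello(host)
        print(f"client for {host!r}: {len(hello)} bytes, SNI = {extract_sni(hello)!r}")
```

The same extract_sni routine can be pointed at ClientHello bytes captured from a port-443 listener to log which hostname each connection asked for, which is useful when a browser reports the wrong certificate and you need to know whether the client sent SNI at all.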

Solution 1: Separate IP Addresses

The most straightforward approach is assigning each SSL site its own IP address:

<VirtualHost 192.168.1.1:443>
    ServerName example1.com
    SSLEngine on
    SSLCertificateFile /path/to/cert1.crt
    SSLCertificateKeyFile /path/to/cert1.key
    # ... other SSL directives
</VirtualHost>

<VirtualHost 192.168.1.2:443>
    ServerName example2.com
    SSLEngine on
    SSLCertificateFile /path/to/cert2.crt
    SSLCertificateKeyFile /path/to/cert2.key
    # ... other SSL directives
</VirtualHost>

Solution 2: Use SNI (Server Name Indication)

For modern clients (most browsers post-2006), you can use SNI which includes the hostname during SSL handshake:

# Ensure these modules are loaded
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

# The first *:443 VirtualHost is also the default one: clients that send
# no SNI get this certificate regardless of which site they wanted.
<VirtualHost *:443>
    ServerName example1.com
    SSLEngine on
    SSLCertificateFile /path/to/cert1.crt
    SSLCertificateKeyFile /path/to/cert1.key
    # ... other config
</VirtualHost>

<VirtualHost *:443>
    ServerName example2.com
    SSLEngine on
    SSLCertificateFile /path/to/cert2.crt
    SSLCertificateKeyFile /path/to/cert2.key
    # ... other config
</VirtualHost>

When implementing either solution:

  1. Apache must be compiled with OpenSSL support
  2. For SNI, client browsers must support TLS extensions
  3. Always test with openssl s_client -connect example.com:443 -servername example.com
  4. Consider using Let's Encrypt for easier certificate management

If you still see the overlap warning:

  • Check for duplicate VirtualHost definitions
  • Verify all SSL directives are properly closed
  • Ensure no configuration files are being included multiple times
  • Run apachectl configtest to validate configuration
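The checklist above (and the SNI configuration in Solution 2) can be turned into a small audit script. The following is an added Python example, not part of the original article or of Apache: it parses VirtualHost blocks out of a configuration file, reports which port-443 vhost will act as the default for non-SNI clients when several share an address, and flags unclosed blocks, duplicate ServerName/ServerAlias entries (which are unreachable) and SSL vhosts missing SSLEngine on or a key file. The SAMPLE_CONF text and its paths are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample configuration: two SNI vhosts on *:443, the second
# without a key file, followed by a stray duplicate of the first site.
SAMPLE_CONF = """\
<VirtualHost *:443>
    ServerName example1.com
    SSLEngine on
    SSLCertificateFile /path/to/cert1.crt
    SSLCertificateKeyFile /path/to/cert1.key
</VirtualHost>

<VirtualHost *:443>
    ServerName example2.com
    SSLEngine on
    SSLCertificateFile /path/to/cert2.crt
</VirtualHost>

<VirtualHost *:443>
    ServerName example1.com
    SSLEngine on
    SSLCertificateFile /path/to/cert1.crt
    SSLCertificateKeyFile /path/to/cert1.key
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.I)
VHOST_CLOSE = re.compile(r"^</VirtualHost>$", re.I)


def parse_vhosts(text):
    """Return a list of {'addr', 'line', 'directives'} dicts, one per
    <VirtualHost> block. Raises ValueError on unbalanced blocks."""
    vhosts, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = VHOST_OPEN.match(line)
        if m:
            if current is not None:
                raise ValueError(f"line {lineno}: nested <VirtualHost>")
            current = {"addr": m.group(1).strip(), "line": lineno,
                       "directives": defaultdict(list)}
        elif VHOST_CLOSE.match(line):
            if current is None:
                raise ValueError(f"line {lineno}: </VirtualHost> without an opener")
            vhosts.append(current)
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            current["directives"][parts[0].lower()].append(parts[1] if len(parts) > 1 else "")
    if current is not None:
        raise ValueError(f"line {current['line']}: <VirtualHost> never closed")
    return vhosts


def audit_ssl_vhosts(text):
    """Return human-readable findings about the port-443 VirtualHosts in `text`."""
    findings = []
    by_addr = defaultdict(list)
    for vh in parse_vhosts(text):
        if any(tok.endswith(":443") for tok in vh["addr"].split()):
            by_addr[vh["addr"]].append(vh)
    seen_names = {}  # hostname -> line of the vhost that already serves it
    for addr, group in by_addr.items():
        if len(group) > 1:
            first = group[0]
            first_name = first["directives"].get("servername", ["?"])[0]
            findings.append(
                f"{addr}: {len(group)} SSL vhosts share this address; the first "
                f"(line {first['line']}, {first_name}) is the default for clients that send no SNI")
        for vh in group:
            d = vh["directives"]
            name = d.get("servername", ["?"])[0]
            if "on" not in [v.lower() for v in d.get("sslengine", [])]:
                findings.append(f"line {vh['line']} ({name}): SSLEngine on is missing")
            if "sslcertificatefile" not in d:
                findings.append(f"line {vh['line']} ({name}): SSLCertificateFile is missing")
            elif "sslcertificatekeyfile" not in d:
                findings.append(f"line {vh['line']} ({name}): SSLCertificateKeyFile is missing "
                                "(startup fails unless the key is inside the certificate file)")
            names = list(d.get("servername", []))
            for alias in d.get("serveralias", []):
                names.extend(alias.split())
            for n in (x.lower() for x in names):
                if n in seen_names:
                    findings.append(f"line {vh['line']}: {n} is already served by the vhost at "
                                    f"line {seen_names[n]}; this duplicate is unreachable")
                else:
                    seen_names[n] = vh["line"]
    return findings


if __name__ == "__main__":
    for finding in audit_ssl_vhosts(SAMPLE_CONF):
        print(finding)
```

Run it against the concatenated output of your own configuration (for example `cat /etc/apache2/sites-enabled/*`) after apachectl configtest passes; configtest catches syntax, while this audit explains which vhost the "first has precedence" warning is actually pointing at.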