So yet more re-purposed content from my serverfault.com procrastinations. This one was about how to stick a second SSL virtual host on Apache, but ended up taking a brief look at the state of "Server Name Indication" (SNI) technology, which allows name-based hosting with TLS, and also at when wildcard SSL certs can be used...
Question - SSL and ServerAlias on one Apache server with multiple domains
I have a virtual server which I would like to point two domains to, both pointing to different sites.
1. How do I add a second SSL cert for my other domain www.nymonkey.com?
Uninformed Blather mostly culled from wikipedia.
- the simplest solution is IP-based virtual hosts... supports all browsers - ask your ISP for a second IP address, so that you have 1 IP per SSL cert. See below for example config.
- Server Name Indication (SNI) - works with only 1 IP, but is not supported by browsers on Windows XP, old Safari, or old Android - http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
Name-based virtual hosting is a strategy of sharing the web server between web sites based on the "Host" header presented by the client (i.e. the web browser etc).

This is an HTTP/1.1 extension, and to use it Apache reads the content of the request and parses the header, i.e. it looks like this;

    GET /index.htm HTTP/1.1
    Accept: image/png,image/*;q=0.8,*/*;q=0.5
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0) Gecko/20100101 Firefox/8.0
    Host: www.google.co.uk          <-- apache checks this value

However with the TLS handshake used in SSL connections the server identifies itself before the Host header is sent, using the "common name" field in the SSL certificate.

Hence (using traditional SSL... old browsers etc, Windows XP) there can only be 1 SSL identity per IP address, because the first thing the server does is identify itself as, say, www.amazon.com, which it cannot change afterwards...

Basically the difference is like so. In normal http://myserver.com requests:

    client: hello server
    server: hello client
    client: please give me website XXX
    server: here is website XXX

but for https:// requests it is more like this;

    client: hello server
    server: I am website XXX
    client: ok, go ahead and give me website XXX
    server: here is website XXX

So basically, for a "supporting all browsers" solution, including crufty old ones, you need to ask your ISP for another public IP address and then bind your second virtual host to the second IP instead of the first...

However there are some alternatives which allow multiple SSL identities on a single IP address and work on most modern browsers, for example SNI or wildcard certs.
- wildcard certs - not suitable in this particular situation because the server names are separate domains, e.g. badger.com and monkey.com, rather than subdomains of one domain such as badger.server.com and monkey.server.com
Basically the directives for adding SSL virtual hosts are similar to the plain HTTP ones, except that you are adding plain VirtualHosts rather than NameVirtualHosts.
    # if not done elsewhere in httpd.conf include these
    Listen 443
    LoadModule ssl_module modules/mod_ssl.so

    # this does work for wildcard SSL certs like *.myserver.com (and SNI???)
    NameVirtualHost *:443

    # one <VirtualHost> container per site (the container tags are assumed here;
    # the original listing lost them). Clients that send no SNI always get the
    # first container listed, so put the default site first.
    <VirtualHost *:443>
        SSLEngine On
        ServerName address1.com
        DocumentRoot /var/www/address1
        SSLCertificateFile /etc/httpd/conf/domaina_ssl/zimbra.zmb.moc.crt
    </VirtualHost>

    <VirtualHost *:443>
        SSLEngine On
        ServerName address2.com
        DocumentRoot /var/www/address2
        SSLCertificateFile /etc/apache2/ssl/apache.pem
    </VirtualHost>