What's the deal with hosting multiple SSL enabled websites?


So yet more re-purposed content from my serverfault.com procrastinations. This one was about how to stick a second SSL virtual host on apache, but ended up taking a brief look at the state of "Server Name Indication" technology which allows name based hosting with TLS, and also when wildcard SSL certs can be used...



Question - SSL and ServerAlias on one Apache server with multiple domains

 I have a virtual server which I would like to point two domains to, both pointing to different sites.


1. How do I add a second SSL cert for my other domain www.nymonkey.com?





Uninformed Blather mostly culled from wikipedia.

Short answer (for hosting multiple SSL sites on one apache server)
  • The simplest solution is IP-based virtual hosts: it works with every browser, old or new. Ask your ISP for a second IP address, so that you have one IP per SSL cert, and bind each SSL virtual host to its own address. See below for example config.

Long answer (and boy I did get carried away with this answer... ;-) here is a quick primer on SSL and name virtual hostings....
Name-based virtual hosting is a strategy for sharing one web server between several web sites based on the "Host" header presented by the client (ie the web browser etc).
The Host header is part of HTTP/1.1 (every HTTP/1.1 request must carry one), and to use it apache reads the request and parses that header, ie it looks like this;
GET /index.htm HTTP/1.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0) Gecko/20100101 Firefox/8.0
Host: www.google.co.uk            <--  apache checks this value 
However with the TLS handshake used in SSL connections the server has to present its certificate (and so the name it claims, the certificate's Common Name or Subject Alternative Name) before the client sends any HTTP at all, so the Host header is not available yet when the certificate is chosen.
Hence, with a client that does not send SNI (older browsers, eg Internet Explorer on Windows XP), there can only be 1 SSL identity per IP address, because the first thing the server does is identify itself as say www.amazon.com, which it cannot change afterwards...
Basically the difference is like so; in normal http://myserver.com requests
client: hello server   
server: hello client   
client: please give me web XXX   
server: here is websiteXXX    
but for https:// requests it is more like this;
client: hello server   
server: I am website XXX   
client: ok, go ahead and give me website XXX   
server: here is websiteXXX   
So basically, for a "supports all browsers" solution, including crufty old ones, you need to ask your ISP for another public IP address, point the second domain's DNS at it, and then bind your second virtual host to the second IP instead of the first...
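What that IP-based layout looks like in apache, as an added example that is not part of the original post: one `<VirtualHost ip:443>` per address, no NameVirtualHost at all, so even a client without SNI gets the right certificate because it connected to a different socket. The addresses 192.0.2.10 and 192.0.2.11, the document roots and the certificate/key paths are placeholders, and each ServerName must resolve in DNS to the address its block is bound to.

```apache
# added example, not from the original post; addresses and paths are placeholders
# if not done elsewhere in httpd.conf include these
Listen 443
LoadModule ssl_module   modules/mod_ssl.so

# first domain on its own public IP
<VirtualHost 192.0.2.10:443>
  ServerName address1.com
  DocumentRoot /var/www/address1
  SSLEngine on
  SSLCertificateFile    /etc/httpd/ssl/address1.crt
  SSLCertificateKeyFile /etc/httpd/ssl/address1.key
</VirtualHost>

# second domain on the second public IP from the ISP
<VirtualHost 192.0.2.11:443>
  ServerName address2.com
  DocumentRoot /var/www/address2
  SSLEngine on
  SSLCertificateFile    /etc/httpd/ssl/address2.crt
  SSLCertificateKeyFile /etc/httpd/ssl/address2.key
</VirtualHost>
```

Apache picks the block purely by the destination IP of the TCP connection, so no Host header and no SNI is involved; the cost is one routable address per certificate.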
However there are some alternatives, which allow multiple SSL identities on a single IP address that work on most modern browsers, for example SNI or wildcard certs.
  • Wildcard certs: one cert for *.server.com covers badger.server.com and monkey.server.com on the same IP, but it is not suitable in this particular situation because the names are two different registered domains, eg badger.com and monkey.com, which no single wildcard can cover.
  • Server Name Indication (SNI): the client sends the host name it wants inside the TLS handshake (in the ClientHello, before any HTTP is sent), so the server can present the matching certificate. Clients that do not send SNI are served the default virtual host, ie the first one defined for that address and port, and its certificate; on the other site they then get a certificate name mismatch warning. So SNI is a good strategy when you have a "primary" SSL site and a less important one for which you can accept losing some requests from old clients.
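To see what the handshake actually carries, here is an added Python example (it is not from the original post and not apache code): it captures the raw ClientHello that Python's own ssl module emits for a given host name, without any network, pulls the server_name extension out of it, and then picks a virtual host the way an SNI-aware server does, falling back to the first vhost when the extension is absent. The vhost table, the certificate paths and the hand-built no-SNI ClientHello standing in for an old browser are all constructed for the example.

```python
"""Added example: where SNI lives in a TLS ClientHello, and what a server
does when it is missing. Not code from the original post or from apache."""
import ssl
import struct

# Constructed vhost table standing in for the two apache vhosts on the page;
# the certificate paths are assumptions, not real files.
VHOSTS = {
    "address1.com": "/etc/httpd/conf/domaina_ssl/address1.crt",
    "address2.com": "/etc/apache2/ssl/address2.crt",
}
DEFAULT_VHOST = "address1.com"  # first vhost defined: what non-SNI clients get


def build_client_hello(server_name):
    """Drive the ssl module through memory BIOs so it writes its first
    handshake flight (the ClientHello) into a buffer; no HTTP has been sent."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    sslobj = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        sslobj.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, client now waits for the server
    return outgoing.read()


def parse_sni(client_hello):
    """Return the host_name from the server_name extension, or None if the
    ClientHello carries no such extension (old, SNI-less client)."""
    if len(client_hello) < 5 or client_hello[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_len = struct.unpack("!H", client_hello[3:5])[0]
    body = client_hello[5:5 + record_len]
    if not body or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                      # legacy_version + random
    sid_len = hello[pos]
    pos += 1 + sid_len                # session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + cs_len                 # cipher_suites
    comp_len = hello[pos]
    pos += 1 + comp_len               # compression_methods
    if pos >= len(hello):
        return None                   # no extensions block at all
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        data = hello[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0x0000:        # server_name extension
            list_len = struct.unpack("!H", data[0:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                name = data[p + 3:p + 3 + name_len]
                p += 3 + name_len
                if name_type == 0:    # host_name; sent in the clear
                    return name.decode("ascii")
    return None


def select_vhost(client_hello):
    """Pick the vhost like an SNI-aware server: by name if the client said
    one we know, otherwise the default (first-defined) vhost."""
    sni = parse_sni(client_hello)
    return sni if sni in VHOSTS else DEFAULT_VHOST


def legacy_client_hello():
    """Constructed minimal TLS 1.0 ClientHello with no extensions, standing in
    for a browser that does not send SNI (eg Internet Explorer on Windows XP)."""
    hello = (b"\x03\x01" + b"\x00" * 32   # version, random
             + b"\x00"                    # empty session id
             + b"\x00\x02\x00\x2f"        # one cipher suite
             + b"\x01\x00")               # null compression only
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for name in ("www.nymonkey.com", "address2.com"):
        ch = build_client_hello(name)
        print(name, "->", parse_sni(ch), "served as", select_vhost(ch))
    ch = legacy_client_hello()
    print("no-SNI client ->", parse_sni(ch), "served as", select_vhost(ch))
```

Two things worth noticing when you run it: the host name is in the handshake bytes before the server has said anything, which is exactly what lets one IP carry several certificates, and it is in plaintext, so the name of the site being visited is visible on the wire even though the HTTP inside is encrypted.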
Basically the directives for an SSL virtual host are the same as for a plain one, plus SSLEngine and the certificate/key files. The IP-based layout uses one `<VirtualHost ip:443>` block per address; the wildcard/SNI layout below shares the one *:443 socket, so it needs NameVirtualHost *:443 (on apache 2.2) and the vhosts are matched by name.
#if not done elsewhere in httpd.conf include these
Listen 443
LoadModule ssl_module   modules/mod_ssl.so

#NameVirtualHost *:443 makes apache pick the vhost by name on the shared 443 socket.
#This is what you need for one wildcard cert (*.myserver.com) shared by several vhosts,
#and for SNI (apache 2.2.12 or later built against an OpenSSL with TLS extensions).
#Apache 2.4 ignores this directive; name matching on *:443 is automatic there.
NameVirtualHost *:443

#first vhost defined is the default: clients that send no SNI get this certificate
<VirtualHost *:443>
  SSLEngine On
  ServerName address1.com
  DocumentRoot /var/www/address1
  SSLCertificateFile /etc/httpd/conf/domaina_ssl/zimbra.zmb.moc.crt
  #add SSLCertificateKeyFile /path/to/address1.key unless the key is inside the .crt
</VirtualHost>

<VirtualHost *:443>
  SSLEngine on
  ServerName address2.com
  DocumentRoot /var/www/address2
  SSLCertificateFile /etc/apache2/ssl/apache.pem
  #add SSLCertificateKeyFile /path/to/address2.key unless the key is inside apache.pem
</VirtualHost>