Solved

Using more than one SSL certificate with apache

Posted on 2003-11-24
Last Modified: 2010-03-04
I'm having a problem with my ssl.conf and setting up certificates. I have 2 virtual domains listed in ssl.conf and I have a cert for each of them. The vhosts are listed below. Some stuff has been removed for clarity.

<VirtualHost 192.168.0.50:443>
DocumentRoot "/home/donboy/www/rpgdomains/html/"
ServerName secure.websupport.cc:443
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/conf/ssl.crt/secure.websupport.cc.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/secure.websupport.cc.key
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/IPS-IPSCABUNDLE.crt
</VirtualHost>

<VirtualHost 192.168.0.50:443>
DocumentRoot "/home/donboy/www/nexus/html/"
ServerName secure.nexuscity.net:443
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/conf/ssl.crt/secure.nexuscity.net.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/secure.nexuscity.net.key
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/IPS-IPSCABUNDLE.crt
</VirtualHost>

I have heard that I cannot have more than one SSL cert on the same IP address.  The problem is I'm not doing my own DNS. I'm using a 3rd party to handle the DNS. So when somebody calls http://nexuscity.net in the browser, the request is directed to www.zoneedit.com and from there, the http request is forwarded to my IP address. This prevents me from having to mess with my own DNS records, but it also means that all requests must be served from the same IP address and the vhosts are differentiated by the ServerName directive.  (At least that's how I understand it all to work)

Is there anything I can do to use more than one cert on the same IP?  Is there some other method I could use to set up apache so that I can use more than one cert in the same conf file?   I guess I could run another instance of apache, but that seems just too problematic and too much overhead just for an extra cert.
Question by:Donboy
9 Comments
 
LVL 15

Expert Comment

by:periwinkle
You must have a unique IP address for each cert - there is no way to share an IP address for multiple certs that I am aware of.
 
LVL 2

Author Comment

by:Donboy
Ok, I kind of expected that answer.  But is there anything else I can do to accomplish the same goal?  How is something like this normally handled?  Do I need to be doing my own DNS in order to make this happen?
 
LVL 15

Expert Comment

by:periwinkle
It's not that you aren't doing your own DNS, but that you are using zoneedit to get around not having a static IP address.  Does your ISP support dedicated IP addresses?  Perhaps they would assign you a range of dedicated IP addresses (possibly for $$'s)?
 
LVL 2

Author Comment

by:Donboy
No, my provider... cableone.net... does not offer a fully static IP address... at least not in my location.  I've also shopped around and there really is nothing good in my area that's suitable and offers a static IP.  Other providers in my area are running speeds that are way too slow and actually cost more!

What cableone has given me is a "leased" IP address. So while it's possible that the IP may occasionally change, for the most part, it's pretty steady.  I've had the same IP address for about 3 months now, so that's good.  But the problem is, I plan to have numerous domains hosted on the same server and I don't want a dozen sites broken for a week every time they give me a new IP because I would have to update all my accounts at networksolutions.com to point to new IP addresses.  This way, I do it at zoneedit and the change is pretty much instantaneous.

My server is sitting behind a router which assigns it a static IP.  So maybe I could point multiple IPs (somehow) to the same machine?  Right now I'm just using port forwarding on the router to send all https requests to the same IP... the IP of the server.

Accepted Solution

by:
tkavuri earned 125 total points
OK, I have gone through this trouble recently. As you are expecting, the answer is no: you cannot install 2 certs on the same IP address and same port. If you want to use the same IP you have to run the second VH on a non-standard port (other than 443).

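A way to check a config like the one posted for exactly this collision, as an added example that is not part of the thread and not Apache's own tooling: the script parses the VirtualHost blocks, flags any IP:port that carries more than one certificate, and verifies that a vhost moved to a non-standard port (the accepted answer's fix; 8443 is an assumed choice) actually has a matching Listen directive, a slip that leaves the block defined but the socket never opened. The two sample configs are constructed from the question's vhosts with unrelated directives trimmed.

```python
import re
from collections import OrderedDict

# Constructed sample 1: the two SSL vhosts from the question, both bound to 192.168.0.50:443.
CONFLICTING_CONF = """
Listen 443
<VirtualHost 192.168.0.50:443>
    ServerName secure.websupport.cc:443
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/secure.websupport.cc.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/secure.websupport.cc.key
</VirtualHost>
<VirtualHost 192.168.0.50:443>
    ServerName secure.nexuscity.net:443
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/secure.nexuscity.net.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/secure.nexuscity.net.key
</VirtualHost>
"""

# Constructed sample 2: the accepted answer applied. The second vhost moves to a non-standard
# port (8443 is an assumed choice) and gets its own Listen directive so Apache binds the socket.
SEPARATED_CONF = """
Listen 443
Listen 8443
<VirtualHost 192.168.0.50:443>
    ServerName secure.websupport.cc:443
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/secure.websupport.cc.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/secure.websupport.cc.key
</VirtualHost>
<VirtualHost 192.168.0.50:8443>
    ServerName secure.nexuscity.net:8443
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/secure.nexuscity.net.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/secure.nexuscity.net.key
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.IGNORECASE | re.DOTALL)
LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_vhosts(conf_text):
    """Return [(address, {directive_lowercase: value}), ...] for every <VirtualHost> block."""
    vhosts = []
    for match in VHOST_RE.finditer(conf_text):
        directives = {}
        for raw in match.group(2).splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            if len(parts) == 2:
                directives[parts[0].lower()] = parts[1].strip().strip('"')
        vhosts.append((match.group(1).strip(), directives))
    return vhosts


def parse_listen_ports(conf_text):
    """Ports Apache is told to bind, from 'Listen 443' or 'Listen 192.168.0.50:8443' forms."""
    return {spec.rsplit(":", 1)[-1] for spec in LISTEN_RE.findall(conf_text)}


def find_cert_conflicts(conf_text):
    """[(address, [cert, ...])] for each IP:port carrying more than one distinct certificate.
    Without SNI the server cannot know which hostname the client wants before it must present
    a certificate, so every handshake on that socket gets the first vhost's cert and visitors
    to the other site see a hostname mismatch."""
    certs_by_address = OrderedDict()
    for address, directives in parse_vhosts(conf_text):
        if directives.get("sslengine", "").lower() != "on":
            continue
        cert = directives.get("sslcertificatefile")
        bucket = certs_by_address.setdefault(address, [])
        if cert and cert not in bucket:
            bucket.append(cert)
    return [(addr, certs) for addr, certs in certs_by_address.items() if len(certs) > 1]


def find_missing_listen(conf_text):
    """Vhost addresses whose port has no Listen directive: the block exists but the socket is
    never opened, a common slip when a vhost is moved to a non-standard port."""
    ports = parse_listen_ports(conf_text)
    missing = []
    for address, _ in parse_vhosts(conf_text):
        if ":" not in address:  # port-less address matches every listening port; nothing to check
            continue
        if address.rsplit(":", 1)[-1] not in ports:
            missing.append(address)
    return missing


if __name__ == "__main__":
    for label, conf in (("as posted", CONFLICTING_CONF), ("second vhost on 8443", SEPARATED_CONF)):
        print(label, "| conflicts:", find_cert_conflicts(conf), "| missing Listen:", find_missing_listen(conf))
```

Run it against the real ssl.conf by reading the file into `find_cert_conflicts` and `find_missing_listen`. The one-cert-per-IP:port limit is what Apache of this era enforced; Apache 2.2.12 and later built against an SNI-capable OpenSSL can serve a different certificate per ServerName on a single socket, so on a current build a conflict the script reports is a warning to confirm SNI is in play rather than an outright misconfiguration.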
 
LVL 2

Author Comment

by:Donboy
Well, hmmm.  I guess that successfully answers the question.  I will award you the points.  Thanks for answering.  I'm really not crazy about opening up those extra ports, but I guess it has to be done for this to work.  Any other advice for me in this regard?  If not, thanks for your insight.
 

Expert Comment

by:tkavuri
Hey, thanks for those points :) . If you still need any help with that, let me know. I can send you an example conf file.

tk
 

Expert Comment

by:fletchsod
One quick question here.  I can tell this refers to the Apache server itself?  My company uses a firewall, so behind the firewall there is a possibility of more IP addresses to use on Apache.  So, my question here is: does this limitation apply if two or more certificates use the same IP address that points to the firewall?  Just wondering.

Thanks,
 FletchSOD
 

Expert Comment

by:tkavuri
As long as your firewall lets the traffic go to this IP, you should be okay.