Solved

Using more than one SSL certificate with apache

Posted on 2003-11-24
Last Modified: 2010-03-04
I'm having a problem with my ssl.conf and setting up certificates. I have 2 virtual domains listed in ssl.conf and I have a cert for each of them. The vhosts are listed below. Some stuff has been removed for clarity.

<VirtualHost 192.168.0.50:443>
DocumentRoot "/home/donboy/www/rpgdomains/html/"
ServerName secure.websupport.cc:443
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/conf/ssl.crt/secure.websupport.cc.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/secure.websupport.cc.key
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/IPS-IPSCABUNDLE.crt
</VirtualHost>

<VirtualHost 192.168.0.50:443>
DocumentRoot "/home/donboy/www/nexus/html/"
ServerName secure.nexuscity.net:443
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/conf/ssl.crt/secure.nexuscity.net.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/secure.nexuscity.net.key
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/IPS-IPSCABUNDLE.crt
</VirtualHost>

I have heard that I cannot have more than one SSL cert on the same IP address.  The problem is I'm not doing my own DNS. I'm using a 3rd party to handle the DNS. So when somebody calls http://nexuscity.net in the browser, the request is directed to www.zoneedit.com and from there, the http request is forwarded to my IP address. This prevents me from having to mess with my own DNS records, but it also means that all requests must be served from the same IP address and the vhosts are differentiated by the ServerName directive.  (At least that's how I understand it all to work)

Is there anything I can do to use more than one cert on the same IP?  Is there some other method I could use to set up apache so that I can use more than one cert in the same conf file?   I guess I could run another instance of apache, but that seems just too problematic and too much overhead just for an extra cert.
Question by:Donboy
9 Comments
 
LVL 15

Expert Comment

by:periwinkle
ID: 9819150
You must have a unique IP address for each cert - there is no way to share an IP address for multiple certs that I am aware of.
 
LVL 2

Author Comment

by:Donboy
ID: 9819342
Ok, I kind of expected that answer.  But is there anything else I can do to accomplish the same goal?  How is something like this normally handled??  Do I need to be doing  my own DNS in order to make this happen?
 
LVL 15

Expert Comment

by:periwinkle
ID: 9819609
It's not that you aren't doing your own DNS, but that you are using zoneedit to get around not having a static IP address.  Does your ISP support dedicated IP addresses?  Perhaps they would assign you a range of dedicated IP addresses (possibly for $$'s)?

 
LVL 2

Author Comment

by:Donboy
ID: 9820094
No, my provider... cableone.net... does not offer fully static IP addresses... at least not in my location.  I've also shopped around and there really is nothing good in my area that's suitable and offers a static IP.  Other providers in my area are running speeds that are way too slow and actually cost more!

What cableone has given me is a "leased" IP address. So while it's possible that the IP may occasionally change, for the most part, it's pretty steady.  I've had the same IP address for about 3 months now, so that's good.  But the problem is, I plan to have numerous domains hosted on the same server and I don't want a dozen sites broken for a week every time they give me a new IP because I would have to update all my accounts at networksolutions.com to point to new IP addresses.  This way, I do it at zoneedit and the change is pretty much instantaneous.

My server is sitting behind a router which assigns it a static IP.  So maybe I could point multiple IPs (somehow) to the same machine?  Right now I'm just using port forwarding on the router to send all https requests to the same IP... the IP of the server.
 

Accepted Solution

by:tkavuri (earned 500 total points)
ID: 9820565
OK, I have gone through this trouble recently. As you are expecting, the answer is no, you cannot install 2 certs on the same IP address and same port. If you want to use the same IP you have to run the second VH on a non-standard port (other than 443).

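As an added check, not code from the thread or from Apache: the script below parses the vhost blocks from the question and reports any IP:port on which mod_ssl would have to serve more than one certificate, then re-runs the check on a copy that applies tkavuri's answer. The second vhost is moved to port 8443, an assumed choice that also needs a matching Listen 8443 directive.

```python
import re
from collections import defaultdict

# Constructed sample: the two SSL vhosts from the question, both bound
# to the same IP:port (trimmed to the certificate-related directives).
CONFLICTING_CONF = """
<VirtualHost 192.168.0.50:443>
ServerName secure.websupport.cc:443
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/secure.websupport.cc.crt
</VirtualHost>

<VirtualHost 192.168.0.50:443>
ServerName secure.nexuscity.net:443
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/secure.nexuscity.net.crt
</VirtualHost>
"""
# After the accepted answer: second vhost moved to a non-standard port (8443 is
# an assumed choice, not from the thread, and needs a matching "Listen 8443").
FIXED_CONF = CONFLICTING_CONF.replace(
    "<VirtualHost 192.168.0.50:443>\nServerName secure.nexuscity.net:443",
    "<VirtualHost 192.168.0.50:8443>\nServerName secure.nexuscity.net:8443")

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def ssl_vhosts(conf):
    """Return (ip:port, ServerName, cert file) for each vhost with SSLEngine on."""
    found = []
    for m in VHOST_RE.finditer(conf):
        addr, body = m.group(1).strip(), m.group(2)
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                key, _, val = line.partition(" ")
                directives[key.lower()] = val.strip()
        if directives.get("sslengine", "").lower() == "on":
            found.append((addr, directives.get("servername", ""),
                          directives.get("sslcertificatefile", "")))
    return found

def cert_conflicts(conf):
    """Return {ip:port: [ServerNames]} for sockets carrying more than one distinct
    certificate; without SNI mod_ssl can present only one certificate per ip:port."""
    by_socket = defaultdict(list)
    for addr, name, cert in ssl_vhosts(conf):
        by_socket[addr].append((name, cert))
    return {addr: [n for n, _ in vh] for addr, vh in by_socket.items()
            if len({c for _, c in vh}) > 1}
```

Apache 2.2.12 and later built against an SNI-capable OpenSSL can pick the certificate from the hostname the client sends in the TLS handshake, which lifts the one-certificate-per-socket limit for SNI-capable clients; the check above models the pre-SNI setup the thread describes.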
 
LVL 2

Author Comment

by:Donboy
ID: 9828455
Well, hmmm.  I guess that successfully answers the question.  I will award you the points.  Thanks for answering.  I'm really not crazy about opening up those extra ports, but I guess it has to be done for this to work.  Any other advice for me in this regard?  If not, thanks for your insight.
 

Expert Comment

by:tkavuri
ID: 9905036
Hey Thanks for those points :) . If you still need any help with that let me know. I can send you an example conf file.

tk
 

Expert Comment

by:fletchsod
ID: 9972493
One quick question here.  I can tell this refers to the Apache server itself?  My company uses a firewall, so behind the firewall there is a possibility of more IP addresses to use on Apache.  So, my question here is: does this limitation apply if two or more certificates use the same IP address that points to the firewall?  Just wondering.

Thanks,
 FletchSOD
 

Expert Comment

by:tkavuri
ID: 9972672
As long as your firewall lets the traffic go to this IP you should be okay.
