Solved

Using more than one SSL certificate with apache

Posted on 2003-11-24
Last Modified: 2010-03-04
I'm having a problem with my ssl.conf and setting up certificates. I have 2 virtual domains listed in ssl.conf and I have a cert for each of them. The vhosts are listed below. Some stuff has been removed for clarity.

<VirtualHost 192.168.0.50:443>
DocumentRoot "/home/donboy/www/rpgdomains/html/"
ServerName secure.websupport.cc:443
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/conf/ssl.crt/secure.websupport.cc.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/secure.websupport.cc.key
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/IPS-IPSCABUNDLE.crt
</VirtualHost>

<VirtualHost 192.168.0.50:443>
DocumentRoot "/home/donboy/www/nexus/html/"
ServerName secure.nexuscity.net:443
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/conf/ssl.crt/secure.nexuscity.net.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/secure.nexuscity.net.key
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/IPS-IPSCABUNDLE.crt
</VirtualHost>

I have heard that I cannot have more than one SSL cert on the same IP address.  The problem is I'm not doing my own DNS. I'm using a 3rd party to handle the DNS. So when somebody calls http://nexuscity.net in the browser, the request is directed to www.zoneedit.com and from there, the http request is forwarded to my IP address. This prevents me from having to mess with my own DNS records, but it also means that all requests must be served from the same IP address and the vhosts are differentiated by the ServerName directive.  (At least that's how I understand it all to work)

Is there anything I can do to use more than one cert on the same IP?  Is there some other method I could use to set up Apache so that I can use more than one cert in the same conf file?   I guess I could run another instance of Apache, but that seems just too problematic and too much overhead just for an extra cert.
0
Question by:Donboy
9 Comments
 
LVL 15

Expert Comment

by:periwinkle
ID: 9819150
You must have a unique IP address for each cert - there is no way to share an IP address for multiple certs that I am aware of.
0
 
LVL 2

Author Comment

by:Donboy
ID: 9819342
Ok, I kind of expected that answer.  But is there anything else I can do to accomplish the same goal?  How is something like this normally handled??  Do I need to be doing  my own DNS in order to make this happen?
0
 
LVL 15

Expert Comment

by:periwinkle
ID: 9819609
It's not that you aren't doing your own DNS, but that you are using zoneedit to get around not having a static IP address.  Does your ISP support dedicated IP addresses?  Perhaps they would assign you a range of dedicated IP addresses (possibly for $$'s)?
0
 
LVL 2

Author Comment

by:Donboy
ID: 9820094
No, my provider... cableone.net... does not offer fully static IP addresses... at least not in my location.  I've also shopped around and there really is nothing good in my area that's suitable and offers a static IP.  Other providers in my area are running speeds that are way too slow and actually cost more!

What cableone has given me is a "leased" IP address. So while it's possible that the IP may occasionally change, for the most part, it's pretty steady.  I've had the same IP address for about 3 months now, so that's good.  But the problem is, I plan to have numerous domains hosted on the same server and I don't want a dozen sites broken for a week every time they give me a new IP because I would have to update all my accounts at networksolutions.com to point to new IP addresses.  This way, I do it at zoneedit and the change is pretty much instantaneous.

My server is sitting behind a router which assigns it a static IP.  So maybe I could point multiple IPs (somehow) to the same machine?  Right now I'm just using port forwarding on the router to send all https requests to the same IP... the IP of the server.
0
 

Accepted Solution

by:
tkavuri earned 125 total points
ID: 9820565
OK, I have gone through this trouble recently. As you are expecting, the answer is no: you cannot install 2 certs on the same IP address and same port. If you want to use the same IP, you have to run the second VH on a non-standard port (other than 443).

0
 
LVL 2

Author Comment

by:Donboy
ID: 9828455
Well, hmmm.  I guess that successfully answers the question.  I will award you the points.  Thanks for answering.  I'm really not crazy about opening up those extra ports, but I guess it has to be done for this to work.  Any other advice for me in this regard?  If not, thanks for your insight.
0
 

Expert Comment

by:tkavuri
ID: 9905036
Hey Thanks for those points :) . If you still need any help with that let me know. I can send you an example conf file.

tk
0
 

Expert Comment

by:fletchsod
ID: 9972493
One quick question here.  I can tell this refers to the Apache server itself?  My company uses a firewall, so behind the firewall there is a possibility of more IP addresses to use on Apache.  So, my question here is: does this limitation apply if two or more certificates use the same IP address that points to the firewall?  Just wondering.

Thanks,
 FletchSOD
0
 

Expert Comment

by:tkavuri
ID: 9972672
As long as your firewall lets the traffic go to this IP you should be okay.
0
