Using more than one SSL certificate with apache

Posted on 2003-11-24
Last Modified: 2010-03-04
I'm having a problem with my ssl.conf and setting up certificates. I have 2 virtual domains listed in ssl.conf and I have a cert for each of them. The vhosts are listed below. Some stuff has been removed for clarity.

<VirtualHost 192.168.0.50:443>
DocumentRoot "/home/donboy/www/rpgdomains/html/"
ServerName secure.websupport.cc:443
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/conf/ssl.crt/secure.websupport.cc.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/secure.websupport.cc.key
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/IPS-IPSCABUNDLE.crt
</VirtualHost>

<VirtualHost 192.168.0.50:443>
DocumentRoot "/home/donboy/www/nexus/html/"
ServerName secure.nexuscity.net:443
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/conf/ssl.crt/secure.nexuscity.net.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/secure.nexuscity.net.key
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/IPS-IPSCABUNDLE.crt
</VirtualHost>

I have heard that I cannot have more than one SSL cert on the same IP address. The problem is I'm not doing my own DNS. I'm using a 3rd party to handle the DNS. So when somebody calls http://nexuscity.net in the browser, the request is directed to www.zoneedit.com and from there, the http request is forwarded to my IP address. This prevents me from having to mess with my own DNS records, but it also means that all requests must be served from the same IP address and the vhosts are differentiated by the ServerName directive. (At least that's how I understand it all to work)

Is there anything I can do to use more than one cert on the same IP? Is there some other method I could use to set up apache so that I can use more than one cert in the same conf file? I guess I could run another instance of apache, but that seems just too problematic and too much overhead just for an extra cert.
Question by:Donboy
9 Comments
 
LVL 15

Expert Comment

by:periwinkle
ID: 9819150
You must have a unique IP address for each cert - there is no way to share an IP address for multiple certs that I am aware of.
 
LVL 2

Author Comment

by:Donboy
ID: 9819342
Ok, I kind of expected that answer. But is there anything else I can do to accomplish the same goal? How is something like this normally handled? Do I need to be doing my own DNS in order to make this happen?
 
LVL 15

Expert Comment

by:periwinkle
ID: 9819609
It's not that you aren't doing your own DNS, but that you are using zoneedit to get around not having a static IP address. Does your ISP support dedicated IP addresses? Perhaps they would assign you a range of dedicated IP addresses (possibly for $$'s)?
LVL 2

Author Comment

by:Donboy
ID: 9820094
No, my provider... cableone.net... does not offer fully static IP addresses... at least not in my location. I've also shopped around and there really is nothing good in my area that's suitable and offers a static IP. Other providers in my area are running speeds that are way too slow and actually cost more!

What cableone has given me is a "leased" IP address. So while it's possible that the IP may occasionally change, for the most part, it's pretty steady. I've had the same IP address for about 3 months now, so that's good. But the problem is, I plan to have numerous domains hosted on the same server and I don't want a dozen sites broken for a week every time they give me a new IP because I would have to update all my accounts at networksolutions.com to point to new IP addresses. This way, I do it at zoneedit and the change is pretty much instantaneous.

My server is sitting behind a router which assigns it a static IP. So maybe I could point multiple IPs (somehow) to the same machine? Right now I'm just using port forwarding on the router to send all https requests to the same IP... the IP of the server.

Accepted Solution

by:
tkavuri earned 125 total points
ID: 9820565
OK, I have gone through this trouble recently. As you are expecting, the answer is no, you cannot install 2 certs on the same IP address and same port. If you want to use the same IP you have to run the second VH on a non-standard port (other than 443).
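The layout the accepted answer describes, written out as an added example (this is not Donboy's posted ssl.conf and not the example conf file tkavuri offered): the first vhost stays on 192.168.0.50:443 and the second is bound to the same IP on a different port, so each listening socket presents its own certificate. Port 8443 is an assumption; the hostnames, document roots and certificate paths are the ones from the question.

```apache
# Added example, not the original poster's configuration.
# One IP address, two certificates: without a second IP (and without
# SNI, which this era of mod_ssl lacks) a certificate can only be bound
# per IP:port, so the second site gets its own port.
Listen 443
# Assumed non-standard port for the second site; any free port works.
Listen 8443

<VirtualHost 192.168.0.50:443>
    ServerName secure.websupport.cc:443
    DocumentRoot "/home/donboy/www/rpgdomains/html/"
    SSLEngine on
    SSLCertificateFile      /etc/httpd/conf/ssl.crt/secure.websupport.cc.crt
    SSLCertificateKeyFile   /etc/httpd/conf/ssl.key/secure.websupport.cc.key
    SSLCertificateChainFile /etc/httpd/conf/ssl.crt/IPS-IPSCABUNDLE.crt
</VirtualHost>

# Same IP, different port: a distinct socket, so mod_ssl can hand out a
# different certificate here. Clients reach it as
# https://secure.nexuscity.net:8443/
<VirtualHost 192.168.0.50:8443>
    ServerName secure.nexuscity.net:8443
    DocumentRoot "/home/donboy/www/nexus/html/"
    SSLEngine on
    SSLCertificateFile      /etc/httpd/conf/ssl.crt/secure.nexuscity.net.crt
    SSLCertificateKeyFile   /etc/httpd/conf/ssl.key/secure.nexuscity.net.key
    SSLCertificateChainFile /etc/httpd/conf/ssl.crt/IPS-IPSCABUNDLE.crt
</VirtualHost>
```

Two things to check after applying this: the router's port forwarding described in the question must forward 8443 to the server as well, not only 443, and each certificate's name must still match the hostname the browser uses (the port is not part of that match, so the existing certs work unchanged). The example deliberately omits the SSLCipherSuite line from the question so that mod_ssl's default list applies; the posted string explicitly re-enables eNULL (null, i.e. unencrypted) ciphers along with LOW and SSLv2, which an SSL endpoint should not offer.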
 
LVL 2

Author Comment

by:Donboy
ID: 9828455
Well, hmmm. I guess that successfully answers the question. I will award you the points. Thanks for answering. I'm really not crazy about opening up those extra ports, but I guess it has to be done for this to work. Any other advice for me in this regard? If not, thanks for your insight.

Expert Comment

by:tkavuri
ID: 9905036
Hey, thanks for those points :). If you still need any help with that let me know. I can send you an example conf file.

tk

Expert Comment

by:fletchsod
ID: 9972493
One quick question here. I can tell this refers to the Apache server itself? My company uses a firewall, so behind the firewall there is the possibility of more IP addresses to use on Apache. So, my question here is, does this limitation apply if two or more certificates use the same IP address that points to the firewall? Just wondering.

Thanks,
 FletchSOD

Expert Comment

by:tkavuri
ID: 9972672
As long as your firewall lets the traffic go to this IP you should be okay.