Solved

Running multiple SSL websites on single server with single ip address

Posted on 2014-10-21
10
181 Views
Last Modified: 2014-10-28
Hi

I have a web server running on CentOS 6 that is inside a firewall, with a single local IP address.

This server is running a single site on both 80 and 443.

I now need to run another site on 443.

I understand there is a way using SNI that allows me to run multiple SSL sites using the same IP address and different SSL certs.

Can someone please explain how I configure the server to do this?

thanks
0
Question by:timb551
10 Comments
 
LVL 7

Accepted Solution

by:
Stampel earned 500 total points
ID: 40394422
There is a way with SNI, yes.
Before we go further: do you understand that people using OLD versions of web clients will get the security warning as there was no SSL at all?

If yes, follow these 2 links for configuration:
http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
http://wiki.gandi.net/en/ssl/multiplecertononehostipport
0
 

Author Comment

by:timb551
ID: 40394554
Thanks. I have looked through the link and tried to put the config in, but when I do so the site that was working starts going to the Apache test page rather than the actual site.
0
 
LVL 7

Expert Comment

by:Stampel
ID: 40394619
Does your browser support SNI?
# Because this virtual host is defined first, it will be used as the default if the hostname is not received
# in the SSL handshake, e.g. if the browser doesn't support
0
 
LVL 7

Expert Comment

by:Stampel
ID: 40394652
Also, what are your exact versions of Apache and OpenSSL?
0
 

Author Comment

by:timb551
ID: 40394754
I believe it's only old browsers that don't support SNI, isn't it? I'm using Firefox ver. 33

Server version: Apache/2.2.15 (Unix)
OpenSSL 1.0.1e-fips 11 Feb 2013

thanks
0
 
LVL 62

Expert Comment

by:gheist
ID: 40395898
Actually SNI support is not so essential.
With wildcard cert you can disable SNI vs HTTP hostname validation and run 100s of sites in same domain.
0
 
LVL 7

Expert Comment

by:Stampel
ID: 40396313
Your OpenSSL & Apache versions support SNI.
Can you check with a recent version of Chrome?
0
 
LVL 19

Expert Comment

by:alextoft
ID: 40402426
Everything modern supports SNI. SNI just means that the requested FQDN (e.g. yoursite.com) is included in the Client Hello, which is the first part of the SSL handshake, and the first thing which happens after the client establishes the TCP connection on port 443. This means that the web server knows what site you want *before* the SSL handshake takes place, so can present the certificate which matches that FQDN, hence making SSL VirtualHost entries feasible on a single IP.

You want to make sure you've got, as a minimum:

NameVirtualHost *:443

<VirtualHost *:443>
SSLEngine On
ServerName fqdn.on.certificate.com
SSLCertificateFile /path/to/cert/with-fqdn-matching-ServerName
SSLCertificateKeyFile /path/to/corresponding/private.key
SSLCertificateChainFile /path/to/file-containing-CA-cert-chain-for-SSLCertificateFile
DocumentRoot /somewhere
</VirtualHost>
0
 
LVL 62

Expert Comment

by:gheist
ID: 40402534
You need SSL keys for default host so that https listener starts
NameVirtualHost *:443
SSLEngine On
ServerName fqdn.on.certificate.com
SSLCertificateFile /path/to/cert/with-fqdn-matching-ServerName
SSLCertificateKeyFile /path/to/corresponding/private.key
SSLCertificateChainFile /path/to/file-containing-CA-cert-chain-for-SSLCertificateFile

<VirtualHost *:443>
</VirtualHost>
0
 

Author Closing Comment

by:timb551
ID: 40408429
A few typos which were causing me issues, but using the links I got it sorted, thanks
0
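The minimum directives listed in the answers above can be checked mechanically before restarting Apache. This is an added example, not code from the thread or from the Apache project: the sample configuration, hostnames and file paths are constructed, and the second block contains a deliberate typo of the kind mentioned in the closing comment.

```python
import re

REQUIRED = ("ServerName", "SSLEngine", "SSLCertificateFile", "SSLCertificateKeyFile")

# Constructed sample: two HTTPS sites on one address. Hostnames and paths are
# made up, and the second block contains a misspelled directive on purpose.
SAMPLE_CONF = """\
NameVirtualHost *:443

<VirtualHost *:443>
    ServerName www.site-one.example
    SSLEngine On
    SSLCertificateFile /etc/pki/tls/certs/site-one.crt
    SSLCertificateKeyFile /etc/pki/tls/private/site-one.key
    DocumentRoot /var/www/site-one
</VirtualHost>

<VirtualHost *:443>
    ServerName www.site-two.example
    SSLEngine On
    SSLCertificateFile /etc/pki/tls/certs/site-two.crt
    SSLCertficateKeyFile /etc/pki/tls/private/site-two.key
    DocumentRoot /var/www/site-two
</VirtualHost>
"""

def check_sni_vhosts(conf, addr="*:443"):
    """Return (default_site, problems) for the name-based vhosts on addr."""
    problems = []
    a = re.escape(addr)
    if not re.search(r"^\s*NameVirtualHost\s+" + a + r"\s*$", conf, re.I | re.M):
        problems.append("missing NameVirtualHost " + addr)  # needed on Apache 2.2
    blocks = re.findall(r"<VirtualHost\s+" + a + r"\s*>(.*?)</VirtualHost>", conf, re.I | re.S)
    names = []
    for number, block in enumerate(blocks, 1):
        found = {}
        for line in block.splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2 and not parts[0].startswith("#"):
                found[parts[0].lower()] = parts[1].strip()
        name = found.get("servername", "?")
        names.append(name)
        for directive in REQUIRED:
            if directive.lower() not in found:
                problems.append("vhost %d (%s): missing %s" % (number, name, directive))
    # Apache serves the first matching block when the client sends no usable name.
    return (names[0] if names else None), problems
```

Calling `check_sni_vhosts(SAMPLE_CONF)` names www.site-one.example as the default site and reports the missing key directive in the second block.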


Question has a verified solution.
