Running multiple SSL websites on single server with single ip address

HI

I have a web server running on Centos 6 that is inside a firewall running a single local ip address.

On this server it is running a single site on both 80 and 443.

I now need to run another site on 443.

I understand there is a way using SNI that allows me to run multiple ssl sites using the same ip address and different ssl certs.

Can someone please explain how i configure the server to do this.

thanks
timb551Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

StampelCommented:
There is a way with SNI, yes.
Before we go further .. Do you understand that people using OLD versions of webclients will get the security warning as there was no SSL at all ?

If yes, follow this 2 links for configuration
http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
http://wiki.gandi.net/en/ssl/multiplecertononehostipport
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
timb551Author Commented:
Thanks.  I have looked through the link and tried to put the config in but when i do so the site that was working starts going to the apache test page rather than the actual site.
0
StampelCommented:
Does your browser support SNI ?
# Because this virtual host is defined first, it will be used as the default if the hostname is not received
# in the SSL handshake, e.g. if the browser doesn't support
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

StampelCommented:
Also, what are your exact versions of Apache and OpenSSL  ?
0
timb551Author Commented:
I believe its only old browsers that dont support SNI isnt it.  Im using Firefox ver. 33

Server version: Apache/2.2.15 (Unix)
OpenSSL 1.0.1e-fips 11 Feb 2013

thanks
0
gheistCommented:
Actually SNI support is not so essential.
With wildcard cert you can disable SNI vs HTTP hostname validation and run 100s of sites in same domain.
0
StampelCommented:
Your openssl & apache versions support SNI.
Can you check with Chrome recent version ?
0
alextoftCommented:
Everything modern supports SNI. SNI just means that the requested FQDN (eg. yoursite.com) is included in the Client Hello which is the first part of the SSL handshake, and the first thing which happens after the client establishes the TCP connection on port 443. This means that the web server knows what site you want *before* the SSL handshake takes place, so can present the certificate which matches that FQDN, hence making SSL VirtualHost entries feasible on a single IP.

You want to make sure you've got, as a minimum:

NameVirtualHost *:443

<VirtualHost *:443>
SSLEngine On
ServerName fqdn.on.certificate.com
SSLCertificateFile /path/to/cert/with-fqdn-matching-ServerName
SSLCertificateKeyFile /path/to/corresponding/private.key
SSLCertificateChainFile /path/to/file-containing-CA-cert-chain-for-SSLCertificateFile
DocumentRoot /somewhere
</VirtualHost>
0
gheistCommented:
You need SSL keys for default host so that https listener starts
NameVirtualHost *:443
SSLEngine On
ServerName fqdn.on.certificate.com
SSLCertificateFile /path/to/cert/with-fqdn-matching-ServerName
SSLCertificateKeyFile /path/to/corresponding/private.key
SSLCertificateChainFile /path/to/file-containing-CA-cert-chain-for-SSLCertificateFile

<VirtualHost *:443>
</VirtualHost>
0
timb551Author Commented:
A few typos which were causing me issues but using the links i got it sorted, thanks
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Apache Web Server

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.