Daniel Stover
 asked on

SSL Solution for Multi Domain / Multi Host

I need to secure a couple of websites, and am looking for the ideal SSL solution to handle multiple domain names / multiple hosts. Here is a breakdown of my topology.

Website 1 - Self-hosted IIS server. This server has multiple IP addresses (3 different ISP connections) and host names, but all point to the exact same virtual machine, apart from a replica that is stored at a remote location and would need to be able to come online as a failover.

website1a.com - points to 1.1.1.1 (onsite IIS Server)
website1b.com - points to 2.2.2.2 (onsite IIS Server)
website1c.com  - points to 3.3.3.3 (onsite IIS Server)
website1d.com - points to 4.4.4.4 (offsite backup of IIS server)

Website 2 (WordPress) - GoDaddy VPS hosted, with a NameCheap backup website
website2.com - points to 5.5.5.5; when there is a failover, I automatically redirect the DNS for website2.com to the NameCheap hosting at 6.6.6.6

I was thinking about purchasing a single SAN SSL that includes every domain. However, I am not sure I will be able to install that SSL on the IIS server as well as on the GoDaddy and NameCheap hosting.

Looking for advice.

Thanks in advance!!
Dan
Tags: Virtualization, SSL / HTTPS, Microsoft IIS Web Server, WordPress

Last comment: David Favor, 8/22/2022 (Mon)
zc2

What are your doubts? There should be no problem using a single certificate with multiple SANs on IIS.
noci

If you only need DV certificates, try Let's Encrypt. The renewal process can easily be done using certbot, for example.
David Favor

Just use https://LetsEncrypt.org generating a separate cert for each site or one cert to cover them all.

Tip: Using one cert to cover many domains/hosts will cause you all manner of complexity + problems over time. Better for each cert to cover only one domain or host. Or use a wildcard LetsEncrypt cert to cover all hosts on one domain.

So to cover one domain...

# one cert per domain (apex + www), domain-validated via the HTTP-01 webroot challenge;
# $email, $dir and $domain are shell variables you set beforehand
certbot-auto certonly --no-self-upgrade --non-interactive --rsa-key-size 4096 --email "$email" --agree-tos --webroot -w "$dir" -d "$domain" -d "www.$domain"


Then a CRON job to auto-renew all certs on one machine forever...

# crontab entry: daily at 01:00, renew whatever is due and reload Apache afterwards, logging each run
0 1 * * * (echo '#####' && date && certbot-auto renew --non-interactive --post-hook "service apache2 reload") >> /var/log/ssl-renewals.log 2>&1

ASKER CERTIFIED SOLUTION
David Favor

Daniel Stover

ASKER
There is a SQL server associated with the IIS website on site. The failover site is a complete replica of the production environment. All VMs are replicated daily (including SQL). So outside of the IP changing on a failover, I would presume I wouldn't have any issues. But I am not positive, and my experience with securing sites with SSL is minimal, so I wanted to confirm with you experts :)

I will start a new question starting with securing the IIS website, then open another question about securing the GoDaddy hosted website after. These are two completely separate systems.
David Favor

No problems related to SSL.

So long as you have the correct certs associated with correct sites on correct IP all will be well.

Even if you change a site's IP (best to use short 5-10 minute TTLs for your setup), there will be some period of time (less than the TTL in seconds) where some visitors may see different IPs.

This is also no problem, because certs living on each instance will be correct for the IP where they're running.

I generally use wildcard certs for this exact reason. I can generate the certs on the DNS instance (as zone file access is usually required), then pull the wildcard certs from the DNS instance to any number of machines or containers, allowing extremely complex setups to be maintained with zero human intervention (once setup is working).
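The two points David Favor makes above, one cert per host or domain (or a wildcard per domain) and having the correct cert on each instance before a DNS change repoints visitors at it, both reduce to one question you can answer offline: does the certificate's Subject Alternative Name list cover every hostname a visitor will actually type? The check below is an added example, not code from this thread or from certbot. It implements the wildcard rules browsers apply (a `*` is honoured only as the entire leftmost label, replaces exactly one label, and needs at least two labels after it, so `*.website2.com` covers `www.website2.com` but not the apex `website2.com`) and runs them against a constructed scenario built from the thread's placeholder hostnames. The detail that the offsite replica carries only the website1d.com certificate while a failover sends every onsite hostname to it is an assumption made here for illustration, not something the thread states.

```python
"""Report which hostnames a certificate's SAN list fails to cover.

Added example for the thread above (not the thread's or certbot's code).
Name matching follows RFC 6125 section 6.4.3 the way browsers apply it:
a wildcard must be the entire leftmost label, replaces exactly one
label, and is rejected when fewer than two labels follow it (so
"*.com" never matches). Partial wildcards such as "w*.example.com" are
rejected outright, which is the conservative choice.
"""


def _normalize(name: str) -> str:
    """Lower-case and drop a trailing dot; DNS names compare case-insensitively."""
    return name.strip().lower().rstrip(".")


def name_matches(pattern: str, hostname: str) -> bool:
    """True if one SAN dNSName entry covers `hostname`."""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    first, sep, rest = pattern.partition(".")
    # Only "*.<at least two labels>" is honoured.
    if first != "*" or not sep or "*" in rest or "." not in rest:
        return False
    host_first, host_sep, host_rest = hostname.partition(".")
    # Exactly one label is replaced: the apex and deeper subdomains do not match.
    return bool(host_first) and host_sep == "." and host_rest == rest


def cert_covers(san_names, hostname) -> bool:
    """True if any SAN entry covers the hostname the visitor used."""
    return any(name_matches(p, hostname) for p in san_names)


def uncovered_hosts(san_names, hostnames):
    """Hostnames that would fail TLS name validation against this certificate."""
    return [h for h in hostnames if not cert_covers(san_names, h)]


# Constructed scenario using the thread's placeholder names (an assumption
# made here for illustration): the offsite replica at 4.4.4.4 carries only
# the website1d.com certificate, and a failover repoints every onsite
# hostname at it.
OFFSITE_SANS = ["website1d.com", "www.website1d.com"]
FAILOVER_HOSTS = [
    "website1a.com", "www.website1a.com",
    "website1b.com", "www.website1b.com",
    "website1c.com", "www.website1c.com",
    "website1d.com", "www.website1d.com",
]


def failover_gaps(san_names=OFFSITE_SANS, hostnames=FAILOVER_HOSTS):
    """Names visitors would land on during failover that the replica's cert does not cover."""
    return uncovered_hosts(san_names, hostnames)


if __name__ == "__main__":
    for host in failover_gaps():
        print(f"replica cert does not cover {host}")
    # The wildcard caveat from the thread: *.website2.com covers www. but not the apex.
    print(cert_covers(["*.website2.com"], "www.website2.com"))  # True
    print(cert_covers(["*.website2.com"], "website2.com"))      # False
```

Feed it the SAN list pulled from the certificate actually deployed on each instance (for example `openssl x509 -in cert.pem -noout -ext subjectAltName`) together with every hostname whose DNS could be pointed at that instance; an empty list from `uncovered_hosts` on every instance is what you want before you shorten the TTLs and rely on DNS failover.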
Daniel Stover

ASKER
I will open separate questions to address securing the IIS environment, then securing the GoDaddy/NameCheap hosting.
David Favor

Sounds good!