
Apache SNI: multiple SSL certificates on one IP address

Today I'm trying to configure Apache to run two domains each with their own SSL certificate. From what I have read this is supported by SNI as long as my Apache is configured with a recent version of OpenSSL. I verified that it is:

[notice] Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.7 with Suhosin-Patch mod_ssl/2.2.22 OpenSSL/1.0.1 configured -- resuming normal operations

I thought I had successfully set up the second domain and certificate, but when I try to visit the second domain in Chrome I get the following error:

You attempted to reach example2.com, but instead you actually reached a server identifying itself as example1.com.

This post seems closest to my issue:

hosting multiple SSL certs on apache

But from what I can tell my server is already configured correctly (clearly it is not!).

I have the following directives in my conf file for example2.com:

ServerName  example2.com
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/example2.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/example2.com.key

It looks right to me. So why is Apache serving example1's cert when I visit example2?

Turns out domain 1 was configured as

<VirtualHost *:443>

I use webmin, which only reveals that detail when you view the directive directly.

Changing * was part of the solution but introduced some other problems. I think I will punt and do IP-based SSL.

I added this to ports.conf (Apache/2.2.22):

NameVirtualHost *:443

You can read details in this post.
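An added example, not code from the question or the answer: a small Python check for the exact misconfiguration found above on Apache 2.2 (several SSL VirtualHosts on one address:port with different certificates but no matching NameVirtualHost line, so the first VirtualHost's certificate is served for every name). The config fragment is constructed, and `parse_vhosts`, `name_vhost_addrs` and `check_ssl_vhosts` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed httpd.conf fragment (not from the post) reproducing the asker's
# situation: two SSL vhosts on *:443 with different certs, no NameVirtualHost.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName example1.com
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/example1.com.crt
</VirtualHost>
<VirtualHost *:443>
    ServerName example2.com
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/example2.com.crt
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^\s*(ServerName|SSLEngine|SSLCertificateFile)\s+(\S+)", re.M | re.I)

def parse_vhosts(conf):
    """Return [(address, {directive_lowercase: value})] for each <VirtualHost>."""
    vhosts = []
    for m in VHOST_RE.finditer(conf):
        directives = {k.lower(): v for k, v in DIRECTIVE_RE.findall(m.group(2))}
        vhosts.append((m.group(1).strip(), directives))
    return vhosts

def name_vhost_addrs(conf):
    """Addresses declared with NameVirtualHost (required on Apache 2.2)."""
    return {a.strip() for a in re.findall(r"^\s*NameVirtualHost\s+(\S+)", conf, re.M | re.I)}

def check_ssl_vhosts(conf):
    """Flag each address:port carrying several SSL vhosts with different certs but
    no matching NameVirtualHost: Apache 2.2 then answers every TLS client on that
    address with the FIRST vhost's certificate, shadowing the later ServerNames."""
    groups = defaultdict(list)
    for addr, d in parse_vhosts(conf):
        if d.get("sslengine", "").lower() == "on":
            groups[addr].append(d)
    declared = name_vhost_addrs(conf)
    findings = []
    for addr, hosts in groups.items():
        certs = {h.get("sslcertificatefile") for h in hosts}
        if len(hosts) > 1 and len(certs) > 1 and addr not in declared:
            shadowed = [h.get("servername") for h in hosts[1:]]
            findings.append((addr, hosts[0].get("servername"), shadowed))
    return findings
```

Run it against a real config (`cat /etc/apache2/sites-enabled/* | python3 -c ...`) and an empty result means every SSL address with several certificates also has its NameVirtualHost declaration.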

It's not possible to have multiple SSL domains on the same IP address.

Context

When a client contacts an HTTPS web site, all communication is encrypted with the site's public key (SSL certificate). Only the private key associated with the public key can decrypt the HTTP request. Basically, that's how HTTPS works.
That's why in your virtual host you define, for each SSL web site, the certificate and the key:

SSLCertificateFile /etc/apache2/ssl/example2.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/example2.com.key

Name-based VirtualHost and SSL

When you use name-based VirtualHosts, Apache reads each client request and looks at which domain name is requested. Once the domain name is identified, Apache reads the VirtualHost instructions and returns the right web site.

When Apache receives an SSL request, the system can't decrypt the message because Apache needs to use the SSLCertificateKeyFile defined in the VirtualHost, but to know which VirtualHost to use it needs to be able to decrypt the message... Because Apache doesn't know how to process your request, the system returns the first VirtualHost processed.

That's why you need to use IP-based VirtualHosts, which is what is used in the example:
hosting multiple SSL certs on apache. You have 2 IPs, 1.1.1.1 and 2.2.2.2:

NameVirtualHost 1.1.1.1:443
NameVirtualHost 2.2.2.2:443
<VirtualHost 1.1.1.1:443>
  ServerName www.domain1.com
  ...
  ...
</VirtualHost>
<VirtualHost 2.2.2.2:443>
  ServerName www.domain2.com
  ...
  ...
</VirtualHost>

Name-based VirtualHost and SSL wildcard certificate

If the private key AND the public key (SSL certificate) are the same for all domains, Apache will be able to decrypt the communication. This situation happens only when you use a wildcard certificate for a domain. For example, if you have a wildcard for *.domain.com you can define name-based VirtualHosts like this:

NameVirtualHost 1.1.1.1:443

<VirtualHost 1.1.1.1:443>
   ServerName  foo.domain.com
   SSLEngine on
   SSLCertificateFile /etc/apache2/ssl/wildcard.domain.com.crt
   SSLCertificateKeyFile /etc/apache2/ssl/wildcard.domain.com.key
   ... 
   ...
</VirtualHost>

<VirtualHost 1.1.1.1:443>
   ServerName  bar.domain.com
   SSLEngine on
   SSLCertificateFile /etc/apache2/ssl/wildcard.domain.com.crt
   SSLCertificateKeyFile /etc/apache2/ssl/wildcard.domain.com.key
   ... 
   ...
</VirtualHost>

This configuration will work because, whatever the domain, Apache uses the same private key to decrypt the communication, so the system will be able to select the right VirtualHost settings.

Have a nice day.
