
SSL on subdomain and primary domain - ehost

I have an issue with my provider - ehost.

I have a wildcard certificate. I wanted to test it first before going live, so I requested that it be installed on a subdomain first (uat.domain.com). I have tested the application and want to go live. The provider said that it is impossible to install the certificate on the primary domain (domain.com) because they installed it on the subdomain first.

Of course, they have offered to let me buy a certificate from them.

I really don't understand the issue. Can someone tell me whether they are right or not? I thought that it is even possible to take the certificate from ehost, send it to another provider and install it there. The certificate is now installed on an Apache server, and the folders for the subdomain and the primary domain are on the same server.

Without looking at the actual configuration it is hard to tell, but to answer your question, if they say it is impossible, that is because they are just using 1 VirtualHost in their server.

Generally, shared hosting has these kinds of issues because they dedicate 1 single instance of Apache to many different clients and have 1 virtualhost per client, but this is just guessing; you need to check whether this is what is currently happening.

But I can also describe how Apache works so you understand what may be happening:

If the Apache configuration has different virtualhosts, you can have as many different certificates, wildcards and whatnot, as virtualhosts you have.

That is, 1 certificate per VirtualHost.

But that is not all: if you have several different domain or subdomain names, this is when you need to carefully plan how to configure them.

For instance:

If you have defined this virtualhost first:

<VirtualHost *:443>
ServerName example.com
ServerAlias *.example.com
</VirtualHost>

No other virtualhosts for whatever.example.com or example.com will apply or be used since this virtualhost will grab all the requests for those names.

But if you have:

<VirtualHost *:443>
ServerName domain.com
</VirtualHost>

And now you need to define a virtualhost with a new wildcard certificate for your subdomain, you can perfectly well do so using the new wildcard certificate for *.example.com:

<VirtualHost *:443>
ServerName xxxxx.example.com
</VirtualHost>

And you can now define more virtualhosts if you want/need, with the same wildcard cert for *.example.com:

<VirtualHost *:443>
ServerName yyyyy.example.com
</VirtualHost>

Note these are stripped-down virtualhost examples (obviously your virtualhosts will have more directives inside them, especially the ones loading the key and certificates, etc.).

And briefly, things you need to consider:

  1. Apache HTTPD looks at the Host header to know to which virtualhost it must deliver the request.
  2. If you overlap names or define too-greedy ServerAliases, virtualhosts defined later may never receive requests if a previous virtualhost matches the host name requested. That is, the first match in the virtualhost list wins.
  3. Apache lets you have 1 certificate per virtualhost; it does not matter if you use the same certificate in several virtualhosts, though.
  4. You just have to be careful not to overlap names and wildcards if you use ServerAlias. Having two virtualhosts covering the same name will just make httpd ignore the second virtualhost for the same name.
  5. If you have several different files for different virtualhosts, their files are read in alphabetical order, so if you have a-virtualhost.conf with servername 1.example.com and b-virtualhost.conf also with servername 1.example.com, b-virtualhost.conf will be ignored.
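A check for points 2, 4 and 5 above, as an added example that is not part of the original answer: it reads virtualhost files in alphabetical order and reports host names that an earlier virtualhost already claims. The file names and sample configuration are constructed, ServerName values are assumed to be bare host names, and ServerAlias wildcards are approximated with Python's `fnmatch`.

```python
import fnmatch

# Constructed sample: two files from a hypothetical conf.d directory.
SAMPLE_FILES = {
    "b-uat.conf": """<VirtualHost *:443>
    ServerName uat.example.com
</VirtualHost>""",
    "a-main.conf": """<VirtualHost *:443>
    ServerName example.com
    ServerAlias *.example.com
</VirtualHost>""",
}

def parse_vhosts(files):
    """Return vhosts in load order: files alphabetically, blocks top to bottom."""
    vhosts, current = [], None
    for fname in sorted(files):
        for raw in files[fname].splitlines():
            tokens = raw.split()
            if not tokens or tokens[0].startswith("#"):
                continue  # skip blank lines and comment lines
            directive = tokens[0].lower()
            if directive == "<virtualhost":
                addr = " ".join(tokens[1:]).rstrip(">")
                current = {"file": fname, "addr": addr, "names": []}
                vhosts.append(current)
            elif directive == "</virtualhost>":
                current = None
            elif current is not None and directive in ("servername", "serveralias"):
                current["names"] += [t.lower() for t in tokens[1:]]
    return vhosts

def find_shadowed(vhosts):
    """Return (name, ignored_file, winning_file) for names an earlier vhost claims."""
    findings = []
    for i, later in enumerate(vhosts):
        for name in later["names"]:
            if "*" in name or "?" in name:
                continue  # only concrete host names of later vhosts are checked
            for earlier in vhosts[:i]:
                same_addr = earlier["addr"] == later["addr"]
                if same_addr and any(fnmatch.fnmatchcase(name, p) for p in earlier["names"]):
                    findings.append((name, later["file"], earlier["file"]))
                    break
    return findings

if __name__ == "__main__":
    for name, ignored, winner in find_shadowed(parse_vhosts(SAMPLE_FILES)):
        print(f"{name}: vhost in {ignored} never matches, {winner} wins")
```

On the constructed sample, `a-main.conf` loads first and its `*.example.com` alias takes the requests meant for the `uat.example.com` virtualhost in `b-uat.conf`; renaming the files so the specific virtualhost loads first clears the finding.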
