ispCP - Board - Support
[HowTo] Multiple SSL Certificates on a Single IP/Port using mod_gnutls - Printable Version

Thread: [HowTo] Multiple SSL Certificates on a Single IP/Port using mod_gnutls (/thread-4696.html)



[HowTo] Multiple SSL Certificates on a Single IP/Port using mod_gnutls - Murodese - 10-14-2008 02:07 PM

So I was looking for a solution to the annoying single cert per ip/port and found mod_gnutls - it's been in development for quite a while, but has skimmed under the radar from what I can see.

Basically, it supports SNI - server name indication, which means that it doesn't suffer from the single cert limitation. Not only that, it's pretty easy to install (in etch/lenny at least). If your distro doesn't have it in repositories, you can grab and compile it from source at http://www.outoforder.cc/projects/apache/mod_gnutls/

Code:
apt-get install libapache2-mod-gnutls
a2dismod ssl   # this should happen automatically from apt, but do it anyway to make sure
a2enmod gnutls

Edit /etc/apache2/ports.conf and add the following line.

Code:
Listen 443

Create/open /etc/apache2/sites-available/02_ssl.conf and write up your virtual hosts.

(x.x.x.x being your server ip)

Code:
NameVirtualHost x.x.x.x:443

<VirtualHost>

ServerName domain1.tld:443

GnuTLSEnable on
GnuTLSCertificateFile /path/to/crt/file/1
GnuTLSKeyFile /path/to/key/file/1
# Apache does not allow comments after a directive, so keep notes on their own line.
# NORMAL can be changed to a wide range of options - see http://www.outoforder.cc/projects/apache/mod_gnutls/docs/#GnuTLSPriorities
GnuTLSPriorities NORMAL

DocumentRoot /var/www/virtual/domain1.tld/htdocs

# (other apache directives)

</VirtualHost>


<VirtualHost>

ServerName domain2.tld:443

GnuTLSEnable on
GnuTLSCertificateFile /path/to/crt/file/2
GnuTLSKeyFile /path/to/key/file/2
# NORMAL can be changed to a wide range of options - see http://www.outoforder.cc/projects/apache/mod_gnutls/docs/#GnuTLSPriorities
GnuTLSPriorities NORMAL

DocumentRoot /var/www/virtual/domain2.tld/htdocs

# (other apache directives)

</VirtualHost>

Where I've marked other apache directives, you need to add config directives from the standard ispcp.conf file - suexec parameters and the like, or php won't work.

Enable the site (a2ensite 02_ssl.conf) and restart Apache (/etc/init.d/apache2 restart) and you should have two separate domains hosted off the same server using different ssl certificates ;]

(I haven't tested this extensively so let me know if anything major is broken - it appears to work ok on our server)

I also didn't cover making your ssl certificates - there's a tonne of tutorials out there already for this.

Enjoy!


RE: [HowTo] Multiple SSL Certificates on a Single IP/Port using mod_gnutls - rethus - 06-09-2010 10:41 PM

Thanks for this howto, I have added it to the wiki for you: http://isp-control.net/documentation/howto:multiple_ssl_certificates_on_a_single_ip_port_using_mod_gnutls


RE: [HowTo] Multiple SSL Certificates on a Single IP/Port using mod_gnutls - slowjack2k - 07-18-2010 01:32 AM

It's a good HowTo. I want to add that not every browser supports SNI (for instance IE on Windows XP). Does mod_gnutls support more than mod_ssl? You can test your browser here.
PS: I found this hint to test a client and redirect clients without SNI support:

RewriteCond %{SSL:SSL_TLS_SNI} =""
RewriteCond %{HTTP:Host} !=alice.example.com
RewriteRule .* https://alice.example.com/sni-info.html [L]


RE: [HowTo] Multiple SSL Certificates on a Single IP/Port using mod_gnutls - momo - 07-18-2010 11:33 AM

Thanks.

The 1st certificate you put in the 02_ssl.conf will behave correctly on XP.
The 2nd, 3rd, etc. will display an untrusted alert.


RE: [HowTo] Multiple SSL Certificates on a Single IP/Port using mod_gnutls - Top44 - 07-19-2010 08:13 AM

As I think I understand it, you need an OS higher than XP.

On which pages did you set up multiple certs? Would be nice to test this.

greets


RE: [HowTo] Multiple SSL Certificates on a Single IP/Port using mod_gnutls - slowjack2k - 07-20-2010 01:46 AM

(07-19-2010 08:13 AM)Top44 Wrote:  As I think I understand it, you need an OS higher than XP.

It isn't an XP issue. Firefox 3.6.6 can do SNI even on XP.

As I said, you can test it here: https://sni.velox.ch/

Regards


RE: [HowTo] Multiple SSL Certificates on a Single IP/Port using mod_gnutls - Top44 - 07-20-2010 03:38 AM

Yeah, you're right, just re-read it.

I'm on the way to test this on 2 domains with official certs, but it didn't work yet; domain2 uses the cert of domain1.

greets


RE: [HowTo] Multiple SSL Certificates on a Single IP/Port using mod_gnutls - slowjack2k - 07-20-2010 03:57 AM

Without a piece of source code it's not easy to say what's wrong. I think it would be easier to explain in the German corner.


RE: [HowTo] Multiple SSL Certificates on a Single IP/Port using mod_gnutls - allrob - 07-22-2010 06:32 AM

Isn't there a small mistake in the guide?
When declaring a virtual host, don't you need an IP address and port? Maybe that's why some peeps can't get it to work / get strange results, like the certificate error?

NameVirtualHost ip.ad.dr.ess:port

# <<<<<<<<<<<<<<<<< note the address:port on the VirtualHost line
<VirtualHost ip.ad.dr.ess:port>
ServerName vhostname.tld:port
...
etc etc
...
GnuTLSEnable on
GnuTLSCertificateFile /path/to/certs/vhostname.tld.crt
GnuTLSKeyFile /path/to/certs/vhostname.tld.key
# this can be changed to a wide range of options - see http://www.outoforder.cc/projects/apache/mod_gnutls$
GnuTLSPriorities NORMAL

</VirtualHost>

and then add another virtual host as the above and it works.


RE: [HowTo] Multiple SSL Certificates on a Single IP/Port using mod_gnutls - Top44 - 07-22-2010 08:56 AM

Yeah, that was one of my mistakes. Now it runs with 2 certs and domains, but there is also a little problem: when you type in the address of the second SSL domain without the "www", it uses the cert of the first SSL domain; with "www" it's okay.

Had tested it with Aliases and and and

Greets
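As an added example (not the thread's own code), a small Python model of Apache's name-based virtual host selection, run over a constructed config shaped like the howto's 02_ssl.conf. It shows why a client without SNI, or a name that matches no ServerName/ServerAlias, is handed the first vhost's certificate, which is the behaviour momo and Top44 describe above. The IP address and file paths in the sample are made up.

```python
import re

# Constructed sample shaped like the howto's 02_ssl.conf (not the thread's own
# file): the second vhost names only the "www" host, as in the last reply.
SAMPLE_CONF = """
NameVirtualHost 192.0.2.10:443
<VirtualHost 192.0.2.10:443>
ServerName domain1.tld:443
GnuTLSCertificateFile /path/to/crt/file/1
</VirtualHost>
<VirtualHost 192.0.2.10:443>
ServerName www.domain2.tld:443
GnuTLSCertificateFile /path/to/crt/file/2
</VirtualHost>
"""

def parse_vhosts(conf):
    """(names, certfile) per vhost in file order; names are the ServerName and
    ServerAlias entries, lower-cased, with any :port suffix removed."""
    vhosts = []
    for body in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf, re.S):
        names, cert = [], None
        for line in body.splitlines():
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue  # blank or comment (Apache allows comments only on their own line)
            key = parts[0].lower()
            if key == "servername":
                names.append(parts[1].split(":")[0].lower())
            elif key == "serveralias":
                names.extend(a.lower() for a in parts[1:])
            elif key == "gnutlscertificatefile":
                cert = parts[1]
        vhosts.append((names, cert))
    return vhosts

def name_matches(pattern, host):
    """ServerAlias may use shell wildcards (* and ?); ServerName is exact."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, host) is not None

def select_cert(vhosts, sni_host):
    """Return (certfile, fell_back): Apache serves the first vhost whose names
    match the SNI host; with no SNI or no match it serves the first (default)
    vhost, so a non-SNI client (IE on XP) always gets certificate 1."""
    if sni_host:
        for names, cert in vhosts:
            if any(name_matches(n, sni_host.lower()) for n in names):
                return cert, False
    return vhosts[0][1], True
```

Any host that comes back with fell_back set to True needs a ServerName or ServerAlias in the right vhost (for the case above, `ServerAlias domain2.tld` in the second one).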