ispCP - Board - Support
multiple ssl certificates (one for each domain) - Printable Version

+- ispCP - Board - Support (http://www.isp-control.net/forum)
+-- Forum: ispCP Omega Support Area (/forum-30.html)
+--- Forum: System Setup & Installation (/forum-32.html)
+--- Thread: multiple ssl certificates (one for each domain) (/thread-6056.html)



multiple ssl certificates (one for each domain) - soomon - 03-14-2009 02:29 AM

hi there,

I found this nice site giving SSL certificates for free, which are accepted by every browser:
https://www.startssl.com/

so I created my first certificate and used a new configuration file (ssl_domain1.de.conf) with:
Code:
NameVirtualHost domain1.de:443

<VirtualHost domain1.de:443>
# name-based vhost: ServerName must match the NameVirtualHost address above
ServerName domain1.de
#
# SSL Start
#

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/ssl_domain1.de.crt
SSLCertificateKeyFile /etc/apache2/ssl/ssl_domain1.de.key
# StartCom intermediate (chain) and root CA certificates
SSLCertificateChainFile /etc/apache2/ssl/startcomsub.class1.server.ca.crt
SSLCACertificateFile /etc/apache2/ssl/startcomca.crt
# work around old MSIE SSL shutdown bugs
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

#
# SSL End
#

# ... the rest of the domain's normal configuration goes here ...
</VirtualHost>

and added everything from the normal config file of that domain,
and everything went great (which means the certificate was working ;) )

then I created the certificate for the second domain (domain2) and used exactly the same schema for the config file, reloaded Apache and got:
NameVirtualHost domain1.de:443 has no VirtualHosts

then the certificate for the second domain worked on the second domain, but when I tried to access the first one with SSL I got the certificate of the second domain o_0

I was not sure where my mistake was and tried it with a third domain, but the result was the same: now I got the Apache error message about virtual hosts for domains 1 & 2, but domain 3 was working and domains 1 & 2 showed the SSL certificate of domain 3.

where's my mistake?
what do I have to do?

thanks & greets,
soomon


RE: multiple ssl certificates (one for each domain) - ephigenie - 03-15-2009 10:10 AM

You need to have one IP address per certificate, since name-based virtual hosting relies on the fact that the browser sends the target domain name in the first HTTP request.
With SSL, there must be an SSL handshake FIRST.

This means your browser sends a generic connection request on port 443 to the IP of your server and tries a key exchange (to exchange certificate information and to agree on an encryption algorithm and encryption strength); at this stage the certificate must be validated before any other transfer continues.
This means there's no way to send the "first HTTP request" to an SSL-secured webserver so that the server knows which domain you want.

That's why you get the second cert on the domain of the first cert: there can only be one active.


RE: multiple ssl certificates (one for each domain) - soomon - 03-15-2009 10:21 AM

ok, that's bad :/

is there any way to get around this?
I mean there are lots of sites out there with SSL, and I guess they don't have their own IP (at least not all of them... or is it really that way?)

any help is greatly appreciated :)

thanks & greets,
soomon


RE: multiple ssl certificates (one for each domain) - rbtux - 03-15-2009 11:35 AM

(03-15-2009 10:21 AM)soomon Wrote:  I mean there are lots of sites out there with SSL, and I guess they don't have their own IP (at least not all of them... or is it really that way?)

well, that is how it is done today...

However, you may want to take a look at mod_gnutls... It's possible to do name-based virtual hosting using a single IP and multiple certificates... I don't know about client support though.


RE: multiple ssl certificates (one for each domain) - ephigenie - 03-15-2009 10:30 PM

hm, look here:

looks promising:
http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/


RE: multiple ssl certificates (one for each domain) - soomon - 03-19-2009 03:50 PM

nice, I will have a look, thanks!


RE: multiple ssl certificates (one for each domain) - Murodese - 03-20-2009 03:45 AM

GnuTLS is not supported by IE7 + Windows XP, which is a significant chunk of the market


RE: multiple ssl certificates (one for each domain) - soomon - 03-20-2009 04:44 AM

that's because IE under XP does not support SNI.
It doesn't seem to be a GnuTLS problem; Microsoft just doesn't want to support it or is too lazy to implement it.
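Added example (not from this thread, from ispCP, or from mod_gnutls): the point ephigenie makes about the handshake happening before any HTTP request, and the SNI remarks in the last two posts, shown in code. The script builds a minimal TLS 1.2 ClientHello with and without the server_name (SNI) extension, parses it the way a server sees it at handshake time, and picks a certificate for the single IP address. The vhost-to-certificate table, the default vhost, and the ClientHello contents are constructed for the example; the certificate paths follow the naming used in the first post but are assumptions, not files that exist anywhere.

```python
import struct

# Constructed table standing in for the two <VirtualHost *:443> blocks in the
# thread. One IP, one port, several certificates: before any HTTP request (and
# its Host header) arrives, the only hostname hint the server can have is the
# TLS server_name extension in the ClientHello.
VHOST_CERTS = {
    "domain1.de": "/etc/apache2/ssl/ssl_domain1.de.crt",   # assumed path
    "domain2.de": "/etc/apache2/ssl/ssl_domain2.de.crt",   # assumed path
}
DEFAULT_VHOST = "domain2.de"   # assumption: the vhost Apache happened to load last


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record (RFC 5246), optionally carrying
    the server_name extension (RFC 6066). Only the fields needed here are filled;
    the random bytes are zeros, so this is a constructed message, not a real one."""
    client_version = b"\x03\x03"
    random = bytes(32)
    session_id = b"\x00"                          # zero-length session id
    cipher_suites = b"\x00\x02" + b"\xc0\x2f"     # one suite (ECDHE-RSA-AES128-GCM-SHA256)
    compression = b"\x01\x00"                     # null compression only
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        # ServerNameList with one entry of NameType host_name (0)
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni_data = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(sni_data)) + sni_data
    body = client_version + random + session_id + cipher_suites + compression
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    # Handshake header: type 1 (client_hello) + 24-bit length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 22 (handshake), version 3.1, 16-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record):
    """Return the host_name from a ClientHello's server_name extension, or None
    when the client sent no SNI (as IE on Windows XP does)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                # handshake header, version, random
    sid_len = hs[p]; p += 1 + sid_len
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2 + cs_len
    comp_len = hs[p]; p += 1 + comp_len
    if p >= len(hs):
        return None                               # no extensions block at all
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    end = p + ext_len
    while p + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", hs[p:p + 4]); p += 4
        data = hs[p:p + ext_size]; p += ext_size
        if ext_type == 0x0000:                    # server_name
            list_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                name = data[q + 3:q + 3 + name_len]
                q += 3 + name_len
                if name_type == 0:
                    return name.decode("idna")
    return None


def select_certificate(record):
    """What the server can do at handshake time: choose the vhost named by SNI,
    otherwise fall back to the default vhost and hand out its certificate,
    which is exactly the wrong-certificate symptom described in the thread."""
    host = parse_sni(record)
    if host in VHOST_CERTS:
        return host, VHOST_CERTS[host]
    return DEFAULT_VHOST, VHOST_CERTS[DEFAULT_VHOST]


if __name__ == "__main__":
    for name in ("domain1.de", "domain2.de", None):
        print(name, "->", select_certificate(build_client_hello(name)))
```

A client that sends SNI gets the certificate of the vhost it asked for; a client that sends none (the IE-on-XP case from the last posts) is served whatever vhost the server treats as the default, so the first domain shows the last-loaded domain's certificate just as soomon observed. Supporting several certificates on one IP therefore needs a server that reads this extension (mod_gnutls in the thread) and clients that send it.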