[HowTo] Multiple SSL Certificates on a Single IP/Port using mod_gnutls
Murodese
Post: #1
[HowTo] Multiple SSL Certificates on a Single IP/Port using mod_gnutls
So I was looking for a solution to the annoying single cert per ip/port and found mod_gnutls - it's been in development for quite a while, but has skimmed under the radar from what I can see.

Basically, it supports SNI - server name indication, which means that it doesn't suffer from the single cert limitation. Not only that, it's pretty easy to install (in etch/lenny at least). If your distro doesn't have it in repositories, you can grab and compile it from source at http://www.outoforder.cc/projects/apache/mod_gnutls/

Code:
apt-get install libapache2-mod-gnutls
# this should happen automatically from apt but do it anyway to make sure
a2dismod ssl
a2enmod gnutls

Edit /etc/apache2/ports.conf and add the following line.

Code:
Listen 443

Create/open /etc/apache2/sites-available/02_ssl.conf and write up your virtual hosts.

(x.x.x.x being your server ip)

Code:
NameVirtualHost x.x.x.x:443

<VirtualHost x.x.x.x:443>

ServerName domain1.tld:443

GnuTLSEnable on
GnuTLSCertificateFile /path/to/crt/file/1
GnuTLSKeyFile /path/to/key/file/1
# this can be changed to a wide range of options - see http://www.outoforder.cc/projects/apache/mod_gnutls/docs/#GnuTLSPriorities
GnuTLSPriorities NORMAL

DocumentRoot /var/www/virtual/domain1.tld/htdocs

# (other apache directives)

</VirtualHost>


<VirtualHost x.x.x.x:443>

ServerName domain2.tld:443

GnuTLSEnable on
GnuTLSCertificateFile /path/to/crt/file/2
GnuTLSKeyFile /path/to/key/file/2
# this can be changed to a wide range of options - see http://www.outoforder.cc/projects/apache/mod_gnutls/docs/#GnuTLSPriorities
GnuTLSPriorities NORMAL

DocumentRoot /var/www/virtual/domain2.tld/htdocs

# (other apache directives)

</VirtualHost>

Where I've marked other apache directives, you need to add config directives from the standard ispcp.conf file - suexec parameters and the like, or php won't work.

Enable the site (a2ensite 02_ssl.conf) and restart Apache (/etc/init.d/apache2 restart) and you should have two separate domains hosted off the same server using different ssl certificates ;]

(I haven't tested this extensively so let me know if anything major is broken - it appears to work ok on our server)

I also didn't cover making your ssl certificates - there's a tonne of tutorials out there already for this.

Enjoy!
(This post was last modified: 10-14-2008 02:31 PM by Murodese.)
10-14-2008 02:07 PM
rethus
Post: #2
RE: [HowTo] Multiple SSL Certificates on a Single IP/Port using mod_gnutls
Thanks for this howto, I have added it to the wiki for you: http://isp-control.net/documentation/how...mod_gnutls
06-09-2010 10:41 PM
slowjack2k
Post: #3
RE: [HowTo] Multiple SSL Certificates on a Single IP/Port using mod_gnutls
It's a good HowTo. I want to add that not every browser supports SNI (for instance IE on Windows XP). Does mod_gnutls support more than mod_ssl? You can test your browser here.
PS: I found this hint to test a client and redirect clients without SNI support

RewriteEngine On
# first condition: the client sent no SNI name in the TLS handshake
RewriteCond %{SSL:SSL_TLS_SNI} =""
# second condition: not already on the info host, otherwise the rule would loop
RewriteCond %{HTTP:Host} !=alice.example.com
RewriteRule .* https://alice.example.com/sni-info.html [L]
(This post was last modified: 07-18-2010 01:41 AM by slowjack2k.)
07-18-2010 01:32 AM
momo
Post: #4
RE: [HowTo] Multiple SSL Certificates on a Single IP/Port using mod_gnutls
Thanks.

The 1st certificate you put in the 02_ssl.conf will behave correctly on XP.
The 2nd, 3rd, etc. will display an untrusted alert.
07-18-2010 11:33 AM
Top44
Post: #5
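To verify the setup from post #1 (does each name get its own certificate?) and to see what a client without SNI receives (the case discussed in posts #3 and #4), here is an added Python checker that is not part of this thread or of mod_gnutls. It assumes you supply the server IP, port and names yourself and that the served chain validates against the system CA store or a cafile you pass (needed for self-signed certs); passing None as the name omits the SNI extension, which is what a pre-SNI client does.

```python
import socket
import ssl

def _name_matches(pattern, hostname):
    """Match one certificate dNSName against a hostname.  A single leading
    '*.' wildcard covers exactly one label (RFC 6125 style); comparison is
    case-insensitive and ignores a trailing dot."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    labels = hostname.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]

def cert_names(cert):
    """DNS names a getpeercert() dict is valid for: SAN dNSName entries,
    falling back to the subject CN only when the cert has no SAN at all."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def cert_matches(cert, hostname):
    """True if the served certificate covers the requested hostname."""
    return any(_name_matches(n, hostname) for n in cert_names(cert))

def fetch_cert(ip, port, sni_name, cafile=None):
    """Handshake with ip:port sending server_name = sni_name (None sends no
    SNI extension) and return the parsed leaf certificate.  The chain must
    validate (system CA store, or the cafile you pass for a self-signed
    setup); the hostname check is done separately by cert_matches()."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni_name) as tls:
            return tls.getpeercert()

def check_vhost(ip, port, hostname, cafile=None):
    """Return (ok, names): does the cert served for SNI=hostname cover it?"""
    cert = fetch_cert(ip, port, hostname, cafile)
    return cert_matches(cert, hostname), cert_names(cert)

if __name__ == "__main__":
    import sys  # usage: python sni_check.py SERVER_IP NAME [NAME ...]
    ip, names = sys.argv[1], sys.argv[2:]
    for n in names:  # e.g. domain1.tld domain2.tld www.domain2.tld
        print(n, check_vhost(ip, 443, n))
    print("no SNI ->", cert_names(fetch_cert(ip, 443, None)))
```

A False result for a name whose certificate is present in another vhost is the symptom from later in the thread (the first vhost's cert being served), so compare the returned names against the ServerName of every vhost.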
RE: [HowTo] Multiple SSL Certificates on a Single IP/Port using mod_gnutls
As far as I understand, you need an OS higher than XP.

On which pages did you set up multiple certs? Would be nice to test this.

greets
07-19-2010 08:13 AM
slowjack2k
Post: #6
RE: [HowTo] Multiple SSL Certificates on a Single IP/Port using mod_gnutls
(07-19-2010 08:13 AM)Top44 Wrote:  As I think I understand you need a OS higher than XP.

It isn't an XP issue. Firefox 3.6.6 can do SNI even on XP.

As I said, you can test it here: https://sni.velox.ch/

Regards
(This post was last modified: 07-20-2010 01:46 AM by slowjack2k.)
07-20-2010 01:46 AM
Top44
Post: #7
RE: [HowTo] Multiple SSL Certificates on a Single IP/Port using mod_gnutls
Yeah, you're right, just re-read it.

I'm on the way to test this on 2 domains with official certs, but it didn't work yet: domain2 uses the cert of domain1.

greets
07-20-2010 03:38 AM
slowjack2k
Post: #8
RE: [HowTo] Multiple SSL Certificates on a Single IP/Port using mod_gnutls
Without a piece of source code it's not easy to say what's wrong. I think it would be easier to explain in the German corner.
07-20-2010 03:57 AM
allrob
Post: #9
RE: [HowTo] Multiple SSL Certificates on a Single IP/Port using mod_gnutls
Isn't there a small mistake in the guide?
When declaring a virtual host, don't you need an IP address and port? Maybe that's why some peeps can't get it to work / get strange results, like the certificate error?

NameVirtualHost ip.ad.dr.ess:port

# <<<<<<<<<<<<<<<< address and port go on the VirtualHost line too
<VirtualHost ip.ad.dr.ess:port>
ServerName vhostname.tld:port
# ...
# etc etc
# ...
GnuTLSEnable on
GnuTLSCertificateFile /path/to/certs/vhostname.tld.crt
GnuTLSKeyFile /path/to/certs/vhostname.tld.key
# this can be changed to a wide range of options - see http://www.outoforder.cc/projects/apache/mod_gnutls$
GnuTLSPriorities NORMAL

</VirtualHost>

and then add another virtual host as the above and it works.
07-22-2010 06:32 AM
Top44
Post: #10
RE: [HowTo] Multiple SSL Certificates on a Single IP/Port using mod_gnutls
Yeah, that was one of my mistakes, now it runs with 2 certs and domains, but there is also a little prob: when you type in the address of the second SSL domain without the "www" it uses the cert of the first SSL domain, with "www" it's okay.

Had tested it with Aliases and and and

Greets
07-22-2010 08:56 AM