multiple ssl certificates (one for each domain)
soomon Offline
Junior Member
*

Posts: 37
Joined: May 2007
Reputation: 0
Post: #1
multiple ssl certificates (one for each domain)
hi there,

i found this nice site giving ssl certificates 4 free, which are accepted by every browser:
https://www.startssl.com/

so i created my first certificate and used a new configuration file (ssl_domain1.de.conf) with:
Code:
NameVirtualHost domain1.de:443

<VirtualHost domain1.de1:443>
#
# SSL Start
#

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/ssl_domain1.de.crt
SSLCertificateKeyFile /etc/apache2/ssl/ssl_domain1.de.key
SSLCertificateChainFile /etc/apache2/ssl/startcomsub.class1.server.ca.crt
SSLCACertificateFile /etc/apache2/ssl/startcomca.crt
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

#
# SSL End
#

and added everything from the normal config file of that domain
and everything went great (which means the certificate was working ;) )

then i created the certificate for the second domain (domain2) and did use exactly the same schema for the config file, reloaded apache and:
NameVirtualHost domain1.de:443 has no VirtualHosts

then the certificate for the second domain worked on the second domain, but when i tried to access the first one with ssl i got the certificate of the second domain o_0

i was not sure where my mistake was and tried it with the third domain. but the result was the same, now i got the apache error message about virtual hosts with domain 1&2, but domain 3 was working and domain 1&2 showed the ssl certificate of domain 3.

where's my mistake?
what do i have to do?

thanks & greets,
soomon
03-14-2009 02:29 AM
ephigenie Offline
Project Leader
*******
Administrators

Posts: 1,578
Joined: Oct 2006
Reputation: 15
Post: #2
RE: multiple ssl certificates (one for each domain)
You need to have one IP address per certificate, since NameBasedVirtualHosting functions on the fact that the browser sends the target domain name in the first HTTP request.
With SSL, there must be an SSL handshake FIRST.

This means your browser sends a generic connection request at port 443 to the IP of your server and tries key exchange (to exchange certificate information and to agree on encryption algorithm and encryption depth). At this stage the certificate must be validated before any other transfer continues.
This means that there's no way to send the "first http request" to an SSL-secured webserver so that this server knows which domain you want.

That's why you get the second cert on the domain of the first cert. Just because there can only be one active.
03-15-2009 10:10 AM
soomon Offline
Junior Member
*

Posts: 37
Joined: May 2007
Reputation: 0
Post: #3
RE: multiple ssl certificates (one for each domain)
ok that's bad :/

is there any way to get around this?
i mean there are lots of sites out there with ssl, and i guess they don't have their own ip (at least not all of them.. or is it really that way?)

any help is greatly appreciated :)

thanks & greets,
soomon
03-15-2009 10:21 AM
rbtux Offline
Moderator
*****
Moderators

Posts: 1,847
Joined: Feb 2007
Reputation: 33
Post: #4
RE: multiple ssl certificates (one for each domain)
(03-15-2009 10:21 AM)soomon Wrote:  i mean there are lots of sites out there with ssl, and i guess they don't have their own ip (at least not all of them.. or is it really that way?)

well that is how it is done today...

However you may want to take a look into mod_gnutls... It's possible to do NameBasedVirtualHosting using a single IP and Multiple Certificates... I don't know about client support though
03-15-2009 11:35 AM
ephigenie Offline
Project Leader
*******
Administrators

Posts: 1,578
Joined: Oct 2006
Reputation: 15
Post: #5
RE: multiple ssl certificates (one for each domain)
hm look here :

looks promising :
http://www.g-loaded.eu/2007/08/10/ssl-en...od_gnutls/
03-15-2009 10:30 PM
soomon Offline
Junior Member
*

Posts: 37
Joined: May 2007
Reputation: 0
Post: #6
RE: multiple ssl certificates (one for each domain)
nice i will have a look thanks!
03-19-2009 03:50 PM
Murodese Offline
Newbie
*

Posts: 7
Joined: May 2008
Reputation: 0
Post: #7
RE: multiple ssl certificates (one for each domain)
gnutls is not supported by ie7+windows xp, which is a significant chunk of the market
03-20-2009 03:45 AM
soomon Offline
Junior Member
*

Posts: 37
Joined: May 2007
Reputation: 0
Post: #8
RE: multiple ssl certificates (one for each domain)
that's because IE under xp does not support SNI.
doesn't seem to be a gnu-tls problem, just microsoft doesn't want to support it or too lazy to implement it.
(This post was last modified: 03-20-2009 04:15 PM by soomon.)
03-20-2009 04:44 AM