2

I have around 10 sites in Apache 2. These are all separate sites - not subdomains. I have SSL certs for two of them and I would like to set up the SSL for both of them and not force my non-ssl sites to use either cert.

The problem I am experiencing is that I am not able to have both certs active, it always seems to default to the first one, regardless of which site I go to.

I've been reading about this, and it looks like while my server might support SSI, Windows XP does not support it, so that will not be a viable option. Also, I looked briefly into mod_gnutils, but I can't guarantee that that will do what I want, and I am also not really comfortable making all of the necessary installation/configuration changes to make that work if I don't absolutely have to.

Any direction provided to me regarding this would be greatly appreciated!

Here are the two 443 virtual hosts. I've tried referencing the virtual hosts as you see below, as well as other variations such as simply '' and ''. I also played with the NameVirtualHost references, but still to no avail.

    Listen 443
    NameVirtualHost www.site1.com:443
    NameVirtualHost www.site2.com:443

    <VirtualHost www.site1.com:443>
        DocumentRoot /var/www/site1/
        ServerName www.site1.com:443
        #SSL
        SSLEngine on
        SSLCertificateFile /path/to/ssl/site1.com.crt
        SSLCertificateKeyFile /path/to/ssl/site1.key
        SSLCertificateChainFile /path/to/ssl/bundle1.crt
    </VirtualHost>

    <VirtualHost www.site2.com:443>
        DocumentRoot /var/www/site2/
        ServerName www.site2.com:443
        #SSL
        SSLEngine on
        SSLCertificateFile /path/to/ssl/site2.com.crt
        SSLCertificateKeyFile /path/to/ssl/sit2.key
        SSLCertificateChainFile /path/to/ssl/bundle2.crt
    </VirtualHost>
1
  • SSL doesn't play nice with name-based virtual hosting. Sorry. Commented Oct 26, 2011 at 21:14

2 Answers

2

The short answer is that you either need to get additional IP addresses, or get a certificate that has multiple names in the certificate (SAN or wildcard).

SNI really isn't feasible if you have a site that you want to serve on the Internet. There really just aren't enough browsers that support it yet.

1
  • With SAN, don't all the referenced sites have to have the same domain, like a.site.com and b.site.com, as opposed to site1.com and site2.com? Are there any downsides or quirks to using a SAN cert if I were to explore that option? Any good documentation on this that you are aware of? Commented Oct 26, 2011 at 20:34
1

Without using SNI, you cannot have multiple SSL certificates associated with a single IP address/port combination.

The only solution for you is to use either

  • multiple IP addresses, each listening on port 443. Multiple IPs might mean increased cost, depending on who you're hosting with, or
  • 1 IP address, each with a different port. The down side with this is that your clients will need to specify the port in the URL, which is a bit sucky.

A normal HTTP request starts like this:

  1. Browser resolves name (www.example.com) to IP (10.0.0.1)
  2. Browser establishes a TCP connection to 10.0.0.1, port 80
  3. Browser sends HTTP request part of which includes the "Host:" header, which will be "www.example.com" in this case.
  4. Apache uses the host header and matches it to a name-based virtual host, and serves whatever is there.

On the other hand an HTTPS (i.e. HTTP over SSL) request starts like this:

  1. Browser resolves name (www.example.com) to IP (10.0.0.1)
  2. Browser establishes a TCP connection to 10.0.0.1, port 443
  3. Browser negotiates SSL encryption with server. The name of the site (www.example.com) is specified in the certificate, so at this stage it has to match the SSL or else the browser throws a warning that something is wrong with the SSL connection.
  4. Browser sends HTTP request, etc.

The reason why you cannot have different certificates associated with 10.0.0.1:443 is because Apache would have no way of knowing which to use for any given incoming connection.
