10

I'm trying to set up an apache-ubuntu-php webserver. My webserver will host multiple SSL sites, each SSL site will have it's own IP address (unless there's a better way to do this).

So I suppose the first step is to get apache to recognize at least two different IP addresses. Right now, I have an SSL and non-SSL version of a website which are http://mysite.com and https://mysite.com. Although both are currently running on my server, I can't get both to use different IP addresses. Right now, both are using the IP 1.1.1.1. I purchased a second IP address 2.2.2.2 but the https://mysite.com won't accept it and firefox complains with the error "ssl_error_rx_record_too_long". Here's a look at my 2 vhost files

/etc/apache2/site-enabled/000-default

#NameVirtualHost 1.1.1.1:80 #<VirtualHost 1.1.1.1:80> <VirtualHost *:80> ServerAdmin webmaster@localhost DocumentRoot /var/www <Directory /> Options FollowSymLinks AllowOverride None </Directory> <Directory /var/www/> Options Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from all </Directory> ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ <Directory "/usr/lib/cgi-bin"> AllowOverride None Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all </Directory> ErrorLog /var/log/apache2/error.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. LogLevel warn CustomLog /var/log/apache2/access.log combined Alias /doc/ "/usr/share/doc/" <Directory "/usr/share/doc/"> Options Indexes MultiViews FollowSymLinks AllowOverride None Order deny,allow Deny from all Allow from 127.0.0.0/255.0.0.0 ::1/128 </Directory> </VirtualHost>

/etc/apache2/site-enabled/mysite.com

<VirtualHost 1.1.1.1:80> ServerAdmin [email protected] ServerName mysite.com ServerAlias www.mysite.com DocumentRoot /srv/www/mysite.com/public_html/ ErrorLog /srv/www/mysite.com/logs/error.log CustomLog /srv/www/mysite.com/logs/access.log combined </VirtualHost> <IfModule mod_ssl.c> #<VirtualHost 2.2.2.2:443> <VirtualHost *:443> ServerAdmin [email protected] ServerName mysite.com ServerAlias www.mysite.com DocumentRoot /srv/www/mysite.com/public_html/ ErrorLog /srv/www/mysite.com/logs/error.log CustomLog /srv/www/mysite.com/logs/access.log combined SSLEngine on SSLCertificateFile /etc/ssl/localcerts/www.mysite.com.crt SSLCertificateKeyFile /etc/ssl/localcerts/www.mysite.com.pem <FilesMatch "\.(cgi|shtml|phtml|php)$"> SSLOptions +StdEnvVars </FilesMatch> <Directory /usr/lib/cgi-bin> SSLOptions +StdEnvVars </Directory> BrowserMatch ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 </VirtualHost> </IfModule>

In mysite.com, if I replace <VirtualHost *:443> with <VirtualHost 2.2.2.2:443>, Firefox complains with the error "ssl_error_rx_record_too_long".

So when I try to create and enable a /etc/apache2/site-enabled/mysite2.com with another SSL certificate on a third IP address, Apache complains about an "overlap" problem.

Can someone tell me how to get up my server so that I can host multiple SSL websites on different domains? I want the SSL certificate to work for IE 7+, FF, and Safari on the popular OS such as WinXP, Vista, Win7 and OSX.

Improve this question

2 Answers 2

Reset to default
6

I've set this on on my servers by adjusting the /etc/apache2/ports.conf file as follows:

<IfModule mod_ssl.c> NameVirtualHost *:443 # SSL name based virtual hosts are not yet supported, therefore no # NameVirtualHost statement here NameVirtualHost *:443 Listen 443 </IfModule>

You should then be able to use by editing /etc/apache2/sites-enabled/mysite.com (some code omitted to shorten the example):

<VirtualHost *:443> ServerName mysite1.com SSLCertificateFile /etc/ssl/localcerts/www.mysite1.com.crt SSLCertificateKeyFile /etc/ssl/localcerts/www.mysite1.com.pem </VirtualHost> <VirtualHost *:443> ServerName mysite2.com SSLCertificateFile /etc/ssl/localcerts/www.mysite2.com.crt SSLCertificateKeyFile /etc/ssl/localcerts/www.mysite2.com.pem </VirtualHost>

For as many vhosts as you like.

Edit: NEED A SECOND OPINION? GO HERE: http://forum.slicehost.com/comments.php?DiscussionID=3244

Improve this answer
11
  • oh, it worked...and each of the websites is using the same 1.1.1.1 IP address. So does this mean I don't need the 2.2.2.2 IP address anymore? I don't need a unique IP for each SSL domain? Commented Feb 4, 2010 at 22:04
  • You are not required to use a unique IP for each SSL domain. Commented Feb 4, 2010 at 22:35
  • Please explain why you don't need a separate IP for each domain. This goes against everything I understand about SSL... Commented Feb 4, 2010 at 23:30
  • I'm not sure what to say other than that I've used multiple wildcards certs on servers with one IP. As long as the CommonName matches the ServerName you'll be fine. Now if you're in a shared hosting environment then this may allow others to use your cert. If it worked for johnlai2004 and me... well then, what's the issue? Commented Feb 4, 2010 at 23:53
  • voretaq7 explained the reasoning on serverfault.com/questions/109800/… -- This is TSL, not SSL. SSL does require a 1:1 relationship between IP addresses and certificates. TLS does not. I just wasn't aware TLS could be used for HTTPS (yet) Commented Feb 5, 2010 at 0:07
0

I can't check currently, so this is just a wild guess: The files are usually read in alphabetical order. You might have more luck when you have them read in reverse order, e.g. rename 000-default to 500-default and use 400-myhost. I can't remember where apache likes to have the default host - first or last. But from what you say (overlap), it might be last

Improve this answer
1
  • You can see what it will use with apachectl -t -D DUMP_VHOSTS. The order is first to last. Commented Aug 16, 2013 at 8:32

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.