[Home] [Blog] [Contact] - [Talks] [Bio] [Customers]
twitter linkedin youtube github rss

Patrick Debois

SSL Virtual Namebased Hosts with Apache 2.x

Apache provides a way of hosting multiple sites on one instance.
To make the difference between lets say www.domain1.org and www.domain2.org you can make:
  • the distinction either based upon the ip-address use to connect to the webserver: apache will have a config part that maps one IP to a specific domain name and documents directory.
  • or use name based virtual hosting: based upon the name used in the request (actually the Host: in the HTTP/1.1 protocol)  , it can make the difference between the two domains.

While this works well for HTTP, there is an Issue with HTTP/S: Before the browser actually requests the page, it first has to negotiate the certificate. So this is a chicken-egg problem. It can not send out the correct certificate before he knows the name, and he can not send the name before the SSL handshake.
As the Apache 2.x documentation puts it:
Name-Based Virtual Hosting is a very popular method of identifying different virtual hosts. It allows you to use the same IP address and the same port number for many different sites. When people move on to SSL, it seems natural to assume that the same method can be used to have lots of different SSL virtual hosts on the same server. It comes as rather a shock to learn that it is impossible.
This impossible depends on what you require....
Getting Apache started on Virtual SSL Hosts The trick is to configure Apache similar to a HTTP Virtual Host but making it listen on *:443 , the standard SSL port.   NameVirtualHost *:443
ServerName www.domain1.com SSLEngine on SSLCertificateFile /path/to/www.domain1.com.cert SSLCertificateKeyFile /path/to/www.domain1.com.key
DocumentRoot /www/vhosts/domain1.com ServerName www.domain2.com SSLEngine on SSLCertificateFile /path/to/www.domain2.com.cert SSLCertificateKeyFile /path/to/www.domain2.com.key DocumentRoot /www/vhosts/domain2.com  
Apache actually will spit out a warning:
[warn] Init: You should not use name-based virtual hosts in conjunction with SSL!!
As you can see the certificate there are multiple certificates specified. But actually Apache will use the first one Only, no matter what you specify. This is further described in detail in http://www.onlamp.com/pub/a/apache/2005/02/17/apacheckbk.html
Note: If you fix the IP address of one of the SSL virtual hosts, it will not work anymore.
Fixing the certificates errors: So if we can only specify one SSL certificate, how do we get the multiple names in it? The recipe depends on what kind of names
site.domain.com and site2.domain.com This kind of certificate would require a wildcard certificate. You can get wildcard certificates (*.domain.com) from your Certificate Provider. They will often charge you extra for this. Also this might be dangerous too, having all names under one certificate. So take care! http://www.cb1inc.com/2008/09/11/virtual-hosts-and-wildcard-ssl-certificates-with-apache-2.2 site.domain1.com and site.domain2.com (one owner) Certificates allow you to specify multiple names in your certificates by using the subjectAlternativeName. The creation process is explained http://therowes.net/~greg/2008/01/08/creating-a-certificate-with-multiple-hostnames/ site.domain1.com and site domain2.com (different owners) The problem is actually a result of the implementation of Apache standard SSL module. Fixes exist as  patches or other modules f.i.  the mod_gnutls module. (  http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/ )