HowTo: Set Up Multiple SSL Certificates on One IP with Apache

Posted on Updated on

As the Apache Web server grows and matures, new features are added and old bugs are fixed. Perhaps one of the most important new features added to recent Apache versions (2.2.12, to be specific) is the long-awaited support for multiple SSL sites on a single IP address.

prerequisites,

  • The server, obviously, must use Apache 2.2.12 or higher.
  • It must also use OpenSSL 0.9.8f or later and must be built with the TLS extensions option.
  •  Apache must be built against this version of OpenSSL as it will enable SNI support if it detects the right version of OpenSSL — the version of OpenSSL that includes TLS extension support.( Default installation contains all these things)

Note:

SNI can only be used for serving multiple SSL sites from your web server and is not likely to work at all on other daemons, such as mail servers, etc. There are also a small percentage of older web browsers that may still give certificate errors. Wikipedia has an updated list of software that does and does not support this TLS extension.

Here am using wild card SSL for hosting two sub-domain in single server, similearly we can also use different ssl for different domain with the same IP.

Follow the basic installation of apache

Redhat :

[root@ip-10-132-82-251 ~]# yum install httpd openssl openssl-devel mod_ssl

Ubuntu:

apt-get install apache2 openssl mod_ssl

Get the the certificate from the authority or use self singed SSL, Verify you have enabled SSL module in the existing apache installation

[root@ip-10-132-82-251 ~]# httpd -M  |grep ssl

Add the following lines in the apace main configuration file httpd.conf

[root@ip-10-132-82-251 ~]#  vi /etc/httpd/conf/httpd.conf 
###FOR SSL
NameVirtualHost *:443
<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    Listen 443
</IfModule>
<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

Create the Virtual Hosts

Once you downloaded all required files for SSL, proceed to creating Vhost.

Here is the Vhost entry that I used

[root@ip-10-132-82-251 ~]# vi /etc/httpd/conf.d/domain1-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName domain1.mydomain.com
        DocumentRoot "/opt/web-home/domain1/public_html"
        <Directory />
                Options FollowSymLinks
                AllowOverride all
        </Directory>
        <Directory /opt/web-home/domain1/public_html>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride all
                Order allow,deny
                allow from all
        </Directory>
        ScriptAlias /cgi-bin/ /opt/web-home/domain1/public_html/cgi-bin/
        <Directory "/opt/web-home/domain1/public_html/cgi-bin/">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/ssl/certs/planetcure.in.crt
SSLCertificateKeyFile /etc/ssl/certs/planetcure.in.key
SSLCertificateChainFile /etc/ssl/certs/planetcure.in.csr
SSLCACertificateFile /etc/ssl/certs/planetcure.in.ca
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
</IfModule>
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

You can also create more Vhost files using this entry. By changing the domain name and the SSL path.

Now restart the apache

[root@ip-10-132-82-251 ~]# service httpd restart

To verify the list of enabled vhost, use the below command

[root@ip-10-132-82-251 ~]# apachectl -S
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443                  is a NameVirtualHost
         default server domain1.planetcure.in (/etc/httpd/conf.d/domain1-ssl.conf:2)
         port 443 namevhost domain1.planetcure.in (/etc/httpd/conf.d/domain1-ssl.conf:2)
         port 443 namevhost domain2.planetcure.in (/etc/httpd/conf.d/domain2-ssl.conf:2)
Syntax OK

Phew, these domains having their own SSL with single IP 🙂

Advertisements

2 thoughts on “HowTo: Set Up Multiple SSL Certificates on One IP with Apache

    Susan said:
    June 13, 2014 at 3:59 pm

    hi,

    thanks for your great article. I managed to install ssl and apache using your guide but I was unable to figure out how you enabled SSL for multiple domains using one IP? I have been reading over and over and was unable to manage to get it working.

    I then found this article http://www.rosehosting.com/blog/how-to-set-up-multiple-ssl-certificates-on-a-centos-vps-with-apache-using-one-ip-address/ and it worked on my centos server.

    the thing now is, how can I redirect specific url, for example http://mydomain.com/store to https://mydomain.com/store ? could you help please?

    thanks

      Anand babu responded:
      June 13, 2014 at 4:07 pm

      Hi susan,

      It can be acheive by two ways. either using rewrite module or apache directive. I suggest rewrite module because it support directory or file exclusion if it is necessary .

      First make sure you enabled rewrite module, then use the below rules in htaccess or alonge Vhost

      RewriteEngine On
      RewriteCond %{HTTPS} off
      RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

      Thanks,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s