
I'm trying to set up an apache-ubuntu-php webserver. My webserver will host multiple SSL sites, each SSL site will have its own IP address (unless there's a better way to do this).

So I suppose the first step is to get apache to recognize at least two different IP addresses. Right now, I have an SSL and non-SSL version of a website which are http://mysite.com and https://mysite.com. Although both are currently running on my server, I can't get both to use different IP addresses. Right now, both are using the IP 1.1.1.1. I purchased a second IP address 2.2.2.2 but the https://mysite.com won't accept it and Firefox complains with the error "ssl_error_rx_record_too_long". Here's a look at my 2 vhost files:

/etc/apache2/site-enabled/000-default

#NameVirtualHost 1.1.1.1:80

#<VirtualHost 1.1.1.1:80>
<VirtualHost *:80>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

/etc/apache2/site-enabled/mysite.com

<VirtualHost 1.1.1.1:80>
     ServerAdmin john@mysite.com
     ServerName mysite.com
     ServerAlias www.mysite.com
     DocumentRoot /srv/www/mysite.com/public_html/
     ErrorLog /srv/www/mysite.com/logs/error.log
     CustomLog /srv/www/mysite.com/logs/access.log combined
</VirtualHost>
<IfModule mod_ssl.c>
#<VirtualHost 2.2.2.2:443>
<VirtualHost *:443>
     ServerAdmin john@mysite.com
     ServerName mysite.com
     ServerAlias www.mysite.com
     DocumentRoot /srv/www/mysite.com/public_html/
     ErrorLog /srv/www/mysite.com/logs/error.log
     CustomLog /srv/www/mysite.com/logs/access.log combined

        SSLEngine on

        SSLCertificateFile    /etc/ssl/localcerts/www.mysite.com.crt
        SSLCertificateKeyFile /etc/ssl/localcerts/www.mysite.com.pem

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

        BrowserMatch ".*MSIE.*" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0

</VirtualHost>
</IfModule>

In mysite.com, if I replace <VirtualHost *:443> with <VirtualHost 2.2.2.2:443>, Firefox complains with the error "ssl_error_rx_record_too_long".

So when I try to create and enable a /etc/apache2/site-enabled/mysite2.com with another SSL certificate on a third IP address, Apache complains about an "overlap" problem.

Can someone tell me how to set up my server so that I can host multiple SSL websites on different domains? I want the SSL certificate to work for IE 7+, FF, and Safari on the popular OS such as WinXP, Vista, Win7 and OSX.

John

2 Answers


I've set this up on my servers by adjusting the /etc/apache2/ports.conf file as follows:

<IfModule mod_ssl.c>
    # The stock Debian comment ("SSL name based virtual hosts are not yet
    # supported, therefore no NameVirtualHost statement here") predates SNI
    # support in mod_ssl; one NameVirtualHost for the port is what enables
    # several <VirtualHost *:443> blocks to be selected by ServerName.
    # Declare it exactly once: a duplicate line only produces a warning.
    NameVirtualHost *:443
    Listen 443
</IfModule>

You should then be able to use it by editing /etc/apache2/sites-enabled/mysite.com (some code omitted to shorten the example):

<VirtualHost *:443>
     ServerName mysite1.com
     SSLCertificateFile    /etc/ssl/localcerts/www.mysite1.com.crt
     SSLCertificateKeyFile /etc/ssl/localcerts/www.mysite1.com.pem
</VirtualHost>

<VirtualHost *:443>
    ServerName mysite2.com
    SSLCertificateFile    /etc/ssl/localcerts/www.mysite2.com.crt
    SSLCertificateKeyFile /etc/ssl/localcerts/www.mysite2.com.pem
</VirtualHost>

For as many vhosts as you like.

Edit: NEED A SECOND OPINION? GO HERE: http://forum.slicehost.com/comments.php?DiscussionID=3244

Patrick R
  • oh, it worked...and each of the websites is using the same 1.1.1.1 IP address. So does this mean I don't need the 2.2.2.2 IP address anymore? I don't need a unique IP for each SSL domain? – John Feb 04 '10 at 22:04
  • You are not required to use a unique IP for each SSL domain. – Patrick R Feb 04 '10 at 22:35
  • Please explain why you don't need a separate IP for each domain. This goes against everything I understand about SSL... – Josh Feb 04 '10 at 23:30
  • I'm not sure what to say other than that I've used multiple wildcard certs on servers with one IP. As long as the CommonName matches the ServerName you'll be fine. Now if you're in a shared hosting environment then this may allow others to use your cert. If it worked for johnlai2004 and me... well then, what's the issue? – Patrick R Feb 04 '10 at 23:53
  • voretaq7 explained the reasoning on http://serverfault.com/questions/109800/multiple-ssl-domains-on-the-same-ip-address-and-same-port -- This is TLS, not SSL. SSL does require a 1:1 relationship between IP addresses and certificates. TLS does not. I just wasn't aware TLS could be used for HTTPS (yet) – Josh Feb 05 '10 at 00:07
  • I can show you how to use multiple IPs on the same server but you'll have to use different ports (ie 443, 442, 441, etc). Won't be as nice for your end users. – Patrick R Feb 05 '10 at 00:12
  • @josh/johnlai2004 - so will my answer/example work for you? if not I obviously didn't understand the end result you were looking for. thought you might be looking for a way to avoid multiple ip addresses. – Patrick R Feb 05 '10 at 00:15
  • Ah ok. This is all so unusual. The certificate works fine for all browsers on all OS except for IE on WinXP. It even works for IE on Win Vista. How do I get this to work for IE on WinXP? – John Feb 05 '10 at 05:15
  • In the end, I just want valid ssl certificates to work for each website when viewed through IE and FF on Windows XP and Vista and Safari on Mac OSX. – John Feb 05 '10 at 05:27
  • In that case you'll need multiple IP addresses. See Craig's answer on http://serverfault.com/questions/109800/multiple-ssl-domains-on-the-same-ip-address-and-same-port – Josh Feb 05 '10 at 05:45
  • Is the answer about TLS? Where is the fix in the code? Do you mean the `*:443` in the `VirtualHost`? – CallMeLaNN Nov 11 '11 at 04:24

I can't check currently, so this is just a wild guess: The files are usually read in alphabetical order. You might have more luck when you have them read in reverse order, e.g. rename 000-default to 500-default and use 400-myhost. I can't remember where apache likes to have the default host - first or last. But from what you say (overlap), it might be last.

Olaf
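The two points the thread turns on, the "overlaps" warning when several vhosts share an address without a NameVirtualHost (Patrick R's ports.conf fix) and the load order of sites-enabled deciding which certificate a non-SNI client such as IE on WinXP receives (Olaf's alphabetical-order note), can be checked before restarting Apache. The following audit script is an added example, not code from the question or either answer; the sample site files and the assumption that sites-enabled is read in sorted order are constructed for illustration.

```python
"""Audit Apache 2.2 sites-enabled files: which vhosts share an address:port,
whether NameVirtualHost covers it (else httpd warns "overlaps"), and which
vhost answers a client that sends no SNI (the first one loaded wins)."""
import re
from collections import defaultdict

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S)

def parse_vhosts(files):
    """files: {filename: text}. Apache reads sites-enabled alphabetically, so
    sorted() gives the load order. Comment lines such as the question's
    '#<VirtualHost 2.2.2.2:443>' are stripped so they cannot match."""
    vhosts = []
    for name in sorted(files):
        text = re.sub(r"^[ \t]*#.*$", "", files[name], flags=re.M)
        for addr, body in VHOST_RE.findall(text):
            sn = re.search(r"^\s*ServerName\s+(\S+)", body, re.M)
            vhosts.append((addr.strip(), sn.group(1) if sn else "(no ServerName)"))
    return vhosts

def audit(files, name_vhosts):
    """name_vhosts: addresses declared with NameVirtualHost, e.g. {'*:443'}.
    Returns {addr: {'names': [...], 'default': name served without SNI,
    'overlap': True if several IP-based vhosts collide on that address}}."""
    by_addr = defaultdict(list)
    for addr, name in parse_vhosts(files):
        by_addr[addr].append(name)
    return {addr: {"names": names, "default": names[0],
                   "overlap": len(names) > 1 and addr not in name_vhosts}
            for addr, names in by_addr.items()}

# Constructed sample of two sites-enabled files, modelled on the answer.
SITES = {
    "mysite1.com": """#<VirtualHost 2.2.2.2:443>
<VirtualHost *:443>
    ServerName mysite1.com
    SSLCertificateFile /etc/ssl/localcerts/www.mysite1.com.crt
</VirtualHost>""",
    "mysite2.com": """<VirtualHost *:443>
    ServerName mysite2.com
    SSLCertificateFile /etc/ssl/localcerts/www.mysite2.com.crt
</VirtualHost>""",
}

if __name__ == "__main__":
    print(audit(SITES, set()))       # overlap: True, default: mysite1.com
    print(audit(SITES, {"*:443"}))   # overlap: False; SNI selects by name
```

Whatever the NameVirtualHost setting, the "default" entry is the certificate a browser without SNI will be shown for every name on that address, which is the mismatch John saw on IE/WinXP.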