
Here is the scenario:

  • I have a CentOS server with multiple IP addresses associated with it
  • The primary domain name is example.com with IP address x.x.x.1
  • I tell my client to point his CNAME to my main address.
  • He does it, so clientdomain.com -> example.com
  • Now I need to install a secure certificate for clientdomain.com on my server. But since there can be only one certificate per IP address, I will have to install it on x.x.x.2

Question:

How can I point clientdomain.com to x.x.x.2? When I do a lookup it shows that clientdomain.com is pointing to x.x.x.1.

The reason I don't want to go the easiest route of saying "hey client, instead of a CNAME to example.com please add an A record to x.x.x.2" is that then for every new client I get I'll have to see what IP address I have free and tell him to point his A record to it. Plus I'd like the flexibility of moving a client from IP address x.x.x.2 to IP address x.x.x.3 without getting the client involved.

Any pointers would be appreciated!

so1o
  • possible duplicate of [SSL certificate selection based on host-header: is it possible?](http://serverfault.com/questions/126072/ssl-certificate-selection-based-on-host-header-is-it-possible) – Shane Madden May 07 '11 at 05:46
  • @Shane I don't think this is a duplicate at all. This question has a solution involving a different DNS config. The other question is more specific less fixable. – Caleb May 07 '11 at 13:30

4 Answers

1

Currently, the only way is to add an A record to a separate IP. The IP is the only way for the webserver to realize which certificate to use (ok, there are extensions, but they're not supported by many browsers).

You could somehow simplify it by creating client123.yourdomain.com A records and asking clients to make clientdomain.com a CNAME to client123.yourdomain.com, but client123.yourdomain.com should still be an A record to a unique IP.

rvs
1

Instead of creating a CNAME clientdomain.com -> example.com, a better way is to delegate DNS.

DNS delegation can be done on the subdomain level.

Let's say you only need to manage www.clientdomain.com; you can ask the client to create an NS record for www.clientdomain.com which points to your name servers. See: http://www.zytrax.com/books/dns/ch8/ns.html

You will need to create a DNS record for www.clientdomain.com in your name server, and you can change the IP address whenever you like.

Rianto Wahyudi
  • The only question I have with this, would the client still be able to add records in his DNS after the delegation? If so, what happens if there are conflicting records? – so1o May 07 '11 at 23:06
  • The client will still have control over their DNS after the delegation. Remember, you are only delegating the subdomain, not the whole zone. Unfortunately I don't know what happens if there are duplicate/conflicting records. I'll give it a try when I get some free time and let you know how it goes. – Rianto Wahyudi May 08 '11 at 15:13
0

The best way I have found is to tell your client to point their clientdomain.com to your clientdomain.com.example.com. This gives you a lot of flexibility in where you're pointing the domain.

If you want you can aggregate all your clients down to example.com, where an A record points them to whatever IP. Or you can point it to SSL-IP-002.example.com, which would be an A record pointing to x.x.x.2. There are lots of other options once this is configured too.

Chris S
  • The first part of the answer is clear - same as what @rvs mentioned. Can you explain the second portion of the answer? Thanks! – so1o May 11 '11 at 00:04
  • You can have your customers CNAME `www.clientdomain.com` -> your CNAME `clientdomain.com.example.com` -> your A `server1.example.com` -> the IP 192.0.2.1. Then if Server1's IP changes, you update your A record. If the client's site changes to Server2, you update your CNAME `clientdomain.com.example.com` -> your A `server2.example.com` -> its IP 192.0.2.2 – Chris S May 11 '11 at 01:55
  • Understood. Is there a way to ask all your clients to point to one domain like proxy.example.com and then manage it to point to different servers? Like how heroku.com does. – so1o May 12 '11 at 17:05
  • I'm not familiar with heroku, can you give a more specific example? – Chris S May 12 '11 at 17:11
  • In Heroku, you can create Rails applications in the cloud. It is deployed and automatically gets a subdomain URL for the application, e.g. xyz.heroku.com. Now if I want to put my domain name on it, the process is that I put a CNAME for xyz.mydomain.com and point it to proxy.heroku.com. They internally map it to xyz.heroku.com. I want to see if there is an option similar to that so I can just publish it in my FAQs for all my clients saying: just point your subdomain CNAME to proxy.mydomain.com, and then I somehow map subdomain.client1.com to IP address 1 and subdomain.client2.com to IP address 2. – so1o May 12 '11 at 23:47
  • Yep, you can do that, have proxy.example.com 302 redirect to xyz.example.com; it would be slower than the DNS method I described above, but also adds a layer of flexibility and you don't have to worry about DNS caching. – Chris S May 13 '11 at 01:41
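The CNAME chain from Chris S's comment above, as an added example that is not part of the thread: a toy resolver over a constructed record table, with the two operations the provider actually performs (move a client to another server, renumber a server). Record names follow the thread; the 192.0.2.0/24 addresses are the RFC 5737 documentation range, and the `www.` labels are used because a CNAME cannot sit at a zone apex.

```python
"""Added example (not from the thread): a toy resolver that follows the
CNAME chain described by Chris S, to show which records the provider edits
and which records the client never has to touch again.

The record table is constructed for the example; it is not a real zone.
"""

MAX_CHAIN = 8  # real resolvers cap CNAME chains so a loop cannot run forever

# One table standing in for two zones: the client's (set once) and the
# provider's example.com (edited by the provider). owner -> (type, rdata)
RECORDS = {
    # client-controlled records: a single CNAME into the provider's zone
    "www.clientdomain.com": ("CNAME", "clientdomain.com.example.com"),
    "www.otherclient.net": ("CNAME", "otherclient.net.example.com"),
    # provider-controlled records: per-client alias -> server name -> IP
    "clientdomain.com.example.com": ("CNAME", "server1.example.com"),
    "otherclient.net.example.com": ("CNAME", "server1.example.com"),
    "server1.example.com": ("A", "192.0.2.1"),
    "server2.example.com": ("A", "192.0.2.2"),
}

PROVIDER_ZONE = "example.com"  # assumed provider zone, as in the thread


def resolve(records, name, depth=0):
    """Follow CNAMEs from `name` until an A record; return (ip, chain)."""
    if depth > MAX_CHAIN:
        raise ValueError(f"CNAME chain too long or looping at {name}")
    if name not in records:
        raise LookupError(f"NXDOMAIN: {name}")
    rtype, rdata = records[name]
    if rtype == "A":
        return rdata, [name]
    if rtype == "CNAME":
        ip, chain = resolve(records, rdata, depth + 1)
        return ip, [name] + chain
    raise ValueError(f"unexpected record type {rtype} for {name}")


def move_client(records, client_host, server):
    """Re-home one client onto another server by editing only the
    provider-side alias (the client's own CNAME is left as it is)."""
    alias = records[client_host][1]  # e.g. clientdomain.com.example.com
    if not alias.endswith("." + PROVIDER_ZONE):
        raise ValueError(f"{alias} is not in the provider's zone")
    records[alias] = ("CNAME", server)


def renumber_server(records, server, new_ip):
    """Change a server's address: one A record, every alias on it follows."""
    records[server] = ("A", new_ip)


if __name__ == "__main__":
    ip, chain = resolve(RECORDS, "www.clientdomain.com")
    print(ip, " <- ".join(chain))
    move_client(RECORDS, "www.clientdomain.com", "server2.example.com")
    print(resolve(RECORDS, "www.clientdomain.com")[0])   # now 192.0.2.2
    renumber_server(RECORDS, "server1.example.com", "192.0.2.10")
    print(resolve(RECORDS, "www.otherclient.net")[0])    # now 192.0.2.10
```

The extra hop costs one more lookup per resolution but keeps every operational change inside the provider's zone, which is the flexibility the question asks for; the chain cap mirrors what real resolvers do when two CNAMEs point at each other.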
-1

The SSL certificate is one per domain and not per IP. Use virtual hosting to have SSL for different domains. Let the client CNAME to your domain and create a virtual host in your webserver.

I would suggest a CNAME instead of your client creating an A record, because a CNAME will let you make modifications without requiring any changes from your clients.

Sameer
  • The webserver issues the SSL certificate to the browser at a very early stage of the connection, before any headers (including Host:) are sent. So the webserver does not know which domain's certificate it should use; that's why the server just sends the certificate based on IP. – rvs May 07 '11 at 05:25
  • @rvs3 You are right – Sameer May 07 '11 at 08:39
  • @rvs, with SNI the host name is sent before TLS is negotiated. All the newest browsers and servers support it, though most websites still do not on account of older software. @Sameer, a certificate can have many SANs (website domains in this instance); it's not limited to one. – Chris S May 08 '11 at 14:46
  • Unfortunately, SNI is not supported on IE6 and many Windows XP boxes even with newer browsers, which are a good fraction. Hopefully it'll be possible to deprecate IE6 and XP support in a few years, but not now. :( – rvs May 10 '11 at 07:21
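The handshake detail that rvs's answer and the comment exchange above turn on, as an added example that is not part of the thread: the certificate has to be chosen before any HTTP header exists, and the only thing in the ClientHello that names the site is the Server Name Indication extension (RFC 6066). The code below builds a minimal ClientHello and parses the SNI host name back out of it. The bytes are constructed, not captured; the cipher-suite values and the all-zero random are arbitrary filler.

```python
"""Added example (not from the thread): build a minimal TLS ClientHello and
extract the SNI host name from it, or learn that there is none.

Returning None for a hello without SNI is what a server sees from a pre-SNI
client such as IE6 on Windows XP: a valid hello that names no site, so the
server can only fall back to the certificate bound to the IP address.
"""
import struct

TLS_HANDSHAKE = 0x16    # record-layer content type
CLIENT_HELLO = 0x01     # handshake message type
EXT_SERVER_NAME = 0x0000  # SNI extension type (RFC 6066)


def build_client_hello(host=None):
    """Return a raw TLS record carrying a ClientHello, with SNI if host is given."""
    body = b"\x03\x03" + bytes(32)          # TLS 1.2 version + 32-byte random (zeros here)
    body += b"\x00"                          # empty session id
    suites = b"\xc0\x2f\x00\x9c"             # two cipher suites, arbitrary filler
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                      # one compression method: null
    extensions = b""
    if host is not None:
        name = host.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


def extract_sni(record):
    """Return the SNI host name from a ClientHello record, or None if absent.

    Raises ValueError for bytes that are not a well-formed ClientHello.
    """
    try:
        if record[0] != TLS_HANDSHAKE:
            raise ValueError("not a TLS handshake record")
        (rec_len,) = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            raise ValueError("not a ClientHello")
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                         # skip client_version and random
        pos += 1 + body[pos]                 # session id
        (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2 + cs_len                    # cipher suites
        pos += 1 + body[pos]                 # compression methods
        if pos >= len(body):
            return None                      # legacy hello with no extensions block
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype != EXT_SERVER_NAME:
                continue
            (list_len,) = struct.unpack("!H", data[:2])
            q = 2
            while q + 3 <= 2 + list_len:
                ntype = data[q]
                (nlen,) = struct.unpack("!H", data[q + 1:q + 3])
                q += 3
                if ntype == 0:               # host_name entry
                    return data[q:q + nlen].decode("ascii")
                q += nlen
        return None
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated or malformed ClientHello") from exc


if __name__ == "__main__":
    print(extract_sni(build_client_hello("clientdomain.com")))  # clientdomain.com
    print(extract_sni(build_client_hello()))                    # None
```

Two things worth noticing from the bytes: the name is in the clear, so anything on the path (a load balancer terminating TLS, or a monitoring tap) can read it before any key is agreed, and a client that sends no extension gives the server nothing to select on, which is exactly the IE6/XP limitation in the last comment.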