I've searched around SF and understand from other posts that with TLS one can have multiple SSL/TLS certs for different subdomains on a single Apache instance. I'm wondering if/how I can host the main domain with one cert and subdomains of that same main domain with a separate wildcard cert.
I'm working on a site that primarily operates in English. When folks visit www.example.com, we have a mod_rewrite rule that redirects them to example.com. It also redirects plain old HTTP requests to HTTPS. We've got the server configured with a really nice extended validation (EV) cert that turns your browser address bar green -- it looks quite secure and trustworthy.
The issue is that we want to display other languages at other subdomains. E.g.:
- Spanish at es.example.com
- German at de.example.com
- Italian at it.example.com
Our extended validation cert is not valid for these subdomains, so we purchased a wildcard cert and we'd like to set up Apache so that it uses the EV cert for HTTPS requests to example.com and the wildcard cert for HTTPS requests to all of the language subdomains.
I understand from this DigiCert support document and a Server Fault post that Apache 2.4.18 should support using multiple SSL certs for different domains if the HTTPS connections are made using TLS but not if they are made using SSL. The DigiCert document suggests creating an entirely separate VirtualHost section, one for each cert, but I wonder if there are other subtleties I'm missing. Our current Apache conf, for example, lacks a ServerName directive, and I'm not sure if I would need to create a ServerAlias directive for every supported language or whether we might use a wildcard in these Apache configurations. Additionally, the subdomains (en.example.com) are a super-string of the primary domain (example.com) -- I'm worried this might cause confusion when routing requests.
Currently, our only Apache SSL conf at /etc/apache2/sites-available/default-ssl.conf looks like this when you take out all the comments:
    <IfModule mod_ssl.c>
        <VirtualHost _default_:443>
            ServerAdmin webmaster@localhost
            DocumentRoot /var/www/html
            ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php/php7.0-fpm.sock|fcgi://localhost/var/www/html/
            SetEnv CI_ENV testing
            <Directory /var/www/html>
                AllowOverride All
            </Directory>
            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined
            SSLEngine on
            SSLCertificateFile /etc/ssl/certs/ev-ssl-certificate.crt
            SSLCertificateKeyFile /etc/ssl/private/ev-private.key
            SSLCACertificateFile /etc/ssl/certs/ev-IntermediateCA.crt
            <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
            </FilesMatch>
            <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
            </Directory>
        </VirtualHost>
    </IfModule>
Can anyone tell me what the best-practice approach would be in this situation? Ideally we'll replicate as little code as possible to get this working. I'd also greatly appreciate any warnings or gotchas. E.g., I suspect I'll need to disable SSL protocols so that only TLS is used.
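As an added example (not the asker's configuration), here is one way to lay out the two SNI VirtualHosts the question describes on Apache 2.4 with mod_ssl: the bare domain with the EV cert listed first, so it is also what non-SNI clients receive, and a second vhost whose ServerAlias wildcard covers every language subdomain. The wildcard certificate file paths, the mod_rewrite module being enabled, and the EV cert listing www.example.com as a SAN are assumptions.

```apache
# Added example, not the original default-ssl.conf. Wildcard cert paths are assumed.
<IfModule mod_ssl.c>
    # Allow only TLS versions; SSLv3 is refused (SSLv2 no longer exists in Apache 2.4).
    SSLProtocol all -SSLv3
    # With this on, a client that sends no SNI name, or a name no vhost serves,
    # gets a 403 instead of silently landing on the first (EV) vhost.
    SSLStrictSNIVHostCheck on

    # 1. Bare domain: EV certificate. Listed first, so it is the default vhost
    #    and wins over the *.example.com alias below for www.example.com.
    <VirtualHost *:443>
        ServerName example.com
        # Assumes the EV cert also covers www.example.com, as the current
        # single-vhost setup implies.
        ServerAlias www.example.com
        DocumentRoot /var/www/html

        SSLEngine on
        SSLCertificateFile      /etc/ssl/certs/ev-ssl-certificate.crt
        SSLCertificateKeyFile   /etc/ssl/private/ev-private.key
        # Intermediate for the server chain (on 2.4.8+ it may instead be
        # appended to the SSLCertificateFile).
        SSLCertificateChainFile /etc/ssl/certs/ev-IntermediateCA.crt

        # www -> bare domain, preserving the path.
        RewriteEngine on
        RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
        RewriteRule ^ https://example.com%{REQUEST_URI} [R=301,L]
    </VirtualHost>

    # 2. Language subdomains: wildcard certificate. One vhost serves them all;
    #    no per-language ServerAlias is needed.
    <VirtualHost *:443>
        ServerName es.example.com
        ServerAlias *.example.com
        DocumentRoot /var/www/html

        SSLEngine on
        # Assumed file names for the purchased wildcard cert and its chain.
        SSLCertificateFile      /etc/ssl/certs/wildcard-example-com.crt
        SSLCertificateKeyFile   /etc/ssl/private/wildcard-example-com.key
        SSLCertificateChainFile /etc/ssl/certs/wildcard-IntermediateCA.crt
    </VirtualHost>
</IfModule>
```

After `apachectl configtest` and a reload, `openssl s_client -connect example.com:443 -servername es.example.com` should present the wildcard certificate, while the same command with `-servername example.com` should present the EV one.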