
I've searched around SF and understand from other posts that with TLS one can have multiple SSL/TLS certs for different subdomains on a single Apache instance. I'm wondering if/how I can host the main domain with one cert and subdomains of that same main domain with a separate wildcard cert.

I'm working on a site that primarily operates in English. When folks visit www.example.com, we have a mod_rewrite rule that redirects them to example.com. It also redirects plain old HTTP requests to HTTPS. We've got the server configured with a really nice extended validation (EV) cert that turns your browser address bar green -- it looks quite secure and trustworthy.

The issue is that we want to display other languages at other subdomains. E.g.:

  • Spanish at es.example.com
  • German at de.example.com
  • Italian at it.example.com

Our extended validation cert is not valid for these subdomains, so we purchased a wildcard cert and we'd like to set up Apache so that it uses the EV cert for HTTPS requests to example.com and the wildcard cert for HTTPS requests to all of the language subdomains.

I understand from this DigiCert support document and a Server Fault post that Apache 2.4.18 should support using multiple SSL certs for different domains if the HTTPS connections are made using TLS but not if they are made using SSL. The DigiCert document suggests creating an entirely separate VirtualHost section, one for each cert, but I wonder if there are other subtleties I'm missing. Our current Apache conf, for example, lacks a ServerName directive, and I'm not sure if I would need to create a ServerAlias directive for every supported language or whether we might use a wildcard in these Apache configurations. Additionally, the subdomains (en.example.com) are a super-string of the primary domain (example.com) -- I'm worried this might cause confusion when routing requests?

Currently, our only Apache SSL conf at /etc/apache2/sites-available/default-ssl.conf looks like this when you take out all the comments:

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php/php7.0-fpm.sock|fcgi://localhost/var/www/html/
        SetEnv CI_ENV testing
        <Directory /var/www/html>
            AllowOverride All
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile    /etc/ssl/certs/ev-ssl-certificate.crt
        SSLCertificateKeyFile /etc/ssl/private/ev-private.key
        SSLCACertificateFile  /etc/ssl/certs/ev-IntermediateCA.crt
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
    </VirtualHost>
</IfModule>

Can anyone tell me what the best-practice approach would be in this situation? Ideally we'll replicate as little code as possible to get this working. I'd also greatly appreciate any warnings or gotchas. E.g., I suspect I'll need to disable SSL protocols so that only TLS is used.

S. Imp
  • The DigiCert and Server Fault posts you answered are basically showing different virtual hosts, and yes - using virtual hosts for each certificate is the solution. You can also terminate the SSL/TLS connection on, for example, HAProxy, Pound or the Hitch TLS proxy instead and just let Apache serve HTTP. – Orphans Apr 12 '18 at 11:13

1 Answer


You should create two virtual host files to store virtual host information in separate files, copying the configuration from the default virtual host file. For more information see How To Set Up Multiple SSL Certificates on One IP with Apache.

As I understand it, you are handling multilingual sites as a primary English website and other limited language-specific sites as subdomains, and you want to gain customers' trust by displaying the green branded bar for all your sites. You can do it using a single EV Multi-Domain SSL certificate; it will enable your company name in the browsers' address bar for www.example.com, es.example.com, de.example.com and it.example.com. Some example vendors:

Andrew Schulman
JC8311
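The two-VirtualHost layout that the answer and the DigiCert document describe, written out as an added example (not the asker's configuration and not from the answer). It reuses the EV certificate paths from the question; the wildcard certificate paths are assumed placeholders, and the ProxyPassMatch, logging and SSLOptions lines from the existing default-ssl.conf would be repeated in each vhost or moved into a shared Include.

```apache
# Added example: two name-based TLS virtual hosts on one IP, selected by SNI.
<IfModule mod_ssl.c>
    # Server-wide hardening: drop SSLv3 so only TLS is negotiated, and refuse
    # clients that send no SNI (otherwise they silently get the first vhost's
    # certificate, which for a subdomain request would be the wrong one).
    SSLProtocol            all -SSLv3
    SSLStrictSNIVHostCheck on

    # First *:443 vhost is also the default; it holds the EV certificate.
    # Name matching is exact on ServerName/ServerAlias, so es.example.com
    # never matches this block just because it contains "example.com".
    <VirtualHost *:443>
        ServerName   example.com
        ServerAlias  www.example.com
        DocumentRoot /var/www/html
        SSLEngine on
        SSLCertificateFile      /etc/ssl/certs/ev-ssl-certificate.crt
        SSLCertificateKeyFile   /etc/ssl/private/ev-private.key
        # Intermediate sent to clients; on 2.4.8+ it may instead be appended
        # to the SSLCertificateFile bundle.
        SSLCertificateChainFile /etc/ssl/certs/ev-IntermediateCA.crt
        # ... remaining directives from default-ssl.conf go here ...
    </VirtualHost>

    # Language subdomains: one vhost with the wildcard certificate.
    # ServerAlias accepts a wildcard, so no per-language alias list is needed.
    <VirtualHost *:443>
        ServerName   es.example.com
        ServerAlias  *.example.com
        DocumentRoot /var/www/html
        SSLEngine on
        SSLCertificateFile      /etc/ssl/certs/wildcard-example.crt      # assumed path
        SSLCertificateKeyFile   /etc/ssl/private/wildcard-example.key    # assumed path
        SSLCertificateChainFile /etc/ssl/certs/wildcard-IntermediateCA.crt  # assumed path
        # ... remaining directives from default-ssl.conf go here ...
    </VirtualHost>
</IfModule>
```

After `apachectl configtest` and a reload, `openssl s_client -connect example.com:443 -servername es.example.com` should show the wildcard certificate, and the same command with `-servername example.com` the EV one.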