Posted to users@httpd.apache.org by "Wang, Mary Y" <ma...@boeing.com> on 2010/04/24 17:07:15 UTC

[users@httpd] Two Name-Based Virtual Hosts : Two SSL Certificates?

Hi,

I've two name-based virtual hosts defined (two named web sites on a single IP address). I only requested one SSL certificate for the main site. My application is running on the main site first and goes to the second site when users click on a specific button. Whenever the URL points to the second site, Firefox detects that the server certificate belongs to a different site.

Is it a common practice, when you have two or more name-based virtual hosts running on a single IP on Apache, to request an SSL certificate for EACH host name? If so, do I just add the SSLCertificateFile and SSLCertificateKeyFile information in the <VirtualHost> container for the second site as well?

I'm running on Apache 2.

Any suggestions?

Thanks in advance
Mary


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Two Name-Based Virtual Hosts : Two SSL Certificates?

Posted by Jason Nunnelley <ja...@jasonn.com>.
http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

I tend to trust the Apache wiki. It says Safari 3.2.1 on Mac OS X 10.5.6 
is supported. No notes on iPhone.

IE7 on XP is not supported. There are an awful lot of XP boxes running IE7 
(some still running IE6).

http://www.w3schools.com/browsers/browsers_stats.asp

On 4/24/10 5:08 PM, Michael Ni wrote:
> I think people have been saying SNI does not satisfy the Safari browser.
>
> The SSL warning still pops up. Can someone verify?

-- 

Jason A. Nunnelley
+1 2562971652

http://www.google.com/profiles/imjasonn

[Member Tekany, LLC]


Re: [users@httpd] Two Name-Based Virtual Hosts : Two SSL Certificates?

Posted by Michael Ni <mi...@gmail.com>.
I think people have been saying SNI does not satisfy the Safari browser.

The SSL warning still pops up. Can someone verify?



On Sat, Apr 24, 2010 at 3:03 PM, Jason Nunnelley <ja...@jasonn.com> wrote:

> On 4/24/10 4:42 PM, Wang, Mary Y wrote:
>
>> Crypto,
>>
>> Thanks for the info on SNI.  I'm currently running on httpd-2.0.46;
>> therefore, SNI support is not there. The browser support listed on that
>> wiki doesn't cover the browser versions that are offered in the company
>> currently. The application is running on Redhat 3.9.
>>
>> Are you saying that I can request two IPs for the same server?  I'd need
>> to contact our admin over here.  I am not sure if we can request a wildcard
>> cert either.
>>
>> If I just request another SSL cert for the second site (not doing any of
>> the methods that you listed below), would Apache still use the default SSL
>> cert for the main site? Would the user still get that warning?  Is that what
>> you are saying?
>>
>> Please advise.
>>
>
> Mary, you've got a few options here.
>
> 1) Upgrade your server and run SNI even though most sys admins refuse to
> run it. Not likely going to be your pick.
> 2) Add an IP number to your server and run multiple IPs, allowing you to
> set up traditional IP based SSL hosting. You have to do 1 IP per SSL cert if
> you do this. This is an IP on the server. So, you'll configure the server to
> take an extra IP and then add the IP to the configuration for the SSL Apache
> config.
> 3) Run a unified multi-domain SSL certificate. You'll have to buy a new
> certificate from someone who sells a unified certificate. It means you can
> run multiple domains on the same IP, each with different domain names, but
> hosted on the same IP. Some call this a "wildcard" SSL cert. But, typical
> wildcard SSL certs are meant for X.domain.com and not X.com and Y.com.
> You'll want a cert where you can assign multiple domains to the single cert.
>
> Most host providers will sell you an IP for this purpose, if it's an actual
> physical server. If it's ephemeral (cloud hosting), that's likely not an
> option.
>
> You cannot run multiple domain certificates without either IP based SSL
> configuration or SNI. IP based SSL certificates will apply the first
> certificate it finds in the configuration. The second is an error, or
> superfluous. It's actually a broken configuration and you should receive an
> apachectl configtest error message if you test the configuration.
>
> --
>
> Jason A. Nunnelley
> +1 2562971652
>
> http://www.google.com/profiles/imjasonn
>
> [Member Tekany, LLC]
>
>
>

Re: [users@httpd] Two Name-Based Virtual Hosts : Two SSL Certificates?

Posted by Jason Nunnelley <ja...@jasonn.com>.
On 4/24/10 4:42 PM, Wang, Mary Y wrote:
> Crypto,
>
> Thanks for the info on SNI.  I'm currently running on httpd-2.0.46; therefore, SNI support is not there. The browser support listed on that wiki doesn't cover the browser versions that are offered in the company currently. The application is running on Redhat 3.9.
>
> Are you saying that I can request two IPs for the same server?  I'd need to contact our admin over here.  I am not sure if we can request a wildcard cert either.
>
> If I just request another SSL cert for the second site (not doing any of the methods that you listed below), would Apache still use the default SSL cert for the main site? Would the user still get that warning?  Is that what you are saying?
>
> Please advise.

Mary, you've got a few options here.

1) Upgrade your server and run SNI even though most sys admins refuse to 
run it. Not likely going to be your pick.
2) Add an IP number to your server and run multiple IPs, allowing you to 
set up traditional IP based SSL hosting. You have to do 1 IP per SSL 
cert if you do this. This is an IP on the server. So, you'll configure 
the server to take an extra IP and then add the IP to the configuration 
for the SSL Apache config.
3) Run a unified multi-domain SSL certificate. You'll have to buy a new 
certificate from someone who sells a unified certificate. It means you 
can run multiple domains on the same IP, each with different domain 
names, but hosted on the same IP. Some call this a "wildcard" SSL cert. 
But, typical wildcard SSL certs are meant for X.domain.com and not X.com 
and Y.com. You'll want a cert where you can assign multiple domains to 
the single cert.

Most host providers will sell you an IP for this purpose, if it's an 
actual physical server. If it's ephemeral (cloud hosting), that's likely 
not an option.

You cannot run multiple domain certificates without either IP based SSL 
configuration or SNI. IP based SSL certificates will apply the first 
certificate it finds in the configuration. The second is an error, or 
superfluous. It's actually a broken configuration and you should receive 
an apachectl configtest error message if you test the configuration.

-- 

Jason A. Nunnelley
+1 2562971652

http://www.google.com/profiles/imjasonn

[Member Tekany, LLC]




RE: [users@httpd] Two Name-Based Virtual Hosts : Two SSL Certificates?

Posted by "Wang, Mary Y" <ma...@boeing.com>.
Crypto,

Thanks for the info on SNI.  I'm currently running on httpd-2.0.46; therefore, SNI support is not there. The browser support listed on that wiki doesn't cover the browser versions that are offered in the company currently. The application is running on Redhat 3.9.

Are you saying that I can request two IPs for the same server?  I'd need to contact our admin over here.  I am not sure if we can request a wildcard cert either.

If I just request another SSL cert for the second site (not doing any of the methods that you listed below), would Apache still use the default SSL cert for the main site? Would the user still get that warning?  Is that what you are saying?

Please advise.

Mary

-----Original Message-----
From: Crypto Sal [mailto:crypto.sal@gmail.com] 
Sent: Saturday, April 24, 2010 10:01 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Two Name-Based Virtual Hosts : Two SSL Certificates?

  On 04/24/2010 11:07 AM, Wang, Mary Y wrote:
> Hi,
>
> I've two name-based virtual hosts defined (two named web sites on a single IP address).  I only requested one SSL certificate for the main site.   My application is running on the main site first and goes to the second site when users click on a specific button. Whenever the URL points to the second site, Firefox detects that the server certificate belongs to a different site.
>
> Is it a common practice, when you have two or more name-based virtual hosts running on a single IP on Apache, to request an SSL certificate for EACH host name? If so, do I just add the SSLCertificateFile and SSLCertificateKeyFile information in the <VirtualHost> container for the second site as well?
>
> I'm running on Apache 2.
>
> Any suggestions?
>
> Thanks in advance
> Mary
>


Hi Mary,

Which specific version of Apache are you using? The latest stable is 2.2.15 in the 2.2 branch and can make use of SNI (http://en.wikipedia.org/wiki/Server_Name_Indication). Prior to 2.2.12, SNI support wasn't there officially.

Are you targeting a specific browser or OS with your application? If platform independent, then you will need to do one of the following: 
separate IPs, separate ports on a shared IP, use a wildcard cert, or use a multi-domain certificate. If you're only allowing Firefox 2.x and higher and IE on Vista and higher, you can go the SNI route.

The easiest method is the separate IPs route with whatever certificate combination you want.

Hope this helps.



Re: [users@httpd] Two Name-Based Virtual Hosts : Two SSL Certificates?

Posted by Crypto Sal <cr...@gmail.com>.
  On 04/24/2010 11:07 AM, Wang, Mary Y wrote:
> Hi,
>
> I've two name-based virtual hosts defined (two named web sites on a single IP address).  I only requested one SSL certificate for the main site.   My application is running on the main site first and goes to the second site when users click on a specific button. Whenever the URL points to the second site, Firefox detects that the server certificate belongs to a different site.
>
> Is it a common practice, when you have two or more name-based virtual hosts running on a single IP on Apache, to request an SSL certificate for EACH host name? If so, do I just add the SSLCertificateFile and SSLCertificateKeyFile information in the <VirtualHost> container for the second site as well?
>
> I'm running on Apache 2.
>
> Any suggestions?
>
> Thanks in advance
> Mary
>


Hi Mary,

Which specific version of Apache are you using? The latest stable is 2.2.15 
in the 2.2 branch and can make use of SNI 
(http://en.wikipedia.org/wiki/Server_Name_Indication). Prior to 2.2.12, 
SNI support wasn't there officially.

Are you targeting a specific browser or OS with your application? If 
platform independent, then you will need to do one of the following: 
separate IPs, separate ports on a shared IP, use a wildcard cert, or use a 
multi-domain certificate. If you're only allowing Firefox 2.x and higher 
and IE on Vista and higher, you can go the SNI route.

The easiest method is the separate IPs route with whatever certificate 
combination you want.

Hope this helps.

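The two workable layouts the replies above describe, written out as an added example (not configuration from the thread or from the Apache project): name-based SSL virtual hosts on one address, which needs httpd 2.2.12 or later and SNI-capable clients, and the one-IP-per-certificate layout that also works on httpd 2.0. Hostnames, certificate paths and the 192.0.2.x addresses are placeholders.

```apache
# Added example, not from the thread. Hostnames, certificate paths and the
# 192.0.2.x addresses (documentation range) are placeholders.

# Layout A: name-based SSL vhosts on ONE address. Works only with
# httpd >= 2.2.12 built against an SNI-capable OpenSSL, and only for
# clients that send SNI; a client without SNI is handed the first
# vhost's certificate, which is the "certificate belongs to a different
# site" warning described in the thread.
Listen 443
NameVirtualHost *:443                 # needed in 2.2, dropped in 2.4

<VirtualHost *:443>
    ServerName              www.example.com
    SSLEngine               on
    SSLCertificateFile      /etc/httpd/ssl/www.example.com.crt
    SSLCertificateKeyFile   /etc/httpd/ssl/www.example.com.key
    SSLCertificateChainFile /etc/httpd/ssl/ca-intermediate.crt
</VirtualHost>

<VirtualHost *:443>
    ServerName              app.example.net
    SSLEngine               on
    SSLCertificateFile      /etc/httpd/ssl/app.example.net.crt
    SSLCertificateKeyFile   /etc/httpd/ssl/app.example.net.key
    SSLCertificateChainFile /etc/httpd/ssl/ca-intermediate.crt
</VirtualHost>
# Optional: refuse non-SNI clients instead of silently serving them
# the first vhost's certificate.
# SSLStrictSNIVHostCheck on

# Layout B: one IP address per certificate (works on httpd 2.0.x, no SNI
# needed). Use EITHER layout A or layout B in a given config, not both;
# the Listen lines of the two layouts would collide on port 443.
Listen 192.0.2.10:443
Listen 192.0.2.11:443

<VirtualHost 192.0.2.10:443>
    ServerName              www.example.com
    SSLEngine               on
    SSLCertificateFile      /etc/httpd/ssl/www.example.com.crt
    SSLCertificateKeyFile   /etc/httpd/ssl/www.example.com.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName              app.example.net
    SSLEngine               on
    SSLCertificateFile      /etc/httpd/ssl/app.example.net.crt
    SSLCertificateKeyFile   /etc/httpd/ssl/app.example.net.key
</VirtualHost>
```

Run `apachectl configtest` after editing, and confirm which certificate a given name is served with `openssl s_client -connect 192.0.2.10:443 -servername app.example.net`; on a 2.0 or non-SNI build, layout A answers every name with the first vhost's certificate.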


Re: [users@httpd] Two Name-Based Virtual Hosts : Two SSL Certificates?

Posted by Michael Ni <mi...@gmail.com>.
I had the same issue.

I would buy another SSL cert for your 2nd host.

You also need another IP for your 2nd host.

Make sure your DNS servers are pointing to the right IPs depending on the
host.

You need to register two SSL certs.

Make sure you have that SSLChain..... thing in your virtual host so the Safari
browser won't bug out.



On Sat, Apr 24, 2010 at 8:07 AM, Wang, Mary Y <ma...@boeing.com> wrote:

> Hi,
>
> I've two name-based virtual hosts defined (two named web sites on a single
> IP address).  I only requested one SSL certificate for the main site.   My
> application is running on the main site first and goes to the second site
> when users click on a specific button. Whenever the URL points to the
> second site, Firefox detects that the server certificate belongs to a different
> site.
>
> Is it a common practice, when you have two or more name-based virtual hosts
> running on a single IP on Apache, to request an SSL certificate for EACH host
> name? If so, do I just add the SSLCertificateFile and SSLCertificateKeyFile
> information in the <VirtualHost> container for the second site as well?
>
> I'm running on Apache 2.
>
> Any suggestions?
>
> Thanks in advance
> Mary
>
>