View All Products
Compute
Storage
Networking
Databases
Services
Developer Tools
Industries
Pricing
Community
Engage With Us
Community Questions 2 ssl certs for 1 IP question
Log in to Ask a Question

2 ssl certs for 1 IP question

development

Hello, I'm trying to assign two ssl certs on 1 IP (I have two different domains that i need to point to the same apache instance). I tried doing it via using different ports (sample code i got from another website):

Listen 1443

ServerName zimbra.domaina.moc

ProxyPass / http://zimbra.domain.moc:8080/

ProxyPassReverse / http://zimbra.domain.moc:8080/

SSLEngine On

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

SSLCertificateKeyFile /etc/httpd/conf/domaina_ssl/zimbra.zmb.moc.key

SSLCertificateFile /etc/httpd/conf/domaina_ssl/zimbra.zmb.moc.crt

Listen 2443

ServerName zimbra.domainb.moc

ProxyPass / http://zimbra.domain.moc:8080/

ProxyPassReverse / http://zimbra.domain.moc:8080/

SSLEngine On

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

SSLCertificateKeyFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.key

SSLCertificateFile /etc/httpd/conf/domainb_ssl/zimbra.domainb.moc.crt

I currently don't have any domains to test with but if I do it this way via multiple ports, when the client types in https://www.domainA.com will it work? or will they have to type in https://www.domainA.com:1443 to get it to work? (I don't want them to be typing in the port!)

Or do I need to point the domain (dns/A record) to domainA:1443?

I'm new to this, so any help will be appreciated! Any other solutions/suggestions on how to support multiple domains/ssl certs to one IP are welcome too! I did a solution involving SNI but I think there are some browser compatibility issues that I dont want to take the chance with. Thanks!

6 Replies

You need another IP to achieve what you want, open a support ticket and explain your problem.

If you want your SSL sites to be accessible without having to type the port, yes, you need two IPs.

But if the SSL site is only going to be used for logins, administrative pages, and automated requests, you might be able to get away with putting the port in the links on your non-SSL site. That way, nobody has to type the port; people will just click some links and end up on the correct port. This is perfectly OK for some types of web sites and web services.

thanks hybinet for the response. besides IP and ports, is there another way to do it? I've read about creating another apache daemon (installation) that could have the other virtual host?

http://httpd.apache.org/docs/2.0/vhosts/ip-based.html

will this work?

Name-based vhosts with multiple SSL cert support is in Apache since 2.2.12 with OpenSSL 0.9.8f or later. Browser support isn't exactly universal, though. A lot of old WinXP machines out there with IE6. The client needs a better browser to support SSL SNI extentions.

A quick post on TechRepublic, from 2009, when the feature was introduced.

~~[http://www.techrepublic.com/blog/opensource/configure-apache-to-support-multiple-ssl-sites-on-a-single-ip-address/987" target="_blank">](http://www.techrepublic.com/blog/openso … ddress/987">http://www.techrepublic.com/blog/opensource/configure-apache-to-support-multiple-ssl-sites-on-a-single-ip-address/987](

Apache doc on the feature is here:

http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

You might be able to make that work for you.

yep, i thought about using SNI but we have to support mobile browsers too..which is prob a dealbreaker in terms of compatibility. I'm a linux newb but I have heard setting up another apache server with a diff ip and then setting up a reverse proxy to the other server could work..anyone know how to do that or fwd documentation on that?

@lencholamas:

I have heard setting up another apache server with a diff ip and then setting up a reverse proxy to the other server could work..anyone know how to do that or fwd documentation on that?
The same Apache server can listen on any number of IP addresses. If you have 2 IPs, just tell Apache to use one for each site. There is no need for any reverse proxying between multiple daemons, and even if you manage to set it up that way, it won't make any difference. You'd still need 2 IPs if you want to support non-SNI browsers.

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Log in to Reply
Community Code of Conduct