SSL for virtual hosts on one certificate
What this WILL do is give you a way to provide an error free secure SSL connection for one to many virtual hosts that do not have their own IP addresses using ONE certificate that uses ONE IP address.
For example https://secure.myhost.com/joesplace/... and https://secure.myhost.com/jimsplace/... and and and...
What this WILL NOT do is to give you a way to use more than one certificate on one IP address. It will not let you hide the real certificate domain either.
The upside is you can provide SSL for several domains with one IP and one SSL certificate. The downside is that the certificate is in ONE domain name using what looks like sub-directories but are actually simple links....
On our servers, we have several small hosted accounts that need SSL for a form or for a few sales a month. Using an IP address for each one, plus buying certificates, is more than they really want or need. However, they do need SSL for simple things. What we needed was a way to use a "server-wide" SSL certificate that would be easy and work well without certificate errors... and we wanted the certificate to work properly on all the virtual hosted sites with NO red warnings in the browser location bar!
Here are the steps we used:
Assumptions: You are running Linux and the virtual hosts are stored in /var/www. I do not know anything about doing this on Windows. Finally, you have root access to your server.
1. Choose the name you will use for the certificate. We wanted our little sites to at least have some semblance of credibility, so we just added secure to the host server's main domain name. If the server domain was www.myhost.com we wanted "secure.myhost.com" to be on the certificate AND IN THE URLs.
So we changed the "hostname" on the basis page from www to secure, then added back the www in co-domains tab. Finally, go to DNS Manager and add "secure" as a hostname on the advanced tab for your myhost.com domain.
If you are creating a new secure host site specifically for this, then register the site and then create it WITH SSL on your server. You might like something like "secure.besthost.com", but any domain will work. If you use "secure" for the hostname in the basis tab, then be sure to add the www (if you want www) to work in co-domains tab. Check to be sure that all your hostnames are in your DNS setup.
2. Create a cetificate in the domain's SSL tab using legitimate info, since you will use the request to get a genuine certified certificate. The ispConfig generated certificate request will be in whatever full domain name you used in the "hostname" + "domain" on the basis page.... that is why I changed the www to secure!
3. Assuming that your domain resolves, check to make sure that "https://secure.myhost.com" works. You will get the usual errors about the certificate not being trusted, which will disappear when you get a genuine certified SSL certificate from wherever. Make sure the certificate info shows your secure domain name... as in "secure.myhost.com"...
4. Go to the web directory for your secure host domain. Something like /var/www/web1/web. Create a link to some website you want to use the SSL cert on... You will need to know the root directory for the domain you want to use the SSL cert for. If the hosted domain is www.joesplace.com then can you must find the root directory for joesplace... something like /var/www/web12. Just look in /var/www or your virtual domains root. It should show you a list of links to all the webs. We will say your host domain is in web1 and joesplace.com is in web12
You HAVE to be root to do this...-> and you MUST be in your secure host sites web root directory!
The link creation will be like this:
ln -sf HOSTED_SITE_WEB_DIRECTORY LINK_NAME
ln -sf /var/www/web12/web joesplace
(yes, I think "joesplace.com" would work just as well)
5. Now you can use "https://secure.myhost.com/joesplace/" to open joesplace.com with your host SSL cert... Try it.... If it opens joesplace and the only SSL error you get is the certification path, then you can order your genuine SSL certificate with confidence all will work well later.
When you receive and your real, genuine, certified SSL certificate, the browser will no longer object to certification path errors or domain name errors if you did everything right. GREEN locations are GREAT...!
Conclusion: That is what we did to better serve our small clients with simple SSL needs. Now we simply create a new link in our secure domain web root for each site that we need simple SSL on, and advise our clients to tell people that they are using a shared secure server certificate provided by their host.
We run some sites on leased Linux servers with Fedora Core 3 or 4 that are setup with "The Perfect Setup" guides. Our ispConfig has always installed and upgraded without fault, and we have made very few changes from the standard setups and software versions.
Hoping this helps others,
Useful compilation RDB, thanks for that.
It's also possible to use one cert with one IP and multiple Vhosts by using the server name as the CN, and subjectAltname defines in the certificate signing request, where each define is for one of the vhost sites.
CN - ourserver.usefulhosting.com
subjectAltname1 - www.domain1.com
subjectAltname2 - www.domain2.com
Not very practical if one is adding and removing sites on a daily basis, but it does work
I looked at reverse proxying first, however, we needed something we could change often without getting a new certificate.
As soon as I that adding a new domain would require a new certificate, well that ruled it pretty much out. Even a 3 month free one takes time!!! Of course you could use the one generated, but... that stupid RED warning!
Also, it is easy to create and save certs in ispConfig. Adding subjectAltname lines to the CSR seemed to mean manual work... and I hate work! I did not see any way to do that within ispConfig and I am never eager to make simple things more complex.
I was pretty happy when I realized that an SSL site connection would follow links on the same server. That makes it SO easy after you have a working, certified SSL cert installed. Just create the link! Nothing to edit, and it seems to work exactly like a site installed SSL cert, except for the URL of course...
I am using this guide to setup a shared SSL certificate, but am having problems.
I was in the new secured site root directory, and used the command
ln -sf /var/www/web1/web web1
I then attempted to view the page by typing
SSL is enabled, but I am getting an error which states
403 Error- Forbidden!
The following error occurred:
You are not permitted to access the requested URL
Please contact the Webmaster with any queries
Anyone have any idea why? or how to rectify the issue?
My first question will be about your SSL cert. Does "https://secure.yourdomain.com" work?
Yes the SSL cert works.
It works when I type https://secure.mydomain.com
It also works when i type https://secure.mydomain.com/web1
but gives me a 403 Error - Forbidden...
I have a feeling it has something to do with ownership...or permissions
The symlinks that I create look like:
lrwxrwxrwx 1 root root 17 Nov 19 21:39 web1 -> /var/www/web1/web/
The symlinks that ISPConfig creates look like:
lrwxrwxrwx 1 apache web1 13 Nov 15 14:32 www.sample.com -> /var/www/web1/
Please make sure that symlinks are allowed in your Apache configuration.
It currently has an entry of
Options -Indexes FollowSymLinks MultiViews
I rewrote it it to
Options -Indexes MultiViews
Restarted httpd, attempted to goto the site, and I am still presented with the error.
Sorry about the post...I just figured it out...I made the change in the wrong virtual host...
|All times are GMT +2. The time now is 10:00.|
Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.