HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


marko 25th February 2012 01:36

Just one SSL web site per IP address
 
Hi,

During my SSL certificate implementation, I noticed this note in the documentation:
"note that you can have just one SSL web site per IP address"

Does it really mean I can provide an SSL certificate for only one customer?

Thank you in advance.

kwickcut 25th February 2012 02:12

Yes, one SSL per IP, so if you have 5 sites wanting SSL you would need 5 IPs for that server: one IP per site and SSL cert.


kwick

falko 25th February 2012 11:34

We've implemented SNI in recent ISPConfig versions which means you can have multiple SSL vhosts per IP. Modern browsers support this:

Browsers/clients with support for TLS server name indication:

Opera 8.0 and later (the TLS 1.1 protocol must be enabled)
Internet Explorer 7 or later (under Windows Vista and later only, not under Windows XP)
Firefox 2.0 or later
Curl 7.18.1 or later (when compiled against an SSL/TLS toolkit with SNI support)
Chrome 6.0 or later (on all platforms - releases up to 5.0 only on specific OS versions)
Safari 3.0 or later (under OS X 10.5.6 or later and under Windows Vista and later)

You can test your own browser here: https://alice.sni.velox.ch/

dynamind 26th February 2012 17:07

SSL IP configuration question
 
Hi falko,

In the folder System/IP addresses, do I set the external or internal IP for the customers?
What's the right way when I'm behind a router with a server and I have an internal IP on the webserver?
Setting the 'wrong' IP can prevent apache2 from starting. On my fb-page I get the following error now:

Fehler 501 (net::ERR_INSECURE_RESPONSE): Unbekannter Fehler.

messing around with this SSL ; ) *uh*
When I read the guide here I'd think it can be right only to set the internal IP: http://www.ispc-wiki.org/ispconfig3-anleitung

regards

PS: I own the

ISPConfig 3 Manual
Version 1.2 for ISPConfig 3.0.3.3
Author: Falko Timme <youknow@yourmailadress.c0m>
Last edited 05/04/2011

but it's not explained here how to set it right

UPDATED: set the internal IP, deleted & re-created the certificate and after a few minutes facebook accepted the certificate again.
The problem is the fact that I'm the only 'client' who can create the certs due to the unique IP overlap, otherwise you'll see:

http://img864.imageshack.us/img864/3424/ipadress.jpg

Is it possible to fix the message sec_error_untrusted_issuer?

Hm, now I found all domains redirected directly to my IP instead of the website folders, it's annoying : (

till 27th February 2012 09:43

Quote:

UPDATED: set the internal IP, deleted & re-created the certificate and after a few minutes facebook accepted the certificate again.
The problem is the fact that I'm the only 'client' who can create the certs due to the unique IP overlap, otherwise you'll see:

If you want to use SNI, enable the checkbox "Enable SNI" under System > Server Config > Web and then use * for all websites and not the IP address.

Quote:

Is it possible to fix the message sec_error_untrusted_issuer?

You need to get an officially signed SSL cert, e.g. from StartSSL.

Quote:

but it's not explained here how to set it right

SNI is a feature of ISPConfig 3.0.4 and your manual is for ISPConfig 3.0.3.3.

falko 27th February 2012 17:30

Quote:

Originally Posted by dynamind (Post 274310)
In the folder System/IP addresses, do I set the external or internal IP for the customers?
What's the right way when I'm behind a router with a server and I have an internal IP on the webserver?

You must always use IP addresses that you see in the output of

Code:

ifconfig

The system does not know other IPs.


All times are GMT +2.