Just one SSL web site per IP address

Discussion in 'General' started by marko, Feb 25, 2012.

  1. marko

    marko New Member

    Hi,

    during my SSL certificates implementation, I have noticed this note in documentation:
    "note that you can have just one SSL web site per IP address"

    Doeas it really means, I can provide only for one customer SSL certificate?

    Thank you in advanced.
     
  2. kwickcut

    kwickcut Member

    yes on ssl per ip so if you have 5 sites wanting ssl u would need 5 ip for that server one ip per site and ssl cert


    kwick
     
  3. falko

    falko Super Moderator ISPConfig Developer

    We've implemented SNI in recent ISPConfig versions which means you can have multiple SSL vhosts per IP. Modern browsers support this:

    Browsers/clients with support for TLS server name indication:

    Opera 8.0 and later (the TLS 1.1 protocol must be enabled)
    Internet Explorer 7 or later (under Windows Vista and later only, not under Windows XP)
    Firefox 2.0 or later
    Curl 7.18.1 or later (when compiled against an SSL/TLS toolkit with SNI support)
    Chrome 6.0 or later (on all platforms - releases up to 5.0 only on specific OS versions)
    Safari 3.0 or later (under OS X 10.5.6 or later and under Windows Vista and later)

    You can test your own browser here: https://alice.sni.velox.ch/
     
  4. dynamind

    dynamind New Member

    SSL IP configuration question

    Hi falco,

    on the folder system/ip adresses, do I set external or internal Ip for the customers?
    What's the right way when I'm behind a router with a server and I have an internal IP on the webserver?
    Setting the 'wrong' IP can refuse apache2 from starting. On my fb-page I get the following error now:

    Fehler 501 (net::ERR_INSECURE_RESPONSE): Unbekannter Fehler.

    messing around with this SSL ; ) *uh*
    when I read the guide here I'd think it can be right only to set the internal IP http://www.ispc-wiki.org/ispconfig3-anleitung

    regards

    PS: I own the

    ISPConfig 3 Manual
    Version 1.2 for ISPConfig 3.0.3.3
    Author: Falko Timme <[email protected]>
    Last edited 05/04/2011

    but it's not explained here how to set it right

    UPDATED: set the internal IP, deleted & re-create the certificate and after a few minutes facebook accepted the certificate again.
    The problem is the fact that I'm the only 'client' who can create the certs due to the unique IP overlap, otherwise you'll see:

    [​IMG]

    Is it possible to fix the message sec_error_untrusted_issuer?

    Hm, now I found all domains redirected directly to my IP instead of the website folders, it's annoying : (
     
    Last edited: Feb 26, 2012
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    If you want to use SNI, enabele the checkbox "Enable SNI" under System > Server Config > Web and then use * for all websites and not the IP address.

    You need to get a officially signed ssl cert, e.g. from startssl.

    SNI is a feature of ISPConfig 3.0.4 and your manual is for ISPConfig 3.0.3.3.
     
  6. falko

    falko Super Moderator ISPConfig Developer

    You must always use IP addresses that you see in the output of
    Code:
    ifconfig
    . The system does not know other IPs.
     

Share This Page