SSL for virtual hosts on one certificate

Discussion in 'Tips/Tricks/Mods' started by rbartz, Jun 6, 2007.

  1. rbartz

    rbartz Member HowtoForge Supporter

    What this WILL do is give you a way to provide an error free secure SSL connection for one to many virtual hosts that do not have their own IP addresses using ONE certificate that uses ONE IP address.

    For example and and and and...

    What this WILL NOT do is to give you a way to use more than one certificate on one IP address. It will not let you hide the real certificate domain either.

    The upside is you can provide SSL for several domains with one IP and one SSL certificate. The downside is that the certificate is in ONE domain name using what looks like sub-directories but are actually simple links....

    On our servers, we have several small hosted accounts that need SSL for a form or for a few sales a month. Using an IP address for each one, plus buying certificates, is more than they really want or need. However, they do need SSL for simple things. What we needed was a way to use a "server-wide" SSL certificate that would be easy and work well without certificate errors... and we wanted the certificate to work properly on all the virtual hosted sites with NO red warnings in the browser location bar!

    Here are the steps we used:

    Assumptions: You are running Linux and the virtual hosts are stored in /var/www. I do not know anything about doing this on Windows. Finally, you have root access to your server.

    1. Choose the name you will use for the certificate. We wanted our little sites to at least have some semblance of credibility, so we just added secure to the host server's main domain name. If the server domain was we wanted "" to be on the certificate AND IN THE URLs.

    So we changed the "hostname" on the basis page from www to secure, then added back the www in co-domains tab. Finally, go to DNS Manager and add "secure" as a hostname on the advanced tab for your domain.

    If you are creating a new secure host site specifically for this, then register the site and then create it WITH SSL on your server. You might like something like "", but any domain will work. If you use "secure" for the hostname in the basis tab, then be sure to add the www (if you want www) to work in co-domains tab. Check to be sure that all your hostnames are in your DNS setup.

    2. Create a cetificate in the domain's SSL tab using legitimate info, since you will use the request to get a genuine certified certificate. The ispConfig generated certificate request will be in whatever full domain name you used in the "hostname" + "domain" on the basis page.... that is why I changed the www to secure!

    3. Assuming that your domain resolves, check to make sure that "" works. You will get the usual errors about the certificate not being trusted, which will disappear when you get a genuine certified SSL certificate from wherever. Make sure the certificate info shows your secure domain name... as in ""...

    4. Go to the web directory for your secure host domain. Something like /var/www/web1/web. Create a link to some website you want to use the SSL cert on... You will need to know the root directory for the domain you want to use the SSL cert for. If the hosted domain is then can you must find the root directory for joesplace... something like /var/www/web12. Just look in /var/www or your virtual domains root. It should show you a list of links to all the webs. We will say your host domain is in web1 and is in web12

    You HAVE to be root to do this...-> and you MUST be in your secure host sites web root directory!

    The link creation will be like this:

    ln -sf /var/www/web12/web joesplace

    (yes, I think "" would work just as well)

    5. Now you can use "" to open with your host SSL cert... Try it.... If it opens joesplace and the only SSL error you get is the certification path, then you can order your genuine SSL certificate with confidence all will work well later.

    When you receive and your real, genuine, certified SSL certificate, the browser will no longer object to certification path errors or domain name errors if you did everything right. GREEN locations are GREAT...!

    Conclusion: That is what we did to better serve our small clients with simple SSL needs. Now we simply create a new link in our secure domain web root for each site that we need simple SSL on, and advise our clients to tell people that they are using a shared secure server certificate provided by their host.

    We run some sites on leased Linux servers with Fedora Core 3 or 4 that are setup with "The Perfect Setup" guides. Our ispConfig has always installed and upgraded without fault, and we have made very few changes from the standard setups and software versions.

    Hoping this helps others,

  2. chuckl

    chuckl New Member

    Useful compilation RDB, thanks for that.
    It's also possible to use one cert with one IP and multiple Vhosts by using the server name as the CN, and subjectAltname defines in the certificate signing request, where each define is for one of the vhost sites.
    CN -
    subjectAltname1 -
    subjectAltname2 -

    etc etc
    Not very practical if one is adding and removing sites on a daily basis, but it does work
  3. rbartz

    rbartz Member HowtoForge Supporter

    I looked at reverse proxying first, however, we needed something we could change often without getting a new certificate.

    As soon as I that adding a new domain would require a new certificate, well that ruled it pretty much out. Even a 3 month free one takes time!!! Of course you could use the one generated, but... that stupid RED warning!

    Also, it is easy to create and save certs in ispConfig. Adding subjectAltname lines to the CSR seemed to mean manual work... and I hate work! I did not see any way to do that within ispConfig and I am never eager to make simple things more complex.

    I was pretty happy when I realized that an SSL site connection would follow links on the same server. That makes it SO easy after you have a working, certified SSL cert installed. Just create the link! Nothing to edit, and it seems to work exactly like a site installed SSL cert, except for the URL of course...


  4. d31373

    d31373 New Member

    I am using this guide to setup a shared SSL certificate, but am having problems.
    I was in the new secured site root directory, and used the command
    ln -sf /var/www/web1/web web1

    I then attempted to view the page by typing
    SSL is enabled, but I am getting an error which states

    403 Error- Forbidden!

    The following error occurred:

    You are not permitted to access the requested URL
    Please contact the Webmaster with any queries

    Anyone have any idea why? or how to rectify the issue?
  5. rbartz

    rbartz Member HowtoForge Supporter

    My first question will be about your SSL cert. Does "" work?
  6. d31373

    d31373 New Member

    Yes the SSL cert works.
    It works when I type
    It also works when i type
    but gives me a 403 Error - Forbidden...

    I have a feeling it has something to do with ownership...or permissions

    The symlinks that I create look like:
    lrwxrwxrwx 1 root root 17 Nov 19 21:39 web1 -> /var/www/web1/web/

    The symlinks that ISPConfig creates look like:
    lrwxrwxrwx 1 apache web1 13 Nov 15 14:32 -> /var/www/web1/
  7. falko

    falko Super Moderator ISPConfig Developer

    Please make sure that symlinks are allowed in your Apache configuration.

    Options +FollowSymLinks
  8. d31373

    d31373 New Member

    It currently has an entry of
    Options -Indexes FollowSymLinks MultiViews
    I rewrote it it to
    Options -Indexes MultiViews
    Options +FollowSymLinks

    Restarted httpd, attempted to goto the site, and I am still presented with the error.
  9. d31373

    d31373 New Member

    Sorry about the post...I just figured it out...I made the change in the wrong virtual host...
    Thanks falko!

Share This Page