SSL/SNI for Vhosts

Discussion in 'General' started by maxosystem, Oct 18, 2013.

  1. maxosystem

    maxosystem New Member


    We have a ispconfig3 server with several domains. Until now, nobody had ssl certificates (except for us for the admin interface).

    We set up SSL for a customer, put the crt, key and ca-bundle contents on the SSL page for their site. So far so good.

    The problem, which I'm not sure it's a bug, is that their certificate is exposed for all other virtual hosts.

    How can I prevent this.. or at least expose our certificate, not the customer one, when they visit
    Shouldn't SNI (the ability to use SSL for virtualhosts) handle this?

  2. till

    till Super Moderator Staff Member ISPConfig Developer

    SNI can handle this only when all vhosts on that IP have ssl enabled. if one vhost has no ssl enabled and you access the domain by https, then the first vhost in alphabetical order is shown instead.
  3. maxosystem

    maxosystem New Member

    Hi. Thanks for the reply.

    What I ended up doing was to create a default virtualhost for *:443, in 000-default.conf, cloning the *:80 version and adding these lines:

    <IfModule mod_ssl.c>
      SSLEngine on
      SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
      SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
      SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle

    That way, any site which has not specific ssl config will receive our certificate, instead of our customer's.


Share This Page