tags:

views:

146

answers:

2
+1  Q: 

How to use on the same Apache2 Server 2 differents Certificates using VirtualHost ?

Hello,

I get a certificate from Gandi for a domain www.mondomaine.fr But for sql.mondomaine.fr I wanted to use a Self-Signed SSL certificate.

If I active sql.mondomaine.fr, the www.mondomaine.fr is using the self-signed certificate instead of the Gandiś one.

If I desactivate the sql. everything works fine.

How can I manage the use of different certificate ?

It seams that the first VirtualHost configuration is taking for every SSL VirtualHost.

Thank you for your help.

Here is my configuration :

For PHPMyAdmin :

<VirtualHost *:443>
    # Chemin vers les données web
    DocumentRoot /usr/share/phpmyadmin

    ServerName sql.mondomaine.fr

    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/phpmyadmin.pem
</VirtualHost>

For mondomaine.fr

<VirtualHost *:443>
    ServerName www.mondomaine.fr
    DocumentRoot /var/www/mondomaine/
    CustomLog /var/log/apache2/secure_access.log combined

    SSLEngine on
    SSLCertificateFile /etc/ssl/mondomaine.fr.crt
    SSLCertificateKeyFile /etc/ssl/mondomaine.fr.key
    SSLCACertificateFile /etc/ssl/GandiStandardSSLCA.pem
    SSLVerifyClient None
</VirtualHost>

The configuration is correct because if the first VirtualHost read is PHPMyAdmin.pem ModSSL use this one and if it is mondomaine.fr.crt the first VirtualHost, Apache use this one.

A: 

Its depens how you created your certificate. if you bought it only for the www subdomain wont work for sql. what you need to do is make it to allow any subdomain, but afaik those certificates are more expensive.

In the other hand you can use your own ceritificate, you only need to sure about what are you putting when you create your virtutalhost

<virtualhost XXX.XXX.XXX.XXX:443>
 serverName www.mondomaine.fr
 # Gandiś ceritificate
</virtualhost>

<virtualhost XXX.XXX.XXX.XXX:443>
 serverName sql.mondomaine.fr
 # your own certificate stuff
</virtualhost>
Gabriel Sosa  2009-10-10 16:00:09
It is exactly what I did but it doesn't work.
Natim  2009-10-10 16:03:01
+2  A: 

You're running up against a general problem with HTTP over SSL - when a client connects, it specifies which host it wants to connect to using the Host: HTTP header, but that only comes after the SSL handshake (when the certificate is presented) has completed. Recent versions of TLS support extensions (specified in RFC 4366) which allow the client to specify what host it is intending to connect to during the SSL handshake, with the specific intent of supporting vhosts; to quote the RFC:

""" TLS does not provide a mechanism for a client to tell a server the name of the server it is contacting. It may be desirable for clients to provide this information to facilitate secure connections to servers that host multiple 'virtual' servers at a single underlying network address. """

According to Wikipedia, recent versions of Firefox, Opera, IE, Chrome, and Safari support this extension; other clients would still not send the extension, and you're out of luck there. You also have to use at least TLS 1.1 to enable extensions support.

There is some documentation on how to set this up with Apache; you may have to rebuild OpenSSL and/or Apache with specific options, depending on your local setup.

Jack Lloyd  2009-10-10 16:10:56
OMG !! It means that if you have two website on the same server, you cannot have one file for each of them ? Is it possible to concatenate many pem file in the same to send everything during the ssl handshake to let the browser choose the one ?
Natim  2009-10-10 16:17:01
No; the SSL handshake only supports sending a single certificate regardless. However the SNI extension allows the server to figure out which one the client expects to get; otherwise, as you noticed, Apache will just always use the first certificate you set in the config file, because without SNI it has no way to figure it out at the point when the SSL handshake starts.
Jack Lloyd  2009-10-10 16:29:32
We the SNI extension, it works well. Thank you.
Natim  2009-10-10 19:17:17

related questions

Why is access denied when installing SSL cert on IIS 5?
What does a PHP developer need to know about https / secure socket layer connections?
Am I turning away customers by disabling SSL 2.0 and PCT 1.0 in IIS5?
Coding Dojo with IE and SSL
Enforce SSL in code in an ashx handler
How to connect to PostgreSQL from .NET using TLS with both client and server authentication?
HELP SSL GURUs!!! ... Problems with SSL Connection
What's a clean/simple way to ensure the security of a page?
How to specify accepted certificates for Client Authentication in .NET SslStream
SharePoint stream file for preview
Problem with Oracle Application Server SSL Certificates
Is there a limit with the number of SSL connections?
Testing HTTPS files with MAMP
Cheapest SSL certificates
Limiting traffic to SSL version of page only
How do I support SSL Client Certificate authentication?
Why can't I connect to my CAS server with Perl's AuthCAS?
Is there a way to make Firefox ignore invalid ssl-certificates?
How do I create a self signed SSL certificate to use while testing a web app.
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
HTTPS in IIS 5.1
How do you redirect HTTPS to HTTP?
Debugging: IE6 + SSL + AJAX + post form = 404 error
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Options for Google Maps over SSL