0

We have 2 websites and want to get an SSL certificate for both:

  1. www.example.de
  2. www.otherExample.eu

Both sites reside on the same server under different roots, each with its own config file. With certbot I got a certificate for each one of the sites:

    sudo certbot --apache -d www.example.de -d www.otherExample.eu

www.example.de works fine but www.otherExample.eu throws SSL-NO-CIPHER-OVERLAP-Error.

Related to this question: How to fix SSL_ERROR_NO_CYPHER_OVERLAP for 2 domains on apache with certbot

I am aware of the fact that the handshake happens before the addressed site is known (that is why I want to have one certificate for both sites): Multiple SSL websites on the same Apache server

First question: At this point isn't it possible to get one certificate for both sites?

Second question: Could it be that it isn't working because both sites have a different top-level domain name?

Final question: Is it generally possible to get two SSL-secured sites running on one server?

Please note: We have an SNI-Server that first gets the request and sends it to the webserver.

Zehke

1 Answer

1

> I am aware of the fact that the handshake happens before the addressed site is known

This is wrong. This is a long-solved problem, and the solution is that the client sends the request URL part (or at least the domain) BEFORE the protocol negotiation. This has been in place for - no idea, many, many years at least - because otherwise hosters would have to reserve one IP per SSL certificate.

This is what SNI does.

> First question: At this point isn't it possible to get one certificate for both sites?

It actually is. I suggest that instead of asking here you read the offers of certificate providers. SAN (Subject Alternative Names) are not something new.

> Please note: We have an SNI-Server that first gets the request and sends it to the webserver.

Well, if you DO have an SNI server, then - basically - it is either a broken config (which we cannot magically debug for you) or broken software - the SNI server should forward with SNI enabled, too.

TomTom
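One way to check both points raised in the answer above (a single SAN certificate covering both names, and SNI surviving the front-end server), as an added example that is not part of the original question or answer. The function names `san_covers`, `dns_sans` and `probe` are hypothetical, and the sample certificate dict is constructed.

```python
import socket
import ssl


def san_covers(dns_names, hostname):
    """True if hostname matches one of the certificate's DNS SAN entries."""
    host = hostname.lower().rstrip(".")
    for name in dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        # A wildcard is honoured only as the whole left-most label and
        # matches exactly one label: *.example.de covers www.example.de only.
        if name.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def dns_sans(peercert):
    """Extract DNS SAN entries from the dict returned by SSLSocket.getpeercert()."""
    return [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]


def probe(address, sni_name, port=443, timeout=5.0):
    """Handshake with `address`, sending `sni_name` as SNI; report what came back."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; the name is compared below
    try:
        with socket.create_connection((address, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni_name) as tls:
                sans = dns_sans(tls.getpeercert())
                return {"sni": sni_name, "sans": sans,
                        "covered": san_covers(sans, sni_name), "error": None}
    except OSError as exc:  # ssl.SSLError is a subclass: failed handshakes land here
        return {"sni": sni_name, "sans": [], "covered": False, "error": str(exc)}


if __name__ == "__main__":
    # Constructed sample: a getpeercert()-style dict for one certificate with both names.
    sample = {"subjectAltName": (("DNS", "www.example.de"), ("DNS", "www.otherexample.eu"))}
    for site in ("www.example.de", "www.otherExample.eu", "example.de"):
        print(site, san_covers(dns_sans(sample), site))
```

Calling `probe()` once per site name against the front-end address and once against the web server directly shows where a handshake fails or where a certificate lacking the requested name is served.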