
Can I set multiple SSL certificates for virtual hosts using Lighttpd web server?

I have several webshops on my server (each webshop has its own domain) and I need to set up an SSL certificate for each of them.

Thanks, Patrick

aneuryzm

2 Answers


Using SNI is the way to do it. Here is a quick example:

$HTTP["host"] == "www.domain1.com" {
     # per-host document root and logs (accesslog.* needs mod_accesslog loaded)
     server.document-root = "/home/www/domain1.com/public"
     server.errorlog = "/var/log/lighttpd/domain1.com/error.log"
     accesslog.filename = "/var/log/lighttpd/domain1.com/access.log"

     server.error-handler-404 = "/index.php"

     # certificate served when the client's SNI name is www.domain1.com;
     # ssl.engine = "enable" and a default ssl.pemfile must be set on the
     # $SERVER["socket"] == ":443" block for this per-host override to apply
     ssl.pemfile = "/etc/lighttpd/certs/www.domain1.com.pem"
}

and if you want to add another domain with its own SSL,

$HTTP["host"] == "www.domain2.com" {
         # same layout as the first host, under its own paths
         server.document-root = "/home/www/domain2.com/public"
         server.errorlog = "/var/log/lighttpd/domain2.com/error.log"
         accesslog.filename = "/var/log/lighttpd/domain2.com/access.log"

         server.error-handler-404 = "/index.php"

         # certificate served when the client's SNI name is www.domain2.com
         ssl.pemfile = "/etc/lighttpd/certs/www.domain2.com.pem"
}

Keep in mind that not all browsers support this.

fuero
  • As of March 2020, 99% of users are on browsers that support SNI. (source: [caniuse.com](https://caniuse.com/#feat=sni)) – ki9 Mar 20 '20 at 22:58

Please look at Lighttpd SNI: Server Name Indication has been supported by Lighttpd since 1.4.24, which allows more than one vhost per IP for SSL, as pointed out by jae. Browser support is limited, though (IE on XP, for example).

Old answer: You can only set up one SSL certificate per IP/port pair that you use. If you have one IP address and multiple virtual hosts on that IP address, it will not work unless you get a SAN certificate with all the virtual hosts/domains contained in it. This will get expensive.

The reason for this limitation is that the web server needs to decrypt the SSL request to see which host the client is trying to access. This will be done using the SSL cert bound to that port. The client will then get a different certificate, which will not match the host/domain the client is expecting.

This will cause all sorts of security warnings on the client side.

Michael Hampton
Francois Wolmarans
  • @Francois Wolmarans So this means it is not possible to have more than one webshop on the same server? – aneuryzm Nov 10 '10 at 10:37
  • Or should I maybe assign a different port to each webshop (redirecting the customer to that port)? – aneuryzm Nov 10 '10 at 10:40
  • @Patrick To be clear, you can use unique IPs and/or unique ports; in the case of a "webshop", as you put it, you would be better off using unique IPs. – Oneiroi Nov 10 '10 at 10:43
  • @Oneiroi OK, thanks, so how should I proceed? Should I check if my hosting service provides unique IPs for a single VPS? (Is that correct?) Or should I use different ports for each webshop? – aneuryzm Nov 10 '10 at 10:51
  • @Patrick I am sure your web host would provide more IP addresses to your VPS for a nominal fee; in fact, I'd go so far as to say they could also help support you in the deployment of your SSL. Send an email to their support address. – Oneiroi Nov 10 '10 at 10:56
  • @Patrick I agree with Oneiroi; you will probably run into all sorts of errors if you start using non-standard ports. A lot of corporates limit the port ranges their staff can access. Try for the multiple IP address option. – Francois Wolmarans Nov 10 '10 at 15:46
  • Wrong answer: there's a widely supported extension to SSL that does support SSL with named-based virtual hosting. It's called SNI (Server Name Identification) and lighttpd supports it. Oh, and I used it on lighttpd in early 2010 already! – Jürgen A. Erhard Jan 25 '11 at 11:20