3

I have 3 websites hosted on a single server, and only one of those websites is using SSL. I bought, configured and installed a GoDaddy certificate and it is working fine on all browsers (Chrome, FF, Safari, IE) except Opera, which is issuing a warning as described in my question. When I click on details, the hostname showing up is one of the other websites running on the server.

I've read some posts about it on here, especially about SNI, but can't really understand what I have to do and if this is easily fixable. I am running Debian Lenny with Apache2, everything up to date.

Nicolas

2 Answers

4

You need a dedicated IP on the website/domain you installed the SSL certificate to. So if for example you host 3 domains on your server, you can share one IP for your two vhosts that don't have an SSL certificate, but the vhost with the SSL certificate needs a second IP dedicated for this domain only. If in the future you add an SSL certificate to one of the other two domains, then you will need another IP etc.

Always remember that for SSL you need a dedicated IP per domain.

You should ask your hosting provider to assign an extra IP to your server, update your vhost configuration & DNS records for the SSL enabled domain, and you'll be fine.

George Tasioulis
  • Really? What if then I just set this IP up to be the SSL enabled website instead? – Nicolas Sep 26 '11 at 12:33
  • Yes that's no problem. Just get another IP and move the two other domains to the new IP + keep the SSL enabled on the old one. – George Tasioulis Sep 26 '11 at 12:56
  • I'm going for your first solution: I asked for another IP address, and I'll be moving the website to this new IP address in the next days. Thank you. – Nicolas Sep 26 '11 at 15:04
  • @GeorgeTasioulis `Always remember that for SSL you need a dedicated IP per domain.` - that statement at the very least has caveats that merit a mention. What about SNI? Or alternate name certificates? – Shane Madden Sep 26 '11 at 15:35
  • @ShaneMadden I was just explaining to the OP in simple terms how he can solve his problem in the easiest way. Of course SNI is a solution, but it has far too many incompatibilities (doesn't work on Windows XP & IE/Safari, Blackberries, Android, or Windows Mobile Internet Explorer) so I wouldn't recommend it. – George Tasioulis Sep 26 '11 at 16:05
3

There are ways to work around the 1:1 IP:host restriction.

The reason for the rule of thumb of 1 IP per SSL host is that the initial connection a browser makes to a webserver like Apache over SSL is encrypted. Because of this encryption, it is not possible for Apache to know which virtual host you would like to visit, because the Host: header is still encrypted at that point. Therefore, Apache will just serve up the certificate from the first SSL host in its virtual host configuration.

If you're doing public webhosting, it's pretty unlikely that the first SSL certificate named in the virtual host config is actually going to be the correct one in all cases, BUT if you are serving a limited number of hosts on an Apache instance you COULD add all of those hosts to a UCC (multi-host) certificate. In that case, the certificate will match all hosts, so you won't get the warnings.

I'm not sure if this is a suitable configuration in your case, but I run it in a few places where there are a very finite number of domains on a server and it works well.

jdw
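The two answers above describe the same symptom from two sides: a client that does not send the server name (SNI) gets the first SSL vhost's certificate, and a UCC certificate only helps if every hostname you serve is actually listed in it. The following is an added check script, not code from the original question or answers, that makes both points testable against your own server. `fetch_cert` does a handshake with and without SNI and returns the certificate Apache actually presented; `cert_matches_host` implements the subject alternative name / common name matching a browser performs (including single-label wildcards), so you can confirm that a UCC certificate covers all three of your hostnames before you rely on it. The hostnames `www.example.com`, `example.com` and `*.shop.example.net` in the embedded sample certificate are constructed for illustration and are not from the page.

```python
import socket
import ssl


def fetch_cert(host, port=443, use_sni=True, timeout=5.0):
    """Handshake with host:port and return the parsed leaf certificate dict.

    use_sni=False omits the TLS server_name extension, which is what a browser
    without SNI support does; a name-based Apache setup then answers with the
    certificate of its first (default) SSL vhost, exactly the mismatch the
    question describes.  Needs network access, so it is not exercised offline.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we do our own name matching below
    # verify_mode stays CERT_REQUIRED so that getpeercert() returns the parsed
    # dict (with CERT_NONE Python hands back an empty dict).
    with socket.create_connection((host, port), timeout=timeout) as sock:
        server_name = host if use_sni else None
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return tls.getpeercert()


def cert_names(cert):
    """Return the dNSName SAN entries, falling back to the subject CN
    only when the certificate carries no SAN at all (the browser rule)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def _name_matches(pattern, hostname):
    """Case-insensitive match; a wildcard is only honoured in the leftmost
    label and only matches exactly one label (RFC 6125 section 6.4.3)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        head, sep, rest = hostname.partition(".")
        return sep == "." and head != "" and rest == pattern[2:]
    return False


def cert_matches_host(cert, hostname):
    """True if the certificate is valid for hostname under browser rules."""
    return any(_name_matches(name, hostname) for name in cert_names(cert))


def check_vhost(host, port=443):
    """Report the names presented with and without SNI and whether they match.

    Returns {True: (names, matched), False: (names, matched)} keyed by use_sni.
    After a dedicated-IP fix both entries should match; after a UCC fix the
    no-SNI entry matches too because the default vhost's certificate now
    lists every hostname.
    """
    report = {}
    for use_sni in (True, False):
        cert = fetch_cert(host, port, use_sni)
        report[use_sni] = (cert_names(cert), cert_matches_host(cert, host))
    return report


# Constructed sample of what ssl.getpeercert() returns for a UCC certificate
# covering three names (not a real certificate).
SAMPLE_UCC_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "example.com"),
        ("DNS", "*.shop.example.net"),
    ),
}

# Constructed sample of an older single-name certificate without a SAN.
SAMPLE_CN_ONLY_CERT = {"subject": ((("commonName", "mail.example.com"),),)}


if __name__ == "__main__":
    import sys

    for use_sni, (names, ok) in check_vhost(sys.argv[1]).items():
        print("SNI" if use_sni else "no SNI", names, "OK" if ok else "MISMATCH")
```

Run it as `python check_sni.py www.yourdomain.example`; a server that needs the dedicated-IP fix shows the correct names with SNI and the other vhost's names without it. The matching helper deliberately refuses multi-label wildcards (`*.example.com` does not cover `a.b.example.com`) and ignores the CN when a SAN is present, because that is how current browsers evaluate the certificate.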