My situation:

  • We have two servers, Server A and Server B.
  • Server A has a proxy configured, which serves data (over SSL) from Server B.
  • Server B is reachable via 1.1.1.1 (one.server.example.com) and 2.2.2.2 (two.server.example.com). Server A decides which connection it should use to connect (failover).
  • Apache on Server B is configured with a virtual host server.example.com and has two aliases, one.server.example.com and two.server.example.com.

I'd like to know if I have to buy two SSL certs (because we're connecting to both one.server.example.com and two.server.example.com), or if one will suffice because one.server.example.com and two.server.example.com are just aliases of server.example.com.

Also, if this is not the 'recommended' way to set up such things, please let me know. Never did this before.

Asked by Bjorn, edited by Xavier Lucas.

2 Answers

There are a few ways to get around this:

  1. Get a wildcard certificate: This allows any number of primary subdomains; however, this can be slightly pricey.

  2. ALT names on the certificate: Alternative names on certificates are usually a cheaper option that allows you to specify the domains/subdomains allowed to use the cert.

  3. If this is a backend-only (non-public-facing) service on Server B, you could be your own certification authority and set appropriate certification trust on Server A. This is pretty much free but requires a bit more work.

– adalal

  • In the end I went with the `SubjectAltName` option as it has the least impact on our infrastructure. Things like VRRP as suggested by @Xavier below would be nice, but it requires (at least) two routers to be installed. That's not the case right now in our setup. – Bjorn Nov 15 '14 at 15:47
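As an added example (not code from either answer), a small hostname matcher that shows which of the certificate options above actually covers both backend names Server A connects to; the SAN lists and hostnames below are constructed sample data, and the matching rules follow RFC 6125 section 6.4.3 (a wildcard is only valid as the whole left-most label and matches exactly one label).

```python
"""Check whether a certificate's SubjectAltName dNSName entries cover the
hostnames a proxy connects to. Sample SAN lists below are constructed."""

from typing import Iterable, List


def _pattern_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName pattern against one hostname (RFC 6125 rules)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire left-most label and must not be the only
    # label ("*" alone or "o*.example.com" are rejected).
    if p_labels[0] != "*" or len(p_labels) < 2 or "*" in pattern[1:]:
        return False
    # "*" stands in for exactly one label, so label counts must be equal:
    # "*.example.com" covers server.example.com but NOT one.server.example.com.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(san_dns_names: Iterable[str], hostname: str) -> bool:
    """True if any SAN entry on the certificate covers the hostname."""
    return any(_pattern_matches(p, hostname) for p in san_dns_names)


def uncovered_hosts(san_dns_names: Iterable[str], hostnames: Iterable[str]) -> List[str]:
    """Return the backend names a single certificate would fail to cover."""
    sans = list(san_dns_names)
    return [h for h in hostnames if not cert_covers(sans, h)]


# The two names Server A connects to (from the question).
BACKENDS = ["one.server.example.com", "two.server.example.com"]

# Option 2 from the answer: one cert carrying all three names as SAN entries.
SAN_CERT = ["server.example.com", "one.server.example.com", "two.server.example.com"]
# Option 1: wildcard certs. Only the deeper wildcard covers the backend names.
WILDCARD_TOP = ["*.example.com"]         # constructed: covers server.example.com only
WILDCARD_SUB = ["*.server.example.com"]  # constructed: covers both backends

if __name__ == "__main__":
    for label, sans in [("SAN cert", SAN_CERT), ("*.example.com", WILDCARD_TOP),
                        ("*.server.example.com", WILDCARD_SUB)]:
        print(f"{label}: uncovered backends = {uncovered_hosts(sans, BACKENDS)}")
```

Running it shows that the SAN certificate and `*.server.example.com` leave no backend uncovered, while `*.example.com` covers neither backend name, so a wildcard bought one level too high would fail peer-name verification on Server A.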
It seems you are implementing failover the wrong way. Here you are simply using two IPs on the same server and pointing two domain names to it. If Server B goes down, where's the redundancy?

Take a look at router bridging and VRRP implementations like keepalived.

After that, if you want to host multiple domain names on the same IP using VRRP behind the scenes, the decision comes from the connectivity support on the client side: does it support the TLS SNI extension, does it support the X509 extension SubjAltName or not. The most generic solution is to use a wildcard certificate, of course.

– Xavier Lucas

  • Re: redundancy, `Server B` is located at our office, while `Server A` is colocated. IP 1.1.1.1 is routed via our Cable connection, while 2.2.2.2 is routed via our DSL connection. But you're right that the actual server is not redundant. – Bjorn Nov 15 '14 at 13:40
  • @Bjorn Yup, then you have the perfect case for DNS load balancing and VRRP behind router bridging. With this you will have a redundant connection and redundant service on the same domain name. – Xavier Lucas Nov 15 '14 at 13:51