I'm working with a WordPress multi-site network that has various top-level domain names. We're currently serving them all up with one virtual host:

<VirtualHost *:80>
        ServerName example.com
        ServerAlias *
        DocumentRoot /var/www/html/example.com/public
</VirtualHost>

With Let's Encrypt coming later this year, we'd like to offer free HTTPS to our customers. Using this service, we'd be able to automatically get a cert for each domain. I'd like to be able to configure Apache to look in a specific folder for the certificates so that our automated script doesn't need to change the Apache config when adding a new cert.

<VirtualHost *:443>
    DocumentRoot /var/www/html/example.com/public
    ServerName example.com
    ServerAlias *

    SSLEngine on

    # This line should find the cert that corresponds to the requested domain
    SSLCertificateFile /etc/pki/tls/certs/*.crt

    SSLCertificateKeyFile /etc/pki/tls/private/example_com.key
    SSLCertificateChainFile /etc/pki/tls/certs/example_com.ca-bundle
</VirtualHost>

Can Apache be configured to pick the right certificate for the requested domain without needing separate virtual hosts or config changes for each one?

We're open to switching Apache versions or installing a well-known Apache module if needed.

Joshua Dwire

1 Answer

I can't vouch for the security of such a system, as it will depend on a combination of the security of your server and automated script in addition to a secure Apache configuration, but it isn't beyond the realm of possibility that one could be deployed.

You do need to configure separate virtual hosts with Server Name Indication (SNI). You should have a default virtual host set up as a catch-all, and to set the Protocol support (currently only the Protocols set in the default virtual host are used for the entire site). Other virtual hosts may be set up in separate config files, with separate private keys and certificates, perhaps on a per-directory basis. If you are on a Unix server you might be able to use a single directory containing soft links to the configuration files to help Apache find them. You'll need to pay special attention to file permissions and directory structure.

Parker
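A sketch of the per-domain approach the answer describes, added here as an example and not part of the original question or answer: the automation writes one SNI virtual host file per domain into a directory that the main Apache 2.4 config loads with a single `IncludeOptional` line, so the main config never changes. The `<domain>.crt` (full chain) and `<domain>.key` naming, the function names and the config directory are assumptions; the certificate, key and document root paths are the ones from the question.

```python
import os
import re
import stat
import tempfile

# Assumed layout: <domain>.crt (full chain) and <domain>.key in the question's directories.
CERT_DIR = "/etc/pki/tls/certs"
KEY_DIR = "/etc/pki/tls/private"
DOCROOT = "/var/www/html/example.com/public"

# The name is written into Apache config, so accept only plain hostnames:
# no wildcards, whitespace, newlines or path characters.
HOSTNAME_RE = re.compile(r"([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")


def render_vhost(domain):
    """Return the text of an SNI virtual host for one validated domain."""
    domain = domain.lower()
    if len(domain) > 253 or not HOSTNAME_RE.fullmatch(domain):
        raise ValueError("refusing to write config for %r" % domain)
    return (
        "<VirtualHost *:443>\n"
        "    ServerName %s\n"
        "    DocumentRoot %s\n"
        "    SSLEngine on\n"
        "    SSLCertificateFile %s/%s.crt\n"
        "    SSLCertificateKeyFile %s/%s.key\n"
        "</VirtualHost>\n"
    ) % (domain, DOCROOT, CERT_DIR, domain, KEY_DIR, domain)


def key_is_private(path):
    """True only if the key is a regular file with no group/other access."""
    st = os.lstat(path)  # lstat: a symlinked key is rejected, not followed
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


def write_vhost(domain, conf_dir):
    """Atomically write <conf_dir>/<domain>.conf and return its path."""
    text = render_vhost(domain)
    # The .tmp suffix keeps a half-written file out of a *.conf include glob.
    fd, tmp = tempfile.mkstemp(dir=conf_dir, suffix=".tmp")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(tmp, 0o644)
    dest = os.path.join(conf_dir, domain.lower() + ".conf")
    os.replace(tmp, dest)
    return dest
```

After writing a file, run `apachectl configtest` before `apachectl graceful` so a bad file never takes the running server down, and call `key_is_private` on each key before the vhost that references it goes live.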