I host a few domains on my webserver and one uses SSL. Back when I installed it, I created a private key and a CSR, sent the CSR to a certificate authority (Comodo), received the certificates and installed them together with Comodo's root & intermediate certificates. No problems there.
Now one of my customers wants me to host their small website on my server as well. They also need SSL. So I told them to get a certificate and they did. They sent me the certificate through email. Problem is, I only got 3 certificates. The public key certificate, and Comodo's root & intermediate certificate.
Aren't I supposed to get their private key as well? The one they used to request the certificate?
you need their private key to load the certificate in the server, yes. Otherwise there would be thousands of fake SSL identified sites for google and microsoft out there.
but you do realize it's impossible to serve multiple certs on the same port? unless you have multiple IP addresses, you need a SINGLE certificate containing BOTH of the domain names, stored in Subject Alternative Name attributes, (SAN's)
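A certificate authority only ever sees the CSR, so the private key the customer generated before requesting the certificate exists only on their side; a certificate arriving by itself cannot be installed. The script below is an added example (not code from the thread) that checks whether a key file and a certificate belong together, by extracting the public key from each and comparing them. The file names are hypothetical and the keys and self-signed certificate it uses are generated on the fly in a temporary directory; it needs the `openssl` command line tool. The alternative that avoids emailing private keys around is to generate the key on the hosting server, hand the customer only the CSR to get signed, and keep the key where the certificate will be used.

```shell
#!/bin/sh
# Added example (not from the thread): does this private key belong to this
# certificate? Compares the public key carried by each. File names are made up;
# the key material is throwaway and generated below.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Print the public key (PEM) derived from a private key file.
pubkey_of_key() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# Print the public key (PEM) embedded in an X.509 certificate.
pubkey_of_cert() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null
}

# Return 0 when key and certificate carry the same public key, 1 otherwise.
key_matches_cert() {
    key="$1"; cert="$2"
    [ "$(pubkey_of_key "$key")" = "$(pubkey_of_cert "$cert")" ]
}

# --- constructed sample material --------------------------------------------
# customer.key stands in for the key the customer generated before the CSR.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/customer.key" 2>/dev/null
# customer.crt stands in for the certificate the CA issued for that key
# (self-signed here only so the example runs offline).
openssl req -new -x509 -key "$WORK/customer.key" -subj "/CN=www.customer.example" \
    -days 1 -out "$WORK/customer.crt" 2>/dev/null
# other.key is an unrelated key, e.g. one generated on the hosting server.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/other.key" 2>/dev/null

if key_matches_cert "$WORK/customer.key" "$WORK/customer.crt"; then
    echo "customer.key matches customer.crt"
fi
if ! key_matches_cert "$WORK/other.key" "$WORK/customer.crt"; then
    echo "other.key does NOT match customer.crt: the issued cert is useless without the key it was requested with"
fi
```

Run it as `sh check_key.sh`; to check real files, call `key_matches_cert /path/to/site.key /path/to/site.crt` and look at the exit status. Comparing the full public key rather than a printed modulus also works for EC keys, where there is no modulus to compare.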
but you do realize it's impossible to serve multiple certs on the same port? unless you have multiple IP addresses, you need a SINGLE certificate containing BOTH of the domain names, stored in Subject Alternative Name attributes, (SAN's)
No, I wasn't aware of that. I thought that was handled by apache. Why wouldn't this work (in apache):
Because you perform the SSL handshake **BEFORE** you make an HTTP request. So there is no knowledge at all about what site you're going to ask for. The browser obviously knows what site you've asked for, but it's not asked the server for it yet at this point, so the first certificate available has to be served.
There are some HTTP extensions to permit this, but they are not at all standardised or implemented reliably yet.
Because you perform the SSL handshake **BEFORE** you make an HTTP request.
Ok, that makes sense.
In this case it's not really a problem since SSL on the other domain was for testing purposes only anyway, but it is something to keep in mind for next time.
I want to secure a few sites of my own all running on the same IP address. So I need a single certificate for them all, right? Also, would I be able to add domains to the certificate in the future? Or do I simply need to purchase a new certificate that contains all domains?
TBH I've rarely been involved in the actual purchase arrangements of the certificates, but you'd want one certificate with multiple SAN's. I don't *think* SAN's cost extra, (a wildcard cert, e.g. to cover *.domain.com would though) so a new cert for one site *should* cost (approx) the same as a replacement cert with another SAN. Note though that the client will get that cert and be able to see all of the FQDN's that that cert can support. If this goes between different commercial customers, this can be an issue.
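The multi-SAN certificate described in the two posts above starts with a CSR that lists every hostname. The script below is an added example, not something posted in the thread: it writes an OpenSSL request config with a SAN list, generates a key and CSR from it, and reads the requested names back out of the CSR. Hostnames (`www.example.test` and friends) and file names are made up, and it needs the `openssl` command line tool. Two points from the thread are visible in the output: every name is readable by anyone who receives the certificate, and since an issued certificate cannot be edited, adding a domain later means a new CSR and a reissued certificate.

```shell
#!/bin/sh
# Added example (not from the thread): one CSR requesting several hostnames as
# Subject Alternative Names. Hostnames and file names are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Write an OpenSSL request config. The first argument after the output file is
# the primary name (CN); it and every following argument become DNS SANs.
# Usage: write_san_config outfile primary_name alt1 alt2 ...
write_san_config() {
    out="$1"; cn="$2"; shift 2
    {
        printf '[req]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n\n'
        printf '[dn]\nCN = %s\n\n' "$cn"
        printf '[v3_req]\nsubjectAltName = @alt_names\n\n[alt_names]\n'
        i=1
        for name in "$cn" "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$out"
}

# Generate a private key and a CSR that carries the SANs from the config.
make_san_csr() {   # config keyfile csrfile
    cfg="$1"; key="$2"; csr="$3"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$key" 2>/dev/null
    openssl req -new -key "$key" -config "$cfg" -out "$csr" 2>/dev/null
}

# Print the DNS SANs a CSR asks for, one per line. These are exactly the names
# the CA will put in the certificate and every connecting client will see.
csr_sans() {
    openssl req -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | tail -n1 \
        | tr ',' '\n' \
        | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# Number of DNS SANs in a CSR.
csr_san_count() {
    csr_sans "$1" | grep -c .
}

write_san_config "$WORK/san.cnf" www.example.test shop.example.test blog.example.test
make_san_csr "$WORK/san.cnf" "$WORK/site.key" "$WORK/site.csr"
echo "Names requested in site.csr:"
csr_sans "$WORK/site.csr"
```

The generated `san.cnf` is the part you would keep in version control: to add a domain, append a `DNS.n` line, re-run `make_san_csr` with the existing key, and submit the new CSR for reissue. Check the CSR with `csr_sans` before sending it, because the CA will issue exactly what it says.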
There is a way to host multiple sites SSL enabled on nginx with a single IP. I know that you are using Apache now for your hosting needs, but figured I would throw that option out there.
There is a way to host multiple sites SSL enabled on nginx with a single IP. I know that you are using Apache now for your hosting needs, but figured I would throw that option out there.
no, it's not Apache, it's SSL. When a browser is asked to connect to an https site, the very very first thing it does is an SSL handshake; it has no way of even knowing what kind of server it's talking to. It could be an HTTP server, could be NNTPS, could be FTPS, SMTPS, anything, let alone what the server is specifically.
We have been employing SNI for the customers that we have to preserve IP space. It works for us pretty well. Problem is sometimes you get someone that is not using an up to date browser/OS.
I believe there's an apache module that can handle this. The way we are doing it is with a Citrix NetScaler front-ending the web servers. We use a Comodo Multi-Domain certificate for it with something like 15 domains on it.
I believe there's an apache module that can handle this. The way we are doing it is with a Citrix NetScaler front-ending the web servers. We use a Comodo Multi-Domain certificate for it with something like 15 domains on it.
booo, NetScaler suxxxxx, BigIP 4eva!
Yeah the wikipedia article says mod_ssl can handle it in very recent builds of the module.
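The mechanism the last few posts refer to is Server Name Indication (SNI): the client puts the hostname it wants into the very first TLS message (the ClientHello), before any HTTP is sent, so a server with one IP address and one port can pick the right certificate during the handshake. The script below is an added example, not from the thread or from any of the products it mentions: it uses OpenSSL's built-in test server, which can hold two certificates and switch to the second one when the client's SNI name matches, then connects with different SNI names and prints which certificate came back. The hostnames (`www.alpha.test`, `www.beta.test`), the port (44371) and the file names are made up; it needs the `openssl` tool and the ability to listen on localhost.

```shell
#!/bin/sh
# Added example (not from the thread): two certificates behind ONE address and
# port, chosen by the hostname the client sends in the TLS ClientHello (SNI).
# Hostnames, port and file names are made up; keys/certs are throwaway.
set -e

WORK=$(mktemp -d)
SNI_PORT=${SNI_PORT:-44371}
SERVER_PID=""
cleanup() { [ -n "$SERVER_PID" ] && kill "$SERVER_PID" 2>/dev/null; rm -rf "$WORK"; }
trap cleanup EXIT

# Make a throwaway key and self-signed certificate for one hostname.
make_selfsigned() {   # hostname keyfile certfile
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$2" -out "$3" \
        -subj "/CN=$1" -days 1 2>/dev/null
}

# Start one TLS listener holding two certificates: A is the default, B is
# served only when the client's SNI name equals B's hostname.
start_sni_server() {   # port keyA certA keyB certB hostB
    openssl s_server -accept "$1" -cert "$3" -key "$2" \
        -cert2 "$5" -key2 "$4" -servername "$6" -quiet >/dev/null 2>&1 &
    SERVER_PID=$!
    sleep 1   # give the listener a moment to come up
}

# Connect with a given SNI name and print the CN of the certificate served.
# This is what a browser does: the name goes out before any HTTP request.
served_cn() {   # port sni_name
    echo | openssl s_client -connect "127.0.0.1:$1" -servername "$2" 2>/dev/null \
        | openssl x509 -noout -subject 2>/dev/null \
        | sed 's/.*CN *= *//'
}

make_selfsigned www.alpha.test "$WORK/a.key" "$WORK/a.crt"
make_selfsigned www.beta.test  "$WORK/b.key" "$WORK/b.crt"
start_sni_server "$SNI_PORT" "$WORK/a.key" "$WORK/a.crt" \
                 "$WORK/b.key" "$WORK/b.crt" www.beta.test

echo "SNI=www.alpha.test -> cert for $(served_cn "$SNI_PORT" www.alpha.test)"
echo "SNI=www.beta.test  -> cert for $(served_cn "$SNI_PORT" www.beta.test)"
echo "SNI=unknown.test   -> cert for $(served_cn "$SNI_PORT" unknown.test)"
```

The third line shows the caveat raised above about old clients: a client that sends no SNI name, or an unknown one, gets the default certificate, which will then fail hostname validation for every site but the default one. The same `openssl s_client -servername` call is a quick way to check what certificate a real SNI-enabled web server hands out for each of its names.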