[Ubuntu] Multiple SSL Web Sites On One IP Address With Apache (SNI)

How? Why? What?

To serve multiple SSL certificates from a single IP address we need to use SNI. Server Name Indication (SNI) is an extension to the SSL and TLS protocols that tells the server which hostname the client is attempting to connect to at the start of the handshake. This allows a server to present multiple certificates on the same IP address and port number, and hence allows multiple secure (HTTPS) websites to be served from the same IP address without requiring all of those sites to use the same certificate. It is the conceptual equivalent of HTTP/1.1 name-based virtual hosting for HTTPS.

For SNI to be practical, the vast majority of users must use web browsers that support it. Users whose browsers do not support SNI will be presented with the server's default certificate and are therefore likely to receive certificate warnings.

As of November 2012, the only major user bases whose browsers do not support SNI appear to be users of Internet Explorer 8 or below on Windows XP, versions of Java before 1.7 on any operating system, and the default browsers on some mobile devices.

mod_gnutls Method

Installing and Configuring

First we need to install mod_gnutls:

apt-get install libapache2-mod-gnutls

Now we need to disable mod_ssl if it is not already disabled (mod_ssl and mod_gnutls cannot both handle port 443):

a2dismod ssl

Now we enable mod_gnutls:

a2enmod gnutls

Enable Apache to listen on port 443 by editing ports.conf:

vi /etc/apache2/ports.conf

Make sure the following section is present in the ports.conf file:

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>


Comment out the following mod_ssl section, so that only mod_gnutls listens on port 443:

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    Listen 443
</IfModule>


Save and close the ports.conf file. Finally, we create an ssl.conf file at /etc/apache2/ssl.conf:

vi /etc/apache2/ssl.conf

Add the following vhost information, modifying the listed values (the placeholder address xx.yy.zz.kk, the domain names, certificate paths and document roots) as needed to reflect your actual setup. Each vhost carries its own certificate and key; mod_gnutls picks the vhost whose ServerName matches the SNI hostname sent by the client.

NameVirtualHost xx.yy.zz.kk:443

<VirtualHost xx.yy.zz.kk:443>
    ServerName secure.domain1.com:443
    GnuTLSEnable on
    GnuTLSCertificateFile /etc/apache2/ssl-certs/secure.domain1.com.crt
    GnuTLSKeyFile /etc/apache2/ssl-certs/secure.domain1.com.key
    GnuTLSPriorities NORMAL
    DocumentRoot /web/www1
</VirtualHost>

<VirtualHost xx.yy.zz.kk:443>
    ServerName secure.domain2.com:443
    GnuTLSEnable on
    GnuTLSCertificateFile /etc/apache2/ssl-certs/secure.domain2.com.crt
    GnuTLSKeyFile /etc/apache2/ssl-certs/secure.domain2.com.key
    GnuTLSPriorities NORMAL
    DocumentRoot /web/www2
</VirtualHost>


Now that the SSL vhosts are defined in the newly created ssl.conf file, add a line to your apache2.conf file to include it:

Include "/etc/apache2/ssl.conf"

Now that ssl.conf is included, make sure your .key and .crt files are in the locations referenced by the vhosts, then restart apache2:

/etc/init.d/apache2 restart
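After the restart, a check worth running: the script below (added here as an example, not part of the original article) connects once per hostname with openssl s_client -servername, compares the certificate CN it gets back with the name requested, and finally connects without SNI to show which default certificate pre-SNI clients receive. It assumes the placeholder address xx.yy.zz.kk from the vhost config (override with SERVER=...) and that each certificate's CN is exactly its hostname.

```shell
#!/bin/sh
# Added example (not from the original article): verify that each SNI name
# receives its own certificate, and show which certificate a client that
# sends no SNI gets (the "default certificate" pre-SNI clients see).
# SERVER defaults to the article's placeholder address; override it with
# SERVER=1.2.3.4 sh check-sni.sh host1 host2. Keep it an IP address:
# newer openssl versions send a DNS name given to -connect as SNI.

SERVER="${SERVER:-xx.yy.zz.kk}"

# Extract the subject CN from "openssl s_client" output read on stdin.
# Handles both "subject=CN = host" (newer openssl) and "subject=/CN=host".
cert_cn() {
    sed -n 's|^subject=.*CN *= *\([^,/]*\).*|\1|p' | head -n 1
}

# Certificate CN presented for one SNI name; an empty name sends no SNI.
presented_cn() {
    if [ -n "$1" ]; then
        openssl s_client -connect "$SERVER:443" -servername "$1" </dev/null 2>/dev/null | cert_cn
    else
        openssl s_client -connect "$SERVER:443" </dev/null 2>/dev/null | cert_cn
    fi
}

# For each hostname on the command line, compare the requested name with the
# CN actually presented (assumes the CN is exactly the hostname; a wildcard
# or SAN-only certificate needs a different comparison). Returns 1 on any
# mismatch so the check can run from cron or a deployment script.
check_sni() {
    status=0
    for name in "$@"; do
        got=$(presented_cn "$name")
        if [ "$got" = "$name" ]; then
            echo "OK       $name -> $got"
        else
            echo "MISMATCH $name -> ${got:-(no certificate)}"
            status=1
        fi
    done
    echo "no SNI   -> $(presented_cn "")  (what IE8/XP and Java < 1.7 clients get)"
    return $status
}

# Usage: sh check-sni.sh secure.domain1.com secure.domain2.com
if [ $# -gt 0 ]; then
    check_sni "$@"
fi
```

A MISMATCH on the no-SNI line is expected: that client simply gets the first vhost's certificate, which is the warning the article describes for older browsers.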
