Two domain names with SSL on one IP

, Max Ivak

If you have two different domain names with SSL certificates hosted on one server with one IP address then you will get a warning on the client. Warning is like this: SSL certificate is issued to another domain name. It means that it is not possible to have multiple https virtual hosts on apache web server using one IP address.

If you setup Apache’s VirtualHosts on port 443 on one IP you will get this warning while starting Apache:
[warn] _default_ VirtualHost overlap on port 443, the first has precedence

You can add this line:

NameVirtualHost *:443

This works for multiple domains on one IP on port 80: (in case of warning [warn] _default_ VirtualHost overlap on port 80, the first has precedence):
NameVirtualHost *:80

! BUT in case of port 443 this is not a solution. A client’s browser will still show a warning.

The solution is to get additional IP addresses. One web server can be assigned multiple IP addresses. Find an example how to configure VirtualHosts in Apache to have two domains with SSL below.

Some theory about SSL and connection with web server

HTTPS establishes an SSL connection with the server prior to any HTTP conversation. Since SSL requires a certificate which is linked to the server host name, and the virtual host name hasn’t been transmitted by the client yet, there’s no way short of ESP for the server to tell which SSL certificate to use. But this isn’t an apache server failing so much as a general issue with HTTP/SSL.

Virtual hosts with SSL on Apache web server

This example shows two domains with both 80 and 443 port that will work for http and https.

NameVirtualHost *:80
 
<VirtualHost *:80>
  ServerName site1.com
  ServerAlias www.site1.com
  ServerAdmin webmaster@site1.com
  DocumentRoot "/var/www/html/site1"
</VirtualHost>
 
<VirtualHost ip1:443>
  ServerName site1.com
  DocumentRoot "/var/www/html/site1"
 
  SSLEngine on
  SSLCertificateFile /path/to/cert/site1.com.crt
  SSLCertificateKeyFile /path/to/cert/site1.com.key
  SSLCertificateChainFile /path/to/cert/bundle1.crt
 
</VirtualHost>
 
<VirtualHost *:80>
  ServerName site2.com
  ServerAlias www.site2.com
  ServerAdmin webmaster@site2.com
  DocumentRoot "/var/www/html/site2"
</VirtualHost>
 
<VirtualHost ip2:443>
  ServerName site2.com
  DocumentRoot "/var/www/html/site2"
 
  SSLEngine on
  SSLCertificateFile /path/to/cert/site2.com.crt
  SSLCertificateKeyFile /path/to/cert/site2.com.key
  SSLCertificateChainFile /path/to/cert/bundle2.crt
 
</VirtualHost>
You can verify your installed SSL certificates using this online service: http://www.digicert.com/help/

 

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>