geekdom without assumption

ssl and virtual hosts in apache 2

I purchased a third-party signed certificate for one of our sites to get rid of the annoying security warnings. There are a dozen sites running on the server, so I have been using named virtual hosts in Apache in order to avoid wasting valuable IPs. I went through the whole exciting process of generating the cert request in openssl, verifying the whois records, and sending in proof that we own the name and that we are who we say we are. The process was relatively painless while still showing that they do their due diligence to assure proper authentication. At any rate, I had my certificate within a couple of hours, thinking that this was all too easy.

With the files in hand, I opened up my httpd.conf to replace my self-signed certs with the real deal. I made the changes and restarted the server, only to find that the old certificate was still being used. At first I thought that the issue was in reloading the .conf file, but that proved not to be true after a reboot. I started googling to see what could be wrong, only to learn that name-based virtual hosting and SSL do not mix. Apparently the SSL handshake occurs before the HTTP headers with the hostname (which is how Apache knows what page to serve you), so you can only use one SSL cert per IP address.

I made myself another latte and sat down to figure the damage on switching everything over to IP-based hosting. Running Linux makes it trivial to use multiple IP addresses on one network card (I don’t know of any limit), but I was afraid I would run short on leased IPs. After scanning half a dozen sites with bits and pieces about IP virtual hosting on Apache, it dawned on me that I might be able to run both name-based and IP-based on the same daemon. I’m not sure why I assumed I couldn’t (maybe because almost every howto contains something to the effect of “Name-Based vs. IP-Based” in the title), but the revelation was a cheering thought.

After backing up my old httpd.conf, I changed the virtual server in question to an IP-based one (leaving the others intact). A quick change in the DNS A records and I was ready to test it out. To my delight, everything worked as it should. Anyone who can read this–and comprehend it–knows that it’s never that easy, but lucky for me it was.
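An httpd.conf sketch of the mixed setup described above, added here as an example and not the author's actual configuration: the name-based sites stay together on one address, and the site with the purchased certificate moves to a second address of its own. The addresses (from the 192.0.2.0/24 documentation range), hostnames and file paths are placeholders.

```apache
# Added example, not the original post's httpd.conf. All addresses, names
# and paths are placeholders.
Listen 80
Listen 443

# Name-based virtual hosts share one address on port 80. Apache picks the
# site from the Host: header the client sends after the TCP connection.
NameVirtualHost 192.0.2.10:80

<VirtualHost 192.0.2.10:80>
    ServerName   www.example.com
    DocumentRoot /var/www/example-com
</VirtualHost>

<VirtualHost 192.0.2.10:80>
    ServerName   www.example.net
    DocumentRoot /var/www/example-net
</VirtualHost>

# The certificate-bearing site gets a dedicated address. The SSL handshake,
# and therefore the choice of certificate, completes before any Host: header
# is seen, so Apache can only select the certificate by the address:port the
# client connected to. One certificate per address:port on a pre-SNI server.
<VirtualHost 192.0.2.11:443>
    ServerName   secure.example.org
    DocumentRoot /var/www/secure
    SSLEngine on
    SSLCertificateFile      /etc/apache2/ssl/secure.example.org.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/secure.example.org.key
    # Intermediate CA certificate supplied by the issuer, if any.
    SSLCertificateChainFile /etc/apache2/ssl/issuer-intermediate.crt
</VirtualHost>

# Plain-HTTP side of the same site, on its own address, is IP-based too.
<VirtualHost 192.0.2.11:80>
    ServerName   secure.example.org
    DocumentRoot /var/www/secure
</VirtualHost>
```

`apachectl -S` lists which hosts Apache treats as name-based and which as IP-based, and `openssl s_client -connect 192.0.2.11:443` shows which certificate is actually presented on that address. Apache 2.2.12 and later built against an SNI-capable OpenSSL can also serve different certificates on a single address via SNI, which this layout does not rely on.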

The power and flexibility of the LAMP stack continues to amaze me. No matter how messy the situation is, this winning combination will deliver in spades. It is no wonder that so many organizations use it.
