This is actually a request. The server that runs Ipstenu.org hosts three other domains. I set up my self signed certificate just fine for *.ipstenu.org, but I want to add on the other domains. For some reason I seem to be failing.

I somehow managed to get it half-baked. If you go to https://otherdomain.com it kicks you to https://ipstenu.org/wp-signup.php?new=otherdomain.com which isn’t what I want at all.

I’m using WHM on CentOS 5.6 and I’m a total newbie when it comes to all this! Links to tutorials with pretty pictures, advice, or directions are all welcome!

Comments

  1. It’s not that hard using SNI (Server Name Indicator) on Apache2 and mod_gnutls or mod_ssl, which should be easy to add as an RPM via yum. I run my multisite on 1 IP and SSL that way. Each vhost works with and without SSL and Apache2 serves the correct certs.

    Do you know which OpenSSL is on your server? Your distro is fairly new so you may just need some config.

  2. GAH. OpenSSL 0.9.8b doesn’t support SNI; I’m using v0.9.8k. I think that f and above supported SNI. There is an SNI write up here on Wikipedia.

    Hrm. You could install mod_gnutls but back up your config first. Just installing mod_gnutls and the supporting libgnutls shouldn’t break anything and yum is pretty forgiving.

    The mod_gnutls doesn’t use OpenSSL (uses gnutls, naturally) so if you can get that running instead of mod_ssl then you should be able to use SNI. That’s also what I’m using but I forget why I switched from mod_ssl.

  3. From what I know, there are two ways to do multiple domains on a single SSL cert. Option 1 is to use a wildcard SSL cert that will cover *.whateverdomain.com. So if you’re only talking about subdomains, you’re good. But if you’re like me, you have a mix of subdomains and fully-qualified domains all sharing 1 domain.

    In that case, you’ll need a Unified Communications Certificate. They’re more expensive, and you have to know ahead of time what domains you’re protecting … so no wildcards.

    I’ve set up both (wildcards and UCCs) before. Once you know which direction you’re going, it’s fairly straight-forward. So let me push back with a question … which direction do you need to head?

    • Well, that’s not really entirely correct. Getting another (expensive) cert won’t solve the problem.

      The problem is that for plain text Apache2 figures out which vhost you meant via the request. Plain text is easy.

      But for SSL based requests, Apache2 doesn’t even get the request to process until after the SSL encryption is established and by then you got the wrong VHOST and wrong cert. The old method just says send it to the first VHOST with SSL. That’s why *.ipstenu.org will work: the wildcard cert is fine for subdomains. When you want to use someotherdomain.com, Apache2 will still send you to the wrong VHOST and SSL cert. Previously, you bound SSL VHOSTS to separate IPs to get around that.

      That’s where SNI (Server Name Indication, I always say “Indicator”…) comes in. Independent of IP, it figures out the requested web site and VHOST before Apache2 starts processing the request. You ask for someotherdomain.com, you get sent to the correct VHOST and SSL certs. Apache2 serves the request using the correct certs and all is right in the world.

    • I managed to get this all working with OpenSSL 0.9.8e and Apache 2.2.21. So either your information isn’t entirely accurate, or I broke something by mistake and got it to work when it shouldn’t have.

    • It’s easy to check: according to the Wiki link support for SNI is in 0.9.8f and above.

      If it works for you, that’s great. But with SNI you can use individual SSL certs from places like StartSSL.com, which issues valid SSL certs that are recognized by browsers such as IE, Firefox, Chrome, etc.

      The StartSSL certs are free. Between that and SNI support that’s what I use for my one server IP.

    • Side-note: Bloody well can’t log into startssl.com from ANY Mac Browser. POS.

    • I have *.ipstenu.org set up as self signed.

      I ‘need’ (want) *.ipstenu.org, domainb.com, domainc.net, etc etc. I don’t PLAN on wildcarding the other domains.

      However I’m going to look up SNI now 🙂 Study time!

      It’s possible I can upgrade to OpenSSL f (or k) so I’ll poke that for a moment.

  4. Why do you want to SSL the other domains?

    I just set the admin panels to use sub-domains of the main domain, therefore only needed to setup a wildcard certificate for that main domain, then the admin panels for each mapped domain worked fine.

    • They’re not mapped in MultiSite. They’re 100% separate domains.

      ipstenu.org and jorjafox.net are totally separate accounts on the server for a reason 👿
