
Wildcard SSL with Multiple Domains


I have a CentOS/Apache+OpenSSL server. I host two domain names with wildcard subdomains (application logic surfaces the correct site), e.g.

https://*.testing1.com

https://*.testing2.com

It works great over HTTP:

    <VirtualHost *:80>
        # Admin email, Server Name (domain name) and any aliases.
        # Apache honours only the last ServerName in a VirtualHost, so the
        # second domain is listed as an alias instead.
        ServerAdmin [email protected]
        ServerName  testing1.com
        ServerAlias testing2.com *.testing1.com *.testing2.com

        # Index file and Document Root (where the public files are located)
        DirectoryIndex index.html index.php
        DocumentRoot /home/app/public_html/public
    </VirtualHost>

I've purchased two wildcard SSL certificates, for testing1.com and testing2.com, but I'm unsure how to set them up in this structure:

    <VirtualHost *.testing1.com:443>
        SSLEngine On
        SSLCertificateFile /etc/httpd/ssl/*.testing1.com.crt
        SSLCertificateKeyFile /etc/httpd/ssl/*.testing1.com.key
        SSLCACertificateFile /etc/httpd/ssl/geotrust.cer

        ServerAdmin [email protected]
        ServerName testing1.com
        ServerAlias *.testing1.com

        DirectoryIndex index.html index.php
        DocumentRoot /home/app/public_html/public
    </VirtualHost>

    <VirtualHost *.testing2.com:443>
        SSLEngine On
        SSLCertificateFile /etc/httpd/ssl/*.testing2.com.crt
        SSLCertificateKeyFile /etc/httpd/ssl/*.testing2.com.key
        SSLCACertificateFile /etc/httpd/ssl/geotrust.cer

        ServerAdmin [email protected]
        ServerName testing2.com
        ServerAlias *.testing2.com

        DirectoryIndex index.html index.php
        DocumentRoot /home/app/public_html/public
    </VirtualHost>

The above SSL configuration doesn't work, neither with the *.testing1.com definition nor with just testing1.com.

I will also need to repeat this for testing2.com.


Solution

  • Name-based virtualhosts and SSL will only work if all the virtualhosts are within the same domain and you have a wildcard SSL certificate for that domain.

    But you have two different domains.

    In this case it will only work if you give each SSL-enabled virtualhost its own IP address. So you should use IP-based virtualhosts, not name-based.

    Explanation: The ServerName which is requested is contained in the HTTP request headers, but before that the SSL encryption must already be set up. So the ServerName is only available after the encryption has been set up. Therefore Apache can never know which SSL certificate to serve up and will just use the first one available on that particular IP address.
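The IP-based layout the answer recommends, written out as an added example (it is not the questioner's or the answerer's config). The addresses 192.0.2.10 and 192.0.2.20 are assumed placeholders for the two addresses bound on the server; the certificate paths and document root are the ones from the question.

```apache
# Added example: one SSL virtual host per IP address, as the answer
# recommends. 192.0.2.10 and 192.0.2.20 are assumed placeholder addresses;
# each must be bound on the server, and DNS for testing1.com/*.testing1.com
# must point at the first, testing2.com/*.testing2.com at the second.
Listen 192.0.2.10:443
Listen 192.0.2.20:443

# The virtual host is selected by the address the client connected to, so
# the certificate is chosen before any HTTP header has been read.
<VirtualHost 192.0.2.10:443>
    ServerName  testing1.com
    ServerAlias *.testing1.com

    SSLEngine On
    SSLCertificateFile    /etc/httpd/ssl/*.testing1.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/*.testing1.com.key
    # The GeoTrust intermediate belongs in SSLCertificateChainFile;
    # SSLCACertificateFile is for verifying client certificates, not for
    # completing the server's own chain.
    SSLCertificateChainFile /etc/httpd/ssl/geotrust.cer

    DirectoryIndex index.html index.php
    DocumentRoot /home/app/public_html/public
</VirtualHost>

<VirtualHost 192.0.2.20:443>
    ServerName  testing2.com
    ServerAlias *.testing2.com

    SSLEngine On
    SSLCertificateFile      /etc/httpd/ssl/*.testing2.com.crt
    SSLCertificateKeyFile   /etc/httpd/ssl/*.testing2.com.key
    SSLCertificateChainFile /etc/httpd/ssl/geotrust.cer

    DirectoryIndex index.html index.php
    DocumentRoot /home/app/public_html/public
</VirtualHost>
```

After restarting httpd, `openssl s_client -connect 192.0.2.10:443 </dev/null 2>/dev/null | openssl x509 -noout -subject` should print the testing1.com wildcard subject, and the same command against 192.0.2.20 the testing2.com one; connecting by IP sends no server name, so this confirms the certificate is chosen by address alone.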