Koozali.org: home of the SME Server

SSL Certificate for different VirtualHost

Offline michelandre

SSL Certificate for different VirtualHost
« on: February 24, 2016, 11:02:42 PM »
Hi all,

I have more than one web site on my SME-9.1 server. Each in a different i-bay and I would like each of them to have a different SSL Certificate.
- Line 39-75 are original from my server (toto.org)
- Line 52-54 are the original file locations for my server SSL files (Certificate for toto.org)

According to:
     42 ##  All SSL configuration in this context applies both to
     43 ##  the main server and all SSL-enabled virtual hosts
     44 ##      (unless overridden by virtual hosts)
I can override for another VirtualHost???

- Line 93-95 are the 3 lines I would like to add for the location files of the second certificate for the other web site: (Certificate for titi.org)

QUESTIONS:
1) Is that the proper way to do that?
2) I will have to signal something (post-upgrade and reboot). Is there another way without reboot?
3) What do I do with those 4 config setprop command?
# config setprop modSSL crt /home/e-smith/ssl.crt/my-server-name.toto.org.crt
# config setprop modSSL key /home/e-smith/ssl.key/my-server-name.toto.org.key
# config setprop modSSL CertificateChainFile  /home/e-smith/bundle.crt
# config setprop modSSL CommonName www.toto.org
4) What about the command for the email?
# signal-event domain-modify  ;  signal-event email-update

Thank you,

Michel-André

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

From: https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm

Next, in the NameVirtualHost directive list your server's public IP address, *:443, or other port you're using for SSL (see example below).
Then point the SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile to the locations of the certificate files for each website as shown below:

NameVirtualHost *:443
########################################################## this is like for toto.org  ???
<VirtualHost *:443>

 ServerName www.yoursite.com
 DocumentRoot /var/www/site
 SSLEngine on
 SSLCertificateFile /path/to/www_yoursite_com.crt
 SSLCertificateKeyFile /path/to/www_yoursite_com.key
 SSLCertificateChainFile /path/to/DigiCertCA.crt

</VirtualHost>

########################################################## this is like for titi.org   ???
<VirtualHost *:443>
 ServerName www.yoursite2.com
 DocumentRoot /var/www/site2
 SSLEngine on
 SSLCertificateFile /path/to/www_yoursite2_com.crt
 SSLCertificateKeyFile /path/to/www_yoursite2_com.key
 SSLCertificateChainFile /path/to/DigiCertCA.crt
 
</VirtualHost>

###############

My SME-9.1 server: /etc/httpd/conf/httpd.conf

     38 ...
     39 ########################################################## for toto.org (I don't change anything)
     40 ##  SSL Global Context Configuration
     41 ##
     42 ##  All SSL configuration in this context applies both to
     43 ##  the main server and all SSL-enabled virtual hosts
     44 ##      (unless overridden by virtual hosts)
     45 ##
     46 <IfModule mod_ssl.c>
     47 Listen 0.0.0.0:443
     48
     49 SSLEngine off
     50 SSLProxyEngine On
     51
     52 SSLCertificateChainFile /home/e-smith/ssl.crt/bundle.crt
     53 SSLCertificateFile /home/e-smith/ssl.crt/my-server-name.toto.org.crt
     54 SSLCertificateKeyFile /home/e-smith/ssl.key/my-server-name.toto.org.key
     55
     56 SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
     57
     58 SSLPassPhraseDialog  builtin
     59
     60 SSLSessionCache         dbm:state/ssl_scache
     61
     62 SSLSessionCacheTimeout  300
     63 SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
     64
     65 SSLMutex  file:state/ssl_mutex
     66
     67 SSLRandomSeed startup file:/dev/urandom 512
     68 SSLRandomSeed connect builtin
     69
     70 #SSLLogLevel info
     71 SSLProtocol all -SSLv3
     72 </IfModule>
     73 #
     74 #       END OF SSL GLOBAL CONTEXT CONFIGURATION
     75 #############################################
     76 ...
     77
     78 ...
     79 ############################################# for titi.org
     80
     81 <VirtualHost 0.0.0.0:443>
     82
     83     ServerName titi.org
     84     ServerAlias my-server-name.titi.org  ftp.titi.org  mail.titi.org  proxy.titi.org  wpad.titi.org  www.titi.org
     85
     86     DocumentRoot         /home/e-smith/files/ibays/server-ibay/html
     87     ScriptAlias /cgi-bin /home/e-smith/files/ibays/server-ibay/cgi-bin
     88     Alias       /files   /home/e-smith/files/ibays/server-ibay/files
     89
     90     # SSL Directives
     91     SSLEngine on
     92 ########################################################## for titi.org (I add the 3 lines below)
     93     SSLCertificateChainFile /home/e-smith/ssl.crt/bundle.crt
     94     SSLCertificateFile /home/e-smith/ssl.crt/my-server-name.titi.org.crt
     95     SSLCertificateKeyFile /home/e-smith/ssl.key/my-server-name.titi.org.key
     96
     97     RewriteEngine on
     98     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
     99     RewriteRule .* - [F]
    100 ...
    101 </VirtualHost>
    102 #############################################

Offline warren

Re: SSL Certificate for different VirtualHost
« Reply #1 on: February 24, 2016, 11:50:55 PM »

Offline janet

Re: SSL Certificate for different VirtualHost
« Reply #2 on: February 25, 2016, 12:26:50 AM »
michelandre

AFAIUI you have to incorporate all your domains into the one certificate (ie when you first create or request a commercial certificate).
If you add a domain to your server, then you need to recreate the certificate with the additional domain.

There is work being done here
https://wiki.contribs.org/Letsencrypt
which I believe will allow addition of certificates/domains more easily
but this is still a work in progress

Also see
https://forums.contribs.org/index.php/topic,51285.msg260489.html#msg260489
and
https://forums.contribs.org/index.php/topic,50665.msg255758.html#msg255758
« Last Edit: February 25, 2016, 12:29:11 AM by janet »
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline michelandre

Re: SSL Certificate for different VirtualHost
« Reply #3 on: February 25, 2016, 01:01:53 AM »
Hi all,

- Thank you Warren.
I saw the page: https://wiki.contribs.org/Letsencrypt but it looked complicated. I prefer the free CAcert certificates. They are good for 6 months and they worked like a charm. It is possible to renew without a new CSR, just login, renew and install the new certificate for another 6 months with no need to reboot the server. It should be possible to script the new installation with the link sent with the renewal. I will look later at this.

- Thank you also Janet.

But again according to: https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm, it is possible by modifying the http.conf file.
Apache is Apache for all Linux, so it should work...

I restored my server in VirtualBox and made the NIC cards as HostOnly.

I can access my second domain with no problem. The https gives the original certificate.

Now I modified the /etc/httpd/conf/httpd.conf file and added the 3 lines after the:

# SSL Directives
   SSLEngine on

   # 1
   SSLCertificateChainFile /home/e-smith/ssl.crt/titi.chain.crt
   # 2
   SSLCertificateFile /home/e-smith/ssl.crt/titi_pub.crt
   # 3
   SSLCertificateKeyFile /home/e-smith/ssl.key/titi.priv.key

To make them permanent, I tried with
# signal-event post-upgrade ; signal-event reboot
and the modifications are lost.

How can I make the 3 lines permanent???

- The link above gives another way: "Include my_other_site.conf"
- Then it should be possible to add a personal template or something like it???

Thank you,

Michel-André


Offline janet

Re: SSL Certificate for different VirtualHost
« Reply #4 on: February 25, 2016, 01:40:50 AM »
michelandre

Re Letsencrypt, I recall reading that there is support for multiple certificates/domains, that's why I mentioned it, because that is what you were wanting.

Quote
....according to: https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm, it is possible by modifying the http.conf file. Apache is Apache for all Linux, so it should work...

As it is by default, SME server does not support what you want, but the links I gave you do refer to SNI, & Xavier gave some code.
So following the SNI concept should be possible.

Quote
Now I modified the /etc/httpd/conf/httpd.conf file and added the 3 lines after the:
# SSL Directives
........ 
To make them permanent, I tried with
# signal-event post-upgrade ; signal-event reboot
and the modifications are lost.

That is where you are going wrong, directly editing conf files is a no no on SME server as all changes will be lost upon reboot.
The recommended approach is to create a custom template, & your changes will be retained after a reconfigure & reboot.

Please see
https://wiki.contribs.org/Template_Tutorial
& more particularly
https://wiki.contribs.org/Template_Tutorial#httpd.conf

These are examples, so you will have to modify them to suit your needs, but the approach is the same & straight forward.

Offline michelandre

Re: SSL Certificate for different VirtualHost
« Reply #5 on: February 25, 2016, 02:45:25 AM »
Hi all,

Thank you again Janet.

I think I found the way following: http://howto.landure.fr/gnu-linux/debian-4-0-etch/creer-un-certificat-ssl-multi-domaines

It is possible to have a multi domain certificate. I followed what is in that link and I got a multi domain certificate. The main site is *.toto.org then titi.org, titi-1.org, titi-2.org etc. I also tried with a dynamic dns (titi.no-ip.com) that point to toto.org and it is also included in the certificate.

I tested all in my virtual host using HostOnly NIC. It gives a black lock in FireFox but if I look at the certificate, all the domains are included.

I will test on my live site in a few days to confirm it is working and I will try with toto.org for the main site without the "*".

The best forum, just a few hours and I am on the right track already.  8-)

CAcert at http://www.cacert.org is the best CA...  8-)

Thank you all

Michel-André

Offline janet

Re: SSL Certificate for different VirtualHost
« Reply #6 on: February 25, 2016, 04:53:58 AM »
michelandre

Please add your steps to the wiki or just post them here to the forum & someone from the Documentation team will make it into a wiki article

Thanks in advance, as many people would like this facility & the easy steps to implement it.

Offline michelandre

Re: SSL Certificate for different VirtualHost
« Reply #7 on: February 25, 2016, 07:33:46 AM »
Hi all,

For the main site: It works perfectly with Firefox, Chrome & IE. Green lock and certificate is OK but the certificate displays *toto.org

Other domains: Google Chrome: (net::ERR_CERT_COMMON_NAME_INVALID), problem related to the chain (I will regenerate the chain next time.)
Other domains: IE, Red bar across the full URL field.

I think it will work for toto.org, titi.toto.org, titi-1.toto.org. If all are sub-domain???
I did the CSR with *toto.org

I tried to generate the CSR with www.toto.org and I was still able to add the other domains in the request.

I will try again in 1 or 2 days.

Michel-André  :-(

Offline michelandre

Re: SSL Certificate for different VirtualHost
« Reply #8 on: February 25, 2016, 11:38:43 PM »
Hi all,

After many trials and errors, I definitely need "Server Name Indication" (SNI) which is beyond my capacities. :-(

Here is the command to generate a multi-domains CSR to submit at http://www.cacert.org
REFERENCE: http://howto.landure.fr/gnu-linux/debian-4-0-etch/creer-un-certificat-ssl-multi-domaines

Create a directory and cd into it.

# wget http://howto.landure.fr/gnu-linux/debian-4-0-etch/creer-un-certificat-ssl-multi-domaines/ca_openssl.cnf

# wget http://howto.landure.fr/gnu-linux/debian-4-0-etch/creer-un-certificat-ssl-multi-domaines/cert_manager.sh

# chmod +x cert_manager.sh

# ./cert_manager.sh --init
##### Enter your data

# ./cert_manager.sh --generate-csr="www.toto.org"
You will now be asked to give informations for your certificate authority.
Description du domaine [défaut : Toto-corp]: [ENTER]
Type de serveur [défault : HTTP server]: HTTPS server
Code de votre pays [défaut : CA]: [ENTER]
Nom de votre région [défaut : QC]: [ENTER]
Nom de votre ville [défaut : Montreal]: [ENTER]
Email de l'administrateur [défaut : toto@toto.org]: [ENTER]
Nom de votre domaine [défaut : www.toto.org]: [ENTER]
Noms de domaines supplémentaires, un par ligne. Finissez par une ligne vide.
SubjectAltName: DNS: titi-1.toto.org
SubjectAltName: DNS: titi-2.toto.org
SubjectAltName: DNS: [ENTER]
Generating a 2048 bit RSA private key
..................................................................+++
..........................................+++
writing new private key to './PRIVATE_KEYS/www.toto.org_key.pem'
-----
-----BEGIN CERTIFICATE REQUEST-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
...
ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
-----END CERTIFICATE REQUEST-----

This should work if all the secondary domains are sub-domains of toto.org

Thank you all,

Michel-André

PS:
I want to test my setup.
Anyone interested in CAcert can get a PDF howto for SME server.
https://www.micronator.org/?product=sme-9-x-certificat-ssl-de-cacert

- Free of charge until end of April 2016 if you pay with Stripe using the credit card below.

Numéro de la carte *: 4242424242424242
Date d'expiration (MM/AA) *: any date in the future
Pictogramme *: 123

Offline DanB35

Re: SSL Certificate for different VirtualHost
« Reply #9 on: February 26, 2016, 12:01:44 PM »
After many trials and errors, I definitely need "Server Name Indication" (SNI) which is beyond my capacities. :-(
Why do you need SNI?  What in particular needs separate certificates for different hosts?  You can have any number of hostnames on a single cert using SAN, and they don't have to be under the same domain (I have 10 hostnames across 3 different domains on one cert using Letsencrypt).
......

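Added example, not code from any poster in this thread and not the cert_manager.sh script from the landure.fr howto: the same multi-domain CSR as in Reply #8, but built with plain openssl so the SubjectAltName entries are visible in a config file, plus a function that lists the DNS names a CSR carries (browsers match the requested hostname against that SAN list, which is what DanB35's single-certificate setup in Reply #9 relies on) and one that shows which certificate a live server actually presents for a given hostname when asked with SNI. The domain names and DN values (C, ST, L) are placeholders taken from the thread; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from this thread or from cert_manager.sh: generate a
# multi-domain (SubjectAltName) CSR with plain openssl, list the names it
# carries, and show which certificate a server really presents for a hostname.
# The domain names and DN values used here are placeholders borrowed from the thread.

# gen_san_csr OUTDIR CN ALTNAME...
# Writes OUTDIR/CN.key and OUTDIR/CN.csr. The CN is repeated as the first SAN
# entry because browsers match the requested hostname against the SAN list,
# not against the CN.
gen_san_csr() {
    outdir="$1"; cn="$2"; shift 2
    mkdir -p "$outdir"
    cfg="$outdir/$cn.cnf"
    {
        printf '[req]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n'
        printf '[dn]\nC = CA\nST = QC\nL = Montreal\nCN = %s\n' "$cn"   # constructed DN values
        printf '[v3_req]\nsubjectAltName = @alt_names\n[alt_names]\n'
        i=1
        printf 'DNS.%d = %s\n' "$i" "$cn"
        for name in "$@"; do
            i=$((i + 1))
            printf 'DNS.%d = %s\n' "$i" "$name"
        done
    } > "$cfg"
    # -nodes: unencrypted key, as httpd needs it at startup (SSLPassPhraseDialog builtin)
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$outdir/$cn.key" -out "$outdir/$cn.csr" -config "$cfg" 2>/dev/null
}

# csr_sans CSRFILE
# Prints the DNS names in the CSR's SubjectAltName extension, one per line.
# Run this before submitting the CSR to the CA: a name missing here cannot end
# up in the signed certificate.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tail -n 1 \
        | tr ',' '\n' \
        | sed -n 's/^ *DNS://p'
}

# served_cert_names HOST [PORT]
# Connects with SNI set to HOST and prints the subject and DNS names of the
# certificate the server returns. If HOST is not among them, browsers report a
# hostname mismatch for that site. Needs network access, so it is only a
# diagnostic and is not exercised by the offline checks.
served_cert_names() {
    host="$1"; port="${2:-443}"
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null \
        | grep -E 'Subject:|DNS:'
}

# Usage: sh san_csr.sh OUTDIR CN ALTNAME...
#   e.g. sh san_csr.sh ./out www.toto.org titi-1.toto.org titi-2.toto.org
if [ "$#" -ge 2 ]; then
    gen_san_csr "$@" && csr_sans "$1/$2.csr"
fi
```

The generated key stays in OUTDIR with the CSR; only the .csr is sent to the CA, and the .key is what later goes into SSLCertificateKeyFile. Running served_cert_names against each of your own hostnames is the quickest way to see the difference between "the name is in my CSR" and "the name is on the certificate httpd actually serves".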
Offline michelandre

Re: SSL Certificate for different VirtualHost
« Reply #10 on: February 26, 2016, 02:24:00 PM »
Hi all,

Thank you DanB35 for your answer.

According to: https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
Quote
While Apache can renegotiate the SSL connection later after seeing the hostname in the request (and does), that's too late to pick the right server certificate to use to match the request hostname during the initial handshake, resulting in browser warnings/errors about certificates having the wrong hostname in them.
 

That is exactly the result I have after I generated a CSR with different domain names. The CSR got generated and signed by CAcert without error or warning. Yes all domains are working with Firefox but not with Chrome or IE for the other domains.

Comment by Janet:
Quote
As it is by default, SME server does not support what you want, but the links I gave you do refer to SNI, & Xavier gave some code.
So following the SNI concept should be possible.


Also: https://bugs.contribs.org/show_bug.cgi?id=8693
Bug 8693 - moving SSL httpd certificate to virtual host and allow multiple certificates
Quote
the purpose is to allow individual SSL certificates for each domain as a Virtualhost basis for httpd.
Default certificate could be available for Primary domain and virtualhost without any dedicated certificate and SSL activated.
Specific certificate path could be defined in db domains and if defined overrules default certificate.

All other services will keep using the default certificate.

to do :
- modify current httpd fragment and move certificate info to Virtualhost folder.

I tried the custom template but to no avail. Maybe I am doing it the wrong way as this is the first time I play with custom template.

Quote
(I have 10 hostnames across 3 different domains on one cert using Letsencrypt).

Question:
- How did you do that?
- You tried with Chrome and IE?
- I have only 1 hostname and 3 different domains. Did you add something in /etc/hosts with a custom template?
- Are you using completely separate domain names or are they sub-domains?
- All in only one server and only one IP address?

Seeing Is Believing. Can you post the URL so I will see for myself.

Thank you,

Michel-André

Offline DanB35

Re: SSL Certificate for different VirtualHost
« Reply #11 on: February 26, 2016, 03:16:57 PM »
I haven't tried with IE (I use a Mac), but it works just fine with Chrome.  You can check it out on www.familybrown.org, www.brownlawoffice.us, and www.interociter-enterprises.com.  I used Let's Encrypt, following the instructions on the wiki.  Both the official client and letsencrypt.sh work, though I think the letsencrypt.sh is simpler at this point.
......

Offline michelandre

Re: SSL Certificate for different VirtualHost
« Reply #12 on: February 26, 2016, 03:40:36 PM »
Hi all,

Thank you so much DanB35,

You are giving me hope.  8-)

What version of SME are you using?

Can you give me the URL of the wiki please?

Again, thank you for giving me hope,

Michel-André


Offline DanB35

Re: SSL Certificate for different VirtualHost
« Reply #13 on: February 26, 2016, 03:57:21 PM »
I'm using SME 9.1.  Janet already gave the address of the wiki page above.
......

Offline ReetP

Re: SSL Certificate for different VirtualHost
« Reply #14 on: February 26, 2016, 04:33:52 PM »
You can still get the source for the contrib here:

https://github.com/reetp/smeserver-letsencrypt/tree/smeserver-letsencrypt-0.1

It is easy to compile
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation