Is it possible to get a wildcard cert and use SNI?

8,387

If you have a wildcard certificate you can do named-based virtual hosting just like you do without SSL.

When negotiating an SSL connection, your web server needs to select a certificate BEFORE any HTTP protocol headers have been received -- which means that, without SNI, Apache can't select between multiple name-based virtual hosts. This is why in the past you needed a separate IP address for every virtual host hosted on your system. Using SNI, the client is able to provide the server with the name of the host to which it wishes to connect. This allows the server to select the appropriate virtual host configuration, and hence the appropriate certificate.

If you're using a wildcard certificate, you sidestep this problem as long as all of your virtual hosts share a common parent domain. In this case, SNI is unnecessary. Because the certificate is valid for any of your hosts, there's no requirement that your web server be able to identify the appropriate virtual host at the beginning of the SSL negotiation, which means you can use the HTTP headers to identify the host and proceed with normal name-based virtual hosting.

Using Apache, your configuration would look something like this:

NameVirtualHost *:443

<VirtualHost *:443>
    ServerName foo.example.com
    DocumentRoot /sites/foo.example.com/html
    SSLEngine On
    # ...other SSL parameters...
</VirtualHost>

<VirtualHost *:443>
    ServerName bar.example.com
    DocumentRoot /sites/bar.example.com/html
    SSLEngine On
    # ...other SSL parameters...
</VirtualHost>

We've been running this sort of configuration in a production situation for a few years now without problems.
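The answer's condition that every virtual host "share a common parent domain" is stricter than it sounds: browsers treat the `*` in a wildcard name as exactly one DNS label, so `*.example.com` covers `foo.example.com` but neither `example.com` nor `api.dev.example.com`. The following is an added example (not code from the answer or from Apache) that applies the RFC 6125 wildcard-matching rule to a constructed list of ServerNames to find the ones that would produce a certificate-name mismatch:

```python
"""Check which Apache ServerNames a wildcard certificate covers.

Implements the hostname-matching rule browsers apply to a wildcard SAN
(RFC 6125 section 6.4.3): '*' must be the entire leftmost label, it
matches exactly one label, and it never matches the bare parent domain.
"""
from __future__ import annotations


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the certificate name `pattern`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # The wildcard must be the whole leftmost label (no 'f*.example.com'),
    # and patterns such as '*.com' are not accepted.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    # '*' stands for exactly one non-empty label: foo.example.com matches
    # *.example.com, but a.b.example.com and example.com do not.
    return (
        len(h_labels) == len(p_labels)
        and h_labels[0] != ""
        and h_labels[1:] == p_labels[1:]
    )


def uncovered_vhosts(cert_names: list[str], server_names: list[str]) -> list[str]:
    """ServerNames not matched by any certificate name (browser would warn)."""
    return [n for n in server_names if not any(hostname_matches(c, n) for c in cert_names)]


# Constructed sample: the SANs of a wildcard cert and the ServerNames of a config.
CERT_SANS = ["*.example.com", "example.com"]
SERVER_NAMES = [
    "foo.example.com",
    "bar.example.com",
    "example.com",
    "api.dev.example.com",  # two labels below example.com: NOT covered
    "foo.example.org",      # different parent domain: NOT covered
]

if __name__ == "__main__":
    for name in uncovered_vhosts(CERT_SANS, SERVER_NAMES):
        print(f"{name}: not covered by {CERT_SANS}")
```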


Author: Sheldon McGee

Updated on September 17, 2022

Comments

  • Sheldon McGee
    Sheldon McGee almost 2 years

    I'd like to make setting up new subdomains easy (at least for the development side), and getting one wildcard cert, setting up a wildcard DNS (which is done and works great) and setting up SNI (Server Name Indication) seems like it would work for our HTTPS testing, but googling around I haven't found any good instructions. Is this even possible? Everything I've read about SNI says you need to set up a cert for every site and that SNI just makes it possible to deliver a different cert depending on the hostname.

  • Carlos Garcia
    Carlos Garcia over 13 years
    +1 for the answer and clarity. BTW, not all the browsers support SNI.
  • Sheldon McGee
    Sheldon McGee over 13 years
    The only browser that doesn't support SNI is IE and only on Windows XP. Those users will be presented with the "this is not a valid cert" error but the site still works, right?
  • user2751502
    user2751502 over 13 years
    They all use the same certificate, yes, that was sort of the whole point of my answer. I apologize if that wasn't clear.
  • Sheldon McGee
    Sheldon McGee over 13 years
    My guess is the cert is the same for both hosts since I'm using a wildcard cert but what if I don't have a wildcard cert? How would the SNI config look?
  • user2751502
    user2751502 over 13 years
    Heck if I know. Your question said you were getting a wildcard cert, and my answer was predicated on that. Since we have a wildcard cert I haven't had to look into SNI.
  • Sheldon McGee
    Sheldon McGee over 13 years
    Yeah, me neither. I think even if I have separate certs I can just specify them in the VirtualHost area. We'll see! But the key here for me was the "NameVirtualHost *:443" which I was missing. I didn't know it was "built in" to Apache, so to speak.