SSL site not using the correct IP in Apache and Ubuntu


I've set this up on my servers by adjusting the /etc/apache2/ports.conf file as follows:

    <IfModule mod_ssl.c>
        # SSL name based virtual hosts are not yet supported, therefore no
        # NameVirtualHost statement here
        NameVirtualHost *:443
        Listen 443
    </IfModule>

You should then be able to use this by editing /etc/apache2/sites-enabled/mysite.com (some code omitted to shorten the example):

    <VirtualHost *:443>
        ServerName mysite1.com
        SSLCertificateFile    /etc/ssl/localcerts/www.mysite1.com.crt
        SSLCertificateKeyFile /etc/ssl/localcerts/www.mysite1.com.pem
    </VirtualHost>

    <VirtualHost *:443>
        ServerName mysite2.com
        SSLCertificateFile    /etc/ssl/localcerts/www.mysite2.com.crt
        SSLCertificateKeyFile /etc/ssl/localcerts/www.mysite2.com.pem
    </VirtualHost>

For as many vhosts as you like.

Edit: NEED A SECOND OPINION? GO HERE: http://forum.slicehost.com/comments.php?DiscussionID=3244
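
Added example, not part of the original answer: a simplified Python model of how Apache picks a vhost (and so a certificate) when several `<VirtualHost>` blocks share port 443, including the case where the client sends no server name in the TLS handshake. The config text is constructed from the page's placeholder names; `mysite3.com` and its certificate path are assumptions, and only exact ServerName/ServerAlias matches are modelled.

```python
import re

# Constructed sample: two wildcard vhosts as in the answer, plus an IP-specific one.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName mysite1.com
    SSLCertificateFile /etc/ssl/localcerts/www.mysite1.com.crt
</VirtualHost>
<VirtualHost *:443>
    ServerName mysite2.com
    SSLCertificateFile /etc/ssl/localcerts/www.mysite2.com.crt
</VirtualHost>
#<VirtualHost 1.1.1.1:443>
<VirtualHost 2.2.2.2:443>
    ServerName mysite3.com
    SSLCertificateFile /etc/ssl/localcerts/www.mysite3.com.crt
</VirtualHost>
"""

def parse_vhosts(conf):
    """Return vhosts in file order; commented-out lines are ignored."""
    conf = re.sub(r"^\s*#.*$", "", conf, flags=re.M)
    vhosts = []
    for addr, body in re.findall(r"<VirtualHost\s+(\S+)>(.*?)</VirtualHost>", conf, re.S | re.I):
        names = re.findall(r"^\s*Server(?:Name|Alias)\s+(.+)$", body, re.M | re.I)
        cert = re.search(r"^\s*SSLCertificateFile\s+(\S+)", body, re.M | re.I)
        vhosts.append({"addr": addr, "cert": cert.group(1) if cert else None,
                       "names": [n.lower() for line in names for n in line.split()]})
    return vhosts

def select_vhost(vhosts, ip, port, sni=None):
    """Simplified matching: an exact IP:port beats *:port, then the name sent
    via SNI is compared to ServerName/ServerAlias, else the first vhost wins."""
    for wanted in (f"{ip}:{port}", f"*:{port}"):
        group = [v for v in vhosts if v["addr"] == wanted]
        if group:
            break
    else:
        return None  # no vhost for this address: the main server config answers
    for v in group:
        if sni and sni.lower() in v["names"]:
            return v
    return group[0]  # no SNI sent, or unknown name: first vhost listed

def cert_for(conf, ip, port, sni=None):
    v = select_vhost(parse_vhosts(conf), ip, port, sni)
    return v["cert"] if v else None
```

On a live server, compare the result with the order printed by `apachectl -t -D DUMP_VHOSTS`.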


Author: John


Updated on September 17, 2022

Comments

  • John
    John over 1 year

    I'm trying to set up an apache-ubuntu-php webserver. My webserver will host multiple SSL sites, each SSL site will have its own IP address (unless there's a better way to do this).

    So I suppose the first step is to get apache to recognize at least two different IP addresses. Right now, I have an SSL and non-SSL version of a website which are http://mysite.com and https://mysite.com. Although both are currently running on my server, I can't get both to use different IP addresses. Right now, both are using the IP 1.1.1.1. I purchased a second IP address 2.2.2.2 but the https://mysite.com won't accept it and Firefox complains with the error "ssl_error_rx_record_too_long". Here's a look at my 2 vhost files:

    /etc/apache2/site-enabled/000-default

    #NameVirtualHost 1.1.1.1:80
    
    #<VirtualHost 1.1.1.1:80>
    <VirtualHost *:80>
            ServerAdmin webmaster@localhost
    
            DocumentRoot /var/www
            <Directory />
                    Options FollowSymLinks
                    AllowOverride None
            </Directory>
            <Directory /var/www/>
                    Options Indexes FollowSymLinks MultiViews
                    AllowOverride None
                    Order allow,deny
                    allow from all
            </Directory>
    
            ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
            <Directory "/usr/lib/cgi-bin">
                    AllowOverride None
                    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                    Order allow,deny
                    Allow from all
            </Directory>
    
            ErrorLog /var/log/apache2/error.log
    
            # Possible values include: debug, info, notice, warn, error, crit,
            # alert, emerg.
            LogLevel warn
    
            CustomLog /var/log/apache2/access.log combined
    
        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
            Options Indexes MultiViews FollowSymLinks
            AllowOverride None
            Order deny,allow
            Deny from all
            Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>
    
    </VirtualHost>
    

    /etc/apache2/site-enabled/mysite.com

    <VirtualHost 1.1.1.1:80>
         ServerAdmin [email protected]
         ServerName mysite.com
         ServerAlias www.mysite.com
         DocumentRoot /srv/www/mysite.com/public_html/
         ErrorLog /srv/www/mysite.com/logs/error.log
         CustomLog /srv/www/mysite.com/logs/access.log combined
    </VirtualHost>
    <IfModule mod_ssl.c>
    #<VirtualHost 2.2.2.2:443>
    <VirtualHost *:443>
         ServerAdmin [email protected]
         ServerName mysite.com
         ServerAlias www.mysite.com
         DocumentRoot /srv/www/mysite.com/public_html/
         ErrorLog /srv/www/mysite.com/logs/error.log
         CustomLog /srv/www/mysite.com/logs/access.log combined
    
            SSLEngine on
    
            SSLCertificateFile    /etc/ssl/localcerts/www.mysite.com.crt
            SSLCertificateKeyFile /etc/ssl/localcerts/www.mysite.com.pem
    
            <FilesMatch "\.(cgi|shtml|phtml|php)$">
                    SSLOptions +StdEnvVars
            </FilesMatch>
            <Directory /usr/lib/cgi-bin>
                    SSLOptions +StdEnvVars
            </Directory>
    
            BrowserMatch ".*MSIE.*" \
                    nokeepalive ssl-unclean-shutdown \
                    downgrade-1.0 force-response-1.0
    
    </VirtualHost>
    </IfModule>
    

    In mysite.com, if I replace <VirtualHost *:443> with <VirtualHost 2.2.2.2:443>, Firefox complains with the error "ssl_error_rx_record_too_long".

    So when I try to create and enable a /etc/apache2/site-enabled/mysite2.com with another SSL certificate on a third IP address, Apache complains about an "overlap" problem.

    Can someone tell me how to set up my server so that I can host multiple SSL websites on different domains? I want the SSL certificate to work for IE 7+, FF, and Safari on the popular OS such as WinXP, Vista, Win7 and OSX.

  • John
    John over 14 years
    oh, it worked...and each of the websites is using the same 1.1.1.1 IP address. So does this mean I don't need the 2.2.2.2 IP address anymore? I don't need a unique IP for each SSL domain?
  • Patrick R
    Patrick R over 14 years
    You are not required to use a unique IP for each SSL domain.
  • Josh
    Josh over 14 years
    Please explain why you don't need a separate IP for each domain. This goes against everything I understand about SSL...
  • Patrick R
    Patrick R over 14 years
    I'm not sure what to say other than that I've used multiple wildcards certs on servers with one IP. As long as the CommonName matches the ServerName you'll be fine. Now if you're in a shared hosting environment then this may allow others to use your cert. If it worked for johnlai2004 and me... well then, what's the issue?
  • Josh
    Josh over 14 years
    voretaq7 explained the reasoning on serverfault.com/questions/109800/… -- This is TLS, not SSL. SSL does require a 1:1 relationship between IP addresses and certificates. TLS does not. I just wasn't aware TLS could be used for HTTPS (yet)
  • Patrick R
    Patrick R over 14 years
    I can show you how to use multiple IPs on the same server but you'll have to use different ports (i.e. 443, 442, 441, etc). Won't be as nice for your end users.
  • Patrick R
    Patrick R over 14 years
    @josh/johnlai2004 - so will my answer/example work for you? If not, I obviously didn't understand the end result you were looking for. Thought you might be looking for a way to avoid multiple IP addresses.
  • John
    John over 14 years
    Ah ok. This is all so unusual. The certificate works fine for all browsers on all OS except for IE on WinXP. It even works for IE on Win Vista. How do I get this to work for IE on WinXP?
  • John
    John over 14 years
    In the end, I just want valid ssl certificates to work for each website when viewed through IE and FF on Windows XP and Vista and Safari on Mac OSX.
  • CallMeLaNN
    CallMeLaNN over 12 years
    Is the answer about TLS? Where is the fix in the code? Do you mean the *:443 in the VirtualHost?
  • Richard Salts
    Richard Salts almost 11 years
    You can see what it will use with apachectl -t -D DUMP_VHOSTS. The order is first to last.