SSL for multiple sites

I have multiple clients who have GoDaddy SSL Certificates. These Clients have domains hosted on the same physical server (hx202.sapphiresolutionsltd.com).

How do I accomplish getting separate SSL Certificates installed on the same physical server?

I have one physical server (hx201.sapphiresolutionsltd.com) which hosts a single domain with multiple variations of the same domain, as sub-domains.

How do I install an SSL Certificate so that it covers the entire server?

How do I separate the domains hosted on each server so they can have un-secure content on the http side and secure content on the https side?

Status: Active

Comments

How do I accomplish getting separate SSL Certificates installed on the same physical server?

The way SSL works, you need an IP address for each SSL certificate.

So for each additional SSL certificate you'd like to add, you'd obtain a new IP address from your ISP, then set up that IP to work with the Virtual Server that will use the SSL cert.

To add the IP to a Virtual Server, you can go into Edit Virtual Server -> IP address and interfaces, and add the new IP where it says "Virtual interface".

How do I install an SSL Certificate so that it covers the entire server?

In order to do that, you'd need to obtain a wildcard SSL cert. GoDaddy sells SSL certificates that can work with domains such as *.example.com. Virtualmin supports wildcard SSL certs; you'd just add it to each of the sub-domains you want to use it with.

Since a wildcard SSL certificate is a single certificate, you only need one IP address for it... you can set up all those sub-domains to work on the same IP address.

How do I separate the domains hosted on each server so they can have un-secure content on the http side and secure content on the https side?

Well, it doesn't work that way by default... by default, both secure and non-secure point at the same DocumentRoot. I'm not aware of a simple way to do what you're asking now -- though, you could always manually change the DocumentRoot to point to, say, $HOME/public_html/ssl.

Another option would be to set up a .htaccess file to redirect to another directory.

The way SSL works, you need an IP address for each SSL certificate.

So for each additional SSL certificate you'd like to add, you'd obtain a new IP address from your ISP, then set up that IP to work with the Virtual Server that will use the SSL cert.

To add the IP to a Virtual Server, you can go into Edit Virtual Server -> IP address and interfaces, and add the new IP where it says "Virtual interface".

Can an SSL Certificate be tied to a Virtual IP? Because I'm almost positive when my company wasn't its own host, we had two web sites (completely different domains), hosted on the same IP Address, both having a different SSL Certificate.

In order to do that, you'd need to obtain a wildcard SSL cert. GoDaddy sells SSL certificates that can work with domains such as *.example.com. Virtualmin supports wildcard SSL certs; you'd just add it to each of the sub-domains you want to use it with.

Since a wildcard SSL certificate is a single certificate, you only need one IP address for it... you can set up all those sub-domains to work on the same IP address.

This is related to my questions over at: https://www.virtualmin.com/node/15181

Well, it doesn't work that way by default... by default, both secure and non-secure point at the same DocumentRoot. I'm not aware of a simple way to do what you're asking now -- though, you could always manually change the DocumentRoot to point to, say, $HOME/public_html/ssl.

Another option would be to set up a .htaccess file to redirect to another directory.

I've set a server up before where there were completely different web pages on the http and https sides. I did it with Debian GNU/Linux (Sarge), running the Apache web server. It was a manual process, though not very complicated. So why isn't this an option which can easily be added to Virtualmin and managed via the control panel?

I have another question related to SSL Certificates and the servers they are installed on.

The physical machine running the 10-user license of Virtualmin and Cloudmin together is getting ready to go online as a live (ready to be used) server. When I'm ready, I will start with a complete re-installation of the OS, all the way down to your Virtualmin and Cloudmin packages.

Of course, I will be using Debian GNU/Linux (I'm just a really big fan of Debian). When I do, the installer will ask for a hostname and domain name. The Virtualmin Control Panel picks this up and displays it under System Information > System > System hostname:

As you know, you end up with something like hostname.domainname.com and my existing server uses hx202.sapphiresolutionsltd.com for the naming convention.

sapphiresolutionsltd.com is my company domain (and web site). I will be moving all the related sites to this new server when it is finished. In keeping with my naming convention, I'll probably use hx200.sapphiresolutionsltd.com (hx200 for the hostname and sapphiresolutionsltd.com as the domain name).

Should I be registering each of these as official sub-domains of sapphiresolutionsltd.com?

Should I add a web site on each server (hx200, hx201 & hx202) for each of these sub-domains?

Will any of this have any impact on a Wildcard SSL Certificate, being installed on the hx200.sapphiresolutionsltd.com server?

Should I be registering each of these as official sub-domains of sapphiresolutionsltd.com?

Well, that doesn't matter at all, unless you want SSL to work for those sub-domains. If you want SSL to work, you'd need to have the domain set up as a Virtual Server of some sort (though, an alias server should work just fine, I believe).

Can an SSL Certificate be tied to a Virtual IP? Because I'm almost positive when my company wasn't its own host, we had two web sites (completely different domains), hosted on the same IP Address, both having a different SSL Certificate.

Well, UCC SSL certificates can have two domains within one certificate. In that regard, the rule of "one IP address per SSL certificate" is still met. Could that have been how things were set up?

It was a manual process, though not very complicated. So why isn't this an option which can easily be added to virtualmin and managed via the control panel?

Hrm, digging around a little bit, this might be simpler than I initially realized.

If you select your SSL enabled domain from the drop-down on the top-left, and go into Services -> "Configure Website for SSL", look at the bottom of the page where it says "Virtual Server Details".

You can set a different "Document Root" there... the only thing you'd need to do is create the directory.

Would that do what you're after?

Hrm, digging around a little bit, this might be simpler than I initially realized.

If you select your SSL enabled domain from the drop-down on the top-left, and go into Services -> "Configure Website for SSL", look at the bottom of the page where it says "Virtual Server Details".

You can set a different "Document Root" there... the only thing you'd need to do is create the directory.

Would that do what you're after?

Awesome...

I think that might actually get the job done.

Can you create a separate directory in that same area of the Virtualmin Control Panel?

Before, when doing the configuration manually, I would use public_html as the http directory and ssl_html as the https directory. Now, once the ssl_directory is created, I can point to it with the steps you listed above.

Also, how do you define what web site shows by default if you go to the Virtual Server's IP Address (i.e. http://173.165.231.55/)?

I would like to be able to choose which site is shown or redirect to another site.

Can you create a separate directory in that same area of the Virtualmin Control Panel?

I believe you can choose any directory you want (within the user's home directory), but that screen assumes the directory already exists. If you run into any problems doing that, let us know!

Also, how do you define what web site shows by default if you go to the Virtual Server's IP Address

You can set that by going into Server Configuration -> Website Options, and set "Default website for IP address" to "Yes".

If you have any other questions, feel free to let us know.

Thank you makoka. I'll definitely be giving that article some attention.

Have you done this before?

Bamajr, I have not done it before, because I read it after the production site was installed. And so far no clients require SSL, so only the hosting's webmail uses a secure connection. Hopefully you'll dig into this topic, and my next server will be built with support for SNI.

Regards
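
The wildcard and UCC answers in this thread both come down to which hostnames a certificate's name list covers. The following is an added example, not part of the original thread or of Virtualmin: it applies the RFC 6125 wildcard rule to hostnames taken from the thread. The function names and the UCC name list (including client-one.example) are constructed for illustration.

```python
# Added example: which hostnames does a certificate's name list cover?
# RFC 6125 wildcard rule: "*" is only honoured as the entire leftmost
# label, and it stands for exactly one label (never zero, never several).

def _labels(name):
    # DNS names are case-insensitive; a trailing dot is the root label.
    return name.strip().rstrip(".").lower().split(".")

def name_matches(pattern, hostname):
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False          # "*" never spans more or fewer labels
    if p[0] == "*":
        # Reject over-broad patterns such as "*.com". Simplification:
        # no public-suffix list is consulted, so "*.co.uk" would pass.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def covered(cert_names, hostname):
    """True if any name in the certificate covers the hostname."""
    return any(name_matches(n, hostname) for n in cert_names)

def coverage_report(cert_names, hostnames):
    return {h: covered(cert_names, h) for h in hostnames}

# Constructed certificate name lists (not taken from real certificates).
WILDCARD_CERT = ["*.sapphiresolutionsltd.com"]
UCC_CERT = ["sapphiresolutionsltd.com",
            "www.sapphiresolutionsltd.com",
            "client-one.example"]

HOSTS = ["hx200.sapphiresolutionsltd.com",
         "hx201.sapphiresolutionsltd.com",
         "sapphiresolutionsltd.com",              # apex: no label for "*"
         "mail.hx200.sapphiresolutionsltd.com",   # two labels deep
         "client-one.example"]

if __name__ == "__main__":
    for label, names in (("wildcard", WILDCARD_CERT), ("UCC", UCC_CERT)):
        for host, ok in coverage_report(names, HOSTS).items():
            print(f"{label:8} {host:40} {'covered' if ok else 'NOT covered'}")
```

Running it shows that a wildcard pattern alone covers hx200 and hx201 but not the bare company domain or names nested under a server's hostname, which matters when deciding what to register under each host.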