October 17, 2012

Advanced

How To Set Up Multiple SSL Certificates on One IP with Nginx on Ubuntu 12.04

Tagged In: Nginx, Ubuntu

You can host multiple SSL certificates on one IP Address using Server Name Identification (SNI).

About SNI


Although hosting several sites on a single virtual private server is not a challenge with the use of virtual hosts, providing separate SSL certificates for each site traditionally required separate IP addresses. The process has recently been simplified through the use of Server Name Indication (SNI), which sends a site visitor the certificate that matches the requested server name.

Note:


SNI can only be used for serving multiple SSL sites from your web server and is not likely to work at all on other daemons, such as mail servers, etc. There are also a small percentage of older web browsers that may still give certificate errors. Wikipedia has an updated list of software that does and does not support this TLS extension.

Set Up

SNI does need to have registered domain names in order to serve the certificates.

The steps in this tutorial require the user to have root privileges. You can see how to set that up in the Initial Server Setup Tutorial in steps 3 and 4.

Nginx should already be installed and running on your VPS.

If this is not the case, you can download it with this command:

sudo apt-get install nginx

You can make sure that SNI is enabled on your server:

 nginx -V

After displaying the nginx version, you should see the line:

 TLS SNI support enabled

Step One—Create Your SSL Certificate Directories


For the purposes of this tutorial, both certificates will be self-signed. We will be working to create a server that hosts both example.com and example.org.

The SSL certificate has 2 parts main parts: the certificate itself and the public key. To make all of the relevant files easy to access, we should create a directory for each virtual host’s SSL certificate.

mkdir -p /etc/nginx/ssl/example.com
mkdir -p /etc/nginx/ssl/example.org

Step Two—Create the Server Key and Certificate Signing Request


First, create the SSL certificate for example.com.

Switch into the proper directory:

cd /etc/nginx/ssl/example.com

Start by creating the private server key. During this process, you will be asked to enter a specific passphrase. Be sure to note this phrase carefully, if you forget it or lose it, you will not be able to access the certificate.

sudo openssl genrsa -des3 -out server.key 1024

Follow up by creating a certificate signing request:

sudo openssl req -new -key server.key -out server.csr

This command will prompt terminal to display a lists of fields that need to be filled in.

The most important line is "Common Name". Enter your official domain name here or, if you don't have one yet, your site's IP address. Leave the challenge password and optional company name blank.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:NYC
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Awesome Inc
Organizational Unit Name (eg, section) []:Dept of Merriment
Common Name (e.g. server FQDN or YOUR name) []:example.com                  
Email Address []:[email protected]

Step Three—Remove the Passphrase


We are almost finished creating the certificate. However, it would serve us to remove the passphrase. Although having the passphrase in place does provide heightened security, the issue starts when one tries to reload nginx. In the event that nginx crashes or needs to reboot, you will always have to re-enter your passphrase to get your entire web server back online.

Use this command to remove the password:

sudo cp server.key server.key.org
sudo openssl rsa -in server.key.org -out server.key

Step Four—Sign your SSL Certificate


Your certificate is all but done, and you just have to sign it.

Keep in mind that you can specify how long the certificate should remain valid by changing the 365 to the number of days you prefer. As it stands this certificate will expire after one year.

sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

You are now done making the certificate for your first host.

To create the second certificate, switch into the second directory:

cd /etc/nginx/ssl/example.org

Repeat the previous three steps for the second certificate. Once both are squared away, you can start adding the certificates to your virtual hosts.

Step Five—Create the Virtual Hosts


Once you have the certificates saved and ready, you can add in your information in the virtual host file.

Although it’s not required, we can create two virtual host files to store virtual hosts in a separate files.

sudo nano /etc/nginx/sites-available/example.com

Each file will then contain the virtual host configuration (make sure to edit the server_name, ssl_certificate, and ssl_certificate_key lines to match your details):

 server {

        listen   443;
        server_name example.com;

        root /usr/share/nginx/www;
        index index.html index.htm;

        ssl on;
        ssl_certificate /etc/nginx/ssl/example.com/server.crt;
        ssl_certificate_key /etc/nginx/ssl/example.com/server.key;
}

You can then put in the appropriate configuration into the other virtual host file.

sudo nano /etc/nginx/sites-available/example.org

 server {

        listen   443;
        server_name example.org;

        root /usr/share/nginx/www;
        index index.html index.htm;

        ssl on;
        ssl_certificate /etc/nginx/ssl/example.org/server.crt;
        ssl_certificate_key /etc/nginx/ssl/example.org/server.key;
}

Step Six—Activate the Virtual Hosts


The last step is to activate the hosts by creating a symbolic link between the sites-available directory and the sites-enabled directory.

sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/example.com
sudo ln -s /etc/nginx/sites-available/example.org /etc/nginx/sites-enabled/example.org

With all of the virtual hosts in place, restart nginx.

sudo service nginx restart

You should now be able to access both sites, each with its own domain name and SSL certificate.

You can view the sites both with and without the signed SSL certificates by typing in just the domain (eg. example.com or example.org) or the domain with the https prefix (https://example.com or https://example.org).



By Etel Sverdlov

Share this Tutorial

Vote on Hacker News

Try this tutorial on an SSD cloud server.

Includes 512MB RAM, 20GB SSD Disk, and 1TB Transfer for $5/mo! Learn more

Create an account or login:

20 Comments

Write Tutorial
  • Gravatar Martin Dahl-Larsen over 1 year

    Great wizard! it really helped me:-)

  • Gravatar carlosespejo about 1 year

    Another great tutorial, this site has now become my go to resource for NGINX help :-)

  • Gravatar Moisey about 1 year

    Awesome, thanks for the kind words =]

  • Gravatar Vincent Balingan about 1 year

    is this tut also fully applicable for Centos 6.3 if i followed this one here, https://www.digitalocean.com/community/articles/how-to-install-linux-nginx-mysql-php-lemp-stack-on-centos-6 ? thanks.

  • Gravatar Moisey about 1 year

    You can check out our CentOS section: https://www.digitalocean.com/community/community_tags/centos

  • Gravatar Atendimento TI about 1 year

    I know that most users reading this tutorial has already followed other tutorials which explain the nano editor commands to save (ctrl+x, y, enter), but mentioning them here will be useful for novice.

  • Gravatar sysadmin about 1 year

    Apparently from what you instruct here port 80 continues to work after invoking 443?... I have existing directives and upgraded from Ubuntu 10.04. Sorry for the noob question, but is the new directive in addition to, append or replace what I had.

  • Gravatar me about 1 year

    Possibly the best Nginx tutorial I've ever read (even better than the original Slicehost guides) - well written and sufficiently detailed without being overly verbose. Thanks!

  • Gravatar mnordhoff 11 months

    Quick critiques while skimming the openssl aspects of this guide: * 1024-bit keys? That's not especially secure, is it? Aren't they deprecated in favor of 2048 nowadays? I'm not sure all CAs even accept them anymore... * Why do you create an encrypted key in one step, and then decrypt it a couple steps later? Why not...not encrypt it in the first place? In general, it seems like pretty much all of steps 2 through 4 could be replaced with one: openssl req -days 365 -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr Trying to help with SSL while I should be in the shower'ly yours, Matt Nordhoff

  • Gravatar pbbowner 8 months

    Im running 2 domains with on IP Location on nginx reverse proxy setup, but i have on problems. i only want to browse the on domain name, but using the second domain without to access the browse funktion. so i browse the website with the first domainname, and the second domain name only access to the host without browsing. how to

  • Gravatar Kamal Nasser 8 months

    @pbbowner: I'm not sure I understand your question -- do you mean that you have http://domain1.com and https://domain2.com and do not want people to be able to access https://domain1.com?

  • Gravatar Ben Bishop 7 months

    Worth noting, in case anyone else has this issue, I had setup UFW (Ultimate FireWall) and had only left open my web and SSH ports. Thus SSL on 443 or whatever post you use, didn't work. Dont forget to add this rule to UFW or IPTABLES!!

  • Gravatar a.w.king 7 months

    Would this same method work with multiple subdomains from other hosting accounts all pointed to the same IP address of a digital ocean droplet?

  • Gravatar Kamal Nasser 7 months

    @aaron.w.king: It should work as long as the domain is pointing to your droplet.

  • Gravatar dylan about 1 month

    Is it true that SNI is not supported by XP with Internet Explorer?

  • Gravatar moreips about 1 month

    @dylan it's true, and who knows why DO won't allow buying more IPs per droplet

  • Gravatar barkatu.83 28 days

    What if cert is for wildcard?

  • Gravatar gustav 28 days

    Could you please explain how this is possible. Well it shouldn't be! TSL handshaking is done before the http-headers are sent. Therefore nginx does not know what virtualhost to use.

  • Gravatar gustav 28 days

    This tutorial is not correct, you must be running on separate IPs for several TSL certificates to work. http://forum.nginx.org/read.php?2,42666,42666

  • Gravatar Kamal Nasser 17 days

    @gustav: SNI is an extension to the TLS protocol that fixes the said issue: http://en.wikipedia.org/wiki/Server_Name_Indication. So, assuming the browser supports SNI (which most do), you should be able to run multiple SSL-enabled virtualhosts on a single IP address.

Leave a Comment

Create an account or login:
Ajax-loader