By: mikeboost

Can I load several domains with SSL on a single IP?

December 27, 2014 2k views

I have Ubuntu 14.04 and 3 domains that I want to host on it. Each of these needs SSL support. I have purchased 3 Symantec EV certificates for the www.domain.com of them. I only have one IP on that server.

(Note that I've done the DigOc recommended self-signed cert stuff for Apache2 and it works.)

  1. Is it possible to load a separate SSL certificate for each domain, even on the single IP? Or, would I need separate IPs?

  2. Is it possible even with an EV certificate on each domain? Or, would I need separate IPs?

  3. Anyone got a tutorial on how to load the SSL on each separate domain? Or is it as simple as creating a separate conf for each domain and just loading the SSL stuff in there?

1 Answer

It looks like a "no" when I read this DigOc post about setting this up on Ubuntu 12.04, even though I have 14.04:

https://www.digitalocean.com/community/tutorials/how-to-set-up-multiple-ssl-certificates-on-one-ip-with-apache-on-ubuntu-12-04

The reason? SNI is not supported in Windows XP. Most of our customers will be elderly, but will at least be on IE7 or greater, which SNI needs, but SNI doesn't ship with XP and requires Vista or greater, which poses a problem.

http://en.wikipedia.org/wiki/Server_Name_Indication#Web_browsers.5B6.5D

It looks like I'll have to purchase separate IPs for each SSL. Or, set up an arrangement where the domain SSL is mounted on some separate hardware (like a load balancer or firewall) and then gets sent down to the server.

DigOc does not currently support purchasing multiple IPs per server as of 2014 Dec 27:

"Do you support adding multiple IPs per virtual server? How can I get an additional IP?"
https://www.digitalocean.com/help/technical/setup/

EDIT: I found an answer. We use Incapsula for DDoS protection, but now will be switching to CloudFlare. Both of these services require that you mount the SSL certificates on them and do not need SSL mounted on your IP. Thus, I can load several SSL on CloudFlare and then have it all point to a single IP on the server. At least I think I can. I'll let you know.

by Etel Sverdlov
Although hosting several sites on a single virtual private server is not a challenge with the use of virtual hosts, providing separate SSL certificates for each site traditionally required separate IP addresses. The process has recently been simplified through the use of Server Name Indication (SNI), which sends a site visitor the certificate that matches the requested server name.
  • I contacted CloudFlare support. They do have a plan to support multiple SSL (EV certs or otherwise) all going to a single IP. That's because each cert would be on a separate IP at CloudFlare, pointing back to the single IP at DigOc.

    As well, Incapsula (CloudFlare's competitor) also supports this.
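
An added example, not part of the thread or the linked tutorial: the one-conf-per-domain layout that question 3 asks about, using SNI as the tutorial excerpt describes, with comments on what a client without SNI (IE on Windows XP, per the answer) receives. Hostnames and file paths are placeholders; it assumes mod_ssl is enabled and each block lives in its own file under /etc/apache2/sites-available/.

```apache
# Apache 2.2 (Ubuntu 12.04) needs the next line; Apache 2.4 (Ubuntu 14.04) does not.
# NameVirtualHost *:443

# The first vhost Apache reads for *:443 is the default. A client that sends
# no SNI name is served THIS certificate, whichever site it asked for.
<VirtualHost *:443>
    ServerName www.site-a.example
    DocumentRoot /var/www/site-a
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/site-a.crt
    SSLCertificateKeyFile   /etc/ssl/private/site-a.key
    # CA intermediates (needed for the EV chain to validate). From Apache
    # 2.4.8 they can be appended to SSLCertificateFile instead.
    SSLCertificateChainFile /etc/ssl/certs/site-a-chain.crt

    # off (the default): non-SNI clients land here and get a certificate
    #   name-mismatch warning when they wanted site-b or site-c.
    # on, in this default vhost: non-SNI clients are refused on every
    #   name-based vhost on this IP and port instead of seeing the wrong cert.
    SSLStrictSNIVHostCheck off
</VirtualHost>

<VirtualHost *:443>
    ServerName www.site-b.example
    DocumentRoot /var/www/site-b
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/site-b.crt
    SSLCertificateKeyFile   /etc/ssl/private/site-b.key
    SSLCertificateChainFile /etc/ssl/certs/site-b-chain.crt
</VirtualHost>

<VirtualHost *:443>
    ServerName www.site-c.example
    DocumentRoot /var/www/site-c
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/site-c.crt
    SSLCertificateKeyFile   /etc/ssl/private/site-c.key
    SSLCertificateChainFile /etc/ssl/certs/site-c-chain.crt
</VirtualHost>
```

Keep each private key readable by root only, and after a reload confirm that each hostname returns its own certificate.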
