jesin
By:
Jesin A
We hope you find this tutorial helpful. In addition to guides like this one, we provide simple cloud infrastructure for developers. Learn more →

How To Set Up Multiple SSL Certificates on One IP with Lighttpd

PostedApril 15, 2014 17.4k views Security CentOS Ubuntu

Introduction

Server Name Indication (SNI) is a feature of the TLS protocol which enables setting up multiple SSL certficates on a single IP address.

Lighttpd must already be setup and running. Read these articles to get it up.

Setup

Two domains will be used for this tutorial. Both will use self-signed SSL certificates.

Domain 1: example.com
Common Name: *.example.com

Domain 2: digitalocean.com
Common Name: www.digitalocean.com

SSL setup needs a default certificate just like a default virtual host. We will use the first domain's certificate for this.

Create private keys

Create a directory inside the /etc/lighttpd to place the keys and certificates.

mkdir /etc/lighttpd/certs

Create a private key and enter a passphrase. The second command is for removing the passphrase.

cd /etc/lighttpd/certs
openssl genrsa -des3 -out example.com.key 2048
openssl rsa -in example.com.key -out example.com.key

Do the same for the second domain too.

openssl genrsa -des3 -out digitalocean.com.key 2048
openssl rsa -in digitalocean.com.key -out digitalocean.com.key

If the passphrase isn't removed, Lighttpd will prompt for it each time it starts or restarts.

Create a Certificate Signing Request

Create a CSR for both the domain names.

cd /etc/lighttpd/certs
openssl req -new -key digitalocean.com.key -out digitalocean.com.csr
openssl req -new -key example.com.key -out example.com.csr

Fill in the details and enter a dot . if you wish to leave a field blank.

-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:NYC
Organization Name (eg, company) [Internet Widgits Pty Ltd]:DigitalOcean Inc
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:www.digitalocean.com
Email Address []:webmaster@digitalocean.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

When filling the Common Name field for example.com make sure to enter *.example.com.

-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:Chennai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:*.example.com
Email Address []:admin@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

We have entered a different country and city for this CSR so that it is easy to distinguish which certificate is presented.

Sign your SSL Certificates

Here again, we will set a different validity length (-days argument) for both the certificates so that we can easily differentiate between them.

cd /etc/lighttpd/certs
openssl x509 -req -days 100 -in example.com.csr -signkey example.com.key -out example.com.crt
openssl x509 -req -days 200 -in digitalocean.com.csr -signkey digitalocean.com.key -out digitalocean.com.crt

Create a .pem file from the certificates and their private keys.

cat example.com.{key,crt}> example.com.pem
cat digitalocean.com.{key,crt}> digitalocean.com.pem

Secure the files in this directory by only allowing the root user to read these files.

chmod -R 400 /etc/lighttpd/certs/

The Lighttpd daemon starts with root privileges before coming down to www-data so this should not be a problem.

Configure Lighttpd for SSL

Edit the /etc/lighttpd/lighttpd.conf file and add the following lines at the end.

$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/certs/example.com.pem"
    $HTTP["host"] =~ "(^|www\.)digitalocean.com" {
        ssl.pemfile = "/etc/lighttpd/certs/digitalocean.com.pem"
    }
}

Since the ceritifcate of example.com is the default one, we do not place it inside a host condition.

Restart the Lighttpd daemon.

service lighttpd force-reload

The service should successfully restart if you have not made errors in the certificate paths or when creating the .pem file.

Testing HTTPS

The easy way of testing this without editing the hosts file is to use curl.

This command has a --resolve argument which maps domains with IP addresses. Replace 1.1.1.1 with the IP address of your Droplet.

curl -k -o /dev/null --resolve "www.digitalocean.com:443:1.1.1.1" -s -v https://www.digitalocean.com

This will give a verbose output. The -o redirects all HTML output as we do not need it. This is the snippet we are interested in.

* SSL connection using AES256-SHA
* Server certificate:
*        subject: C=US; L=NYC; O=DigitalOcean Inc; CN=www.digitalocean.com; emailAddress=webmaster@digitalocean.com
*        start date: 2014-03-26 18:39:25 GMT
*        expire date: 2014-10-12 18:39:25 GMT
*        common name: www.digitalocean.com (matched)
*        issuer: C=US; L=NYC; O=DigitalOcean Inc; CN=www.digitalocean.com;    emailAddress=webmaster@digitalocean.com
*        SSL certificate verify result: self signed certificate (18), continuing anyway.

Examine the next domain.

curl -k -o /dev/null --resolve "www.example.com:443:1.1.1.1" -s -v https://www.example.com

Cert details from output:

* SSL connection using AES256-SHA
* Server certificate:
*        subject: C=IN; L=Chennai; CN=*.example.com; emailAddress=admin@example.com
*        start date: 2014-03-26 18:39:20 GMT
*        expire date: 2014-07-04 18:39:20 GMT
*        common name: *.example.com (matched)
*        issuer: C=IN; L=Chennai; CN=*.example.com; emailAddress=admin@example.com
*        SSL certificate verify result: self signed certificate (18), continuing anyway.

Notice the differences between both the certificates in the subject: and expire date: fields.

Try accessing the IP address directly.

user@droplet~$ curl -k -o /dev/null -s -v https://1.1.1.1

* SSL connection using AES256-SHA
* Server certificate:
*        subject: C=IN; L=Chennai; CN=*.example.com; emailAddress=admin@example.com
*        start date: 2014-03-26 18:39:20 GMT
*        expire date: 2014-07-04 18:39:20 GMT
*        common name: *.example.com (does not match '128.199.206.19')
*        issuer: C=IN; L=Chennai; CN=*.example.com; emailAddress=admin@example.com
*        SSL certificate verify result: self signed certificate (18), continuing anyway.

This should return the certificate of example.com.

Submitted by:

7 Comments

Creative Commons License