SSL setup on Virtualmin on multiple sites using one public IP

#1 Thu, 08/18/2011 - 03:49
-eclipse-

Hi all

Is it possible to set up multiple SSL sites within Virtualmin without using multiple public IPs? Normally we have to use one extra public IP for each SSL site created on our IIS webservers, but I just wanted to know if Apache / Virtualmin are smarter than IIS regarding the SSL setup / usage.

Looking forward to hearing from anyone who could enlighten me on the topic above.

  • Tim
Thu, 08/18/2011 - 04:07
Locutus

Apache basically supports it, through SNI: http://en.wikipedia.org/wiki/Server_Name_Indication

Unfortunately, Virtualmin does not support that (yet), i.e. you'll have to configure Apache manually to make use of SNI.

Note though that Internet Explorer (up to version 8) on Windows XP does not support SNI, so if you were to use it on your web pages, you'd lock out a good deal of users.

Thu, 08/18/2011 - 04:20
-eclipse-

Hi Locutus

Thanks for your quick response. Hmm, so I can set it up manually but then I will cut all users on Windows XP using Internet Explorer (which is still quite many). It might be a solution if the customer accepts that the visitors should use anything else than Internet Explorer :)

Do you know when Virtualmin might support SNI through the GUI?

Secondly, I can understand that I need to use an extra public IP for each SSL site I would create on Virtualmin. Is there an easy how-to guide for Virtualmin :)

  • Tim
Thu, 08/18/2011 - 04:27
Locutus

Eric would be the one who can say something about if and when Virtualmin might support SNI. :) I don't know really.

To add extra IP addresses, you can put ranges to allocate from in the Server Template, section "Virtual IP Address". Then, when creating a new server, you choose "Network interface: Virtual with allocated IP" in the "IP address and forwarding" box.

Thu, 08/18/2011 - 08:04
andreychek

Well, just to clarify -- you need one IP address per SSL certificate (rather than one IP per domain). It's possible to have multiple domains or wildcards in a given SSL cert.

I unfortunately don't have a timeline on SNI, though I'll see if I can get some input on that :-)

-Eric

Thu, 08/18/2011 - 08:21
-eclipse-

Hi Eric

I am familiar with the multiple SSL certificate options, but I don't think I can persuade the customers to share SSL Certificates, especially if they someday want to move to another host :)

I am looking forward to the implementation of the SNI in Virtualmin, it would be a great option to have S

  • Tim
Thu, 08/18/2011 - 08:26
andreychek

Yup, if you're talking about multiple customers, I certainly wouldn't recommend sharing a single cert.

I'll look into that SNI support though. Thanks!

-Eric

Thu, 08/18/2011 - 14:59
andreychek

As Locutus mentioned, SNI won't work on many of the IE-based browsers on Windows XP (at least, IE6 and IE7).

Being as Windows XP only this month dropped below 50% market share, would you guys really find SNI support useful at the moment?

That's according to this article:

http://www.tgdaily.com/software-brief/57628-windows-xp-market-share-fall...

Thu, 08/18/2011 - 17:24 (Reply to #8)
sfatula

SNI requires a newer openssl than exists in the standard CentOS 5 (at least) distribution. So, if you wanted to do this, you'll need to make your own openssl.

For us, it would be useful, if only for admins. Would not deploy out to public at large.

Fri, 08/19/2011 - 02:28
-eclipse-

I think it would be a perfect improvement to the Virtualmin setup. But it might be a problem on CentOS, as mentioned by sfatula above regarding the OpenSSL engine. But if it could be replaced easily by admins (with a how-to guide), then it would be a big step forward to use SNI in large Virtualmin hosting setups.

  • Tim
Fri, 08/19/2011 - 15:01
andreychek

Okay, so, I have some interesting news. SNI already is supported by Virtualmin :-)

I again want to clarify that SNI won't work in a lot of places... it appears that it won't work on any IE-based browser on Windows XP, which is a lot of users!

But, if that's not a problem for your userbase, you can use SNI in Virtualmin.

If Apache/mod_ssl is compiled with SNI support, then Virtualmin will allow you to set up a different SSL certificate for multiple domains on the same IP address.

You'll see a Virtualmin warning when that occurs, since most people don't actually want to use SNI.

However, the warning won't prevent it from working -- you can continue from there by setting up as many SSL certs as you like.

I just tested that this works with CentOS 6. It should also work with Debian 6.

I do not believe it'll work in distros offering Apache versions before 2.2.12, which includes Ubuntu 10.04, CentOS 5, and Debian 5.

For anyone reading this who isn't yet familiar with SNI -- it's not a silver bullet, and we again don't think it's ready for prime-time use, since roughly half the computers on the Internet today won't work with it. But for folks with a limited or controlled userbase, and having a supported browser isn't a problem -- SNI should work just fine.

-Eric

Fri, 08/19/2011 - 17:34 (Reply to #11)
Locutus

I do not believe it'll work in distros offering Apache versions before 2.2.12, which includes Ubuntu 10.04, CentOS 5, and Debian 5.

Please note that Ubuntu 10.04 currently has Apache 2.2.14.

Fri, 08/19/2011 - 17:40 (Reply to #12)
andreychek

Please note that Ubuntu 10.04 currently has Apache 2.2.14.

Well, crap, you're absolutely right!

I went over to packages.ubuntu.com to test all this out before I posted, but I must have selected the wrong Ubuntu version when I searched for the "apache2" package.

Thanks for setting me straight! :-)

-Eric

Fri, 08/19/2011 - 17:46 (Reply to #13)
Locutus

You're most welcome. :-)

I tested it in the "most empirical way possible" on my hosting VM. ;)

root@orion:~# apache2 -v
Server version: Apache/2.2.14 (Ubuntu)
Server built:   Nov 18 2010 21:19:09
Fri, 08/19/2011 - 15:08
sfatula

Yes, so, what I was saying agrees with you, just goes one step further. If someone WANTED to recompile Apache on Centos 5 (at least) to enable SNI, they will fail as openssl is too old. So, they will also need to find a way to update openssl.

Had already been down that road!

Mon, 08/29/2011 - 02:36
-eclipse-

Hi Eric

So we have to be running Centos version 6 to be able to use SNI? We are currently running version 5.6

  • Tim
Mon, 08/29/2011 - 07:52 (Reply to #16)
andreychek

Correct, SNI does not work by default on CentOS 5. You would need newer Apache, mod_ssl, and openssl packages.

A newer distro such as CentOS 6 comes with packages that have SNI support.

Remember though that roughly half of the browsers in use today don't support SNI... so even if you upgrade to a newer distro, it won't work for many people.

-Eric

Tue, 05/29/2012 - 21:26
lvsys

So we're willing to bite the silver bullet and start deploying SNI

How would I go about enabling SNI on Virtualmin? I am looking for a quick way to set this up.

Not sure how to check whether TLS and mod_ssl are compiled with SNI support.

Can you provide any pointers?

Thanks

MD

Tue, 05/29/2012 - 22:07 (Reply to #18)
andreychek

I believe that SNI is available in Apache versions 2.2.12 and after. That should be available in CentOS 6, Ubuntu 10.04, and Debian 6.

You wouldn't need to do anything to enable it -- it would just work. You'd simply need to enable multiple SSL certs on one IP address.

Just note that a number of browsers don't support that quite yet -- there's some details regarding that that were discussed above.

-Eric

Tue, 05/29/2012 - 22:38
lvsys

Thanks

I am using Chrome, which has SNI enabled, you can verify it here https://sni.velox.ch/

I have two SSL websites on one IP. Let's say abc.com and xyz.com

But when I pull https://xyz.com via https, it opens up the abc.com with a certificate error.

Is there some config in Virtualmin I need to modify?

MD

Tue, 05/29/2012 - 22:48
lvsys

One clarification: I restarted Apache, and the following warning was issued:

[Tue May 29 20:30:43 2012] [warn] VirtualHost x.x.x.x:443 overlaps with VirtualHost x.x.x.x:443, the first has precedence, perhaps you need a NameVirtualHost directive

Where x.x.x.x is the same ip address

I believe that's the apache config produced by virtualmin that's missing the NameVirtualHost directive...

We're running VirtualMin Pro 3.92 (installed 12/May/2012)

Thanks

MD

Tue, 05/29/2012 - 23:01
lvsys

I confirm this is something to polish in virtualmin. For those of us who want to do SNI, we need to modify the apache directives manually (yay)

But I got it working

If you want to get SNI to work on Virtualmin, it's a three step process:

1) modify the /etc/apache2/apache2.conf file and make sure you have at least one line like this:

NameVirtualHost *:443

2) modify your virtualhosts in /etc/apache2/abc.com.conf (and all other .conf sharing the same ip) by changing the 443 virtualhost line to:

<VirtualHost *:443>

3) restart apache.

Works like a charm. Oh, but yeah, anyone with a browser for whom SNI does not work will get an SSL certificate error even though the right site will show - but I don't think it should be a huge deal, Windows XP is down to 27% and it's losing 1.5% almost every month.

For customers being turned off, we as web companies can instruct them to upgrade their browser, or accept the certificate error.

MD.
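An added example (not from this thread) for verifying the three-step setup above from the client side: it connects to the one shared IP several times, each time sending a different hostname in the SNI extension, and reports whether the server answered with a trusted certificate for that name or fell back to another site's certificate (the "xyz.com opens abc.com with a certificate error" symptom reported earlier). The IP, hostnames and the embedded sample certificate dict are constructed placeholders.

```python
"""Probe one IP with several SNI names and report which certificate each gets."""
import socket
import ssl
import sys

# Constructed sample in the shape SSLSocket.getpeercert() returns, for offline use.
SAMPLE_CERT = {
    "subject": ((("commonName", "abc.com"),),),
    "subjectAltName": (("DNS", "abc.com"), ("DNS", "www.abc.com")),
}


def cert_names(cert):
    """All DNS names a getpeercert() dict carries: SAN DNS entries plus subject CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names.extend(v for k, v in rdn if k == "commonName")
    return names


def name_matches(pattern, hostname):
    """Exact match, or a single leftmost '*' label (as in a wildcard cert)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return False


def cert_matches_hostname(cert, hostname):
    return any(name_matches(n, hostname) for n in cert_names(cert))


def probe(ip, hostname, port=443, cafile=None, timeout=5.0):
    """Handshake with ip, sending hostname as the SNI name.
    Returns ("ok", names) when the presented cert is trusted and names the host,
    ("mismatch", why) when the server answered with another site's cert,
    ("untrusted", why) for a cert the CA store does not trust (pass cafile for
    self-signed certs), or ("error", why) when no TLS connection could be made."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return "ok", cert_names(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        kind = "mismatch" if "match" in str(exc).lower() else "untrusted"
        return kind, str(exc)
    except (OSError, ssl.SSLError) as exc:
        return "error", str(exc)


if __name__ == "__main__":
    # usage: python sni_probe.py 203.0.113.10 abc.com xyz.com  (placeholder values)
    for host in sys.argv[2:]:
        print(host, *probe(sys.argv[1], host))
```

Every hostname reporting "ok" with its own names means mod_ssl picked the matching vhost; a "mismatch" for the second name means Apache still serves the first <VirtualHost *:443> for everything, the NameVirtualHost symptom from the earlier post.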

Tue, 05/29/2012 - 23:09 (Reply to #22)
sfatula

From the Apache wiki...

Prerequisites to use SNI

  • Use OpenSSL 0.9.8f or later.
  • Build OpenSSL with the TLS Extensions option enabled (option enable-tlsext; OpenSSL 0.9.8k and later has this enabled by default).
  • Apache must have been built with that OpenSSL (./configure --with-ssl=/path/to/your/openssl). In that case, mod_ssl will automatically detect the availability of the TLS extensions and support SNI.
  • Apache must use that OpenSSL at run-time, which might require setting LD_LIBRARY_PATH or equivalent to point to that OpenSSL, maybe in bin/envvars. (You'll get unresolved symbol errors at Apache startup if Apache was built with SNI but isn't finding the right openssl libraries at run-time.)

How can you tell if your Apache build supports SNI? If you configure multiple name-based virtual hosts for an address where SSL is configured, and SNI isn't built into your Apache, then upon Apache startup a message like "You should not use name-based virtual hosts in conjunction with SSL!!" will occur in the error log. If SNI is built in, then the error log will show "[warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)".

Wed, 05/30/2012 - 00:42
lvsys

The second paragraph is what I had used as a first pointer, along with the directives from this website https://sni.velox.ch/

That website made it much easier.

MD

Mon, 10/26/2015 - 16:26
azcunaga

Do you still need one IP per SSL certificate in Virtualmin?

Or can you set-up multiple sites with one IP?

Thanks

Mon, 10/26/2015 - 17:13 (Reply to #25)
andreychek

Howdy,

Well, this particular thread is a few years old... Virtualmin now makes use of SNI in Apache, and can use any number of SSL certificates per IP address.

-Eric

Mon, 10/26/2015 - 19:56 (Reply to #26)
azcunaga

OK Great! So I can have one Virtualmin install with several domain/SSLs within the same IP address, correct?

Is this a straightforward setup through the Manage SSLs section or do I need to edit Apache directives manually?

Mon, 10/26/2015 - 22:24 (Reply to #27)
andreychek

It should just work -- it's just a matter of enabling the SSL feature for all the domains that should have it.

Current Apache versions handle this just fine, and don't require anything unusual for that to work properly.

-Eric

Mon, 10/26/2015 - 22:32
azcunaga

I tried to enable SSL on a 2nd top-level virtual server / website. Previously only the parent site (same Virtualmin install) had SSL enabled.

  • Reissued fresh certificates
  • Added the .crt (certificate) file
  • Added the .ca-bundle (certificate authority) file

After I did this I got locked out of Virtualmin, since the parent website's SSL got updated with the new cert mismatch. How can I avoid the parent virtual server sporting the secondary certificate?

Any clues would be greatly appreciated, Best

Tue, 10/27/2015 - 10:46 (Reply to #29)
andreychek

Howdy,

We can certainly help out, but since this thread is over 3 years old -- could you start a new thread, and there, describe the issue that's occurring now? Thanks!

-Eric
