Multiple SSL Certificates on One Apache Server

Conductor serves many different sites at the University of Notre Dame. However, not all sites in Conductor are under the nd.edu umbrella – www.holycrossusa.org is one of them.

SSL Error in Chrome on www.holycrossusa.org

One problem that arose was that non-administrative users needed to securely access the site. As it was configured, anyone going to https://www.holycrossusa.org/ using the Chrome browser would see the following SSL certificate warning. Other browsers would give even more pessimistic notifications.

What was needed was a separate SSL certificate on the Conductor for www.holycrossusa.org. The big gotcha is that most other documentation I found says to set NameVirtualHost to the server’s IP address. That means the internal, or local, IP address, as reported by Apache’s %A custom log format directive. If you use your server’s public IP address, things may not work.

Below are the relevant /etc/httpd.conf entries.

# Configuration for conductor.nd.edu
NameVirtualHost [LOCAL-IP-ADDRESS-1]:80
NameVirtualHost [LOCAL-IP-ADDRESS-1]:443

<VirtualHost [LOCAL-IP-ADDRESS-1]:80>
	ServerName conductor.nd.edu
	ServerAlias *.conductor.nd.edu
	Include conf/apps/conductor.common
</VirtualHost>

<VirtualHost [LOCAL-IP-ADDRESS-1]:443>
	ServerName conductor.nd.edu
	ServerAlias *.conductor.nd.edu
	Include conf/apps/conductor.common
	RequestHeader set X_ORIGINAL_PROTOCOL https

	SSLEngine on
	SSLCertificateFile /path/to/conductor.crt
	SSLCertificateKeyFile /path/to/conductor.key
	SSLCACertificateFile /path/to/conductor.intermediate.crt
</VirtualHost>

# Configuration for www.holycrossusa.org
NameVirtualHost [LOCAL-IP-ADDRESS-2]:80
NameVirtualHost [LOCAL-IP-ADDRESS-2]:443

<VirtualHost [LOCAL-IP-ADDRESS-2]:80>
	ServerName www.holycrossusa.org
	ServerAlias www.holycrossusa.org
	Include conf/apps/conductor.common
</VirtualHost>

<VirtualHost [LOCAL-IP-ADDRESS-2]:443>
	ServerName www.holycrossusa.org
	ServerAlias holycrossusa.org
	Include conf/apps/conductor.common
	RequestHeader set X_ORIGINAL_PROTOCOL https

	SSLEngine on
	SSLCertificateFile /path/to/holycrossusa.org.crt
	SSLCertificateKeyFile /path/to/www.holycrossusa.org.key
	SSLCACertificateFile /path/to/holycross.intermediate.crt
</VirtualHost>
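
A check for the local-versus-public address gotcha described above, as an added example that is not part of the original post: it parses httpd.conf text and flags VirtualHost addresses that are not bound on the host, blocks with no matching NameVirtualHost, and a second certificate on one address:port. The function names, the sample config and its addresses (10.0.0.x as local, 203.0.113.20 as public) are assumptions constructed for illustration.

```python
import re

# Constructed sample in the page's layout. All addresses are made up:
# 10.0.0.10 stands in for a local address, 203.0.113.20 for a public one.
SAMPLE_CONF = """
NameVirtualHost 10.0.0.10:80
NameVirtualHost 10.0.0.10:443
<VirtualHost 10.0.0.10:443>
    ServerName conductor.nd.edu
    SSLEngine on
    SSLCertificateFile /path/to/conductor.crt
</VirtualHost>
NameVirtualHost 203.0.113.20:443
<VirtualHost 203.0.113.20:443>
    ServerName www.holycrossusa.org
    SSLEngine on
    SSLCertificateFile /path/to/holycrossusa.org.crt
</VirtualHost>
"""

VHOST = re.compile(r"<VirtualHost\s+([^>\s]+)\s*>(.*?)</VirtualHost>", re.S | re.I)

def directive(name, text):
    """Return every argument given to a one-argument directive in text."""
    return re.findall(rf"^[ \t]*{name}[ \t]+(\S+)", text, re.M | re.I)

def audit_vhosts(conf_text, local_addrs):
    """Return (addr:port, ServerName, problem) for each suspect vhost."""
    # NameVirtualHost lines sit outside the vhost blocks, so strip the blocks first.
    declared = set(directive("NameVirtualHost", VHOST.sub("", conf_text)))
    certs_by_socket, findings = {}, []
    for addr_port, body in VHOST.findall(conf_text):
        name = (directive("ServerName", body) or ["(none)"])[0]
        addr = addr_port.rsplit(":", 1)[0]
        if addr not in local_addrs:
            findings.append((addr_port, name, "address not bound on this host"))
        if addr_port not in declared:
            findings.append((addr_port, name, "no matching NameVirtualHost"))
        for cert in directive("SSLCertificateFile", body):
            certs_by_socket.setdefault(addr_port, set()).add(cert)
            if len(certs_by_socket[addr_port]) > 1:
                findings.append((addr_port, name, "second certificate on this address:port (needs SNI)"))
    return findings

if __name__ == "__main__":
    # On a real host, local_addrs comes from the interfaces (or the %A log field).
    for finding in audit_vhosts(SAMPLE_CONF, {"10.0.0.10", "10.0.0.11"}):
        print(*finding, sep="  ")
```

Run against the sample, the only finding is the www.holycrossusa.org block bound to the public address, which is the mistake the post warns about.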

 

2 thoughts on “Multiple SSL Certificates on One Apache Server”

  1. Thanks for posting this!

    I have also experienced a similar setup with Rackspace (which I believe you use). A managed Rackspace server with multiple public IP addresses should have a matching private IP address for each public address. I don’t remember the internal addresses exactly, but I do know that the last octet always matched between the private and public addresses.

    We also ran into a problem on one such server where Rackspace hadn’t correctly mapped the addresses, resulting in quite a bit of ineffective debugging and a quick resolution once we finally contacted support.