SNI on Apache: How to Host Multiple SSL Certificates on a Single IP Address


When working with web servers, it is often necessary to serve several sites protected by SSL certificates on one server.

Previously, this required a dedicated IP address for each domain, but since the invention of the Server Name Indication (SNI) technology, it has become possible to manage several certificates on a single IP address.

What is SNI and why is it needed?

SNI (Server Name Indication) is an extension of the TLS protocol that lets the client name the host it wants to reach in its first handshake message (the ClientHello), before the secure channel is established. The server can therefore select the correct SSL certificate even when several sites are hosted on the same IP address.

Configuring SNI in Apache

To implement support for multiple SSL certificates on a single IP address on Apache, do the following:

1. Check SNI support

SNI is supported on Apache starting from version 2.2.12. It is also important that OpenSSL is version 0.9.8j or higher. You can find out the current Apache version with one of the following commands:

apache2 -v
apachectl -v
httpd -v

You can check the OpenSSL version with the command:

openssl version

2. Set up virtual hosts with SSL

Each site on the server should be configured as a separate virtual host. In the Apache configuration directory (/etc/apache2/sites-available/), create or edit a configuration file for each domain. For example:

<VirtualHost *:443>
    ServerName site1.com
    DocumentRoot /var/www/site1
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/site1.crt
    SSLCertificateKeyFile /etc/ssl/private/site1.key
</VirtualHost>

<VirtualHost *:443>
    ServerName site2.com
    DocumentRoot /var/www/site2
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/site2.crt
    SSLCertificateKeyFile /etc/ssl/private/site2.key
</VirtualHost>

Confirm that the SSL module (mod_ssl) is enabled and that the global configuration contains the directives SSL needs, such as Listen 443, before the <VirtualHost> blocks.
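To make the handshake step concrete, here is an added Python example (not from the original article or from the Apache project) that builds a minimal TLS 1.2 ClientHello carrying the server_name extension, reads the requested host name out of it the way the server does before any certificate is sent, and maps that name onto the two virtual hosts above. The ClientHello bytes and the VHOSTS mapping are constructed for this example.

```python
import struct

# Constructed example: a minimal ClientHello with the server_name extension.
HANDSHAKE_RECORD, CLIENT_HELLO, SNI_EXTENSION = 0x16, 0x01, 0x0000
# ServerName -> certificate, mirroring the two <VirtualHost *:443> blocks above.
VHOSTS = {"site1.com": "/etc/ssl/certs/site1.crt",
          "site2.com": "/etc/ssl/certs/site2.crt"}


def build_client_hello(hostname=None):
    """Return a ClientHello record; hostname=None omits the SNI extension."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")                 # SNI carries ASCII (IDNA) names
        sni_list = struct.pack("!BH", 0x00, len(name)) + name   # name_type host_name
        sni_data = struct.pack("!H", len(sni_list)) + sni_list
        exts = struct.pack("!HH", SNI_EXTENSION, len(sni_data)) + sni_data
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"        # version, random, empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"         # one cipher suite
            + b"\x01\x00"                                # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE_RECORD, 0x0303, len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name in a ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != HANDSHAKE_RECORD or record[5] != CLIENT_HELLO:
            return None
        pos = 43                                         # headers(9) + version(2) + random(32)
        pos += 1 + record[pos]                           # session_id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + record[pos]                           # compression_methods
        end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
            data, pos = record[pos + 4:pos + 4 + ext_len], pos + 4 + ext_len
            i = 2 if ext_type == SNI_EXTENSION else len(data)   # skip server_name_list length
            while i + 3 <= len(data):
                name_type, name_len = data[i], struct.unpack("!H", data[i + 1:i + 3])[0]
                if name_type == 0x00:
                    return data[i + 3:i + 3 + name_len].decode("ascii")
                i += 3 + name_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


def select_certificate(record, vhosts=VHOSTS):
    """Cert for the SNI name; with no match Apache serves the first (default) vhost."""
    return vhosts.get(extract_sni(record), next(iter(vhosts.values())))
```

A client that sends no SNI, or an unknown name, receives the default virtual host's certificate, which is exactly the mismatch the verification step below is meant to catch.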

3. Enable SSL and SNI support in Apache

Before restarting the server, make sure that the SSL module (mod_ssl) is loaded in your Apache configuration.

Then apply the changes:

sudo systemctl restart apache2

4. Check everything is working

To verify that the server is handling requests with SNI correctly, request the certificate for a specific server name and print the names it covers (the -servername option sets the SNI name, and </dev/null closes the session once the handshake is done):

openssl s_client -connect gogetssl.com:443 -servername gogetssl.com </dev/null | openssl x509 -noout -text | grep DNS:

This prints only the DNS entries of the certificate's Subject Alternative Name field, so you can see at a glance whether the certificate returned for that server name is the expected one. Repeat the check with each of your domains in -servername and confirm that every virtual host returns its own certificate.

Browser support and limitations

SNI is supported by most modern browsers, including Google Chrome, Firefox, Safari, and Edge. However, some older clients, such as Internet Explorer on Windows XP, do not support it; they receive the default virtual host's certificate instead, so users of such systems may encounter certificate errors when visiting the site.

Conclusion

SNI is a convenient way to use multiple SSL certificates on a single server without allocating a separate IP address for each site. This reduces costs and simplifies server administration while remaining a reliable and widely supported solution.