Using SSL with Server Alternate Names

tribe_of_dan

I'm developing a facebook application (page tabs) for a site I'm developing and about to launch. I needed SSL so I purchased an SSL Certificate.

The plan was to develop the App whilst the site is a dev.website.com and then migrate it www.website.com later.

I figured out that I'd need a certificate with Subject Alternate Names. So I purchase one from GeoTrust and added the appropriate subdomains e.g. (dev. stg. www.)

I only have one IP address at the moment. My question is, what is the best way to set it up to work best with BOA.

I have read: http://drupalcode.org/project/barracuda.git/blob/HEAD:/docs/SSL.

But it seems to suggest that I will need more IP addresses.

http://nginx.org/en/docs/http/configuring_https_servers.html says that

"It is good practice to configure separate servers for HTTP and HTTPS protocols from the very start. Although their functionalities currently seem equal, this may change significantly in the future and using a consolidated server may become problematic."

Also...

"There are other ways to share a single IP address between several HTTPS servers, however, all of them have drawbacks. One way is to use a certificate with several names in the SubjectAltName certificate field, for example, www.nginx.com and www.nginx.org. However, the SubjectAltName field length is limited."

Am I to summarize from http://drupal.org/node/1244318 that I should just save myself the trouble and purchase more IPs from my host (linode) and set it up as per http://drupalcode.org/project/barracuda.git/blob/HEAD:/docs/SSL.
Does that set up work with SAN?

http://library.linode.com/web-servers/nginx/configuration/ssl
says I need to edit vhosts etc but will they just be overwritten by BOA?

I'm a little confused, can anybody shed some light on how to set up BOA with SSL with Subject Alternate Names?

Comments

In short, yes you need an ip

halcyonCorsair

In short, yes you need an ip per website name.

However in the case of your dev.website.com and www.website.com, you could get a wildcard SSL certificate (eg. *.website.com) and setup a single nginx SSL vhost. eg.
https://github.com/omega8cc/nginx-for-drupal/blob/master/aegir/conf/ngin...

Thanks for the response. I

tribe_of_dan

Thanks for the response. I chose SAN because it was cheaper.

So purchasing an SSL certificate with SAN was a bad idea for BOA? For instance, Linode support tells me...

"You only need as many IP addresses as you have unique certificates. If you only have one certificate, with multiple names via SAN, then you will only need a single IP address, and name based virtual hosting can be used for the sites listed on that certificate. If you have multiple certificates with a single name on each you will need one IP per certificate."

Is there no way to set it up?

What do you think my options are from here?
-Add more IP's and try to use with my SAN certificate
-Try and get Geotrust to upgrade my certificate to a wildcard
-Refund and get individual certificates? (expensive)

Thanks for your help!

You don't need to edit vhosts

omega8cc

You don't need to edit vhosts managed by Aegir.

You only need one extra IP if you wish to separate SSL enabled sites from all other sites with the extra HTTP/HTTPS proxy used in our SSL recipe.

You can also replace the self-signed cert created by Barracuda and then it will work with our standard, built-in SSL proxy, without extra IP and without another local proxy.

Note that Nginx supports TLS-SNI mode, so you could use many SSL certs on the same IP, but not all browsers support this, hence the need to use separate IP per cert.

Of course with any wildcard or multi-domain cert you need only one extra IP when using the extra proxy per our SSL how-to, or even no extra IPs when replacing the built-in SSL proxy self-signed cert.

Thanks for the

tribe_of_dan

Thanks for the help and clarification. I've purchased an extra IP address and set it up the best I know how via SSL.txt

When I 'service nginx reload' I'm getting this...
# service nginx reload
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: [emerg] bind() to 74.207.245.68:80 failed (99: Cannot assign requested address)
nginx: configuration file /etc/nginx/nginx.conf test failed

EDIT - I had not set up my extra IP address correctly as per http://library.linode.com/networking/configuring-static-ip-interfaces

Note: Part of these instructions was to run: apt-get remove isc-dhcp-client dhcp3-client dhcpcd (will this cause dramas for BOA?)

Now I'm getting...

service nginx reload
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Reloading (via HUP) Nginx Server...:.

So now that worked, but I still don't have SSL working. These are my config files https://gist.github.com/1297333

Can you please tell me where I'm going wrong?

...the site seems to still be

tribe_of_dan

...the site seems to still be serving the default aegir certificate:

Common Name: *.server.danlewis.me
Organisation: Aegir
Organisational Unit (1): Cloud
City/Locality: New York
State/Province: New York
Country: US

This seems to be the contents of nginx-wild-ssl.crt

How do I get this set up to work for extra_ip_ssl.conf?

EDIT - please help, I've been stuck on this all week and can't get it to work. I've exhausted all possibilities that I know how. Linode and Geotrust support can't help me because they don't know the unique BOA set up. Now my octopus instance is not working (all other sites, including aegir do) I can't figure out why. Please help.

Are you sure you have added

omega8cc

Are you sure you have added your extra IP to the server networking and you can ping it? And have you pointed your DNS A record for the domain to this IP? It is not really related (or specific) to BOA, rather to some pretty basic level sysadmin stuff..

Your config

omega8cc

Your config https://gist.github.com/1297333 looks fine and your extra IP is up, so it should just work - unless you didn't point your domain A record to the 74.207.245.68 IP yet, or it didn't propagate yet because of high TTL value probably.

It was the A records! Thanks

tribe_of_dan

It was the A records! Thanks so much Grace :)

It appears I spoke too soon.

tribe_of_dan

It appears I spoke too soon. I added A records for both IP's pointing to the same domain. 'dev.stratos.com.au'.

It wasn't until I added 'A' records for the second IP address that my correct certificate was picked up. But now I believe there is confusion about which IP the name uses. Some sites work, some sites don't.

How should a zone file be set up for sites using the proxy method that BOA uses?

There is nothing BOA or proxy

omega8cc

There is nothing BOA or proxy specific here. Any proper DNS configuration will work. Make sure you have only one IP address listed in your A records.

[EDIT] "I added A records for both IP's pointing to the same domain" <-- this is obviously wrong DNS setup in this case. There should be only one SSL enabled extra IP listed.

So after reading this, you

bmx269

So after reading this, you can not install multiple certificates per ip address, like apache?

You can

omega8cc

Please read my comment above: http://groups.drupal.org/node/183789#comment-608709

If you don't care about older browsers and people still using Windows XP then you can use Nginx built-in TLS/SNI support and add as many server directives listening on the same IP but with different certs as you wish - see the example:

http://drupalcode.org/project/barracuda.git/blob/HEAD:/docs/SSL.txt

This is for separate IPs, but you get the idea, just put the same IP in every server {}

TLS/SNI

mattpaul-net

Does anyone have an example of this using TLS/SNI?

You just have to specify

attiks

You just have to specify server_name

server {
  listen                   1.2.3.4:443;
  server_name              www.server1.com;
  ssl                      on;
  ssl_certificate          /etc/ssl/private/www.server1.com.crt;
  ssl_certificate_key      /etc/ssl/private/www.server1.com.key;
  ....
}

server {
  listen                   1.2.3.4:443;
  server_name              www.anotherserver.com;
  ssl                      on;
  ssl_certificate          /etc/ssl/private/www.anotherserver.com.crt;
  ssl_certificate_key      /etc/ssl/private/www.anotherserver.com.key;
  ....
}
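An added helper, not from this thread or from BOA, for checking the two things discussed above: which certificate an nginx IP actually presents with and without SNI (omega8cc's point about non-SNI browsers getting the default cert, and the "default aegir certificate" symptom earlier in the thread), and whether a cert's SubjectAltName or wildcard names cover a given hostname. All IPs and hostnames in it are constructed placeholders; the network check is only run from the command line.

```python
"""Diagnose SNI/SAN certificate selection on a single IP.
Added example for this thread, not part of BOA; names and IPs are constructed."""
import hashlib
import socket
import ssl


def presented_cert_sha256(ip, port=443, sni=None):
    """Return the SHA-256 fingerprint of the leaf cert that ip:port presents.
    sni=None sends no server_name, which is what an old non-SNI client does;
    nginx then serves the default cert for that IP (the self-signed Aegir
    wildcard cert, in the thread above) instead of the one matching the site."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # we want the raw cert, not a validation verdict
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def name_matches(pattern, hostname):
    """RFC 6125-style match: exact, or a single leading '*.' label that covers
    exactly one label, so *.website.com matches dev.website.com but neither
    website.com nor a.dev.website.com (a common wildcard surprise)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".website.com"
    if not hostname.endswith(suffix):
        return False
    head = hostname[:-len(suffix)]
    return bool(head) and "." not in head


def cert_covers(hostname, common_name, sans):
    """Browsers check the SubjectAltName dNSName list; the CN is consulted
    only when the cert carries no SANs (legacy behaviour)."""
    names = list(sans) if sans else [common_name]
    return any(name_matches(n, hostname) for n in names)


if __name__ == "__main__":
    import sys
    ip, host = sys.argv[1], sys.argv[2]      # e.g. 203.0.113.10 dev.website.com
    with_sni, without = presented_cert_sha256(ip, sni=host), presented_cert_sha256(ip)
    print("with SNI   :", with_sni)
    print("without SNI:", without)
    # Same fingerprint means one cert serves the whole IP (a SAN/wildcard cert);
    # different fingerprints mean nginx is selecting per server_name via SNI.
    print("same cert for both:", with_sni == without)
```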

That did it, thanks.

mattpaul-net

That did it, thanks.
