I'm developing a Facebook application (page tabs) for a site I'm developing and about to launch. I needed SSL, so I purchased an SSL certificate.
The plan was to develop the app while the site is at dev.website.com and then migrate it to www.website.com later.
I figured out that I'd need a certificate with Subject Alternate Names. So I purchased one from GeoTrust and added the appropriate subdomains, e.g. (dev., stg., www.).
I only have one IP address at the moment. My question is, what is the best way to set it up to work best with BOA.
I have read: http://drupalcode.org/project/barracuda.git/blob/HEAD:/docs/SSL.
But it seems to suggest that I will need more IP addresses.
http://nginx.org/en/docs/http/configuring_https_servers.html says that
"It is good practice to configure separate servers for HTTP and HTTPS protocols from the very start. Although their functionalities currently seem equal, this may change significantly in the future and using a consolidated server may become problematic."
Also...
"There are other ways to share a single IP address between several HTTPS servers, however, all of them have drawbacks. One way is to use a certificate with several names in the SubjectAltName certificate field, for example, www.nginx.com and www.nginx.org. However, the SubjectAltName field length is limited."
Am I to summarize from http://drupal.org/node/1244318 that I should just save myself the trouble and purchase more IPs from my host (Linode) and set it up as per http://drupalcode.org/project/barracuda.git/blob/HEAD:/docs/SSL?
Does that set up work with SAN?
http://library.linode.com/web-servers/nginx/configuration/ssl
says I need to edit vhosts etc., but will they just be overwritten by BOA?
I'm a little confused. Can anybody shed some light on how to set up BOA with SSL with Subject Alternate Names?
Comments
In short, yes, you need an IP per website name.
However, in the case of your dev.website.com and www.website.com, you could get a wildcard SSL certificate (e.g. *.website.com) and set up a single nginx SSL vhost, e.g.
https://github.com/omega8cc/nginx-for-drupal/blob/master/aegir/conf/ngin...
Thanks for the response. I chose SAN because it was cheaper.
So purchasing an SSL certificate with SAN was a bad idea for BOA? For instance, Linode support tells me...
Is there no way to set it up?
What do you think my options are from here?
- Add more IPs and try to use them with my SAN certificate
- Try to get GeoTrust to upgrade my certificate to a wildcard
- Refund and get individual certificates? (expensive)
Thanks for your help!
You don't need to edit vhosts managed by Aegir.
You only need one extra IP if you wish to separate SSL enabled sites from all other sites with the extra HTTP/HTTPS proxy used in our SSL recipe.
You can also replace the self-signed cert created by Barracuda and then it will work with our standard, built-in SSL proxy, without extra IP and without another local proxy.
Note that Nginx supports TLS-SNI mode, so you could use many SSL certs on the same IP, but not all browsers support this, hence the need to use separate IP per cert.
Of course with any wildcard or multi-domain cert you need only one extra IP when using the extra proxy per our SSL how-to, or even no extra IPs when replacing the built-in SSL proxy self-signed cert.
Thanks for the help and clarification. I've purchased an extra IP address and set it up the best I know how via SSL.txt
When I 'service nginx reload' I'm getting this...
# service nginx reload
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: [emerg] bind() to 74.207.245.68:80 failed (99: Cannot assign requested address)
nginx: configuration file /etc/nginx/nginx.conf test failed
EDIT - I had not set up my extra IP address correctly as per http://library.linode.com/networking/configuring-static-ip-interfaces
Note: Part of these instructions was to run: apt-get remove isc-dhcp-client dhcp3-client dhcpcd (will this cause dramas for BOA?)
Now I'm getting...
service nginx reload
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Reloading (via HUP) Nginx Server...:.
So now that worked, but I still don't have SSL working. These are my config files https://gist.github.com/1297333
Can you please tell me where I'm going wrong?
...the site seems to still be serving the default aegir certificate:
Common Name: *.server.danlewis.me
Organisation: Aegir
Organisational Unit (1): Cloud
City/Locality: New York
State/Province: New York
Country: US
This seems to be the contents of nginx-wild-ssl.crt
How do I get this set up to work for extra_ip_ssl.conf?
EDIT - please help, I've been stuck on this all week and can't get it to work. I've exhausted all possibilities that I know of. Linode and GeoTrust support can't help me because they don't know the unique BOA setup. Now my Octopus instance is not working (all other sites, including Aegir, do) and I can't figure out why. Please help.
Are you sure you have added your extra IP to the server networking and you can ping it? And have you pointed your DNS A record for the domain to this IP? It is not really related (or specific) to BOA, rather to some pretty basic level sysadmin stuff.
Your config https://gist.github.com/1297333 looks fine and your extra IP is up, so it should just work - unless you didn't point your domain A record to the 74.207.245.68 IP yet, or it didn't propagate yet, probably because of a high TTL value.
It was the A records! Thanks so much Grace :)
It appears I spoke too soon. I added A records for both IPs pointing to the same domain, 'dev.stratos.com.au'.
It wasn't until I added 'A' records for the second IP address that my correct certificate was picked up, but now I believe there is confusion about which IP the name uses. Some sites work, some sites don't.
How should a zone file be set up for sites using the proxy method that BOA uses?
There is nothing BOA or proxy specific here. Any proper DNS configuration will work. Make sure you have only one IP address listed in your A records.
[EDIT] "I added A records for both IP's pointing to the same domain" <-- this is obviously wrong DNS setup in this case. There should be only one SSL enabled extra IP listed.
So after reading this, you cannot install multiple certificates per IP address, like Apache?
You can
Please read my comment above: http://groups.drupal.org/node/183789#comment-608709
If you don't care about older browsers and people still using Windows XP then you can use Nginx built-in TLS/SNI support and add as many server directives listening on the same IP but with different certs as you wish - see the example:
http://drupalcode.org/project/barracuda.git/blob/HEAD:/docs/SSL.txt
This is for separate IPs, but you get the idea: just put the same IP in every server {}.
TLS/SNI
Does anyone have an example of this using TLS/SNI?
You just have to specify server_name:

# Two TLS vhosts on the same IP and port; nginx picks the server block
# (and therefore the certificate) from the SNI name the client sends.
server {
    # "ssl" on the listen line replaces the older "ssl on;" directive,
    # which has been removed from current nginx releases.
    listen 1.2.3.4:443 ssl;
    server_name www.server1.com;
    ssl_certificate /etc/ssl/private/www.server1.com.crt;
    ssl_certificate_key /etc/ssl/private/www.server1.com.key;
    ....
}
server {
    listen 1.2.3.4:443 ssl;
    server_name www.anotherserver.com;
    ssl_certificate /etc/ssl/private/www.anotherserver.com.crt;
    ssl_certificate_key /etc/ssl/private/www.anotherserver.com.key;
    ....
}
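Once several certificates share one IP, the check that would have caught the problems in this thread (the default Aegir wildcard cert being served, or a wildcard that does not cover the name asked for) is to connect to the IP with SNI set to each name and see whether the presented certificate verifies for it. This is an added example, not code from the thread or from BOA; the IP and hostnames in it are constructed placeholders, and name_matches implements the usual single-label wildcard rule so the SAN/wildcard coverage logic can also be run offline.

```python
"""Report which hostnames a TLS endpoint presents a valid certificate for."""
import socket
import ssl


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname.
    A leading '*' covers exactly one label: '*.website.com' covers
    'dev.website.com' but not 'website.com' or 'a.b.website.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]


def cert_covers(san_names, hostname: str) -> bool:
    """True if any SubjectAltName DNS entry covers hostname."""
    return any(name_matches(p, hostname) for p in san_names)


def check_sni(ip: str, hostname: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to ip with SNI set to hostname and verify the chain and name.
    Returns 'ok', 'name mismatch', or the verification error text, e.g. the
    'self signed certificate' error you get when a default cert is served."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
                return "ok" if cert_covers(sans, hostname) else "name mismatch"
    except (ssl.SSLError, OSError) as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    # Constructed placeholders: replace with your extra IP and the names on the cert.
    for name in ("dev.website.com", "stg.website.com", "www.website.com"):
        print(name, check_sni("192.0.2.10", name))
```

A result other than 'ok' for a name that is on the certificate usually means the wrong server block answered for that SNI name, or the DNS/IP used is not the one the SSL vhost listens on.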
That did it, thanks.