Solution for x 2 SSL's sitting on same architecture?

spessex's picture

Hi

I was hoping someone might be able to help with an issue that I have.

Basically I want two different SSL's (as they belong to two different and independent companies) to sit on my AWS architecture but my architect is trying to tell me this is not possible, which I personally can't quite believe.

The current system has been working perfectly for around 6 months using the x 1 SSL cert, but now I want to use a 2nd SSL cert this is where the problem has raised its head.

The system was built with the main requirement to cope with massive spikes in traffic, hence why the system uses an autoscale group to spin-up spot instances when required (and then shut down when traffic drops off).

The current setup can be seen in the diagram on the attachment.

The system consists of an ELB (with the current x 1 SSL cert on it) that connects to 1 x EC2, 2 x EC2 Spot Instances (which is essentially an Autoscale Group), with the Autoscale group being connected to an RDS Instance and NFS Instance.

If any one has any ideas of how I can get 2 x SSL's on this system (even if the system requires reconfiguring/tweaking) or would love to hear from you.

AttachmentSize
autoscale.pdf22.19 KB

Comments

Two methods I can think of

adammalone's picture

Two methods I can think of:

  1. Create a UC cert. Each domain you're using will be lumped in as a SAN and that'll cover multiple domains.
  2. Use something like Pound which is compatible with SNI so you can literally just add a bunch of separate SSL certs to it and it'll just work.

As a shameless self promotion, I've written about using Pound in front of Drupal in case you wished to follow that route.

Thank you for this. I will

spessex's picture

Thank you for this. I will take a look at these and pass them to my architect.

Comments regarding my own NGINX recipe

Amstercad's picture

FWIW, I use a different recipe with good results. I am using BOA servers hosted both at Digital Ocean and Linode with very good results.

BOA Server:
https://github.com/omega8cc/boa

There are documents for doing this, using BOA:

https://github.com/omega8cc/boa/blob/master/docs/SSL.txt

...but my configured version of /var/aegir/config/server_master/nginx/pre.d/extra_ip.conf differs, (so I am Breaking BOA).

I haven't tried to document this publicly, partly because you're asking about AWS which I have never tried and also because I'm not comfortable doing so publicly, at least not yet. But for many months I've enjoyed using a single $85 wildcard certificate and (am still) scoring A+ at https://www.ssllabs.com.

BTW, yesterday I checked JP Morgan Bank's SSL and they scored a C. Today they are scoring an F. I am still scoring A+. For more info why, read http://it.slashdot.org/story/14/12/09/0423210/poodle-flaw-returns-this-t...

https://www.ssllabs.com/ssltest/analyze.html?d=jpmorgan.com&hideResults=on

It can certainly be done, and affordably! (I am using several different certs on this server also, not just the wildcard cert. which gives me unlimited secure domains and wildcard-subdomains, using only a single IP address)

You can't use 2 SSLs

Jorgee's picture

You can't use 2 SSLs certificates for the same IP.

I've read that nginx has something that allows that now, but you have to recompile it.-

fact check

adammalone's picture

You can't use 2 SSLs certificates for the same IP.

This is 100% false.

Refer to KPA's answer below.

Jorgee's picture

Refer to KPA's answer below.

I've done this, here's how:

SNI

kpa's picture

You CAN use multiple HTTPS certificates on the same IP, but there are some limitations. For example, it's not supported by all browsers, nor by all web servers. (Though, the latest versions of most servers do support it)

The feature is called Server Name Indication (https://en.wikipedia.org/wiki/Server_Name_Indication).

The reason that it's a new(ish) "feature", rather than it being out-of-the-box, is to do with encryption, and the point at which the headers are encrypted/decrypted. This image http://blog.layershift.com/wp-content/uploads/2014/10/TLS_handshake.png explains it very well, taken from http://blog.layershift.com/sni-ssl-production-ready/ which gives a pretty good overview.

It mostly depends on your clients, however. For me, some of my clients are using IE8 on WinXP (Still, I know...). Internet Explorer on WindowsXP does NOT support SNI (though Chrome and Firefox on WinXP do), so we can't use SNI. There are also some older versions of android phones that can't

There's a list of supported/unsupported browsers/servers at the bottom of the wikipedia article above.

I'm not sure how AWS works with extra IP addresses, but our hosting partners are quite happy to give us extra IP addresses for the purpose of HTTPS. Obviously, we have to pay for them, but the advantage is that all of our clients can access our HTTPS websites.

Another (possible) solution would be to use a SAN certificate. This would have all of the URLs encoded into one certificate, and are used commonly by people like CloudFlare. An example of a SAN certificate is at https://www.learnthat.org/ - see https://www.evernote.com/l/AOvl06S-TJFCAqx6sY-DqQeIcbeotFgV0X0. With a SAN, you can encode up to 200 different domains. The disadvantage is that anyone inspecting the certificate can see all of the other domains, so it has a potential impact on client privacy, depending on who your clients are (and whether they care).

Hope this helps!