Wildcard ssl certificate with aegir

Posted by aaront

I'm trying to apply a wildcard ssl certificate to my Aegir sites. I was able to follow these directions and get ssl working for one of my sites but trying to do so on a second site fails (which I expected). I tried to add in the VirtualDocumentRoot trick from this thread but that's not going to work since in Aegir the files in vhost.d also contain the database values for the respective sites, and also because I can't point traffic to the respective multisite folders in the same way -- (the equivalent would be VirtualDocumentRoot /var/aegir/platforms/drupal-6.15/%1/ , which doesn't work). There are probably other things stopping it from working too.

Do people have this working somehow? The instructions page mentions needing additional IP addresses for additional secure sites, but that's the same warning I ran into with normal multisite before I got the wildcard cert going, so it seems that isn't really necessary (nor do I have a bunch of IPs to use). I need to have ssl for secure login and forms, among other things. Any suggestions would be greatly appreciated! Thanks!

Comments

You need a custom module

Posted by skwashd

Apache 2.2 added support for SNI, but at the same time they dropped support for global ssl certificates, which makes things a little more annoying. I had planned to use a global wildcard certificate and stock aegir vhosts configs. Now to make this work you need to create a custom module in ~/.drush.

I created a file

~/.drush/zzzdhc_hacks/zzzdhc_hacks.drush.inc

which contains the following code

<?php
/**
 * Implements hook_provision_apache_vhost_config().
 *
 * Adds per-site log files and, for SSL-enabled sites, the shared wildcard
 * certificate so that every vhost can share one IP address via SNI.
 */
function zzzdhc_hacks_provision_apache_vhost_config($url, $options)
{
  // First label of the site URL, used to name the log files.
  list($host) = explode('.', $url);

  $config = array(
    "ErrorLog /var/log/apache2/{$host}.error_log",
    "CustomLog /var/log/apache2/{$host}.access.log combined",
    'HostnameLookups Off',
    'ServerSignature Off',
  );

  if ( !empty($options['ssl']) ) {
    // array_merge() rather than '+=': both arrays use numeric keys 0..3,
    // and the '+' operator keeps the existing keys, so the first four SSL
    // directives would be silently dropped.
    $config = array_merge($config, array(
      'SSLEngine on',
      // This suite still admits LOW, EXP and SSLv2 ciphers; tighten it
      // before using it on anything current.
      'SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP',
      'SSLCertificateFile /etc/ssl/wildcard.crt',
      'SSLCertificateKeyFile /etc/ssl/wildcard.key',
      'SSLCACertificateFile /etc/ssl/ca.pem',
      'SSLVerifyClient None',
    ));
  }

  return $config;
}

Note: I haven't tested this code, it is based on my notes from creating a previous version I accidentally deleted from a dev box, "rm -rf" should know what important stuff needs to be kept ;)

Thank you! I will need to

Posted by aaront

Thank you! I will need to learn a lot more about drush before I understand what to do with this, but thanks for sharing your work. If you end up using this, please let us know the results. This makes me wonder though: Are no Aegir-managed sites using SSL for multiple sites with a single IP? Or has everyone worked up their own private solution like the above?

Thanks skwashd .. that looks

Posted by Macronomicus

Thanks skwashd .. that looks very interesting.
It would be awesome to have some bits along those lines in the WIKI.
Cheers!

Another alternative/hack

Posted by timwood

I had the same problem and requirement for our sites. I outlined how I worked around the problem with a common ssl.conf file to include in each virtualhost. This only works if you are using a wildcard SSL certificate.

http://drupal.org/node/712958#comment-2682156

-Tim
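Both the custom drush hook and the shared ssl.conf approach depend on one wildcard certificate covering every Aegir site on the box, and a wildcard only covers hostnames exactly one label below its base domain. The script below is an added example, not code from this thread or from Aegir; the certificate names and site list are constructed, and it reports which site hostnames the certificate would and would not cover before you put them behind the same vhost config.

```python
"""Report which site hostnames a wildcard certificate covers.

Added example; the certificate names and site list below are constructed,
not taken from the thread. Matching follows the usual RFC 6125 rules:
'*' may only be the entire left-most label and matches exactly one label.
"""


def hostname_matches(cert_name, hostname):
    """Return True if cert_name (a CN or SAN entry) covers hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # The wildcard must be the whole left-most label, and nowhere else.
    if cert_labels[0] != "*" or any("*" in lbl for lbl in cert_labels[1:]):
        return False
    # Refuse overly broad names such as '*.com' or a bare '*'.
    if len(cert_labels) < 3:
        return False
    # '*' matches exactly one non-empty label, so label counts must agree;
    # this is why dev.shop.example.org is NOT covered by *.example.org.
    if len(host_labels) != len(cert_labels) or host_labels[0] == "":
        return False
    return host_labels[1:] == cert_labels[1:]


def covered_by(cert_names, hostname):
    """Return the certificate name that covers hostname, or None."""
    for name in cert_names:
        if hostname_matches(name, hostname):
            return name
    return None


def uncovered(cert_names, hostnames):
    """Hostnames in the list that the certificate would not cover."""
    return [h for h in hostnames if covered_by(cert_names, h) is None]


# Constructed sample data: names from a hypothetical wildcard certificate
# (wildcard CN plus a bare-domain SAN) and a list of Aegir site URLs.
CERT_NAMES = ["*.example.org", "example.org"]
SITES = [
    "www.example.org",
    "shop.example.org",
    "example.org",
    "dev.shop.example.org",   # second-level subdomain: not covered
    "example.net",            # different domain: not covered
]


if __name__ == "__main__":
    for site in SITES:
        match = covered_by(CERT_NAMES, site)
        status = "covered by " + match if match else "NOT COVERED"
        print(f"{site:25} {status}")
```

Any site listed as not covered will produce a certificate mismatch in the browser no matter how the vhost is generated; those need either their own certificate and vhost, or a hostname that sits directly under the wildcard's base domain.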
