
Thread: SSL for multiple virtual domains




SSL for multiple virtual domains
MLA (Peter Clark)
2007-11-26 12:49:14
I know that the official answer is "you can't use name-based virtual hosting with SSL." That said, is it possible to work around that restriction by having two virtual domains use a common certificate? If so, what would that look like in the configuration file? My filesystem looks like this:
/srv
	domain1
		secure
		www
	domain2
		secure
		www

I want /srv/domain1/secure to be the document root for https://secure.domain1.com and likewise /srv/domain2/secure for https://secure.domain2.com. I've already created a /srv/server.pem file that uses SubjectAltName; from openssl.cnf:

[ req_distinguished_name ]
0.subjectAltName                =Domain 1
0.subjectAltName_default        =DNS.domain1.com

1.subjectAltName                =Domain 2
1.subjectAltName_default        =DNS.domain2.com

[ req ]
req_extensions          = v3_req
[ v3_req ]
subjectAltName          = DNS.domain2.com


(If I've made a mistake there, please let me know; I wasn't sure if I should list *.domain1.com under subjectAltName in [v3_req].)
I'm running lighttpd 1.4.11-3ubuntu3 (Dapper).
Thanks,
:Peter


Re: SSL for multiple virtual domains
Mathieu Lecarme
2007-11-27 03:23:58
SSL certificates certify that one IP matches one domain. The only trick is to use one domain for authenticating two other subdomains.
For example, you can use secure.example.org for authenticating, for two websites toto.example.org and machin.example.org; a domain cookie with a token will identify the user.
Be careful: with that trick, only what happens on https://secure.example.org is secured; it can be used only for identification.

M.
MLA (Peter Clark) wrote:
> I know that the official answer is "you can't use name-based virtual hosting with SSL." That said, is it possible to work around that restriction by having two virtual domains use a common certificate? If so, what would that look like in the configuration file? My filesystem looks like this:
> /srv
> 	domain1
> 		secure
> 		www
> 	domain2
> 		secure
> 		www
>
> I want /srv/domain1/secure to be the document root for https://secure.domain1.com and likewise /srv/domain2/secure for https://secure.domain2.com. I've already created a /srv/server.pem file that uses SubjectAltName; from openssl.cnf:
>
> [ req_distinguished_name ]
> 0.subjectAltName                =Domain 1
> 0.subjectAltName_default        =DNS.domain1.com
>
> 1.subjectAltName                =Domain 2
> 1.subjectAltName_default        =DNS.domain2.com
>
> [ req ]
> req_extensions          = v3_req
> [ v3_req ]
> subjectAltName          = DNS.domain2.com
>
> (If I've made a mistake there, please let me know; I wasn't sure if I should list *.domain1.com under subjectAltName in [v3_req].)
> I'm running lighttpd 1.4.11-3ubuntu3 (Dapper).
> Thanks,
> :Peter


Re: SSL for multiple virtual domains
MLA (Peter Clark)
2007-11-27 04:15:49
On Tuesday 27 November 2007 12:23:58 Mathieu Lecarme wrote:
> SSL certificates certify that one IP matches one domain. The only trick is
> to use one domain for authenticating two other subdomains.
> For example, you can use secure.example.org for authenticating, for two
> websites toto.example.org and machin.example.org; a domain cookie with a
> token will identify the user.
> Be careful: with that trick, only what happens on https://secure.example.org
> is secured; it can be used only for identification.

Then perhaps I don't understand this page: http://wiki.cacert.org/wiki/VhostTaskForce, which certainly sounds as though one may authenticate two or more sites (at least virtual domains) using SubjectAltName.
:Peter


Re: SSL for multiple virtual domains
Yusuf Goolamabbas
2007-11-27 17:05:54
What you are looking for is Server Name Indication.

A bug+patch is filed in trac as #386:

http://trac.lighttpd.net/trac/ticket/386



On Nov 27, 2007 6:15 PM, MLA (Peter Clark) <mlaforrussia.org> wrote:
> On Tuesday 27 November 2007 12:23:58 Mathieu Lecarme wrote:
> > SSL certificates certify that one IP matches one domain. The only trick is
> > to use one domain for authenticating two other subdomains.
> > For example, you can use secure.example.org for authenticating, for two
> > websites toto.example.org and machin.example.org; a domain cookie with a
> > token will identify the user.
> > Be careful: with that trick, only what happens on https://secure.example.org
> > is secured; it can be used only for identification.
>
> Then perhaps I don't understand this page: http://wiki.cacert.org/wiki/VhostTaskForce,
> which certainly sounds as though one may authenticate two or more sites
> (at least virtual domains) using SubjectAltName.
> :Peter


Re: SSL for multiple virtual domains
MLA (Peter Clark)
2007-11-29 06:33:06
On Wednesday 28 November 2007 02:05:54 Yusuf Goolamabbas wrote:
> What you are looking for is Server Name Indication.
> A bug+patch is filed in trac as #386:
> http://trac.lighttpd.net/trac/ticket/386

I wasn't very keen on patching something as important as a web server, so I dug deeper, and finally got everything working to my satisfaction. Now, I can access two different virtual hosts (domain1.org and domain2.org) via HTTPS. Granted, they share the same certificate, and the certificate only shows the name of domain1.org, so that it looks strange when visiting domain2.org, but the browsers (tested in Firefox 2 and Konqueror) do not show any further errors. Here's what I did:
Relevant portions of lighttpd.conf:
---
# Redirect www.domain.tld -> domain.tld
# (dots are escaped so the regex matches a literal "." and not any character)
$HTTP["host"] =~ "^www\.(.*)" {
  url.redirect = ( "^/(.*)" => "http://%1/$1" )
}

$HTTP["host"] =~ "(^|\.)domain1\.org$" {
  server.document-root = "/srv/domain1"
  server.errorlog      = "/var/log/lighttpd/domain1/error.log"
  accesslog.filename   = "/var/log/lighttpd/domain1/access.log"
  dir-listing.activate = "disable"
}

$HTTP["host"] =~ "(^|\.)domain2\.org$" {
  server.document-root = "/srv/domain2/www"
  server.errorlog      = "/var/log/lighttpd/domain2/error.log"
  accesslog.filename   = "/var/log/lighttpd/domain2/access.log"
  dir-listing.activate = "disable"
}

# How to access two or more domains, sharing the same certificate, over HTTPS.
# Without SNI lighttpd can present only one certificate per socket, so every
# name served on this socket has to be listed in server.pem.
$SERVER["socket"] == "81.171.111.133:443" {
  ssl.engine           = "enable"
  ssl.pemfile          = "/etc/lighttpd/ssl/server.pem"
  server.document-root = ""
  $HTTP["host"] == "domain1.org" {
    server.name          = "domain1.org"
    server.document-root = "/srv/domain1"
    server.errorlog      = "/var/log/lighttpd/domain1/error.log"
    accesslog.filename   = "/var/log/lighttpd/domain1/access.log"
  }
  $HTTP["host"] == "domain2.org" {
    server.name          = "domain2.org"
    server.document-root = "/srv/domain2/www"
    server.errorlog      = "/var/log/lighttpd/domain2/error.log"
    accesslog.filename   = "/var/log/lighttpd/domain2/access.log"
  }
}

# Create sub-domains
$HTTP["host"] =~ "(^|\.)secure\.domain1\.org$" {
  server.document-root = "/srv/domain1/secure"
  server.errorlog      = "/var/log/lighttpd/domain1/error.log"
  accesslog.filename   = "/var/log/lighttpd/domain1/access.log"
  dir-listing.activate = "disable"
}

$HTTP["host"] =~ "(^|\.)secure\.domain2\.org$" {
  server.document-root = "/srv/domain2/secure"
  server.errorlog      = "/var/log/lighttpd/domain2/error.log"
  accesslog.filename   = "/var/log/lighttpd/domain2/access.log"
  dir-listing.activate = "disable"
}

# How to redirect HTTP traffic bound for specific subdomains to HTTPS:
$SERVER["socket"] == ":80" {
  $HTTP["host"] =~ "(^|\.)secure\.domain1\.org$" {
    url.redirect = ( "^/(.*)" => "https://secure.domain1.org/$1" )
    server.name  = "domain1.org"
  }
  $HTTP["host"] =~ "(^|\.)secure\.domain2\.org$" {
    url.redirect = ( "^/(.*)" => "https://secure.domain2.org/$1" )
    server.name  = "domain2.org"
  }
}
---
That actually took me a lot less time to figure out than I had expected. What was a lot more difficult was getting the certificate set up properly. Here's my openSSL config (somewhat condensed):
---
[ req ]
default_bits            = 2048
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions         = v3_ca   # The extensions to add to the self-signed cert
string_mask             = nombstr
req_extensions          = v3_req  # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = # Your country here
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = # Your state or province here
localityName                    = Locality Name (eg, city)
localityName_default            = # Your city here
organizationName                = Organization Name (eg, company)
organizationName_default        = # Your company here
commonName                      = Common Name (eg, YOUR name)
commonName_max                  = 64
commonName_default              = # Your host, ip, or name here
emailAddress                    = Email Address
emailAddress_max                = 64
emailAddress_default            = # Your email here
SET-ex3                         = SET extension number 3

[ usr_cert ]
basicConstraints        = CA:FALSE
nsComment               = "OpenSSL Generated Certificate"
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer

[ v3_req ]
basicConstraints        = CA:FALSE
keyUsage                = nonRepudiation, digitalSignature, keyEncipherment

# With "openssl req -x509" it is x509_extensions (this section) that ends up in
# the certificate; req_extensions only goes into a CSR.
[ v3_ca ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always
basicConstraints        = CA:true

# Here's the magic line that allows you to use one certificate with multiple
# sites (MUST BE ON ONE LINE TO WORK). Every entry needs the "DNS:" prefix;
# "DNS.domain1.org" is not a valid GeneralName.
subjectAltName          = DNS:domain1.org, DNS:domain2.org

[ crl_ext ]
authorityKeyIdentifier  = keyid:always,issuer:always
---

Create the certificate like so: 'openssl req -new -x509 -keyout server.pem -out server.pem -days 3650 -nodes' and place the resulting server.pem where lighttpd can find it (in my case, /etc/lighttpd/ssl/server.pem). Restart lighttpd, and enjoy!
:Peter
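Whether the shared certificate above is accepted for a given site comes down to the client comparing the requested hostname with the certificate's dNSName entries (or, when there are none, its Common Name). The following Python is an added example, not code from this thread, from lighttpd or from OpenSSL; it applies the hostname-matching rules of RFC 6125 (dNSName SAN entries take precedence over the CN, comparison is case-insensitive, a wildcard is honoured only as the whole leftmost label and never spans labels) to two constructed certificate dicts in the shape that Python's ssl.getpeercert() returns. The certificate contents, the hostnames and the function names are assumptions made for illustration.

```python
"""Hostname-to-certificate matching as a browser does it (RFC 6125 / RFC 2818).

Added example; not code from the mailing-list thread or from lighttpd.
Certificates are constructed dicts shaped like ssl.SSLSocket.getpeercert():
'subject' is a tuple of RDNs, each a tuple of (attribute, value) pairs, and
'subjectAltName' is a tuple of (type, value) pairs.
"""
from typing import Dict, Iterable, List


def dns_names(cert: Dict) -> List[str]:
    """Names the certificate is valid for.

    If any dNSName SAN entry is present, only those count; the Common Name is
    a fallback for certificates that carry no SAN extension at all.
    """
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return [value]
    return []


def name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate name with a hostname.

    - comparison is case-insensitive and ignores a trailing dot
    - '*' is accepted only as the entire leftmost label, matches exactly one
      label, and needs at least two labels to its right ('*.org' is refused)
    - partial-label wildcards such as 'sec*.domain1.org' are refused
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in pattern:
        return False
    return p == h


def covered_hosts(cert: Dict, hostnames: Iterable[str]) -> Dict[str, bool]:
    """Map each hostname to whether the certificate covers it."""
    names = dns_names(cert)
    return {host: any(name_matches(n, host) for n in names) for host in hostnames}


# Constructed to mirror the shared certificate from the openssl.cnf above:
# CN=domain1.org with SAN dNSName entries for domain1.org and domain2.org.
SHARED_CERT = {
    "subject": ((("countryName", "DE"),), (("commonName", "domain1.org"),)),
    "subjectAltName": (("DNS", "domain1.org"), ("DNS", "domain2.org")),
}

# Constructed wildcard variant, for the '*.domain1.com' question in the thread.
WILDCARD_CERT = {
    "subject": ((("commonName", "domain1.org"),),),
    "subjectAltName": (("DNS", "domain1.org"), ("DNS", "*.domain1.org")),
}

# Constructed list of hostnames a client might send for the vhosts above.
HOSTS = ["domain1.org", "www.domain1.org", "secure.domain1.org",
         "domain2.org", "secure.domain2.org", "a.b.domain1.org"]

if __name__ == "__main__":
    for label, cert in (("shared", SHARED_CERT), ("wildcard", WILDCARD_CERT)):
        print(label)
        for host, ok in covered_hosts(cert, HOSTS).items():
            print(f"  {host:22} {'OK' if ok else 'MISMATCH'}")
```

Run against the SAN set of the shared certificate (domain1.org, domain2.org), the check reports domain1.org and domain2.org as covered but www.domain1.org, secure.domain1.org and secure.domain2.org as mismatches, which is exactly the warning a browser raises for a name missing from the certificate; the wildcard variant shows why *.domain1.org covers secure.domain1.org but neither domain1.org itself nor a.b.domain1.org. Because a server without SNI can present only one certificate per IP:port socket, every hostname served on the 443 socket has to appear in that one list.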

