multi-ssl-apache2

This blog will cover how to have two SSL (HTTPS) websites configured and running smoothly on the same Apache2 web server, sharing one IP address and port 443 (which isn't as easy as it sounds!).

First of all, ensure you have your two websites created already (/var/www/site1 and /var/www/site2, for example). Also, ensure your DNS is set up so that both hostnames point at the same server, i.e.

site1 IN A 3.4.5.6

site2 IN A 3.4.5.6

(Where 3.4.5.6 is the external IP of my router, and I have port forwarding sending all TCP 443 traffic to the internal IP 192.168.0.2 (for example).)

Once Apache2 is installed, navigate to /etc/apache2/sites-available and create two files, ‘site1.conf’ and ‘site2.conf’, as below:

touch site1.conf
touch site2.conf

These are the two config files for your websites. Within each of these files, you need to tell Apache2 where your actual website lives (i.e. /var/www/site1 and /var/www/site2). So let's crack open site1.conf and populate it:

<VirtualHost *:443>
ServerAdmin [email protected]
DocumentRoot /var/www/site1
ServerName site1.ehertz.uk
ServerAlias *.site1.ehertz.uk
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

This is a very simple Apache config that tells Apache we have created a virtual host, listening on any IP the box has, for traffic on port 443 (that is what the <VirtualHost *:443> wrapper does). We tell Apache what our website domain is (site1.ehertz.uk) and where to go when that domain is hit (/var/www/site1). Bear in mind that ServerAlias *.site1.ehertz.uk only helps over HTTPS for names the certificate actually covers; any other subdomain will get a browser name-mismatch warning. Do the same for site2, but change the names from ‘site1..’ to ‘site2..’, and you're done.

Next, we need to generate the SSL certificates.

SSL

I use StartSSL.com for my certificates, as it is completely free and is very simple to use. I am not going to go through the ins and outs of signing up (as I can't remember myself!); however, there is a great guide that covers it here (start reading from “Verify Your Domain Name with StartSSL” and stop once your website is verified).

Now, this is VERY IMPORTANT. You cannot generate your certificates with startssl.com until you have first generated your keys on the server on which you will be hosting your website(s).

So, lets generate the keys!

Firstly, navigate to /etc/apache2/ssl (create it first if it doesn't exist yet) and create two directories, site1.ehertz.uk and site2.ehertz.uk:

cd /etc/apache2/ssl
mkdir site1.ehertz.uk
mkdir site2.ehertz.uk

Next, navigate into the first directory:

cd site1.ehertz.uk

Now let's go ahead and create our keys, and then create our CSR, which we will then use to generate our StartSSL certificate. Note, after running the second command (openssl req) you will be prompted for some information; the field that matters is the Common Name, which must be the exact FQDN of your site (i.e. site1.ehertz.uk if that's the name you'll be adding in startssl.com). Leave the challenge password blank. The key is generated without a passphrase so that Apache can start unattended, which is exactly why it must only be readable by root:

openssl genrsa -out site1ehertz.key 2048
openssl req -new -key site1ehertz.key -out site1ehertz.csr

Next, lets go to the site2 folder in /ssl and do the same:

cd ../site2.ehertz.uk
openssl genrsa -out site2ehertz.key 2048
openssl req -new -key site2ehertz.key -out site2ehertz.csr
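The key and CSR steps above, collected into a small POSIX shell helper that I'm adding here as an example (it is not part of the original post). It generates the key and CSR for any site name non-interactively, creates the key with mode 0600 rather than the world-readable default, and lets you confirm the Common Name before pasting the CSR into the CA's form. It assumes openssl is in PATH; the site name and target directory are arguments instead of the post's hard-coded paths.

```sh
#!/bin/sh
# Added example, not from the original post. Generate a private key and CSR
# for one site non-interactively. Assumes openssl is in PATH.

# gen_key_csr FQDN DIR: create DIR/FQDN.key (mode 0600) and DIR/FQDN.csr,
# print the CSR path on success.
gen_key_csr() {
    fqdn="$1"                       # e.g. site1.ehertz.uk
    dir="$2"                        # e.g. /etc/apache2/ssl/site1.ehertz.uk
    key="$dir/$fqdn.key"
    csr="$dir/$fqdn.csr"
    mkdir -p "$dir" || return 1
    # umask 077 in a subshell so only this file is created 0600: a
    # world-readable key lets any local account impersonate the site.
    ( umask 077 && openssl genrsa -out "$key" 2048 2>/dev/null ) || return 1
    # -subj replaces the interactive prompts and -batch suppresses the rest;
    # the CN must be the exact name the CA will sign and that ServerName uses.
    openssl req -new -batch -key "$key" -out "$csr" -subj "/CN=$fqdn" 2>/dev/null \
        || return 1
    printf '%s\n' "$csr"
}

# csr_cn CSR: print the Common Name embedded in a CSR, so it can be checked
# against the Apache ServerName before submitting it to the CA.
csr_cn() {
    openssl req -noout -subject -nameopt RFC2253 -in "$1" 2>/dev/null \
        | sed -n 's/.*CN *= *\([^,\/]*\).*/\1/p'
}

# key_mode FILE: permission string such as -rw------- (portable across GNU
# and BSD ls, which differ only after column 10).
key_mode() {
    ls -l "$1" | cut -c1-10
}

# Usage with the names from this post (paths are the post's placeholders):
#   csr=$(gen_key_csr site1.ehertz.uk /etc/apache2/ssl/site1.ehertz.uk)
#   csr_cn "$csr"                                   # site1.ehertz.uk
#   key_mode /etc/apache2/ssl/site1.ehertz.uk/site1.ehertz.uk.key   # -rw-------
```

The CSR carries only a CN; current CAs derive the subjectAltName from the domain you validate in their form, and it is the SAN that browsers have required since 2017, so check the issued certificate rather than the CSR for the names it covers.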

We now have the two .csrs required to create certificates on startssl.com. Once logged into startssl.com, navigate to ‘Certificates Wizard’ and choose ‘Web Server SSL/TLS Certificate’:

Next, enter the domain in the ‘Domain:’ field. This should be the same domain you entered in the apache config file and also the same domain you entered when creating your keys a few minutes ago (i.e. site1.ehertz.uk):

Now, go back to the command line and navigate to /etc/apache2/ssl/site1.ehertz.uk and copy the contents of the site1ehertz.csr file:

cd /etc/apache2/ssl/site1.ehertz.uk
cat site1ehertz.csr

Copy the output, and then paste it into the ‘Please submit your Certificate Signing Request (CSR):’ box on startssl.com:

On clicking submit, your certificate will be generated and become available to download as a zip file via the ‘SSL/TLS Server’ column on the right-hand side (simply click on the domain name):


Once downloaded, unzip the file and then unzip the ‘Apache ..zip’ file also. This will give you two files:

  • 2_site1.ehertz.uk.crt
  • 1_root_bundle.crt

Copy the ‘2_site1.ehertz.uk.crt’ file to the /etc/apache2/ssl/site1.ehertz.uk/ folder (you will likely need to scp the file to the server first, then copy it).

Once the file is in there, you should be able to see three files. Look at the mode of the key in this listing: -rw-r--r-- means every local account on the box can read the private key, so run chmod 600 on site1ehertz.key (and keep the directory owned by root) before going any further:

ls -la /etc/apache2/ssl/site1.ehertz.uk
total 1MB
-rw-r--r-- 1 root root 1MB Dec 23 09:38 site1ehertz.key
-rw-r--r-- 1 root root 1MB Dec 23 09:39 site1ehertz.csr
drwxr-xr-x 2 root root 1MB Dec 23 10:03 .
drwxr-xr-x 4 root root 1MB Dec 23 10:53 ..
-rw-r--r-- 1 root root 1MB Dec 23 2015 2_site1.ehertz.uk.crt

Do this exact process for site2.ehertz.uk, and you will then have one valid certificate and one valid key in each folder. There is one final file we need to download before we can configure Apache.

Simply go to the directory above (/etc/apache2/ssl/) and download the intermediate CA certificate (ca.pem) from StartSSL. This is the certificate that issued yours; Apache has to send it to clients so they can build the chain from your certificate up to the root they already trust:

cd /etc/apache2/ssl
wget http://www.startssl.com/certs/sub.class1.server.ca.pem

Note that this is fetched over plain HTTP, so compare its fingerprint (openssl x509 -noout -fingerprint -in sub.class1.server.ca.pem) with the one StartSSL publishes on its site before using it.

And that's it for the certificates. Now there is only one thing left to do: configure the actual Apache configs for our two websites.

cd /etc/apache2/sites-available
nano site1.conf

Within site1.conf, replace the earlier contents with the following config:

<VirtualHost *:443>
ServerName site1.ehertz.uk
ServerAlias *.site1.ehertz.uk
#StartSSL config below
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLHonorCipherOrder on
SSLCertificateFile /etc/apache2/ssl/site1.ehertz.uk/2_site1.ehertz.uk.crt
SSLCertificateKeyFile /etc/apache2/ssl/site1.ehertz.uk/site1ehertz.key
SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem
#### End of SSL Configuration ####
DocumentRoot /var/www/site1/
<Directory /var/www/site1/>
 Options Indexes FollowSymLinks MultiViews
 AllowOverride All
 Require all granted
</Directory>
</VirtualHost>

Do the same for site2.conf (changing ‘site1.’ to ‘site2.’ wherever mentioned) and voila, you now have two SSL-enabled websites. A few things worth knowing before copying this config as-is: SSLProtocol all -SSLv2 -SSLv3 still allows TLS 1.0 and 1.1, and the cipher list still includes 3DES, so on a current Apache 2.4 prefer SSLProtocol -all +TLSv1.2 (adding +TLSv1.3 where your Apache and OpenSSL support it) and drop the 3DES entries; SSLCertificateChainFile is deprecated from Apache 2.4.8 onwards, where the intermediate can simply be appended after your own certificate in the file given to SSLCertificateFile; Options Indexes lets anyone browse a directory listing wherever no index file exists, so remove Indexes unless you want that; and AllowOverride All means any .htaccess dropped into the document root can change the server's behaviour.

Next, make sure mod_ssl is enabled (run a2enmod ssl if it isn't; without it configtest rejects SSLEngine as an unknown directive, and on Debian/Ubuntu it is also what activates Listen 443 in ports.conf), then enable both site1 and site2 by running

a2ensite site1.conf
a2ensite site2.conf

Run ‘apachectl configtest’ to test your configs (it should report Syntax OK), then reload Apache2 one final time using ‘service apache2 reload’ and voila, you now have two SSL-enabled virtual hosts on the same server. What makes this work is Server Name Indication (SNI): both virtual hosts bind to *:443 on the same IP, and Apache picks the one whose ServerName or ServerAlias matches the hostname the client sends in its TLS ClientHello, before any HTTP request has been seen. A client that does not send SNI gets the first *:443 virtual host loaded (sites-enabled is read in alphabetical order, so that is site1) and therefore site1's certificate, whichever site it was trying to reach. You can see which certificate is served for each name with ‘openssl s_client -connect 3.4.5.6:443 -servername site2.ehertz.uk’.
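Two checks I would run after the reload, added here as an example (not part of the original post): confirm that each vhost's certificate really belongs to its key (a mismatch is the usual reason Apache refuses to start after installing a new certificate), and, against the live server, see which certificate comes back for each SNI name. It assumes openssl is in PATH; the hostnames, the 3.4.5.6 address and the file paths are the placeholders used in this post.

```sh
#!/bin/sh
# Added example, not from the original post. Post-install checks for the
# two TLS virtual hosts. Assumes openssl is in PATH.

# cert_matches_key CERT KEY: return 0 if the public key inside the
# certificate equals the public key derived from the private key, i.e. the
# two files are a pair. Both commands emit the same SPKI PEM for a pair.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# served_cn HOST SNI: print the subject CN of the certificate the live server
# presents when the client sends SNI name SNI. Needs network access to the
# server, so it is not exercised offline.
served_cn() {
    openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_site FQDN CERT KEY: print a verdict and return non-zero on mismatch,
# so it can gate a deploy script before the reload.
check_site() {
    if cert_matches_key "$2" "$3"; then
        echo "$1: certificate and key match"
    else
        echo "$1: MISMATCH between $2 and $3" >&2
        return 1
    fi
}

# Usage with the paths from this post (placeholders):
#   check_site site1.ehertz.uk /etc/apache2/ssl/site1.ehertz.uk/2_site1.ehertz.uk.crt \
#       /etc/apache2/ssl/site1.ehertz.uk/site1ehertz.key
#   check_site site2.ehertz.uk /etc/apache2/ssl/site2.ehertz.uk/2_site2.ehertz.uk.crt \
#       /etc/apache2/ssl/site2.ehertz.uk/site2ehertz.key
#   served_cn 3.4.5.6 site2.ehertz.uk    # expect site2.ehertz.uk, not site1
```

If served_cn returns site1's name for site2, SNI is not being honoured: either site2.conf is not enabled, its ServerName does not match the name you queried, or the client (or an intermediate proxy) is not sending SNI and is falling through to the default vhost.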