Multiple SSL-enabled websites with Apache


This blog will cover how to have 2 SSL (HTTPS) websites configured and running smoothly on the same Apache2 web server (which ain't easy!).

First of all, ensure you have your two websites created already (/var/www/site1 and /var/www/site2, for example). Also, ensure you have your DNS set up for those two websites to point to the same server, i.e.

site1 IN A 3.4.5.6

site2 IN A 3.4.5.6

(Where 3.4.5.6 is the external IP of my router, and I have port forwarding sending all TCP443 traffic to the internal IP of 192.168.0.2 (for example)).

Firstly, once Apache2 is installed, navigate to /etc/apache2/sites-available and create two files, ‘site1.conf’ and ‘site2.conf’ as below:

These are the two config files for your websites. Within each of these files, you will need to tell Apache2 where your actual website is (i.e. /var/www/site1 and /var/www/site2). So let's crack open site1 and populate it:

This is a very simple Apache config that tells Apache we have created a virtualhost, listening on any IP that box has, for traffic on port 443. We tell Apache what our website domain is (site1.ehertz.uk) and where to go when that domain is hit (/var/www/site1). Do the same for site2, but change the names from ‘site1..’ to ‘site2..’ and you're done.

Next, we need to generate the SSL certificates.

SSL

I use StartSSL.com for my certificates, as it is completely free and is very simple to use. I am not going to go through the ins and outs of signing up (as I can't remember myself!) however there is a great guide that covers it here (Start reading from: “Verify Your Domain Name with StartSSL”) and stop once your website is verified.

Now, this is VERY IMPORTANT. You cannot generate your certificates with startssl.com until you have first generated your keys on the server on which you will be hosting your website(s).

So, let's generate the keys!

Firstly, navigate to /etc/apache2/ssl and create two directories – /site1.ehertz.uk and /site2.ehertz.uk:

Next, navigate into the first directory:

Now let's go ahead and create our keys, and then create our CSR, which we will then use to generate our startssl certificate. Note, after running the first command you will be prompted for some information – please ensure the FQDN of your domain is correct (i.e. it is site1.ehertz.uk if that's the name you’ll be adding in startssl.com, etc):

Next, let's go to the site2 folder in /ssl and do the same:
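The key and CSR step described above for both sites, as an added example rather than the original post's commands: it generates each key and CSR without prompts and checks that the CSR's Common Name and public key match before anything is submitted to the CA. The 2048-bit RSA key size, the `.key` file names, the `-subj` form and the function names are assumptions; `pair_ok` can also be pointed at the issued `.crt` later to confirm it belongs to the key in the same folder.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI;
# RSA-2048, the .key file names and -subj (no prompts) are assumptions.
# Usage: sh make-csrs.sh /etc/apache2/ssl
set -eu

make_key_and_csr() {  # $1 = directory, $2 = FQDN, $3 = file base name
    mkdir -p "$1"
    ( umask 077   # the private key must not be readable by other users
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
          -keyout "$1/$3.key" -out "$1/$3.csr" )
}

csr_cn() {  # $1 = CSR file; prints the Common Name in its subject
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# SHA-256 of the public key held in a private key, CSR or certificate.
# Fails (instead of hashing empty input) when the file cannot be parsed.
pub_hash() {  # $1 = key|csr|crt, $2 = PEM file
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr) pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)   return 2 ;;
    esac
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# True when the CSR (or, later, the issued certificate) belongs to this key.
pair_ok() {  # $1 = key file, $2 = csr|crt, $3 = CSR or certificate file
    a=$(pub_hash key "$1") && b=$(pub_hash "$2" "$3") && [ "$a" = "$b" ]
}

generate_sites() {  # $1 = base directory holding one folder per site
    for site in site1 site2; do
        fqdn="$site.ehertz.uk"; dir="$1/$fqdn"; base="${site}ehertz"
        make_key_and_csr "$dir" "$fqdn" "$base"
        [ "$(csr_cn "$dir/$base.csr")" = "$fqdn" ] ||
            { echo "CN mismatch for $fqdn" >&2; return 1; }
        pair_ok "$dir/$base.key" csr "$dir/$base.csr" ||
            { echo "key/CSR mismatch for $fqdn" >&2; return 1; }
        echo "$fqdn: $dir/$base.csr is ready to submit"
    done
}

if [ "$#" -gt 0 ]; then generate_sites "$1"; fi
```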

We now have the two .csrs required to create certificates on startssl.com. Once logged into startssl.com, navigate to ‘Certificates Wizard’ and choose ‘Web Server SSL/TLS Certificate’:

Next, enter the domain in the ‘Domain:’ field. This should be the same domain you entered in the apache config file and also the same domain you entered when creating your keys a few minutes ago (i.e. site1.ehertz.uk):

Now, go back to the command line and navigate to /etc/apache2/ssl/site1.ehertz.uk and copy the contents of the site1ehertz.csr file:

Copy the output, and then paste it into the ‘Please submit your Certificate Signing Request (CSR):’ box on startssl.com:

On clicking submit, your certificate will be generated and become available to download as a zip file via the ‘SSL/TLS Server’ column on the right-hand side (simply click on the domain name):


Once downloaded, unzip the file and then unzip the ‘Apache ..zip’ file also. This will give you two files:

  • 2_site1.ehertz.uk.crt
  • 1_root_bundle.crt

Copy the ‘2_site1.ehertz.uk.crt’ file to the /etc/apache2/ssl/site1.ehertz.uk/ folder (you will likely need to scp the file to the server first, then copy it).

Once the file is in there, you should be able to see three files:

Do this exact process for site2.ehertz.uk, and you will now have two valid certificates and two valid keys in each folder (1 per folder…). There is one final file we need to download before we can configure Apache.

Simply go to the directory above (/etc/apache2/ssl/) and download the ca.pem file from startssl:

And that's it! Now, let's configure Apache2.

Now, we have only one thing left to do – configure the actual apache configs for our two websites.

Within site1.conf, remove the config and add the following config:

Do the same for site2.conf (changing ‘site1.’ to ‘site2.’ wherever mentioned) and voila, you now have two SSL-enabled websites.

Next, ensure you’ve enabled both site1 and site2 by running

Run ‘apachectl configtest’ to test your configs (all should be fine), and then bounce apache2 one final time using ‘service apache2 reload’ and voila – you now have 2 SSL-enabled virtualhosts on the same server.
