I am not sure if this is the best place to ask the question but since Secure Pages requires the server to have an SSL, I figured someone may have the answer here.

Anyways, I have a site under the multi install of Drupal, so the site is located at public_html/sites/example.com and the main domain located at public_html (where drupal is installed) and the main domain has the SSL. When I install the module on the multi domain (public_html/sites/example.com) it finds the SSL and everything works just fine except:

It warns that the certificate is associated with another domain address (the main domain). This is a huge problem specifically in IE because it basically tells the person to avoid the site.

I have tried creating my own SSL ("an untrusted certificate") through Cpanel with the second site's domain but the Secure Pages or just the site continues to use the SSL for the main domain.

Does anyone know how to get around this certificate issue with Multi Domain install?

Also, the secondary sites are PARKED (ex.. site2.maindomain.com) to access the same drupal install.

Comments

valthebald’s picture

Each SSL site must have separate IP address - is this the case?

cbassig’s picture

I don't believe that would be the case because in a Multi Site Install every site uses the same drupal code, there for the same IP.

Plus, its not warning me about in IP its just saying the SSL is licensed to another Domain, so I need the license to have multiple domains accepted OR probably more likely have the browser believe the parked domain IS the same as the main domain. I was reading about a possible Mod_rewrite but not sure how to do it or if that is even the solution.

valthebald’s picture

SSL certificate is issued to only one domain name. (even yoursite.com and www.yoursite.com need different certificates)
What you can do is redirect user from parked domain to the main domain, which has correct certificate and would not raise any warnings

cbassig’s picture

How would I go about redirecting to the main domain?

The problem there is I don't want the viewer to leave the site they are on.

I tried creating a SSL certificate for the second/parked domain ("untrusted"), but it won't find the second SSL. It just reads the original on the main domain.

valthebald’s picture

You're trying to reach unreachable goal. You cannot redirect and remain on the same site simultaniously :)
Once again:
a) you cannot install more than one certificate on sites sharing the same IP address. Parked domains simply point to the main domain, so they use the same IP for sure.
b) if you have domains a.com (main) and b.com (parked), there is no way to install certificate for a.com and display https://b.com without warning. You can do nothing about it. Solution is to check if visitor typed https://b.com/something.html (just an example) and redirect him in this case to https://a.com/something.html

cbassig’s picture

I was afraid of that and was in denial. You can always hope, right?

Thanks for your help.

alanburke’s picture

Status: Active » Fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Jackie16’s picture

An SSL certificate is used for the server authentication, data encryption, and message integrity checks. With a valid SSL certificate, your Internet communications are transmitted in encrypted form. ...You can get the SSL certificate from http://www.tucktail.com/

storsvedjan’s picture

Perhaps a workaround with Apache related Webserver only with one IP:

The trick is, that you can run different SSL-Sites on the same IP, but NOT on the same IP AND Port. So, for every SSL-Vhost, we use another port (4430, 4431... with the IP 1.2.3.4 for example)

With the same "basename" (www.example.com, news.example.com...):

Create a "wildcard"-certificate. There are many HowTo, how you can create this. Only one think is important: You must answer with a "*.basename" (*.example.com) when the SSL-Tool ask you for "Common Name" or "CN".

Make a vhost-conf like this (only a example):
In example.com.inc:

  DocumentRoot /var/www/sites/multi.example.com
  ServerName www.example.com
  ServerAlias news.example.com

  <Directory /var/www/sites/multi.example.com>
    AllowOverride All
    Options MultiViews FollowSymLinks
    allow from all
    php_admin_value upload_max_filesize 20M
    php_admin_value post_max_size 24M
    php_admin_value max_execution_time 60M
    php_admin_value memory_limit 68M
  </Directory>

  ErrorLog /var/log/apache2/multi.example.com/error.log
  LogLevel error
  CustomLog /var/log/apache2/multi.example.com/access.log combined
  ServerSignature Off

In the multi.example.com-vhost-file:

<VirtualHost 1.2.3.4:80\>

  Include /etc/apache2/sites-available/example.com.inc

  RewriteEngine on

  RewriteCond %{HTTPS} off
  RewriteCond %{HTTP_HOST} ^www\.example\.com
  RewriteRule ^(.*) https://www\.example\.com:4430$1 [R=301,L]

  RewriteCond %{HTTPS} off
  RewriteCond %{HTTP_HOST} ^news\.example\.com
  RewriteRule ^(.*) https://news\.example\.com:4430$1 [R=301,L]

</VirtualHost>

###
# For SSL
###

Listen 4430

<VirtualHost 1.2.3.4:4430>

   Include /etc/apache2/sites-available/example.com.inc

  <IfModule mod_ssl.c>
    SSLEngine on
    SSLCertificateFile    /etc/apache2/certs/multi.example.com/multi.example.com.crt
    SSLCertificateKeyFile /etc/apache2/certs/multi.example.com/multi.example.com.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
  </IfModule>

</VirtualHost>

Thats all. The next SSL-Vhost with another basename as URL use the next free port (4431 in this example).

alexgreyhead’s picture

Unless I've missed something here (entirely possible), I just set up mod_ssl on our Apache server this afternoon and the ssl.conf file allows the specification of different SSL certs for different domains; here's one I made earlier:

LoadModule ssl_module modules/mod_ssl.so
Listen *:443

<VirtualHost www.somewhere.com:443>
  DocumentRoot "/sites/www.somewhere.com/httpdocs"
  ServerName www.somewhere.com:443
  SSLEngine on
  SSLCertificateFile /sites/www.somewhere.com/httpdocs/sites/www.somewhere.com/ssl/www.somewhere.com.crt
  SSLCertificateKeyFile /sites/www.somewhere.com/httpdocs/sites/www.somewhere.com/ssl/www.somewhere.com.key
  SSLCACertificateFile /sites/www.somewhere.com/httpdocs/sites/www.somewhere.com/ssl/AlphaSSLroot.crt
</VirtualHost>                                  

I'm pretty sure we can install as many certs as we like on this box, on the same IP, serving different content depending on the HTTP Host requested.

Again, sorry if I've missed something crucial from this conversation!

:o)

valthebald’s picture

The short answer is: you are wrong:)
In more details, hostname-based site distinction (by ServerName/ServerAlias, NameVirtualHost directive) is working on HTTP (application) level of TCP/IP protocol stack. Just because it is necessary to analyze Host header, which is part of HTTP header set.
However, SSL certificate, which is necessary to encode/decode HTTPS traffic, is working on TLS/SSL level.
In other words, when web server gets bulk of data, it has first to decide which SSL certificate to use. Only when SSL certificate is chosen, web server can analyze data (including headers and other stuff). For that reason, you cannot use NameVirtualServers on SSL sites. This is platform-independent behavior, but not something specific for Apache.

Jurgen8en’s picture

Hi,

I have installed a SSL-certificate "Comodo PositiveSSL MDC". (Fixed ip-adress)
I can access my main and parked domain through https://www.main.com and https://www.parked.com

Looks like it is possible?

My next step is installing "Secure Pages".

luti’s picture

If I understand this issue right, it was not possible to achieve the goal with mod_ssl in the past.

However, this should not be an issue with newer versions of Apache / OpenSSL:
It is possible, but only if using a 2.2.12 or later web server, built with 0.9.8j or later OpenSSL. This is because it requires a feature that only the most recent revisions of the SSL specification added, called Server Name Indication (SNI).

If you have an older version of Apache / OpenSSL, you still have a chance to resolve this issue.

With mod_gnutls-0.2.0 (used in this article), I've had an issue - for all virtual sites the same certificate was used. However, using the last versions of GnuTLS and mod_gnutls resolved this issue (seems to work well at my site now).

You have some nice reading about this issue also here and here.

I hope this is enough for you to get an idea about how you may try to resolve your issue (I have CentOS 5.4 with the latest Apache, and it seems to work well with GnuTLS / mod_gnutls...).

Now, it is on you to google out a solution suitable for your particular environment... ;-)

brianmercer’s picture

SNI also needs support on the browser.

No SNI on Internet Explorer 6, no SNI on any Internet Explorer version on Windows XP, as well as several other browsers on Windows XP.

That's a pretty decent chunk of users there, and enough to make SNI a mediocre solution at best.

charlie-s’s picture

You can certainly access both, as apache is serving HTTPS requests from the same SSL directory, but are they both using an authorized certificate? (in other words, is the user being warned about the certificate when they visit https://www.parked.com?)

espirates’s picture

I tried it on my multi-install and you can access https from both certificate and non-certificate domain but a dialog warns of mismatch domain. SSL Certificates are baloney anyway, there's no validity to them at all and a wast of money. I only bought one to test it out but I regret it now that I know I can do without them.

https vs http makes no difference in security.

Here's another thing that sucks about SSL, multi-domain and dedicated IP address. If you have multiple domains on a shared hosting with one drupal install and you want to to add SSL to each domain you'll have to separate each domain. They each would need their own account, cpanel, ftp, etc

You can say goodbye to wonderful drupal multi-site one codebase , now you'll need to install drupal separate on each domain.

Bartuc’s picture

A site I made uses securepages with multi sites (Although its drupal 6.x). I have a wildcard SSL cert so all subdomains are covered. To get all of the sites to use securepages properly I just commented out a bit of the code in securepages.module.

function securepages_baseurl($secure = TRUE) {
  global $base_url;
  
/*  if ($secure) {
    $url = variable_get('securepages_basepath_ssl', NULL);
  }
  else {
    $url = variable_get('securepages_basepath', NULL);
  }

  if (!empty($url)) {
    return $url;
  } */

  // No url has been set, so convert the base_url from 1 to the other
  return preg_replace('/http[s]?:\/\//i', ($secure ? 'https://' : 'http://'), $base_url, 1);
}

The only lines in this function are the first and last. The last line will use the base url so when you switch from site to site it will pick that url up rather than the $url variable set by securepages. I hope this saves someone a lot of time.

espirates’s picture

startssl has ssl certificates that work on shared server multi-site one ip address, works great can do multiple domains on one certificate.

vajjh’s picture

Version: 5.x-1.6 » 6.x-1.8
Component: Code » Documentation
Category: support » task

For #18 I think you can accomplish the same thing in the settings page by just leaving the "Non-secure Base URL" and "Secure Base URL" fields blank. Those map to the variables that have been commented out. Works for me with a wildcard SSL cert.