I am not sure if this is the best place to ask the question but since Secure Pages requires the server to have an SSL, I figured someone may have the answer here.
Anyways, I have a site under the multi install of Drupal, so the site is located at public_html/sites/example.com and the main domain located at public_html (where drupal is installed) and the main domain has the SSL. When I install the module on the multi domain (public_html/sites/example.com) it finds the SSL and everything works just fine except:
It warns that the certificate is associated with another domain address (the main domain). This is a huge problem specifically in IE because it basically tells the person to avoid the site.
I have tried creating my own SSL ("an untrusted certificate") through Cpanel with the second site's domain but the Secure Pages or just the site continues to use the SSL for the main domain.
Does anyone know how to get around this certificate issue with Multi Domain install?
Also, the secondary sites are PARKED (ex.. site2.maindomain.com) to access the same drupal install.
Comments
Comment #1
valthebaldEach SSL site must have separate IP address - is this the case?
Comment #2
cbassig commentedI don't believe that would be the case because in a Multi Site Install every site uses the same drupal code, there for the same IP.
Plus, its not warning me about in IP its just saying the SSL is licensed to another Domain, so I need the license to have multiple domains accepted OR probably more likely have the browser believe the parked domain IS the same as the main domain. I was reading about a possible Mod_rewrite but not sure how to do it or if that is even the solution.
Comment #3
valthebaldSSL certificate is issued to only one domain name. (even yoursite.com and www.yoursite.com need different certificates)
What you can do is redirect user from parked domain to the main domain, which has correct certificate and would not raise any warnings
Comment #4
cbassig commentedHow would I go about redirecting to the main domain?
The problem there is I don't want the viewer to leave the site they are on.
I tried creating a SSL certificate for the second/parked domain ("untrusted"), but it won't find the second SSL. It just reads the original on the main domain.
Comment #5
valthebaldYou're trying to reach unreachable goal. You cannot redirect and remain on the same site simultaniously :)
Once again:
a) you cannot install more than one certificate on sites sharing the same IP address. Parked domains simply point to the main domain, so they use the same IP for sure.
b) if you have domains a.com (main) and b.com (parked), there is no way to install certificate for a.com and display https://b.com without warning. You can do nothing about it. Solution is to check if visitor typed https://b.com/something.html (just an example) and redirect him in this case to https://a.com/something.html
Comment #6
cbassig commentedI was afraid of that and was in denial. You can always hope, right?
Thanks for your help.
Comment #7
alanburke commentedComment #9
Jackie16 commentedAn SSL certificate is used for the server authentication, data encryption, and message integrity checks. With a valid SSL certificate, your Internet communications are transmitted in encrypted form. ...You can get the SSL certificate from http://www.tucktail.com/
Comment #10
storsvedjan commentedPerhaps a workaround with Apache related Webserver only with one IP:
The trick is, that you can run different SSL-Sites on the same IP, but NOT on the same IP AND Port. So, for every SSL-Vhost, we use another port (4430, 4431... with the IP 1.2.3.4 for example)
With the same "basename" (www.example.com, news.example.com...):
Create a "wildcard"-certificate. There are many HowTo, how you can create this. Only one think is important: You must answer with a "*.basename" (*.example.com) when the SSL-Tool ask you for "Common Name" or "CN".
Make a vhost-conf like this (only a example):
In example.com.inc:
In the multi.example.com-vhost-file:
Thats all. The next SSL-Vhost with another basename as URL use the next free port (4431 in this example).
Comment #11
alexgreyhead commentedUnless I've missed something here (entirely possible), I just set up mod_ssl on our Apache server this afternoon and the ssl.conf file allows the specification of different SSL certs for different domains; here's one I made earlier:
I'm pretty sure we can install as many certs as we like on this box, on the same IP, serving different content depending on the HTTP Host requested.
Again, sorry if I've missed something crucial from this conversation!
:o)
Comment #12
valthebaldThe short answer is: you are wrong:)
In more details, hostname-based site distinction (by ServerName/ServerAlias, NameVirtualHost directive) is working on HTTP (application) level of TCP/IP protocol stack. Just because it is necessary to analyze Host header, which is part of HTTP header set.
However, SSL certificate, which is necessary to encode/decode HTTPS traffic, is working on TLS/SSL level.
In other words, when web server gets bulk of data, it has first to decide which SSL certificate to use. Only when SSL certificate is chosen, web server can analyze data (including headers and other stuff). For that reason, you cannot use NameVirtualServers on SSL sites. This is platform-independent behavior, but not something specific for Apache.
Comment #13
Jurgen8en commentedHi,
I have installed a SSL-certificate "Comodo PositiveSSL MDC". (Fixed ip-adress)
I can access my main and parked domain through https://www.main.com and https://www.parked.com
Looks like it is possible?
My next step is installing "Secure Pages".
Comment #14
luti commentedIf I understand this issue right, it was not possible to achieve the goal with mod_ssl in the past.
However, this should not be an issue with newer versions of Apache / OpenSSL:
It is possible, but only if using a 2.2.12 or later web server, built with 0.9.8j or later OpenSSL. This is because it requires a feature that only the most recent revisions of the SSL specification added, called Server Name Indication (SNI).
If you have an older version of Apache / OpenSSL, you still have a chance to resolve this issue.
With mod_gnutls-0.2.0 (used in this article), I've had an issue - for all virtual sites the same certificate was used. However, using the last versions of GnuTLS and mod_gnutls resolved this issue (seems to work well at my site now).
You have some nice reading about this issue also here and here.
I hope this is enough for you to get an idea about how you may try to resolve your issue (I have CentOS 5.4 with the latest Apache, and it seems to work well with GnuTLS / mod_gnutls...).
Now, it is on you to google out a solution suitable for your particular environment... ;-)
Comment #15
brianmercer commentedSNI also needs support on the browser.
No SNI on Internet Explorer 6, no SNI on any Internet Explorer version on Windows XP, as well as several other browsers on Windows XP.
That's a pretty decent chunk of users there, and enough to make SNI a mediocre solution at best.
Comment #16
charlie-s commentedYou can certainly access both, as apache is serving HTTPS requests from the same SSL directory, but are they both using an authorized certificate? (in other words, is the user being warned about the certificate when they visit https://www.parked.com?)
Comment #17
espirates commentedI tried it on my multi-install and you can access https from both certificate and non-certificate domain but a dialog warns of mismatch domain. SSL Certificates are baloney anyway, there's no validity to them at all and a wast of money. I only bought one to test it out but I regret it now that I know I can do without them.
https vs http makes no difference in security.
Here's another thing that sucks about SSL, multi-domain and dedicated IP address. If you have multiple domains on a shared hosting with one drupal install and you want to to add SSL to each domain you'll have to separate each domain. They each would need their own account, cpanel, ftp, etc
You can say goodbye to wonderful drupal multi-site one codebase , now you'll need to install drupal separate on each domain.
Comment #18
Bartuc commentedA site I made uses securepages with multi sites (Although its drupal 6.x). I have a wildcard SSL cert so all subdomains are covered. To get all of the sites to use securepages properly I just commented out a bit of the code in securepages.module.
The only lines in this function are the first and last. The last line will use the base url so when you switch from site to site it will pick that url up rather than the $url variable set by securepages. I hope this saves someone a lot of time.
Comment #19
espirates commentedstartssl has ssl certificates that work on shared server multi-site one ip address, works great can do multiple domains on one certificate.
Comment #20
vajjh commentedFor #18 I think you can accomplish the same thing in the settings page by just leaving the "Non-secure Base URL" and "Secure Base URL" fields blank. Those map to the variables that have been commented out. Works for me with a wildcard SSL cert.