SSL certificate handling problem for multiple sites

Rodney Hester
12 February 2015, 21:41
I am in the process of migrating from one domain to another, each of which has an SSL certificate, but I'm having difficulty getting both to work (i.e. if the user comes into https://a.com/, I am redirecting them to https://b.com/, which means the certs for a.com and b.com both have to be presented to the client).

If I do this (non-essential elements stripped):
Binding {
    Port = 443
    Interface = ::
}
UrlToolkit {
    ToolkitID = a
    Match (.*) Redirect //b.com$1
}
VirtualHost {
    Hostname = a.com
    SSLcertFile = a.com.pem
    UseToolkit = a
}
VirtualHost {
    Hostname = b.com
    SSLcertFile = b.com.pem
}

it will not work. However, if I move a.com's SSLcertFile into the binding, like so:
Binding {
    Port = 443
    Interface = ::
    SSLcertFile = a.com.pem
}
UrlToolkit {
    ToolkitID = a
    Match (.*) Redirect //b.com$1
}
VirtualHost {
    Hostname = a.com
    UseToolkit = a
}
VirtualHost {
    Hostname = b.com
    SSLcertFile = b.com.pem
}

it works, which doesn't seem to match the documentation (i.e. it should never fall back to the SSLcertFile in the binding, because a virtual host _is_ defined for the domain).

Any clues as to why the 'proper' configuration doesn't work?

Rodney
Hugo Leisink
12 February 2015, 22:01
A binding that is supposed to talk HTTPS always needs a certificate. Specifying them via all the virtual hosts is not sufficient, because what certificate should be used when another hostname is being used in the HTTP request?
Rodney Hester
12 February 2015, 22:06
If a hostname is being used that isn't in any virtual host, it could just as easily be ignored, because it's going to fall through to the default webroot anyway.

The better question is, what certificate should appear in the binding PEM, if every vhost has its own? (Is it sufficient to place a 'dummy' self-signed certificate there? If so, what common name should it have?)

Rodney
Hugo Leisink
12 February 2015, 22:11
Ignored or not, Hiawatha still needs a certificate, because it is supposed to talk HTTPS. A dummy (self-signed) certificate with, for example, the IP address of the binding should do.
Rodney Hester
12 February 2015, 23:10
I put a common name of 'localhost' in the 'dummy' PEM and it seems to be perfectly happy. =) Thank you!
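An added example, not from the thread or from the Hiawatha project: a shell script that builds the dummy self-signed PEM for the Binding with CN=localhost as used above, checks the file, and includes a helper that asks a running server which certificate it presents for a given SNI name. It assumes that SSLcertFile holds the private key and certificate concatenated in one file, that openssl is installed, and that the server listens on port 443.

```shell
#!/bin/sh
# Added example (not from the forum thread or the Hiawatha project).
# Builds a dummy self-signed PEM for the Binding and checks its layout.
set -eu

# Create a self-signed key and certificate and write both into one PEM.
# $1 = output path, $2 = common name (localhost, or the binding's IP address).
make_dummy_pem() {
    out="$1"; cn="$2"
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=$cn" -keyout "$tmp/key.pem" -out "$tmp/cert.pem" >/dev/null 2>&1
    # Assumption: Hiawatha reads private key and certificate from the same file.
    cat "$tmp/key.pem" "$tmp/cert.pem" > "$out"
    chmod 600 "$out"          # the file holds a private key; keep it owner-only
    rm -rf "$tmp"
}

# Check that a PEM contains exactly one private key and one certificate,
# then print the certificate subject so the CN can be eyeballed.
pem_check() {
    [ "$(grep -c 'BEGIN .*PRIVATE KEY' "$1")" = 1 ] || return 1
    [ "$(grep -c 'BEGIN CERTIFICATE' "$1")" = 1 ] || return 1
    openssl x509 -noout -subject -in "$1"
}

# Ask a live server which certificate it serves for an SNI name.
# $1 = address to connect to, $2 = hostname sent in SNI (e.g. a.com, b.com).
# Needs a running server, so it is not called in the offline run below.
served_subject() {
    openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null |
        openssl x509 -noout -subject
}

make_dummy_pem dummy.pem localhost
pem_check dummy.pem
```

Point the Binding's SSLcertFile at dummy.pem and keep the real certificates in the VirtualHost blocks; served_subject then shows whether a.com and b.com each get their own certificate rather than the dummy.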