SSL setup on Virtualmin on multiple sites using one public IP

One precision: I restarted apache, and the following warning was issued:

[Tue May 29 20:30:43 2012] [warn] VirtualHost x.x.x.x:443 overlaps with VirtualHost x.x.x.x:443, the first has precedence, perhaps you need a NameVirtualHost directive

Where x.x.x.x is the same IP address

I believe that’s the apache config produced by virtualmin that’s missing the NameVirtualHost directive…

We’re running VirtualMin Pro 3.92 (installed 12/May/2012)

Thanks

MD

I confirm this is something to polish in virtualmin. For those of us who want to do SNI, we need to modify the apache directives manually (yay)

But I got it working

If you want to get SNI to work on Virtualmin, it’s a three step process:

  1. modify the /etc/apache2/apache2.conf file and make sure you have at least one line like this:

NameVirtualHost *:443

  2. modify your virtualhosts in /etc/apache2/abc.com.conf (and all other .conf sharing the same ip) by changing the 443 virtualhost line to:

<VirtualHost *:443> (with the enclosing < and > tags)

  3. restart apache.

Works like a charm. Oh, but yeah, anyone with a browser for whom SNI does not work will get an SSL certificate error even though the right site will show - but I don’t think it should be a huge deal, Windows XP is down to 27% and it’s losing 1.5% almost every month.

For customers being turned off, we as web companies can instruct them to upgrade their browser, or accept the certificate error.

MD.
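The three steps above, written out as the resulting Apache configuration (an added example for this thread, not Virtualmin's generated config; abc.com, xyz.com, the file paths and the IP 203.0.113.10 are placeholders):

```apache
# --- Before: the layout that triggers the warning quoted earlier in the thread,
# "VirtualHost x.x.x.x:443 overlaps with VirtualHost x.x.x.x:443, the first has
# precedence". Two address-based hosts on one IP:port are treated as duplicates,
# so every HTTPS request on 203.0.113.10 is answered by the first block and its
# certificate, whatever hostname the browser asked for.
#
#   <VirtualHost 203.0.113.10:443>
#       ServerName abc.com
#       SSLEngine on
#       SSLCertificateFile    /home/abc/ssl.cert
#       SSLCertificateKeyFile /home/abc/ssl.key
#   </VirtualHost>
#   <VirtualHost 203.0.113.10:443>
#       ServerName xyz.com
#       ...
#   </VirtualHost>

# --- After: name-based SSL hosts, selected by the TLS server name (SNI).
# Step 1, in /etc/apache2/apache2.conf (or ports.conf). Required on Apache 2.2;
# Apache 2.4 matches by name on its own and only logs that this line is ignored.
NameVirtualHost *:443

# Step 2, in /etc/apache2/abc.com.conf. This is the first *:443 host in config
# order, so it is also the default that clients without SNI are sent to (hence
# the certificate warning those clients see for the other sites).
<VirtualHost *:443>
    ServerName abc.com
    ServerAlias www.abc.com
    DocumentRoot /home/abc/public_html
    SSLEngine on
    SSLCertificateFile      /home/abc/ssl.cert
    SSLCertificateKeyFile   /home/abc/ssl.key
    SSLCertificateChainFile /home/abc/ssl.ca
</VirtualHost>

# Same change in /etc/apache2/xyz.com.conf: *:443 instead of the literal IP.
<VirtualHost *:443>
    ServerName xyz.com
    ServerAlias www.xyz.com
    DocumentRoot /home/xyz/public_html
    SSLEngine on
    SSLCertificateFile      /home/xyz/ssl.cert
    SSLCertificateKeyFile   /home/xyz/ssl.key
    SSLCertificateChainFile /home/xyz/ssl.ca
</VirtualHost>
# Step 3: restart Apache, then check each name returns its own certificate with
#   openssl s_client -connect 203.0.113.10:443 -servername xyz.com
```

After the restart, the "overlaps" warning should be gone and the error log should instead show the RFC 4366 SNI notice quoted further down in the thread.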

From the Apache wiki…

Prerequisites to use SNI

Use OpenSSL 0.9.8f or later
Build OpenSSL with the TLS Extensions option enabled (option enable-tlsext; OpenSSL 0.9.8k and later has this enabled by default).
Apache must have been built with that OpenSSL (./configure --with-ssl=/path/to/your/openssl). In that case, mod_ssl will automatically detect the availability of the TLS extensions and support SNI.
Apache must use that OpenSSL at run-time, which might require setting LD_LIBRARY_PATH or equivalent to point to that OpenSSL, maybe in bin/envvars. (You’ll get unresolved symbol errors at Apache startup if Apache was built with SNI but isn’t finding the right openssl libraries at run-time.)

How can you tell if your Apache build supports SNI? If you configure multiple name-based virtual hosts for an address where SSL is configured, and SNI isn’t built into your Apache, then upon Apache startup a message like “You should not use name-based virtual hosts in conjunction with SSL!!” will occur in the error log. If SNI is built in, then the error log will show “[warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)”.

The second paragraph is what I had used as a first pointer, along with the directives from this website https://sni.velox.ch/

That website made it much easier.

MD

Do you still need one IP per SSL certificate in Virtualmin?

Or can you set up multiple sites with one IP?

Thanks

Howdy,

Well, this particular thread is a few years old… Virtualmin now makes use of SNI in Apache, and can use any number of SSL certificates per IP address.

-Eric

OK Great! So I can have one Virtualmin install with several domain/SSLs within the same IP address, correct?

Is this a straightforward setup through the Manage SSLs section or do I need to edit Apache directives manually?

It should just work – it’s just a matter of enabling the SSL feature for all the domains that should have it.

Current Apache versions handle this just fine, and don’t require anything unusual for that to work properly.

-Eric

I tried to enable SSL on a 2nd top-level virtual server / website. Previously only the parent site (same Virtualmin install) had SSL enabled.

  • Reissued fresh certificates
  • Added the .crt (certificate) file
  • Added the .ca-bundle (certificate authority) file

After I did this I got locked out of Virtualmin, since the parent website’s SSL got updated with the new cert mismatch. How can I avoid the parent virtual server sporting the secondary certificate?

Any clues would be greatly appreciated,
Best

Howdy,

We can certainly help out, but since this thread is over 3 years old – could you start a new thread, and there, describe the issue that’s occurring now? Thanks!

-Eric