Problem description
- Multiple websites are associated with the same IP address and port of a server.
- The server can distinguish between host headers in requests that are sent from clients.
- An SSL certificate has been applied for and installed on each website. However, when a website is visited, the system returns a message that indicates the certificate does not match.
Cause
When the server receives an HTTPS request, it must use the correct server certificate to decrypt the request. Each website is associated with its own certificate, so the server has to decide which certificate a given request needs. Normally the server would make that decision based on the host header, but the host header is inside the encrypted request and cannot be read before the certificate is chosen. The server therefore falls back to the certificate of the website that was first associated with the IP address and port. If the request is destined for another website, the decryption fails and the certificate mismatch error is returned.
Solution
This topic provides different solutions for three types of web servers.
IIS
- Associate a website with a unique port
Associate an HTTPS website with a unique port for the same IP address. For example, you can associate an HTTPS website with a port in the [$Domain]:[$Port] format. However, if you use a client browser to visit the website, you must manually specify the port in the address bar.
Note
- [$Domain]: the domain name of the website.
- [$Port]: the port.
- Associate a website with a unique IP address
Associate an HTTPS website with a unique IP address. If you use this method, no request conflicts occur, and host headers are not required in the requests. However, the costs of this method are high.
- Use a wildcard certificate
Use a wildcard certificate for websites. For example, the example.aliyundoc.com, demo.aliyundoc.com, and learn.aliyundoc.com websites can use the certificate to which the *.aliyundoc.com domain name is bound. If you use this method, all requests destined for the websites can be decrypted by using the wildcard certificate.
- Upgrade an IIS server
Upgrade an IIS server to IIS 8.0 to enable Server Name Indication (SNI). This way, the IIS server can directly read host headers in requests to determine the required certificate. For more information about how to enable SNI, see SSL Scalability.
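The following Python model is an added example, not code from the original page or from any of the web servers it describes. It imitates the two behaviours discussed in the Cause section and the wildcard and SNI solutions above: a server without SNI always presents the certificate of the first website bound to the IP address and port, while an SNI-aware server picks the virtual host that matches the name the client sent. The wildcard rule is the standard one, so a certificate for *.aliyundoc.com covers exactly one label. All host names, certificate paths and virtual host records are constructed.

```python
"""How a TLS server chooses a certificate for a virtual host (added example).

Two behaviours are modelled: a server without SNI that always presents the
certificate of the first website bound to the IP address and port, and an
SNI-aware server that picks the virtual host matching the name the client
sent. The wildcard rule is the usual one: "*.aliyundoc.com" covers exactly
one label. Host names, paths and records below are constructed, not real.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class VirtualHost:
    server_name: str              # name (or wildcard) the vhost answers to
    cert_path: str                # constructed placeholder path
    cert_names: List[str] = field(default_factory=list)  # DNS names in the cert


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a leading '*' label that covers exactly one label:
    *.example.com matches a.example.com but not example.com or a.b.example.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def select_vhost(vhosts: List[VirtualHost], sni_name: Optional[str],
                 sni_enabled: bool) -> VirtualHost:
    """Return the vhost whose certificate the server presents. Without SNI,
    or when the client sent no name, the first vhost on the socket wins,
    which is exactly the mismatch described in the Cause section."""
    if sni_enabled and sni_name:
        for vh in vhosts:
            if hostname_matches(vh.server_name, sni_name):
                return vh
    return vhosts[0]


def certificate_matches(vh: VirtualHost, hostname: str) -> bool:
    """True when the presented certificate is valid for the requested name."""
    return any(hostname_matches(n, hostname) for n in vh.cert_names)


# Constructed vhosts: one certificate per site, as in the problem description.
VHOSTS = [
    VirtualHost("example.aliyundoc.com", "/etc/ssl/example.pem", ["example.aliyundoc.com"]),
    VirtualHost("demo.aliyundoc.com", "/etc/ssl/demo.pem", ["demo.aliyundoc.com"]),
    VirtualHost("learn.aliyundoc.com", "/etc/ssl/learn.pem", ["learn.aliyundoc.com"]),
]

# Constructed alternative: one wildcard vhost and certificate for all three sites.
WILDCARD_VHOSTS = [
    VirtualHost("*.aliyundoc.com", "/etc/ssl/wildcard.pem", ["*.aliyundoc.com"]),
]


def visit(hostname: str, vhosts: List[VirtualHost], sni_enabled: bool) -> Tuple[str, bool]:
    """Simulate a browser visit: which certificate is served, and whether it
    matches the name the browser expects."""
    vh = select_vhost(vhosts, hostname, sni_enabled)
    return vh.cert_path, certificate_matches(vh, hostname)


if __name__ == "__main__":
    for sni in (False, True):
        for host in ("example.aliyundoc.com", "demo.aliyundoc.com"):
            print(f"SNI={sni!s:5} {host:25} ->", visit(host, VHOSTS, sni))
    print("wildcard, no SNI:", visit("learn.aliyundoc.com", WILDCARD_VHOSTS, False))
```

Running the block shows that without SNI only the first site ever gets a matching certificate, that enabling SNI fixes every site, and that a single wildcard certificate works even without SNI because the one certificate covers all the names.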
NGINX
Add a virtual host to an NGINX server to associate multiple websites with the same IP address and port of the server. Perform the following operations:
- Log on to the NGINX server and run the following command to open the NGINX configuration file:
vim [$Nginx_Dir]/conf/nginx.conf
Note [$Nginx_Dir] indicates the installation directory of the NGINX server. The default installation directory is /usr/local/nginx.
- Modify the configuration file to the following content:
server {
    listen 443;
    server_name [$Domain1];
    ssl on;
    ssl_certificate [$Certificate_Path1];
    ssl_certificate_key [$Key_Path1];
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers [$Ciphers_Suite1];
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}
server {
    listen 443;
    server_name [$Domain2];
    ssl on;
    ssl_certificate [$Certificate_Path2];
    ssl_certificate_key [$Key_Path2];
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers [$Ciphers_Suite2];
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}
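The following Python checker is an added example and is not part of the original page or of the NGINX project. A minimal parser reads nginx.conf-style text into server blocks, and each block listening on port 443 is then checked for the conditions the steps above rely on: a server_name that SNI can route to, an ssl_certificate and ssl_certificate_key of its own, and no server_name that is already claimed by an earlier block (NGINX would select only the first). It also flags TLSv1 and TLSv1.1, which RFC 8996 deprecates. The configuration text is constructed for the demonstration and keeps the page's [$...] placeholders where real paths are unknown; the third block and the duplicated name are deliberate mistakes for the checker to find.

```python
"""Checks on NGINX TLS server blocks (added example, not NGINX project code).

A minimal parser reads nginx.conf-style text into server blocks, then each
block listening on port 443 is checked for a server_name that SNI can route
to, a certificate and key of its own, and no duplicate server_name. It also
flags TLSv1/TLSv1.1, which RFC 8996 deprecates. The configuration text is
constructed and keeps the page's [$...] placeholders where paths are unknown.
"""
import re
from typing import Dict, List, Optional, Tuple

Directive = Tuple[str, List[str], Optional[list]]   # name, args, children

SAMPLE_CONF = """
server { listen 443; server_name [$Domain1]; ssl on;
  ssl_certificate [$Certificate_Path1]; ssl_certificate_key [$Key_Path1];
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; location / { root html; index index.html; } }
server { listen 443 ssl; server_name [$Domain1];
  ssl_certificate [$Certificate_Path2]; ssl_certificate_key [$Key_Path2];
  ssl_protocols TLSv1.2 TLSv1.3; location / { root html; } }
server { listen 443 ssl; server_name site3.example; ssl_protocols TLSv1.2 TLSv1.3;
  location / { root html; } }
"""


def _tokenize(text: str) -> List[str]:
    text = re.sub(r"#[^\n]*", "", text)           # drop comments
    return re.findall(r"[{};]|[^\s{};]+", text)


def _parse(tokens: List[str], i: int = 0) -> Tuple[List[Directive], int]:
    """Parse directives until a closing brace or the end of input."""
    out: List[Directive] = []
    while i < len(tokens) and tokens[i] != "}":
        name, i = tokens[i], i + 1
        args: List[str] = []
        while tokens[i] not in (";", "{"):
            args.append(tokens[i])
            i += 1
        if tokens[i] == ";":
            out.append((name, args, None))
            i += 1
        else:
            children, i = _parse(tokens, i + 1)
            out.append((name, args, children))
            i += 1                                  # consume the closing '}'
    return out, i


def server_blocks(text: str) -> List[List[Directive]]:
    top, _ = _parse(_tokenize(text))
    return [kids for name, _, kids in top if name == "server" and kids is not None]


def _listens_on_443(listen_args: List[str]) -> bool:
    # Accept "443", "0.0.0.0:443" or "[::]:443", with or without the ssl flag.
    return any(a == "443" or a.endswith(":443") for a in listen_args)


def check_tls_vhosts(text: str) -> List[str]:
    """Return one finding per problem; an empty list means nothing was flagged."""
    findings: List[str] = []
    seen: Dict[str, int] = {}
    for n, block in enumerate(server_blocks(text), start=1):
        simple = {name: args for name, args, kids in block if kids is None}
        if not _listens_on_443(simple.get("listen", [])):
            continue
        names = simple.get("server_name", [])
        if not names:
            findings.append(f"server #{n}: no server_name, SNI cannot select it")
        for name in names:
            if name in seen:
                findings.append(f"server #{n}: server_name {name} already used by "
                                f"server #{seen[name]}; only the first will be chosen")
            else:
                seen[name] = n
        if "ssl_certificate" not in simple or "ssl_certificate_key" not in simple:
            findings.append(f"server #{n}: missing ssl_certificate or ssl_certificate_key")
        weak = [p for p in simple.get("ssl_protocols", []) if p in ("SSLv3", "TLSv1", "TLSv1.1")]
        if weak:
            findings.append(f"server #{n}: deprecated protocols enabled: {' '.join(weak)}")
    return findings


if __name__ == "__main__":
    for finding in check_tls_vhosts(SAMPLE_CONF):
        print(finding)
```

The checker accepts both the `ssl on;` form shown on this page and the `listen 443 ssl;` form that replaced it in NGINX 1.15.0, so it can be run over either style of configuration before the server is reloaded.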
Apache
- Log on to the Apache server and run the following command to open the ssl.conf configuration file:
vim [$Apache_Dir]/conf.d/ssl.conf
Note
- [$Apache_Dir] indicates the installation directory of the Apache server. The default installation directory is /etc/httpd.
- If the ssl.conf configuration file cannot be found, run the yum install mod_ssl -y command to install the SSL-related modules.
- After you enable SNI for the Apache server, you must add SSLStrictSNIVHostCheck off to the configuration file.
- Modify the configuration file to the following content:
Listen 443
NameVirtualHost *:443
<VirtualHost *:443>
    …
    ServerName [$Domain1]
    SSLCertificateFile [$Certificate_Path1]
    SSLCertificateKeyFile [$Key_Path1]
    SSLCertificateChainFile [$Certificate_Chain1]
    …
</VirtualHost>
<VirtualHost *:443>
    …
    ServerName [$Domain2]
    SSLCertificateFile [$Certificate_Path2]
    SSLCertificateKeyFile [$Key_Path2]
    SSLCertificateChainFile [$Certificate_Chain2]
    …
</VirtualHost>
Note
- If a certificate such as a free certificate to which the www.example.com and example.com domain names are bound is used, we recommend that you specify the domain names in the following format. Otherwise, the domain names that contain www may be inaccessible.
ServerName example.com
ServerAlias www.example.com
- [$Certificate_Chain1]: the path to the bundle of the intermediate certificate for the first website.
- [$Certificate_Chain2]: the path to the bundle of the intermediate certificate for the second website.
- In Apache V2.4.8 or later, the value of SSLCertificateChainFile is replaced with that of SSLCACertificatePath.
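After either the NGINX or the Apache configuration is in place, the check a practitioner wants is to connect with each site's name as the SNI value and confirm that the certificate the server actually presents carries that name. The following Python probe is an added example, not part of the original page or of the Apache project: it announces the given name, reads the served certificate with the standard library, and lists the DNS names in it. The server address, port and domain names in the usage section are assumptions to be replaced with the real values; the certificate dictionary shape is the one Python's ssl module returns.

```python
"""Probe which certificate a server presents for a given SNI name
(added example, not part of the original page or the Apache project).

The check connects to host:port announcing sni_name, reads the certificate
the server actually served, and reports the DNS names in it. The host,
port, domains and CA file in the usage section are assumptions.
"""
import socket
import ssl
from typing import List, Optional


def names_from_peercert(cert: dict) -> List[str]:
    """DNS names from the dict SSLSocket.getpeercert() returns: subjectAltName
    DNS entries first, then the subject commonName if not already listed."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value not in names:
                names.append(value)
    return names


def verdict(domain: str, names: List[str]) -> str:
    """Exact-name check; a wildcard entry must be matched with the single-label rule."""
    if domain in names:
        return f"OK       {domain}"
    return f"MISMATCH {domain}: server presented {', '.join(names) or '<no names>'}"


def served_names(host: str, port: int, sni_name: str,
                 cafile: Optional[str] = None, timeout: float = 5.0) -> List[str]:
    """Names in the certificate presented for sni_name. Hostname checking is
    turned off so a mismatching certificate is reported instead of raising;
    chain verification stays on (pass cafile for a private CA), because
    getpeercert() only returns the parsed dict when the chain was verified."""
    ctx = ssl.create_default_context()
    if cafile:
        ctx.load_verify_locations(cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
            return names_from_peercert(tls.getpeercert())


if __name__ == "__main__":
    # Assumed values: replace with the server's IP address and the site names
    # bound to it, for example both example.com and www.example.com from the note above.
    SERVER, PORT = "192.0.2.10", 443
    for domain in ("example.com", "www.example.com"):
        try:
            print(verdict(domain, served_names(SERVER, PORT, domain)))
        except (ssl.SSLError, OSError) as exc:
            print(f"ERROR    {domain}: {exc}")
```

A MISMATCH line for every site except the first is the signature of the problem this page describes: the server is ignoring the announced name and always serving the first certificate bound to the port. A MISMATCH only for the www name points at the ServerName/ServerAlias note above.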