Problem description

The following list describes the issue:
  • Multiple websites are associated with the same IP address and port of a server.
  • The server can distinguish between host headers in requests that are sent from clients.
  • An SSL certificate has been applied for and installed on each website. However, when a website is visited, the system returns a message that indicates the certificate does not match.

Cause

When the server receives an HTTPS request, it must first complete the TLS handshake by using the certificate and private key of the website that the request is destined for, and only then can it decrypt the request. Each website is associated with a unique certificate. The server would need the host header in the request to determine which certificate is required. However, the host header is part of the HTTP request and is therefore encrypted, so a server that does not support SNI cannot read it before the handshake. Therefore, the server uses the certificate of the website that is first associated with the IP address and port. If the HTTPS request is destined for another website, the client receives a certificate for the wrong domain name, the connection fails, and the certificate mismatch error is returned.

Solution

This topic provides different solutions for three types of web servers.

IIS

You can use one of the following methods to address this issue for Internet Information Services (IIS) servers:
  • Associate a website with a unique port
    Associate each HTTPS website with a different port on the same IP address, so that the website is accessed as [$Domain]:[$Port]. Because each port carries only one website, the server always knows which certificate to use. However, if you use a client browser to visit the website, you must manually specify the port in the address bar.
    Note
    • [$Domain]: the domain name of the website.
    • [$Port]: the port.
  • Associate a website with a unique IP address

    Associate each HTTPS website with its own IP address. If you use this method, no request conflicts occur, and host headers are not required in the requests. However, this method is costly because every HTTPS website requires a dedicated IP address.

  • Use a wildcard certificate

    Use a wildcard certificate for websites that share a parent domain. For example, the example.aliyundoc.com, demo.aliyundoc.com, and learn.aliyundoc.com websites can all use the certificate to which the *.aliyundoc.com domain name is bound. If you use this method, all requests destined for these websites can be served by using the one wildcard certificate, so it no longer matters which website the server picks first.

  • Upgrade an IIS server

    Upgrade an IIS server to IIS 8.0 to enable Server Name Indication (SNI). This way, the IIS server can read the host name from the SNI extension, which the client sends unencrypted in the TLS handshake, and select the required certificate before the request is decrypted. For more information about how to enable SNI, see SSL Scalability.

NGINX

Configure one server block (virtual host) per website on the NGINX server so that multiple websites share the same IP address and port. NGINX matches the SNI host name against the server_name of each block and uses that block's certificate for the handshake. Perform the following operations:

  1. Log on to the NGINX server and run the following command to open the NGINX configuration file:
    vim [$Nginx_Dir]/conf/nginx.conf
    Note [$Nginx_Dir] indicates the installation directory of the NGINX server. The default installation directory is /usr/local/nginx.
  2. Modify the configuration file to the following content:
    # One server block per website. NGINX matches the SNI host name against server_name
    # and uses that block's certificate and key for the TLS handshake.
    server {
        listen 443 ssl;                            # replaces the deprecated "ssl on;", which was removed in NGINX 1.25.1
        server_name [$Domain1];
        ssl_certificate [$Certificate_Path1];
        ssl_certificate_key [$Key_Path1];
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;       # TLSv1 and TLSv1.1 are deprecated; use TLSv1.2 TLSv1.3 if all clients support them
        ssl_ciphers [$Ciphers_Suite1];
        ssl_prefer_server_ciphers on;
        location / {
            root html;
            index index.html index.htm;
        }
    }
    server {
        listen 443 ssl;
        server_name [$Domain2];
        ssl_certificate [$Certificate_Path2];
        ssl_certificate_key [$Key_Path2];
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers [$Ciphers_Suite2];
        ssl_prefer_server_ciphers on;
        location / {
            root html;
            index index.html index.htm;
        }
    }

Apache

  1. Log on to the Apache server and run the following command to open the ssl.conf configuration file:
    vim [$Apache_Dir]/conf.d/ssl.conf
    Note
    • [$Apache_Dir] indicates the installation directory of the Apache server. The default installation directory is /etc/httpd.
    • If the ssl.conf configuration file cannot be found, run the yum install mod_ssl -y command to install the mod_ssl module, which provides the file.
    • After you enable SNI for the Apache server, you must add SSLStrictSNIVHostCheck off to the configuration file so that clients that do not send SNI are still served by the first (default) virtual host instead of being rejected.
  2. Modify the configuration file to the following content:
    Listen 443
    # NameVirtualHost is needed only by Apache 2.2; Apache 2.4 ignores it and logs a warning.
    NameVirtualHost *:443
    # One VirtualHost per website. Apache matches the SNI host name against ServerName and
    # ServerAlias and presents that virtual host's certificate. Apache directives take no trailing semicolons.
    <VirtualHost *:443>
      …
    ServerName [$Domain1]
    SSLCertificateFile     [$Certificate_Path1]
    SSLCertificateKeyFile  [$Key_Path1]
    SSLCertificateChainFile  [$Certificate_Chain1]
      …
    </VirtualHost>
    <VirtualHost *:443>
      …
    ServerName [$Domain2]
    SSLCertificateFile     [$Certificate_Path2]
    SSLCertificateKeyFile  [$Key_Path2]
    SSLCertificateChainFile  [$Certificate_Chain2]
      …
    </VirtualHost>
    Note
    • If a certificate to which both the www.example.com and example.com domain names are bound (for example, a free certificate) is used, we recommend that you specify the domain names in the following format. Otherwise, the domain name that contains www may be inaccessible.
      • ServerName example.com
      • ServerAlias www.example.com
    • [$Certificate_Chain1]: the path to the bundle of the intermediate certificate for the first website.
    • [$Certificate_Chain2]: the path to the bundle of the intermediate certificate for the second website.
    • In Apache V2.4.8 or later, the value of SSLCertificateChainFile is replaced with that of SSLCACertificatePath.

Applicable scope

Certificate Management Service