multiple SSL-certificates for "one" website

Discussion in 'General' started by cfarnleitner, May 4, 2016.

  1. cfarnleitner (New Member)

    Hey and good evening!

    First of all let me tell you that
    a) I really appreciate the work that has been done on ISPconfig till this day (and hopefully will continue :) )!
    b) I do realize this question has already been the subject of discussion in one way or another, however I need to give it another try

    Problem description:
    I have multiple domain names pointing to one website, where each domain has its very own SSL certificate. In my case I have a Magento CE store with multiple store views, each handling one of these domains (however, you will basically face the same problem with any other CMS, shop system or framework in general that has to deal with multiple domains and SSL certificates).
    In order to draw you a better picture, that's what I would want to achieve:
    - domain1.com (the actual webspace in ISPConfig | has an SSL certificate) [/var/www/clients/client1/web1]
    - domain2.com (an alias pointing at domain1.com | has another SSL certificate) [edit: note, this is what I wanted it to be initially]
    - domain3.com (another alias pointing at domain1.com | no SSL certificate)

    My approach so far (yes, not a good idea, but I needed a quick fix; let's call it a hack, since it's surely not a solution as of now):

    domain1.com:
    /var/www/clients/client1/web1/web/ ... containing the source
    /var/www/clients/client1/web1/ssl/ ... containing the SSL-certificate for domain1.com and domain2.com
    domain2.com:
    /var/www/clients/client1/web2/web/ ... is a (manually created) sym-link to /var/www/clients/client1/web1/web/
    /var/www/clients/client1/web2/ssl/ ... is a (manually created) sym-link to /var/www/clients/client1/web1/ssl/
    domain3.com:
    Is a proper alias according to ISPconfig

    "domain1.com" is set up as a website; its .htaccess handles the requests from the different domains onto this website by using
    Code:
    [...]
    # "MAGE_RUN_CODE" and "MAGE_RUN_TYPE" for pointing to the relevant store/scope
    SetEnvIf Host domain1\.com MAGE_RUN_CODE=base_domain1
    SetEnvIf Host domain1\.com MAGE_RUN_TYPE=website
    SetEnvIf Host domain2\.com MAGE_RUN_CODE=base_domain2
    SetEnvIf Host domain2\.com MAGE_RUN_TYPE=website
    SetEnvIf Host domain3\.com MAGE_RUN_CODE=base_domain3
    SetEnvIf Host domain3\.com MAGE_RUN_TYPE=website
    [...]
    "domain1.com" ssl-folder looks like this:
    Code:
    usr@webserver05:/var/www/domain1.com/ssl# ls -l
    total 40
    -rw-r--r-- 1 web1 client1 6710 Dec  9 16:44 domain1.com.bundle
    -rw-r--r-- 1 web1 client1 1894 Dec  9 16:44 domain1.com.crt
    -rw-r--r-- 1 web1 client1 1814 Dec  9 16:44 domain1.com.csr
    -r-------- 1 web1 client1 3292 Dec  9 16:44 domain1.com.key
    -rw-r--r-- 1 web2 client1 5144 May  3 22:24 domain2.com.bundle
    -rw-r--r-- 1 web2 client1 1828 May  3 22:24 domain2.com.crt
    -rw-r--r-- 1 web2 client1 1008 May  3 22:24 domain2.com.csr
    -r-------- 1 web2 client1 1704 May  3 22:24 domain2.com.key
    
    hence "domain2.com" currently looks like this:
    Code:
    usr@webserver05:/var/www/domain2.com# ls -l
    total 28
    drwxr-xr-x 2 web2 client1 4096 Apr  9  2014 cgi-bin
    drwxr-xr-x 2 root   root    4096 May  4 00:00 log
    drwx--x--- 2 web2 client1 4096 Apr  9  2014 private
    lrwxrwxrwx 1 root   root      35 May  4 00:03 ssl -> /var/www/clients/client1/web1/ssl
    drwxrwxrwx 2 web2 client1 4096 Apr  9  2014 tmp
    lrwxrwxrwx 1 root   root      35 May  3 22:58 web -> /var/www/clients/client1/web1/web
    drwx--x--- 2 web2 client1 4096 Apr  9  2014 webdav
    
    Just for the record: "domain3.com" obviously does not exist since it's an alias.


    The setup I'm running:
    ISPConfig version: 3.0.5.4p8 (note: it's a multi server setup)
    Debian GNU/Linux 7 running Apache2

    Now, my point is, this setup is actually working and survives an Apache restart; however, I'm rather worried about someone feeling the urge to modify the config of website "domain2.com" in ISPConfig, since I haven't completely checked its behavior in that case.
    What I can tell is that the "web" folder as such remains this way (with symlinks) when, for example, changing the website's domain. Also, the "ssl" folder remains a symlink when updating fields in the website's SSL tab in ISPConfig *.
    Due to my observations and testing I'm now curious whether this could be seen as a proper workaround for multiple SSL certificates on "one" website or not. Does anything (besides the fact that this setup is not reflected on the other servers managed by ISPConfig) speak against this configuration, even though the relevant vhost files look pretty neat? Is there a reason to worry about any particular update process?

    * Here, however, one problem is that when changing the "SSL Domain" in the SSL tab and submitting it with the option "Save certificate", this name change is not reflected in the certificate names located in the "symlinked" ssl folder (which I guess would not be a problem if the ssl folder actually remained as in a default ISPConfig website creation, which in my case would also be ok)
     
    Last edited: May 4, 2016
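
For reference, this is what the two SSL vhosts amount to once both hostnames are served from one document root. It is an added example written for this thread, not configuration generated by ISPConfig and not posted by the author; the paths, certificate file names and MAGE_RUN_CODE values are taken from the post above, while the wildcard address, the www. aliases and the Apache 2.2 syntax are assumptions. Apache selects the certificate by SNI, so each hostname gets its own certificate even though both vhosts use web1/web and web1/ssl directly. The Host patterns are anchored: the unanchored `domain1\.com` in the .htaccess above also matches any Host header that merely contains that string, whereas the anchored form only selects a store for the exact hostname.

```apache
# Added example, not ISPConfig-generated config.
# Needs Apache with SNI support (httpd >= 2.2.12 built against OpenSSL >= 0.9.8j).
# Clients without SNI are handed the certificate of the FIRST *:443 vhost on this
# address, so list the most important domain first.
# NameVirtualHost is Apache 2.2 syntax (Debian 7); drop the line on Apache 2.4.
NameVirtualHost *:443

<VirtualHost *:443>
    ServerName domain1.com
    # assumed alias
    ServerAlias www.domain1.com
    DocumentRoot /var/www/clients/client1/web1/web

    SSLEngine on
    SSLCertificateFile      /var/www/clients/client1/web1/ssl/domain1.com.crt
    SSLCertificateKeyFile   /var/www/clients/client1/web1/ssl/domain1.com.key
    SSLCertificateChainFile /var/www/clients/client1/web1/ssl/domain1.com.bundle

    # Anchored: only the exact hostname (optionally with a port) selects the store.
    SetEnvIf Host "^(www\.)?domain1\.com(:[0-9]+)?$" MAGE_RUN_CODE=base_domain1
    SetEnvIf Host "^(www\.)?domain1\.com(:[0-9]+)?$" MAGE_RUN_TYPE=website
</VirtualHost>

<VirtualHost *:443>
    ServerName domain2.com
    # assumed alias
    ServerAlias www.domain2.com
    # Same document root as domain1.com: no symlinked web/ needed for this vhost.
    DocumentRoot /var/www/clients/client1/web1/web

    SSLEngine on
    # Second certificate, read from web1/ssl where the post keeps it.
    SSLCertificateFile      /var/www/clients/client1/web1/ssl/domain2.com.crt
    SSLCertificateKeyFile   /var/www/clients/client1/web1/ssl/domain2.com.key
    SSLCertificateChainFile /var/www/clients/client1/web1/ssl/domain2.com.bundle

    SetEnvIf Host "^(www\.)?domain2\.com(:[0-9]+)?$" MAGE_RUN_CODE=base_domain2
    SetEnvIf Host "^(www\.)?domain2\.com(:[0-9]+)?$" MAGE_RUN_TYPE=website
</VirtualHost>
```

The key files stay readable only by their owner (0400, as in the listing above); Apache reads them as root at startup, so that is sufficient. Hand-written vhosts like this are overwritten the next time ISPConfig regenerates the site's configuration, which is the same maintenance problem the post raises for the symlinks.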
  2. Jesse Norell (ISPConfig Developer, Staff Member)

    Just one quick thought as I read that last paragraph, what if you ditched the symlinks and instead used bind mounts? Maybe worth a quick try for that issue specifically, not the overall best way to handle this.
     
  3. cfarnleitner (New Member)

    Hey Jesse!

    Bullseye - mount --bind would actually sort out even my last problem about not having the certificate files properly updated via ISPConfig, so you can consider the above problem 'resolved'.
    However, I'm afraid that this approach might cause us trouble in the future, since you won't be able to identify the binding when running ls -s. So for the moment I guess I'll go with the symlinks and keep a README file within web1/ and web2/; or maybe I missed something in your hint?
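
Following up on the bind-mount suggestion, here is an added example (not from either poster) showing both halves: `bind_dir` replaces one of the symlinks with a bind mount and records it in /etc/fstab so it survives a reboot, and `list_binds` addresses the concern about not being able to see a binding with ls. /proc/self/mountinfo lists every mount on the system, and a bind mount shows the bound subdirectory in its 4th field (the "root" within the filesystem) instead of "/", so the binding is visible without any README. `findmnt` from util-linux presents the same data. The paths are the ones from the post; running `bind_dir` requires root, and the mountinfo lines in the test are constructed.

```shell
#!/bin/sh
# Added example for this thread. Share web1's ssl/ and web/ with web2 via bind
# mounts instead of symlinks, and make the bindings discoverable afterwards.
# Paths taken from the post above; adjust client/web ids to your setup.
SRC_BASE=/var/www/clients/client1/web1
DST_BASE=/var/www/clients/client1/web2

# Bind-mount $1 onto $2 and persist it in /etc/fstab. Needs root.
bind_dir() {
    src="$1"; dst="$2"
    [ -d "$src" ] || { echo "missing source directory $src" >&2; return 1; }
    # Refuse to mount over the old symlink; it has to be removed first.
    [ -L "$dst" ] && { echo "$dst is a symlink, remove it first" >&2; return 1; }
    mkdir -p "$dst"
    mount --bind "$src" "$dst" || return 1
    # Bind mounts do not survive a reboot unless listed in fstab.
    grep -qs "^$src $dst " /etc/fstab || \
        printf '%s %s none bind 0 0\n' "$src" "$dst" >> /etc/fstab
}

# Read mountinfo-format text on stdin and print "<bound subdirectory> <mount point>"
# for every bind mount. In mountinfo the 4th field is the root of the mount
# within its filesystem; a plain mount has "/", a bind mount has the bound path.
# (btrfs subvolumes also show a non-"/" root here; they are easy to tell apart.)
list_binds() {
    awk '$4 != "/" { print $4, $5 }'
}

# Usage, as root:
#   rm /var/www/clients/client1/web2/ssl /var/www/clients/client1/web2/web
#   bind_dir "$SRC_BASE/ssl" "$DST_BASE/ssl"
#   bind_dir "$SRC_BASE/web" "$DST_BASE/web"
#   list_binds < /proc/self/mountinfo
```

One caveat that does not exist with symlinks: a recursive delete of web2/ (for example when the site is removed) descends into the bound directories and deletes web1's web root and certificates before failing on the busy mount point, so unmount first. As the thread notes, the mounts are also not known to ISPConfig and are not replicated to the other servers of a multi-server setup.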
     
