Providing alias domains with own SSL certificates

Discussion in 'Developers' Forum' started by JanThiel, Aug 29, 2015.

  1. JanThiel

    JanThiel Member

    Hi all,
    I'm thinking about a clean and neat solution to allow alias domains having their own SSL certificates. There were some questions in the forum within the last years, but they were quite superficial. So I would ask for some feedback on the ideas and maybe some hints how to get this into ISPC itself.
    I am running latest ISPC3 on Debian with php-fpm5.6 and nginx.

    The use case is quite simple (but yet, maybe a bit specific): We run a software that allows customers to use their own domains with our service. As we want to offer them HTTPS there are two solutions:
    1. Use a multi-domain certificate
    2. Use one certificate per domain

    As I wrote, our service is configured as "Website" and holds all the real application configs. The customer domains are pointing to the website as alias domain.
    We tried to come along with solution 1 but found out after a short time, that it might not be the best idea to disclose all the domains we host as alias domain within the certificate ... #FAIL
    So only option 2 remains. Furthermore, this implementation will also allow to use the mighty Let's Encrypt for alias domains as soon as it reaches the web and ISPCore (my vote is totally on the feature request).

    As I quit the Apache world some time ago, I haven't thought about the solvability within it yet. But with nginx my approach would look like the following:
    1. Add an SSL Checkbox + SSL Tab to the Alias Domain creation view (borrow it from the website panel)
    2. Create the alias domain certs within /var/www/[SITENAME]/ssl/[ALIAS-DOMAIN].(crt|key) the same way it works for the website
    3. (now the tricky part I haven't honestly tested yet) Try to use a (very bad - I know) if within the nginx config:
    Code:
    if ($http_host ~* "^(.+)\.[ALIAS-DOMAIN]$") {
            ssl_certificate /var/www/[WEBSITE]/ssl/[ALIAS-DOMAIN].crt;
            ssl_certificate_key /var/www/[WEBSITE]/ssl/[ALIAS-DOMAIN].key;
    }
    
    As this if() {} check is also used for the (SEO?)rewrite, there might be a possibility to combine the $http_host check to save an extra if {} per alias domain. If the ssl_certificate doesn't work within the if - any other solutions / ideas?

    I am open and hoping for any thoughts :)
    If there is interest and my time allows, I would love to contribute the solution to the core ... if I find a feasible one.

    Thx a lot already. Eager to get your input!

    Jan
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig 3.1 has a function called vhost alias domains (similar to the vhost subdomain feature) which allows it to have a separate vhost file and therefore a separate SSL cert for an alias domain. You can download the 3.1 release from our git server http://git.ispconfig.org. But keep in mind that this is still dev code, so not to be used on a production server yet.
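
    Added example (not part of the original posts and not ISPConfig's generated vhost output): nginx accepts `ssl_certificate` only in `http` and `server` context, not inside `if`, so a per-alias certificate needs one `server` block per alias domain, with nginx picking the block by the TLS SNI name. Domain names, the shared include file and the placeholder certificate path are constructed for illustration.

```nginx
# Constructed example: all names and paths below are placeholders.

# Main website: carries the real application configuration.
server {
    listen 443 ssl;
    server_name app.example.com;

    ssl_certificate     /var/www/app.example.com/ssl/app.example.com.crt;
    ssl_certificate_key /var/www/app.example.com/ssl/app.example.com.key;

    # Hypothetical shared file holding root, index and php-fpm locations,
    # so every alias vhost serves the same application.
    include /etc/nginx/snippets/app-common.conf;
}

# One server block per alias domain. Each certificate names only that
# customer's domain, so no certificate lists the other hosted aliases.
server {
    listen 443 ssl;
    server_name customer-a.example www.customer-a.example;

    ssl_certificate     /var/www/app.example.com/ssl/customer-a.example.crt;
    ssl_certificate_key /var/www/app.example.com/ssl/customer-a.example.key;

    include /etc/nginx/snippets/app-common.conf;
}

server {
    listen 443 ssl;
    server_name customer-b.example www.customer-b.example;

    ssl_certificate     /var/www/app.example.com/ssl/customer-b.example.crt;
    ssl_certificate_key /var/www/app.example.com/ssl/customer-b.example.key;

    include /etc/nginx/snippets/app-common.conf;
}

# Catch-all for unknown or missing SNI names. Without it, nginx falls back
# to the first server block on this port and presents that site's
# certificate to anyone connecting by IP address.
server {
    listen 443 ssl default_server;
    server_name _;

    ssl_certificate     /etc/nginx/ssl/placeholder-selfsigned.crt;
    ssl_certificate_key /etc/nginx/ssl/placeholder-selfsigned.key;

    return 444;  # close the connection without sending a response
}
```

    nginx 1.15.9 and later also accept variables such as `$ssl_server_name` in the `ssl_certificate` file name within a single `server` block, at the cost of loading the certificate on every handshake.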
     
  3. JanThiel

    JanThiel Member

    That is just awesome :)
    Till, thanks again once more for this awesome piece of software. And thanks a lot for the information. I'll wait for the Beta release to roll it onto a test environment.

    Have a chilling weekend,

    Jan
     
