SSL problem

Discussion in 'Installation/Configuration' started by LeoLinux, Mar 9, 2007.

  1. LeoLinux

    LeoLinux New Member


    I want to use more then one website in combination with SSL Certs ....

    It perfectly works for one site ... but not for a second one ... it says that it's not possible for this IP anymore ... ?

    I've just read some threads like this in the howtoforge forum:

    what exactly does that mean?

    just for understanding... :

    My ISPconfig Servers internal IP: (the Server is behind a NAT with public IP T-Com)

    when I create a new web I have a option to chose a IP Adress for the web.... but it only gives me one example ( do I have to create a virtual IP for each more SSL Cert I want to use? Or do I really have to dedicate a new public IP address?!

    I just don't really understand why its only possible to run one Cert under one IP because in reallity there are allready more then one cert running ... for example my first one: https://server1:81 for the ISPconfig Webinterface and the second one in a costumers web ...

    So it would be nice if somebody could help and describe me a little the way how SSL works and how I might solve this problem ;-)

    Thanks a lot ... and btw. ... espacelly to Falko and Till!!!! ;-)

  2. martinfst

    martinfst ISPConfig Developer ISPConfig Developer

    Behind NAT, you're not able to have multiple certificates, because you can forward port 80 only to one IP address. You will need to have mulitiple (external accessible) IP addresses. That's a restriction of SSL, Nothing can be done about that. It ensures a server with a certificate is the server is says it is.

    You have two certs now, because you use two different ports (and two different Apapche webservers). But the default webserver port is port 80 and you only have one of that. Port 81 is special, because of the dedicated webservre that comes with ISPConfig.

    If you search the Internet, you will find some obscure possibilities to use one IP and multiple certs, but these all require a special setup and in general break the purpose of SSL.
  3. LeoLinux

    LeoLinux New Member

    Hi and thanks for this good description !! ;-)

    How would such an network without a NAT and multible IP's look like?!
    I mean for each IP you'll need a DSL modem more or how does that work?? Has anybody a good link to learn more about this kind of networktopology without NAT but with much public IPS on one machine?
    Would be greate ;-)

    Thanks !!

  4. Hawker

    Hawker New Member

    In very simple terms, one modem/router can have multiple IP addresses and one network card can also have multiple IP addresses. That is the use of ifcfg-eth0:X where X is a number. It allows assigning multiple IP addresses to your network card.

    As an example I have 5 IP addresses on my line.
    4 are used by the web server (2 dedicated to SSL sites, 1 for shared sites, 1 free).
    1 is used by my windows system.
    When a request for a given IP address comes in only the computer/network card that's configured to that IP will answer.
  5. LeoLinux

    LeoLinux New Member

    ok makes sence what yu tell me ;-)

    so a simple way to solve my problem would look like:

    Modem-----conected with my Debian ISPconfig Server ---->dial in with ppoe daemon---> give the ethernet card which is used for the ppoe dial in some virtual IPs which I dedicated by any provider...

    and then I would be able to chose betwen the IP adresses when I create a new web in my ISPconfig webinterface?!

    ok... should be possible to fix this ... but anyway ... I'm just interested how bigger companys like 1&1 or strato solve this in their serverfarms?! don't they have a NAT behind their modem? How is it possible to give each standalone machine a public IP during they all share the same "DSL" Line?



  6. Hawker

    Hawker New Member

    The IPs used for SSL must be public IP addresses.

    As an example, my modem/router has 5 useable addresses. Let's say they are through

    My server uses these addresses...
    ifcfg-eth0 =
    ifcfg-eth0:0 =
    ifcfg-eth0:1 =
    ifcfg-eth0:2 =

    My windows machine uses

    These are all assigned on the server and windows machines themselves.

    NAT does not come into play when you use public IP addresses. NAT only comes into effect when you have multiple computers on a private network behind a public IP.
    Last edited: Mar 11, 2007
  7. LeoLinux

    LeoLinux New Member

    .... I think I got it ...

    anyway only tow more questions:

    1. I guess there is no way to use this option which is given by my router:

    2. I just don't understand how you can give two different machines different public IPs with only ONE used MODEM I mean how do you share this modem with your windows box?!?!?! HOW does that work?! can any body please draw me a picture ;-)) I might be to stupid to understand it written down ;-)

  8. Hawker

    Hawker New Member

    My modem is also a router. I have NAT turned off and all ports a open (not blocked) on an ADSL line.

    A single DSL Line connects to Modem/Router

    Network cables connect like this...
    Modem/Router Network Port 1 - Server (IPs 1 through 4)
    Modem/Router Network Port 2 - Windows machine (IP 5)
    Modem/Router Network Port 3 - unused
    Modem/Router Network Port 4 - unused

    I guess the way to explain it is that IP addresses are a software function, not a hardware one.

    I'm sorry if I'm confusing you. :eek:
  9. martinfst

    martinfst ISPConfig Developer ISPConfig Developer

    In most countries you only get one public IP address on your home connection, unless you have some business grade line.
  10. LeoLinux

    LeoLinux New Member

    ok - makes sence to disable the NAT function.
    What kind of Router are you using?

    I hope I can do the same with my pfsense router - because I still want to use loadbalancing between two DSL connections




    ahhh I found something ...:


    I think I'm on the right way .. because this option disables NAT?

    does my router from now on work like a IP forwarding machine which lets me use my public / dedicated IPs on my Debian?

    can somebody maybe give me an example how it should look like if my dedicated public IP would be and my internal Debians IP with this screenshot?

    that would be very helpfully!! ;-)


    or is it maybe the not the NAT outbound but the 1:1 option what we are looking for?:


    thx for helping ;-)

    Last edited: Mar 11, 2007
  11. LeoLinux

    LeoLinux New Member

    does nobody use a Firewall like this in front of his Webserver?

  12. falko

    falko Super Moderator ISPConfig Developer

    I'm afraid I can't help with this one... :(
  13. LeoLinux

    LeoLinux New Member

    That's ok - if just found some good threads in the pfsense forum at

    Anyway - thanks to all of you!!


Share This Page