[wp-hackers] WordPress multisite, Domain mapping and SSL

Brian Layman wp-hackers at thecodecave.com
Wed Aug 31 04:20:45 UTC 2011


And prior to this, Apache would indeed always serve the first 
certificate associated with that IP address.

So the real restriction was 1 certificate per IP address, and not that 
you couldn't serve multiple vhosts securely.  So there was a workaround 
if you were tricky.

You could create/purchase a certificate with each domain and the 
wildcard for the domain (example.com *.example.com example2.com 
*.example2.com), and thus you would always serve the valid certificate.

I can issue signed Class 2 certificates, and was able to test this 
and got it to work with a fair number of domains on the single 
certificate.  Apache would throw up warnings at restart (that it 
wouldn't be serving the configured certificates), but they could just be 
ignored.  If it serves the one certificate, and it's the right one, 
that's all you need.

That said, you'd probably be better off with multiple IP addresses or 
SNI. It's not cost effective for most people to purchase certificates in 
that fashion, so this "feature" isn't often used. And any little known 
feature may evaporate through disuse. (Though if anyone did want to 
try this for fun, and/or money is the driving factor, you could always 
become a StartSSL.com Verified partner and issue the certificates 
yourself upon demand).

-
Brian Layman

On 8/30/2011 9:11 PM, Doug Stewart wrote:
> Not entirely true. Apache after 2.2.12 supports SNI (Server Name
> Indication) which allows for multiple SSL certs per IP.
>
> Dig it:
> http://en.wikipedia.org/wiki/Server_Name_Indication
>
> On Tue, Aug 30, 2011 at 5:05 PM, John Blackbourn
> <johnbillion+wp at gmail.com> wrote:
>> On 30 August 2011 21:57, Jeremy Felt <jeremy.felt at gmail.com> wrote:
>>> James,
>>>
>>> Each SSL certificate *requires* a unique IP address on the server. This is
>>> outside the realm of WordPress configuration. The solution will depend on
>>> your network and server setup.
>> And if you're wondering why this is, it's because an SSL connection is
>> negotiated before the request is read, so the server cannot know the
>> hostname being requested until the SSL connection is made. Therefore
>> you can only have one SSL virtualhost per IP address.
>>
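
Added example, not part of the original message: a check of which mapped domains a single multi-domain certificate covers, using the subject alternative name list quoted in the message. It applies the usual wildcard rule (a wildcard stands for exactly one left-most label), which is why the list carries both example.com and *.example.com; the function names and the mapped-domain list are hypothetical.

```python
"""Check which mapped domains a multi-domain certificate actually covers."""


def san_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName entry against a hostname.

    A wildcard is honoured only as the entire left-most label and stands
    for exactly one label, so *.example.com covers www.example.com but
    neither example.com nor a.b.example.com.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Require at least two fixed labels after the wildcard (no "*.com").
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def uncovered(san_entries, hostnames):
    """Return the hostnames that no SAN entry matches, in input order."""
    return [h for h in hostnames
            if not any(san_matches(s, h) for s in san_entries)]


# Constructed sample data: the SAN list from the message, and a
# hypothetical set of domains mapped onto one multisite install.
SAN_FROM_MESSAGE = ["example.com", "*.example.com",
                    "example2.com", "*.example2.com"]
MAPPED_DOMAINS = ["example.com", "blog.example.com", "example2.com",
                  "shop.example2.com", "a.b.example.com", "example3.com"]

if __name__ == "__main__":
    for host in uncovered(SAN_FROM_MESSAGE, MAPPED_DOMAINS):
        print("certificate warning expected for:", host)
```

Any host this reports would be served the shared certificate without a matching name, so it needs its own IP address, SNI, or a reissued certificate that lists it.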
