How to set up SSL with SNI feature for Domain Mapping plugin?

Hi, I am trying to install two SSLs, one for esites.pro and the other one for cursoarcgis.com.br, but when I install the second one it overwrites the first one. I am using this site to check if it is working or not: https://www.sslshopper.com/ssl-checker.html?hostname=http://cursoarcgis.com.br
Bluehost has given me this URL for fixing that: https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm
Would that work? Is it really that hard to get it working? The access is already granted and if my WHM and server credentials are needed, just let me know. Thank you!

  • Kasia Swiderska
    • Support nomad

    Hello diegpl,

    If your server provider gave you that link, then it should work. Because I'm not a system administrator, I'm in no place to tell you if this is hard to set up. But based on the instructions it doesn't look hard - you just need to edit your .conf file to create a new virtual host to manage the second certificate.
    Of course you have to have a backup just in case something goes wrong.
    If you followed these steps here https://www.digicert.com/ssl-certificate-installation-apache.htm to set up your first certificate, then you should be good to add a new VirtualHost to your config file.

    Kind regards,
    Kasia

  • diegpl
    • Syntax Hero

    Through this link it seems that I will need to create a new conf file for every SSL and at least three other files for each SSL. That is not practical at all:

    To use additional SSL Certificates on your server you need to create another Virtual Host. As a best practice, we recommend making a backup of your existing .conf file before proceeding. You can create a new Virtual Host in your existing .conf file or you can create a new .conf file for the new Virtual Host. If you create a new .conf file, add the following line to your existing .conf file:

    Include my_other_site.conf

    Next, in the NameVirtualHost directive list your server's public IP address, *:443, or other port you're using for SSL (see example below).

    Then point the SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile to the locations of the certificate files for each website as shown below:

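    # NameVirtualHost is a plain directive, not a container (needed on Apache 2.2;
    # Apache 2.4 enables name-based virtual hosts automatically and ignores it).
    NameVirtualHost *:443
    
    # First site: ServerName is a bare hostname, matched against the SNI name.
    <VirtualHost *:443>
     ServerName www.yoursite.com
     DocumentRoot /var/www/site
     SSLEngine on
     SSLCertificateFile /path/to/www_yoursite_com.crt
     SSLCertificateKeyFile /path/to/www_yoursite_com.key
     SSLCertificateChainFile /path/to/DigiCertCA.crt
    </VirtualHost>
    
    # Second site: same IP and port, its own certificate and key.
    <VirtualHost *:443>
     ServerName www.yoursite2.com
     DocumentRoot /var/www/site2
     SSLEngine on
     SSLCertificateFile /path/to/www_yoursite2_com.crt
     SSLCertificateKeyFile /path/to/www_yoursite2_com.key
     SSLCertificateChainFile /path/to/DigiCertCA.crt
    </VirtualHost>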
  • diegpl
    • Syntax Hero

    Hi Kasia, thank you for your answer, but it did not answer anything. There was nothing on that thread about what I am asking for. Normal domains are working, but SSL domains do not. I am using WHM and cPanel, the most popular platforms, and Domain Mapping is supposed to deal with SSLs, and since it's for WPMS it should work with SNI too. Thank you a lot!

  • Jose
    • Bruno Diaz

    Hello there @diegopl

    Hope you are doing great today.

    It is not relevant if you are using Domain Mapping or not. The SSL configuration should be the same, no matter if your sites are different single installations or a multisite mapped install.
    The only difference -if we took the vhosts approach- is that your DocumentRoot will be the same for all your virtual hosts. (it will point to the multisite install).

    Actually I want to know if there is a way to install it with SNI certificate through WHM. For me it can be easy, but not for my clients though...

    This is something that you would need to check either with your hosting or with cpanel support.
    At first glance, it seems that it should work straightforwardly as long as your server OS supports it:
    https://documentation.cpanel.net/display/ALD/SSL+FAQ+and+Troubleshooting
    https://documentation.cpanel.net/display/ALD/Install+an+SSL+Certificate+on+a+Domain

    As a side note, I would keep an eye on the tool that you are using to check your certificates. There is a chance that it doesn't support the SNI protocol.
    You should check with a browser/client that is proven to support SNI.

    Hope this helps :slight_smile:

    Cheers,
    José

  • diegpl
    • Syntax Hero

    The SSLs were installed with SNI and the tutorial is here:

    I created the following files via SSH:
    /home/xxxx/certs/cursoarcgis_com_br/cursoarcgis_com_br.ca-bundle
    /home/xxxxx/certs/cursoarcgis_com_br/cursoarcgis_com_br.crt
    /home/xxxxx/certs/cursoarcgis_com_br/cursoarcgis_com_br.key
    In cPanel, I went to the menu Home >> Service Configuration >> Apache Configuration >> Include Editor >> Post VirtualHost Include >> All Versions and inserted the following content:
    <VirtualHost *:443>
    ServerName cursoarcgis.com.br
    ServerAlias www.cursoarcgis.com.br
    DocumentRoot /home/xxxx/public_html
    ServerAdmin xxxxx@xxxx
    UseCanonicalName Off
    CustomLog /usr/local/apache/domlogs/esites.pro combined
    CustomLog /usr/local/apache/domlogs/esites.pro-bytes_log "%{%s}t %I .\n%{%s}t %O ."
    ## User xxxx # Needed for Cpanel::ApacheConf
    UserDir enabled xxxx

    # Enable backwards compatible Server Side Include expression parser for Apache versions >= 2.4.
    # To selectively use the newer Apache 2.4 expression parser, disable SSILegacyExprParser in
    # the user's .htaccess file. For more information, please read:
    # http://httpd.apache.org/docs/2.4/mod/mod_include.html#ssilegacyexprparser
    <IfModule mod_include.c>
    <Directory "/home/xxxx/public_html">
    SSILegacyExprParser On
    </Directory>
    </IfModule>

    <IfModule mod_suphp.c>
    suPHP_UserGroup xxxx xxxx
    </IfModule>
    <IfModule !mod_disable_suexec.c>
    <IfModule !mod_ruid2.c>
    SuexecUserGroup xxxx xxxx
    </IfModule>
    </IfModule>
    <IfModule mod_ruid2.c>
    RMode config
    RUidGid xxxx xxxx
    </IfModule>
    <IfModule itk.c>
    # For more information on MPM ITK, please read:
    # http://mpm-itk.sesse.net/
    AssignUserID xxxx xxxx
    </IfModule>

    ScriptAlias /cgi-bin/ /home/xxxx/public_html/cgi-bin/

    SSLEngine On
    SSLCertificateKeyFile /home/xxxx/certs/cursoarcgis_com_br/cursoarcgis_com_br.key
    SSLCertificateFile /home/xxxx/certs/cursoarcgis_com_br/cursoarcgis_com_br.crt
    SSLCertificateChainFile /home/xxxx/certs/cursoarcgis_com_br/cursoarcgis_com_br.ca-bundle
    </VirtualHost>

    Then I clicked Update >> Restart Apache.

    Installing the certificates for esites.pro

    I created the following files via SSH:
    /home/xxxx/certs/esites_pro/bundle.crt
    /home/xxxx/certs/esites_pro/esites.pro.crt
    /home/xxxx/certs/esites_pro/private.key
    In cPanel, I went to the menu Home >> Service Configuration >> Apache Configuration >> Include Editor >> Post VirtualHost Include >> All Versions and added the following content:
    <VirtualHost *:443>
    ServerName esites.pro
    DocumentRoot /home/xxxx/public_html
    ServerAdmin xxxx@xxxx
    UseCanonicalName Off
    CustomLog /usr/local/apache/domlogs/esites.pro combined
    CustomLog /usr/local/apache/domlogs/esites.pro-bytes_log "%{%s}t %I .\n%{%s}t %O ."
    ## User xxxx # Needed for Cpanel::ApacheConf
    UserDir enabled xxxx

    # Enable backwards compatible Server Side Include expression parser for Apache versions >= 2.4.
    # To selectively use the newer Apache 2.4 expression parser, disable SSILegacyExprParser in
    # the user's .htaccess file. For more information, please read:
    # http://httpd.apache.org/docs/2.4/mod/mod_include.html#ssilegacyexprparser
    <IfModule mod_include.c>
    <Directory "/home/xxxxx/public_html">
    SSILegacyExprParser On
    </Directory>
    </IfModule>

    <IfModule mod_suphp.c>
    suPHP_UserGroup xxxx xxxx
    </IfModule>
    <IfModule !mod_disable_suexec.c>
    <IfModule !mod_ruid2.c>
    SuexecUserGroup xxxx xxxx
    </IfModule>
    </IfModule>
    <IfModule mod_ruid2.c>
    RMode config
    RUidGid xxxx xxxx
    </IfModule>
    <IfModule itk.c>
    # For more information on MPM ITK, please read:
    # http://mpm-itk.sesse.net/
    AssignUserID xxxx xxxx
    </IfModule>

    ScriptAlias /cgi-bin/ /home/xxx/public_html/cgi-bin/

    SSLEngine On
    SSLCertificateKeyFile /home/xxx/certs/esites_pro/private.key
    SSLCertificateFile /home/xxx/certs/esites_pro/esites.pro.crt
    SSLCertificateChainFile /home/xxx/certs/esites_pro/bundle.crt
    </VirtualHost>

    Then I clicked Update >> Restart Apache.

    References

    1. https://documentation.cpanel.net/display/EA/Advanced+Apache+Configuration
    2. https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/637/37/certificate-installation-apache--mod_ssl
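
The point raised earlier in the thread, that a checker which does not send SNI can report the wrong certificate, can be modeled offline. This is an added example, not code from the thread or the plugin: it parses a constructed two-vhost config like the one above and returns which SSLCertificateFile Apache would present for a given SNI name. It assumes these are the only virtual hosts on *:443 and that SSLStrictSNIVHostCheck is off; the function names and shortened /certs/ paths are hypothetical.

```python
import re
from fnmatch import fnmatch

# Constructed sample: the thread's two vhosts, reduced to the lines that
# decide certificate selection; the /certs/ paths are placeholders.
SAMPLE_CONF = """
<VirtualHost *:443>
ServerName cursoarcgis.com.br
ServerAlias www.cursoarcgis.com.br
SSLCertificateFile /certs/cursoarcgis_com_br.crt
</VirtualHost>
<VirtualHost *:443>
ServerName esites.pro
SSLCertificateFile /certs/esites.pro.crt
</VirtualHost>
"""

def parse_vhosts(conf):
    """Return one dict per <VirtualHost> block, in file order."""
    vhosts = []
    blocks = re.findall(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf, re.S | re.I)
    for addr, body in blocks:
        names, cert = [], None
        for line in body.splitlines():
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            key = parts[0].lower()
            if key in ("servername", "serveralias"):
                names += [p.lower() for p in parts[1:]]
            elif key == "sslcertificatefile" and len(parts) > 1:
                cert = parts[1]
        vhosts.append({"addr": addr.strip(), "names": names, "cert": cert})
    return vhosts

def cert_served(vhosts, sni, addr="*:443"):
    """Certificate file presented for a handshake carrying `sni` (None = no SNI)."""
    group = [v for v in vhosts if v["addr"] == addr]
    if sni:
        for v in group:  # first vhost whose ServerName/ServerAlias matches wins
            if any(fnmatch(sni.lower(), n) for n in v["names"]):
                return v["cert"]
    # No SNI sent, or no name matched: the first vhost listed is the default.
    return group[0]["cert"] if group else None

def hidden_from_non_sni(vhosts, addr="*:443"):
    """Hostnames whose own certificate a client without SNI never receives."""
    default = cert_served(vhosts, None, addr)
    return sorted(n for v in vhosts
                  if v["addr"] == addr and v["cert"] != default for n in v["names"])
```
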

  • diegpl
    • Syntax Hero

    Sorry for the Portuguese parts, but the hardest is done. Good luck for the next one! :wink:

    Sorry for asking, but I would be glad to receive some points about that, since I didn't get any points for my wpmudev plugins I have published https://profiles.wordpress.org/diegpl/#content-plugins

    And please, take a look at this other problem I am having about infinite looping between http and https for CoursePress Pro: https://premium.wpmudev.org/forums/topic/infinite-looping-between-http-and-https-for-coursepress-pro

    Thank you a lot!!!
