How to set up SSL with SNI feature for Domain Mapping plugin?

Hi, I am trying to install two SSLs, one for esites.pro and the other one for cursoarcgis.com.br, but when I install the second one it overwrites the first one. I am using this site to check if it is working or not: https://www.sslshopper.com/ssl-checker.html?hostname=http://cursoarcgis.com.br

Bluehost has given me this url for fixing that: https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm

Would that work? Is it really that hard to get it working? The access is already granted and if my WHM and server credentials are needed, just let me know. Thank you!

  • Kasia Swiderska
    • Support nomad

    Hello diegpl,

    If your server provider gave you that link, then it should work. Because I'm not a system administrator, I'm in no place to tell you if this is hard to set up. But based on the instructions it doesn't look hard – you just need to edit your .conf file to create a new virtual host to manage the second certificate.

    Of course you have to have a backup just in case something would go wrong.

    If you followed these steps here https://www.digicert.com/ssl-certificate-installation-apache.htm to set up your first certificate, then you should be good to add a new VirtualHost to your config file.

    Kind regards,

    Kasia

  • diegpl
    • Syntax Hero

    From this link it seems that I will need to create a new conf file for every SSL and at least three other files for each SSL. That is not practical at all:

    To use additional SSL Certificates on your server you need to create another Virtual Host. As a best practice, we recommend making a backup of your existing .conf file before proceeding. You can create a new Virtual Host in your existing .conf file or you can create a new .conf file for the new Virtual Host. If you create a new .conf file, add the following line to your existing .conf file:

    Include my_other_site.conf

    Next, in the NameVirtualHost directive list your server’s public IP address, *:443, or other port you’re using for SSL (see example below).

    Then point the SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile to the locations of the certificate files for each website as shown below:

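    # NameVirtualHost is a plain directive, not a <...> section; Apache 2.2 needs it, Apache 2.4 ignores it
    NameVirtualHost *:443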

    <VirtualHost *:443>
    ServerName www.yoursite.com
    DocumentRoot /var/www/site
    SSLEngine on
    SSLCertificateFile /path/to/www_yoursite_com.crt
    SSLCertificateKeyFile /path/to/www_yoursite_com.key
    SSLCertificateChainFile /path/to/DigiCertCA.crt
    </VirtualHost>

    <VirtualHost *:443>
    ServerName www.yoursite2.com
    DocumentRoot /var/www/site2
    SSLEngine on
    SSLCertificateFile /path/to/www_yoursite2_com.crt
    SSLCertificateKeyFile /path/to/www_yoursite2_com.key
    SSLCertificateChainFile /path/to/DigiCertCA.crt
    </VirtualHost>

  • diegpl
    • Syntax Hero

    Hi Kasia, thank you for your answer, but it did not answer anything. There wasn't anything on that thread about what I am asking for. Normal domains are working, but SSL domains do not. I am using WHM and cPanel, the most popular platforms, and Domain Mapping is supposed to deal with SSLs, and since it's for WPMS it should work with SNI too. Thank you a lot!

  • Jose
    • Bruno Diaz

    Hello there @diegopl

    Hope you are doing great today.

    It is not relevant if you are using Domain Mapping or not. The SSL configuration should be the same, no matter if your sites are different single installations or a multisite mapped install.

    The only difference -if we took the vhosts approach- is that your DocumentRoot will be the same for all your virtual hosts. (it will point to the multisite install).

    Actually I want to know if there is a way to install it with SNI certificate through WHM. For me it can be easy, but not for my clients though…

    This is something that you would need to check either with your hosting or with cpanel support.

    At a first glance, it seems that it should work straightforward as long as your server OS supports it:

    https://documentation.cpanel.net/display/ALD/SSL+FAQ+and+Troubleshooting

    https://documentation.cpanel.net/display/ALD/Install+an+SSL+Certificate+on+a+Domain

    As a side note, I would keep an eye on the tool that you are using to check your certificates. There is a chance that it doesn’t support the SNI protocol.

    You should check with a browser/client that is proven to support SNI.

    Hope this helps :slight_smile:

    Cheers,

    José
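
An added example, not part of the thread or of any poster's code: a simplified Python model of how Apache picks a name-based `*:443` virtual host, showing why a client or checker that sends no SNI name always receives the first virtual host's certificate. The sample config is constructed from the placeholder names in the DigiCert snippet quoted in this thread; `parse_vhosts`, `select_cert` and `bad_names` are hypothetical helper names.

```python
import fnmatch
import re

# Constructed sample, modelled on the two-certificate layout quoted in this thread.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName www.yoursite.com
    SSLCertificateFile /path/to/www_yoursite_com.crt
</VirtualHost>
<VirtualHost *:443>
    ServerName www.yoursite2.com
    ServerAlias yoursite2.com *.yoursite2.com
    SSLCertificateFile /path/to/www_yoursite2_com.crt
</VirtualHost>
"""

def parse_vhosts(conf):
    """Return one dict per <VirtualHost> block, in file order."""
    vhosts = []
    pattern = r"<VirtualHost\s+[^>]*>(.*?)</VirtualHost>"
    for body in re.findall(pattern, conf, re.S | re.I):
        vh = {"names": [], "cert": None}
        for line in body.splitlines():
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            key, args = parts[0].lower(), parts[1:]
            if key in ("servername", "serveralias"):
                vh["names"] += [a.lower() for a in args]
            elif key == "sslcertificatefile" and args:
                vh["cert"] = args[0]
        vhosts.append(vh)
    return vhosts

def select_cert(vhosts, sni):
    """Simplified model of name-based selection: match the SNI name against
    ServerName/ServerAlias (wildcards allowed in aliases); with no SNI name
    or no match, the first listed virtual host is used."""
    if sni:
        for vh in vhosts:
            if any(fnmatch.fnmatchcase(sni.lower(), n) for n in vh["names"]):
                return vh["cert"]
    return vhosts[0]["cert"]

def bad_names(vhosts):
    """Names that can never equal a hostname, e.g. an alias pasted as a URL."""
    return [n for vh in vhosts for n in vh["names"] if "/" in n]
```

A checker that omits SNI corresponds to `select_cert(vhosts, None)`, which is why it reports the first site's certificate for every hostname even when the server is configured correctly.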

  • diegpl
    • Syntax Hero

    The SSLs were installed with SNI and the tutorial is here:

    I created the following files via SSH:

    /home/xxxx/certs/cursoarcgis_com_br/cursoarcgis_com_br.ca-bundle
    /home/xxxxx/certs/cursoarcgis_com_br/cursoarcgis_com_br.crt
    /home/xxxxx/certs/cursoarcgis_com_br/cursoarcgis_com_br.key

    In cPanel, I went to Home >> Service Configuration >> Apache Configuration >> Include Editor >> Post VirtualHost Include >> All Versions and inserted the following content:

    <VirtualHost *:443>
    ServerName cursoarcgis.com.br
    # ServerAlias takes bare hostnames, not URLs
    ServerAlias www.cursoarcgis.com.br
    DocumentRoot /home/xxxx/public_html
    ServerAdmin xxxxx@xxxx
    UseCanonicalName Off
    CustomLog /usr/local/apache/domlogs/esites.pro combined
    CustomLog /usr/local/apache/domlogs/esites.pro-bytes_log "%{%s}t %I .\n%{%s}t %O ."
    ## User xxxx # Needed for Cpanel::ApacheConf
    UserDir enabled xxxx

    # Enable backwards compatible Server Side Include expression parser for Apache versions >= 2.4.
    # To selectively use the newer Apache 2.4 expression parser, disable SSILegacyExprParser in
    # the user's .htaccess file. For more information, please read:
    # http://httpd.apache.org/docs/2.4/mod/mod_include.html#ssilegacyexprparser
    <IfModule mod_include.c>
    <Directory "/home/xxxx/public_html">
    SSILegacyExprParser On
    </Directory>
    </IfModule>

    <IfModule mod_suphp.c>
    suPHP_UserGroup xxxx xxxx
    </IfModule>
    <IfModule !mod_disable_suexec.c>
    <IfModule !mod_ruid2.c>
    SuexecUserGroup xxxx xxxx
    </IfModule>
    </IfModule>
    <IfModule mod_ruid2.c>
    RMode config
    RUidGid xxxx xxxx
    </IfModule>
    <IfModule itk.c>
    # For more information on MPM ITK, please read:
    # http://mpm-itk.sesse.net/
    AssignUserID xxxx xxxx
    </IfModule>

    ScriptAlias /cgi-bin/ /home/xxxx/public_html/cgi-bin/

    # Certificate, private key and CA chain for this hostname only
    SSLEngine On
    SSLCertificateKeyFile /home/xxxx/certs/cursoarcgis_com_br/cursoarcgis_com_br.key
    SSLCertificateFile /home/xxxx/certs/cursoarcgis_com_br/cursoarcgis_com_br.crt
    SSLCertificateChainFile /home/xxxx/certs/cursoarcgis_com_br/cursoarcgis_com_br.ca-bundle
    </VirtualHost>

    Then I clicked Update >> Restart Apache.

    Installing the certificates for esites.pro

    I created the following files via SSH:

    /home/xxxx/certs/esites_pro/bundle.crt
    /home/xxxx/certs/esites_pro/esites.pro.crt
    /home/xxxx/certs/esites_pro/private.key

    In cPanel, I went to Home >> Service Configuration >> Apache Configuration >> Include Editor >> Post VirtualHost Include >> All Versions and added the following content:

    <VirtualHost *:443>
    ServerName esites.pro
    DocumentRoot /home/xxxx/public_html
    ServerAdmin xxxx@xxxx
    UseCanonicalName Off
    CustomLog /usr/local/apache/domlogs/esites.pro combined
    CustomLog /usr/local/apache/domlogs/esites.pro-bytes_log "%{%s}t %I .\n%{%s}t %O ."
    ## User xxxx # Needed for Cpanel::ApacheConf
    UserDir enabled xxxx

    # Enable backwards compatible Server Side Include expression parser for Apache versions >= 2.4.
    # To selectively use the newer Apache 2.4 expression parser, disable SSILegacyExprParser in
    # the user's .htaccess file. For more information, please read:
    # http://httpd.apache.org/docs/2.4/mod/mod_include.html#ssilegacyexprparser
    <IfModule mod_include.c>
    <Directory "/home/xxxxx/public_html">
    SSILegacyExprParser On
    </Directory>
    </IfModule>

    <IfModule mod_suphp.c>
    suPHP_UserGroup xxxx xxxx
    </IfModule>
    <IfModule !mod_disable_suexec.c>
    <IfModule !mod_ruid2.c>
    SuexecUserGroup xxxx xxxx
    </IfModule>
    </IfModule>
    <IfModule mod_ruid2.c>
    RMode config
    RUidGid xxxx xxxx
    </IfModule>
    <IfModule itk.c>
    # For more information on MPM ITK, please read:
    # http://mpm-itk.sesse.net/
    AssignUserID xxxx xxxx
    </IfModule>

    ScriptAlias /cgi-bin/ /home/xxx/public_html/cgi-bin/

    # Certificate, private key and CA chain for this hostname only
    SSLEngine On
    SSLCertificateKeyFile /home/xxx/certs/esites_pro/private.key
    SSLCertificateFile /home/xxx/certs/esites_pro/esites.pro.crt
    SSLCertificateChainFile /home/xxx/certs/esites_pro/bundle.crt
    </VirtualHost>

    Then I clicked Update >> Restart Apache.

    References

    1. https://documentation.cpanel.net/display/EA/Advanced+Apache+Configuration

    2. https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/637/37/certificate-installation-apache–mod_ssl

  • diegpl
    • Syntax Hero

    Sorry for the Portuguese parts, but the hardest is done. Good luck for the next one! :wink:

    Sorry for asking, but I would be glad to receive some points for that, since I didn't get any points for the wpmudev plugins I have published https://profiles.wordpress.org/diegpl/#content-plugins

    And please, take a look at this other problem I am having with infinite looping between http and https for CoursePress Pro: https://premium.wpmudev.org/forums/topic/infinite-looping-between-http-and-https-for-coursepress-pro

    Thank you a lot!!!
