Securing a WordPress Network with Multiple SSL Certificates using Apache SNI & Name-Based Virtual Hosts

Configuring multiple SSL certificates on a single-IP server takes a few advanced steps over an SSH connection to your web server. Without SNI, Apache can serve only one SSL certificate per IP address, and many of the posts I found online pointed readers towards a wildcard certificate so that a single certificate covers the entire network. I needed domain-specific certificates to display and allow secure checkout on each website that I manage. After digging deeper, I found a solution that I was able to put in place on my Amazon EC2 instance running a WordPress network on Amazon Linux.

This article applies to Apache version 2.2.12 and later, which support SNI (Server Name Indication) for serving multiple SSL certificates from one IP address.

Previous Steps:

  • Purchase an SSL certificate
  • Connect to your Linux Web Server via SSH
  • Generate a 2048-bit RSA key via SSH
  • Provide registrar with CSR data
  • Install CA and intermediate certificates


Once the above steps have been completed, navigate to the Apache (httpd) configuration directory:

cd /etc/httpd/conf/

I use a file named httpd-vhosts.conf to control Virtual Hosts on my server, and that file is referenced at the bottom of the httpd.conf file. So, open your vhosts file (with sudo privileges):

sudo su      (to gain root access)
vi httpd-vhosts.conf

Once inside the file, confirm that there are no VirtualHost entries for "*:443". Then press 'i' to enter INSERT mode.

Format the following information to match your specific needs. I needed two domains to use the same IP and separate SSL certificates.

I reference the WordPress network origin (the main URL) as the only port 80 virtual host. All other domains are mapped with the native Domain Mapping function within WordPress’ Tools tab. Be sure to include the Directory tags underneath each VirtualHost tag, with the closing VirtualHost tag after the closing Directory tag for proper routing within the network.

# Listen for virtual host requests on all IP addresses
NameVirtualHost *:80

<VirtualHost *:80>
ServerAdmin webmaster@nbbdoc.com
DocumentRoot "/var/www/html"
ServerName nbbdoc.com
ServerAlias www.nbbdoc.com

<Directory "/var/www/html">
# Options must be all bare or all +/- prefixed; mixing them fails configtest
# (Indexes enables directory listings; drop it if you do not need them)
Options Indexes MultiViews FollowSymLinks
AllowOverride all
Order allow,deny
Allow from all

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]

# uploaded files
RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule . index.php [L]
</Directory>
</VirtualHost>


# Listen for virtual host requests on all IP addresses
NameVirtualHost *:443

# Accept connections from non-SNI clients (they get the first *:443 host's certificate)
SSLStrictSNIVHostCheck off

<VirtualHost *:443>
ServerAdmin webmaster@nbbdoc.com
DocumentRoot "/var/www/html"
ServerName nbbdoc.com:443
ServerAlias www.nbbdoc.com
SSLEngine on
SSLProtocol all
SSLCertificateFile /etc/pki/tls/certs/www-nbbdoc-com.crt
SSLCertificateKeyFile /etc/pki/tls/private/www-nbbdoc-com.key
# intermediate chain (SSLCertificateChainFile is the directive intended for this)
SSLCACertificateFile /etc/pki/tls/certs/nbbdoc-intermediate.crt
<Directory "/var/www/html">
Options Indexes MultiViews FollowSymLinks
AllowOverride all
Order allow,deny
Allow from all

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]

# uploaded files
RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule . index.php [L]
</Directory>
</VirtualHost>

<VirtualHost *:443>
ServerAdmin webmaster@nbbdoc.com
DocumentRoot "/var/www/html"
ServerName munook.com:443
ServerAlias www.munook.com
SSLEngine on
SSLProtocol all
SSLCertificateFile /etc/pki/tls/certs/www-munook-com.crt
SSLCertificateKeyFile /etc/pki/tls/private/www-munook-com.key
# intermediate chain (SSLCertificateChainFile is the directive intended for this)
SSLCACertificateFile /etc/pki/tls/certs/munook-intermediate.crt
<Directory "/var/www/html">
Options Indexes MultiViews FollowSymLinks
AllowOverride all
Order allow,deny
Allow from all

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]

# uploaded files
RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule . index.php [L]
</Directory>
</VirtualHost>


After formatting the above information and pasting it into your vhosts file, press Esc to exit INSERT mode. Then enter this command:

:wq      (colon enters command-line mode, 'w' writes changes, 'q' quits vi)

Restart the httpd service on your server:

service httpd restart

If all of the information was entered properly, you now have multiple domains using unique SSL certificates within one Apache instance on a single IP. If you received an error when restarting the httpd service, then one of your file paths or directives is not configured properly. I will gladly assist anyone experiencing issues for a small fee. I have configured multiple servers from the base OS image up to a fully-functioning eCommerce network operating on WordPress.
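Before restarting httpd, a quick lint of the vhosts file catches the kind of mistake the paragraph above warns about (a missing certificate directive, a *:443 host SNI cannot select) and flags the permissive SSLProtocol all setting. This is an added example, not part of the original post or of Apache; it parses a constructed sample in the same shape as the configuration above, with the hostnames and certificate paths treated as placeholders.

```python
import re

# Constructed sample shaped like the vhosts file above; the second host
# deliberately omits its key file so the linter has something to report.
SAMPLE_CONF = """NameVirtualHost *:443
<VirtualHost *:443>
ServerName nbbdoc.com:443
SSLEngine on
SSLProtocol all
SSLCertificateFile /etc/pki/tls/certs/www-nbbdoc-com.crt
SSLCertificateKeyFile /etc/pki/tls/private/www-nbbdoc-com.key
</VirtualHost>
<VirtualHost *:443>
ServerName munook.com:443
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile /etc/pki/tls/certs/www-munook-com.crt
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S)

def parse_vhosts(text):
    """Return (address, {directive: value}) for every VirtualHost block."""
    hosts = []
    for addr, body in VHOST_RE.findall(text):
        directives = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()      # drop comments
            if line and not line.startswith("<"):    # skip <Directory> tags
                key, _, value = line.partition(" ")
                directives[key] = value.strip().strip('"')
        hosts.append((addr.strip(), directives))
    return hosts

def lint_ssl_vhosts(text):
    """Flag what makes httpd refuse to start or weakens TLS on *:443 hosts."""
    findings = []
    if "NameVirtualHost *:443" not in text:
        findings.append("missing 'NameVirtualHost *:443' (Apache 2.2 needs it for SNI)")
    for addr, d in parse_vhosts(text):
        if not addr.endswith(":443"):
            continue
        name = d.get("ServerName", addr)
        if "ServerName" not in d:
            findings.append(f"{addr}: SSL vhost without ServerName; SNI cannot select it")
        if d.get("SSLEngine", "").lower() != "on":
            findings.append(f"{name}: SSLEngine is not 'on'")
        for key in ("SSLCertificateFile", "SSLCertificateKeyFile"):
            if key not in d:
                findings.append(f"{name}: missing {key}")
        if d.get("SSLProtocol", "all").split() == ["all"]:   # absent means 'all' on 2.2
            findings.append(f"{name}: SSLProtocol is 'all' (the default), which leaves SSLv3 enabled")
    return findings
```

Run it against your real file with `lint_ssl_vhosts(open("/etc/httpd/conf/httpd-vhosts.conf").read())`; an empty list means the checks passed, after which `httpd -t` gives Apache's own verdict before the restart.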
