Setting up SNI with Apache 2.4

Welcome,

In this tutorial we will look at setting up SNI with Apache 2.4. With SNI you can serve multiple SSL certificates from one Apache instance on a single IP address.

Since Apache v2.2.12 and OpenSSL v0.9.8j you can use a transport layer security (TLS) extension called SNI (Server Name Indication): the client sends the host name it wants during the TLS handshake, so the server can pick the matching certificate before the HTTP request is ever seen. With SNI you can secure multiple Apache sites using a single SSL Certificate, or use multiple SSL Certificates to secure various websites on a single domain (e.g. www.yourdomain.com, site2.yourdomain.com) or across multiple domains (www.domain1.com, www.domain2.com), all from a single IP address. The benefit of using SNI is obvious: you can secure more websites without purchasing more IP addresses or additional hardware.

SNI is supported by many common browsers:

Desktop Browsers
Internet Explorer 7 and later
Firefox 2 and later
Opera 8 with TLS 1.1 enabled
Google Chrome:
Supported on Windows XP on Chrome 6 and later
Supported on Vista and later by default
OS X 10.5.7 in Chrome Version 5.0.342.0 and later
Safari 2.1 and later (requires OS X 10.5.6 and later or Windows Vista and later).

Note: No versions of Internet Explorer on Windows XP support SNI

Mobile Browsers
Mobile Safari for iOS 4.0 and later
Android 3.0 (Honeycomb) and later
Windows Phone 7 and later

Now, looking at our Apache installation at location /etc/apache2/mods-available we can see that the ssl-module is in there ready to be enabled:

root@ubuntu01:/etc/apache2/mods-available# ls -al
...
-rw-r--r-- 1 root root  3404 Jan  7  2014 ssl.conf
-rw-r--r-- 1 root root    97 Jan  3  2014 ssl.load

Determining if the ssl-module is already enabled can be done with the following command…

root@ubuntu01:/etc/apache2/mods-available# apachectl -M

…or by listing the /etc/apache2/mods-enabled folder

root@ubuntu01:/etc/apache2/mods-enabled# ls -al

We can see that it’s not enabled yet, so let’s enable it:

root@ubuntu01:/etc/apache2/mods-enabled# a2enmod ssl

Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  service apache2 restart

To verify that the symlinks now have been created we can list the content of mods-enabled folder:

root@ubuntu01:/etc/apache2/mods-enabled# ls -al
...
lrwxrwxrwx 1 root root   26 Jul  6 11:53 ssl.conf -> ../mods-available/ssl.conf
lrwxrwxrwx 1 root root   26 Jul  6 11:53 ssl.load -> ../mods-available/ssl.load

Now create a folder where we will put the certificates and keys. I chose to call it ssl-stuff:

root@ubuntu01:/etc/apache2# mkdir ssl-stuff

Copy your certificate www_example_com.crt, your unencrypted key www_example_com.key and your Authority’s (intermediate) certificate file ca.crt into this folder.

Please note:

  • If the contained private key is encrypted, the pass phrase dialog is forced at startup time.
  • SSLCertificateChainFile became obsolete with Apache version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.

Since we are using Apache 2.4.7, the SSLCertificateChainFile directive is not yet obsolete for us, so we still use it to supply the CA chain.

Set the permissions so that only the owner can read/write the decrypted key in ssl-stuff:

root@ubuntu01:/etc/apache2/ssl-stuff# chmod 600 www_example_com.key

Now edit your vhosts file:

<IfModule mod_ssl.c>
  <VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    <Directory /var/www/example>
      Options Indexes FollowSymLinks
      AllowOverride None
      Require all granted
    </Directory>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl-stuff/www_example_com.crt
    SSLCertificateKeyFile /etc/apache2/ssl-stuff/www_example_com.key
    SSLCertificateChainFile /etc/apache2/ssl-stuff/ca.crt
    JkMount /manager/* ajp13_worker
    JkMount /manager ajp13_worker
    JkMount /examples/* ajp13_worker
    JkMount /examples ajp13_worker
  </VirtualHost>
</IfModule>

Now restart Apache and access the https site from a browser that supports SNI. If you set it up correctly, you will reach the site without any warnings or problems. You can add as many websites or SSL Certificates as you need by adding more VirtualHost configurations on *:443 similar to the one above, each with its own ServerName and certificate files.

root@ubuntu01:/etc/apache2/sites-available# service apache2 restart
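As an added example (not part of the original tutorial), the following script generates one SSL VirtualHost stanza per site on *:443, which is all SNI needs, and includes an openssl check of which certificate the server presents for a given host name. The host names and document roots are constructed; the certificate file naming and the /etc/apache2/ssl-stuff path follow the tutorial.

```shell
#!/bin/sh
# Added example, not the tutorial's own code. Emits one SSL VirtualHost per
# site so several certificates share *:443; Apache selects the stanza whose
# ServerName matches the host name the client sends in the SNI extension.

# vhost_stanza NAME DOCROOT -> prints an SSL VirtualHost for NAME.
# Assumption: certificate files are named after the host with dots replaced
# by underscores, as in the tutorial (www_example_com.crt / .key).
vhost_stanza() {
  name=$1
  docroot=$2
  base=$(printf '%s' "$name" | tr '.' '_')
  cat <<EOF
<VirtualHost *:443>
  ServerName $name
  DocumentRoot $docroot
  SSLEngine on
  SSLCertificateFile /etc/apache2/ssl-stuff/$base.crt
  SSLCertificateKeyFile /etc/apache2/ssl-stuff/$base.key
  SSLCertificateChainFile /etc/apache2/ssl-stuff/ca.crt
</VirtualHost>

EOF
}

# write_sni_config OUTFILE NAME:DOCROOT... -> writes all stanzas to OUTFILE
# and prints how many were written.
# The first stanza is also the default: a client that sends no SNI (old
# browsers, see the list above) or an unknown name gets that site's
# certificate, so list the site you want shown to such clients first.
write_sni_config() {
  out=$1; shift
  : > "$out"
  for site in "$@"; do
    vhost_stanza "${site%%:*}" "${site#*:}" >> "$out"
  done
  grep -c '^<VirtualHost \*:443>' "$out"
}

# check_sni HOST -> prints the subject of the certificate the server presents
# when the client sends HOST as SNI (needs network access to HOST:443).
# Drop -servername to see what non-SNI clients would get.
check_sni() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject
}
```

Run it as `write_sni_config /etc/apache2/sites-available/sni.conf www.example.com:/var/www/example site2.example.com:/var/www/site2`, then enable the file and restart Apache as above.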
