SSL, single IP, multiple domains, no SNI, self-signed... arrrrgh!

[davidtg]

Hi, all --

I've tried to search the forums & knowledgebase to make sure that I've done as much as possible on my own, but I'm still stuck. I have a single IP, a few customers with a 1 to 3 domains (and often lots of sub-sites) each, currently no SNI support, and would like to have https available for every site under one or more self-signed SSL certs.

The virtual server I've been given is running OpenSuSE 12.1 and Plesk 11.0.9 Update #60. I checked my RPMs and do not see 'sni', so I ran the Plesk autoinstaller but also couldn't see how to add it in there. While it would be a bonus to have separate SSL certs per domain (or even per site), it's not a requirement.

I saw that I can in Tools & Settings > SSL Certificates create a default self-signed cert to apply to all sites, and I had actually done that as part of my exploration. In addition to noting another post saying that that's apparently problematic and not a good idea, it also doesn't seem to do much for me.

I went to the CustomerA account, created a self-signed cert, went to the CustomerA domain, checked the SSL box, and specified that cert in the pulldown.
I went to the CustomerB account, created a[nother] self-signed cert, went to the CustomerB domain, checked SSL, and specified.

Neither domain answers on port 443, although that default-for-all SSL appears to be working for the base IP, since a convenience name pointer to the machine's IP (because I keep forgetting it gets me there and the server answers.

I am so lost /2 In the past, I've simply configured NameVirtualHost for both IP and IP:443 and then defined both <VirtualHost IP> and <VirtualHost IP:443> with a ServerName param in each. I don't know where Plesk keeps its templates for rebuilding the httpd config every time, though, so I haven't been able to try that yet. And, of course, I'd rather use a better way if there is one. Can anyone provide any pointers?

- Can I even do this under Plesk 11?
- Do I *have* to get the SNI RPM, and if so will that confuse Plesk?
- Any recommendations for someone on both an IP (only one) and dollars (no real certs) budget?


TIA & Merry Christmas

:-D
--
David T-G

 

[IgorG]

First of all, have you read this documentation about using SNI feature - http://download1.parallels.com/Ples...inistrator-guide/index.htm?fileName=68308.htm ?

 

[davidtg]

Igor, et al --

First of all, have you read this documentation about using SNI feature - http://download1.parallels.com/Ples...inistrator-guide/index.htm?fileName=68308.htm ?

Well, yes and no... I don't think that I've seen that specific page, but nothing on it was new after my searching to date. In particular,

Note that in cases when SNI is not supported, assigning an SSL certificate to a site hosted on a shared IP address will associate that certificate with all other sites hosted on the same IP address.

is not a deal-breaker for me in the slightest.

My problem is that, even though I have told Plesk to enable SSL for a couple of domains, I do not get a response from the web server domainname:443.


TIA again & Merry Christmas

:-D
--
David T-G

 

[davidtg]

or, will installing the SNI RPM confuse plesk?

It's awfully quiet out there. If I'm barking up the wrong tree, then let's fall back to SNI config. I didn't find SNI in the Plesk autoinstaller; did I miss it? If I install the SNI RPM manually, will that confuse Plesk?


TIA & Merry Christmas to all

:-D
--
David T-G

 

[IgorG]

Make sure that you have enabled following option:

# cat /etc/psa/psa.conf | grep SNI
# SNI
SNI_SUPPORT true

 

[IgorG]

Also check that SNI support exists with something like:

# strings /usr/lib//apache2/modules/mod_ssl.so | grep -i sni
SSLStrictSNIVHostCheck
Strict SNI virtual host checking
SSL_TLS_SNI
Hostname %s provided via SNI, but no hostname provided in HTTP request
Hostname %s provided via SNI and hostname %s provided via HTTP are different
No hostname was provided via SNI for a name based virtual host
Non-default virtual host with SSLVerify set to 'require' and VirtualHost-specific CA certificate list is only available to clients with TLS server name indication (SNI) support

 

[davidtg]

Make sure that you have enabled following option:

# cat /etc/psa/psa.conf | grep SNI
# SNI
SNI_SUPPORT true
​

Yes, I do see that SNI is true. So... will Plesk be happy if I manually install the SNI RPM? Or can I convince the autoinstaller to do so?


:-D
--
David T-G

 

[davidtg]

Also check that SNI support exists with something like:

# strings /usr/lib//apache2/modules/mod_ssl.so | grep -i sni
SSLStrictSNIVHostCheck
Strict SNI virtual host checking
SSL_TLS_SNI
Hostname %s provided via SNI, but no hostname provided in HTTP request
Hostname %s provided via SNI and hostname %s provided via HTTP are different
No hostname was provided via SNI for a name based virtual host
Non-default virtual host with SSLVerify set to 'require' and VirtualHost-specific CA certificate list is only available to clients with TLS server name indication (SNI) support
​

This one is uglier; 1) I found my mod_ssl.so in /usr/lib64/apache2-prefork/mod_ssl.so rather than where you indicated and 2a) I don't, believe it or not, have strings(1) installed on this box, but 2b) I do see those strings when I look with vim. I'm going to have to poke at strings]/i] with the hosting provider, so I'll get back to you on this... Let me know, though, if a 64-bit build changes anything.


Thanks again!

:-D
--
David T-G

 

[IgorG]

I manually install the SNI RPM?

What exactly SNI rpm do you mean?

 

[davidtg]

Igor, et al --

I manually install the SNI RPM?

What exactly SNI rpm do you mean?

Well, maybe I don't know. I thought that SNI support was added on via an RPM and is missing on my server. If that's not the case, then I really REALLY don't know why I can't get https to work.

I'm in your capable hands HELP!!! Yes, I seriously need education.


Thanks again & Happy Holidays

:-D
--
David T-G

 

[davidtg]

SOLVED : SSL, single IP, multiple domains, no SNI, self-signed... arrrrgh!

Hi again, all --

I've finally resolved the strange problem of https and Plesk on my Linux server. It had nothing to do with the SSL certs or SNI or site/domain config. It was all about ... firewall rules!

I didn't realize that I had any firewall rules already configured or even that Plesk would manage them, and even moreso didn't realize that my hosting company or Plesk as part of the site config did not plan for port 443, and so of course nothing was getting in. The clue finally came when I installed the lynx RPM and was able to connect locally and get the expected site result (which, of course, I couldn't do with just GET / input to a telnet to port 443 as one can on port 80); that told me that httpd and Plesk *were* behaving properly and that it must be a host or network config issue. Since I had tried from other hosts both at home and in another datacenter, I ruled out anything outside of my hosting company, gave 'em a call, and had an answer in 5 minutes. Yay!

Sorry for the confusion -- but, for everyone in the future trying to figure out how to get https on a shared IP working, now we all know to check the connectivity as well!


Thanks again to all (especially Igor!) and Happy Holidays