Computer Tips - Apache says "[warn] Init: You should not use name-based virtual hosts in conjunction with SSL!!".
Q. Apache says "[warn] Init: You should not use name-based virtual hosts in conjunction with SSL!!".
Is this for real?
A. Well, yes and no.
The Apache FAQ says (in part):
Why is it not possible to use Name-Based Virtual Hosting
to identify different SSL virtual hosts?
Name-Based Virtual Hosting is a very popular method of identifying different
virtual hosts. It allows you to use the same IP address and the same port
number for many different sites. When people move on to SSL, it seems natural
to assume that the same method can be used to have lots of different SSL
virtual hosts on the same server.
It comes as rather a shock to learn that it is impossible.
Read more at http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts2
So, yes, officially you need one IP-address or port per SSL host.
But what if you aren't running a bank website and just want some encryption?
There will be warning about self-signed certificates anyways.
It would be nice to have a separate certificate file for each name-based
SSL host, like this:
However this doesn't work as expected. It just uses the first one for all.
If a user goes to https://example2.com they get a popup saying
the certificate is self-signed and for site example1.com. They can
understand that it's self-signed but being for another site?! That's
extra off-putting. So instead, I create a generic self-signed certificate
that doesn't mention any site. Just enter "no-site" or "none", etc
for the host name when creating the certificate. Setup your name-based
virtual hosts like this:
This works. Its not pretty but it works.
When you visit a site like this your browsers asks you
if you want to temporarily or permanently accept the certificate.
If you answer "temporarily" then you won't get any conflicts.
But its hard to make all your users do this.
Server Name Indication promises to fix this.