Shared IP SSL not working correctly

Hi

I’m sorry to bother you, and we have had a client install an SSL on our shared IP used for hosting, which appears to have stopped the server SSL from being accessed.

I’m sorry if the above is not explained well, but I’ll try to explain more as follows (please note this is on a shared hosted IP):

Server SSL installed and working fine (with no other SSL installed)
Client installed their own SSL onto their domain in siteworx

When checking server SSL using qual labs, it shows the client SSL, and fails test (on trust)

I set the client to dedicated IP, all returns to normal

I copied the PK, CSR, Cert and chain, deleted the SSL and returned client back to shared IP, but when attempting to put the SSL back, it failed stating Cert does not match for private key.

I asked our client to resetup SSL from new, which they completed, and it is back to failing SSL test for server SSL, whilst the client SSL is fine, but then there are only these 2 SSL on the shared IP.

I have not taken any pictures as we don’t have permission to show client’s domain.

Please could I ask if we have not completed anything correctly or if this is a bug perhaps.

Lastly, the openssl was updated this morning to ver 5.4 from ver 5.1

Thanking you all in advance

Many thanks

John

Hi

I am pleased to let everyone know shared SSL IP works lovely, and the issue was my fault for not understanding, so it was working correctly without my realisation sorry.

For anyone who may not realise fully how shared SSL IP works, it is as follows:

On a shared IP with no SSL - all works as expected
If 1 website installs an SSL (i.e. example.url), then all https requests will display this website (see note below)
If another website installs an SSL (i.e. example2.url), then if the https request is for example2.url, SSL works fine and displays example2.url website
However, all websites without SSL set, would display the example.url if requesting https

Hence, it was my lack of understanding which made me think it was not working, sorry.

The current workaround for this is to either set all SSL websites to dedicated IP (as previous) or set all SSL (even if self generated) on websites which need https access or all websites, or we created a new domain called 1.co.uk (not ours, and I’m sure someone may own it somewhere) and setup a self generated SSL, which means any website on shared without an SSL would default to this one, and we will put an informative page up to let users know why they hit that page.

Please also note, the server SSL does not take precedence over the shared IP for SSL, which again was my misunderstanding, and as such, for those who have a paid SSL, you would need to create a siteworx for the domain and complete the following (as you do not want to break the server SSL currently installed), copy the Private Key from server SSL and paste it into siteworx SSL private key, create a new CSR, copy the server cert and paste into siteworx SSL cert and complete the same for chain certs. This then allows the correct server SSL to operate on the shared IP with other SSL setup on it. Lastly, you may need to edit your ciphers as you require.

The really good news is Interworx are fully aware of this, and are actively working on making this work without the extra work needed as above.

Many thanks to IW-Robert for extremely quick help and for being patient whilst I understood it, thanks.

I hope this helps, and once again, I’m sorry for being wrong and shared SSL IP does work.

Many thanks

John

[QUOTE=d2d4j;25038]The really good news is Interworx are fully aware of this, and are actively working on making this work without the extra work needed as above.[/QUOTE]

Any progress/update on this?

Hi lkarpiuk

I’ve not heard anything but do believe it’s on the road map, if not already fixed.

Many thanks

John

We’re still seeing the cert of the first alphabetical site being used on sites without certs. Can you tell me more about your workaround solution?

Hi ikarpiuk

We now have a registered domain called 1sh.co.uk, and created a self signed cert for the domain.

This now shows as the first if other websites tested for SSL which do not have an SSL. For those that do have an installed SSL, these test on correct domain.

Our intention is to create a holding page stating the domain you’re trying to reach does not have an SSL, please contact your reseller.

It works very well for us

In reality though, you could use a domain which does not exist, as it is not live, and only is referred to when a domain without SSL is referenced.

I hope that helps

Many thanks

John
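
The certificate selection described in this thread, modelled as an added example that is not part of any post and is not InterWorx code. It assumes the fallback is the first SSL site in alphabetical order, as the posters report; every hostname except 1sh.co.uk is constructed.

```python
"""Model of which certificate a shared IP presents for each https request."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Site:
    name: str                 # hostname of a site on the shared IP
    cert_names: tuple = ()    # names in its certificate; empty = no SSL installed
    trusted: bool = True      # False for a self-signed certificate

def covers(pattern: str, host: str) -> bool:
    """Certificate name match, with single-label wildcard support."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def select_cert(sites, sni: str) -> Optional[Site]:
    """Return the site whose certificate is presented for the requested name."""
    ssl_sites = sorted((s for s in sites if s.cert_names), key=lambda s: s.name)
    for s in ssl_sites:
        if s.name.lower() == sni.lower():
            return s
    # Assumption from the thread: no match falls back to the first SSL site.
    return ssl_sites[0] if ssl_sites else None

def audit(sites):
    """Map each hostname to what a client requesting it over https would see."""
    report = {}
    for site in sites:
        served = select_cert(sites, site.name)
        if served is None:
            report[site.name] = "no https listener"
        elif not any(covers(n, site.name) for n in served.cert_names):
            report[site.name] = f"name mismatch: gets cert of {served.name}"
        elif not served.trusted:
            report[site.name] = "untrusted (self-signed)"
        else:
            report[site.name] = "ok"
    return report

# Constructed sample sites; server.example stands in for the server hostname.
SITES = [Site("example.url", ("example.url",)), Site("example2.url", ("example2.url",)),
         Site("nossl.example"), Site("server.example")]
WITH_PLACEHOLDER = SITES + [Site("1sh.co.uk", ("1sh.co.uk",), trusted=False)]

if __name__ == "__main__":
    for label, sites in (("before", SITES), ("after", WITH_PLACEHOLDER)):
        print(label, audit(sites))
```

Running it prints the audit before and after the placeholder site is added, so the change in which certificate the sites without SSL receive is visible side by side.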