With the shortage of available address space in IPv4, IPs are becoming increasingly difficult to come by, and in some cases, increasingly expensive. However, in most instances, this is not a drawback. Servers are perfectly capable of hosting multiple websites on one IP address, as they have for years.
But, there was a time when using an SSL certificate to secure traffic to your site requires having a separate IPv4 address for each secured domain. This is not because SSLs were bound to IPs, or even to servers, but because the request for SSL certificate information did not specify what domain was being loaded, and thus the server was forced to respond with only one certificate. A name mismatch caused an insecure certificate warning, and therefore, a server owner was required to have unique IPs for all SSL hosts.
Luckily, IPv4 limitations have brought new technologies and usability to the forefront, most notably, Server Name Indication (SNI).
Why Do I Need an SSL?
Secure Socket Layer (SSL) certificates allow two-way encrypted communication between a client and a server. This allows any data protection from prying eyes, including sensitive information like credit card numbers or passwords. SSLs are optionally signed by a well-known, third-party signing authority, such as GlobalSign. The most common use of such certificates are to secure web traffic over HTTPS.
When browsing an HTTPS site, rather than displaying a positive indicator, modern browsers show a negative indicator for a site that is not using an SSL. So, websites that don’t have an SSL will have a red flag right off the bat for any new visitors. Sites that want to maintain reputation are therefore forced to get an SSL.
Luckily, it is so easy to get and install an SSL, even for free, that this is reduced to a basic formality. We’ll cover the specifics of this below.
What is SNI?
Server Name Indication is a browser and web server capability in which an HTTPS request includes an extra header, server_name, to which the server can respond with the appropriate SSL certificate. This allows a single IP address to host hundreds or thousands of domains, each with their own SSL!
SNI technology is available on all modern browsers and web server software, so some 98+% of web users, according to W3, will be able to support it.
We’ll be working on a CentOS 7 VPS server that uses Nginx and PHP-FPM to host websites without any control panel (cPanel, Plesk, etc.). This is commonly referred to as a “LEMP” stack, which substitutes Nginx for Apache in the “LAMP” stack. These instructions will be similar to most other flavors of Linux, though the installation of Let’s Encrypt for Ubuntu 18.04 will be different. I’ll include side-by-side instructions for both CentOS 7 and Ubuntu 18.04.
For the remainder of the instructions, we’ll assume you have Nginx installed and set up to host multiple websites, including firewall configuration to open necessary ports (80 and 443). We are connected over SSH to a shell on our server as root.
Step 1: Enabling SNI in Nginx
Our first step is already complete! Modern repository versions of Nginx will be compiled with OpenSSL support to server SNI information by default. We can confirm this on the command line with:
This will output a bunch of text, but we are interested in just this line:
TLS SNI support enabled
If you do not have a line like this one, then Nginx will have to be re-compiled manually to include this support. This would be a very rare instance, such as in an outdated version of Nginx, one already manually compiled from source with a different OpenSSL library. The Nginx version installed by the CentOS 7 EPEL repository (1.12.2) and the one included with Ubuntu 18.04 (1.14.0) will support SNI.
Step 2: Configuring Nginx Virtual Hosts
Since you have already set up more than one domain in Nginx, you likely have server configuration blocks set up for each site in a separate file. Just in case you don’t, let’s first ensure that our domains are set up for non-SSL traffic. If they are, you can skip this step. We’ll be working on domain.com and example.com.
At the very least, insert the following options, replacing the document root with the real path to your site files, and adding any other variables you require for your sites:
A similar file should be set up for example.com, and any other domains you wish to host. Once these files are created, we can enable them with a symbolic link:
ln -s /etc/nginx/sites-available/domain.com /etc/nginx/sites-enabled/
ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
Now, we restart Nginx…
systemctl reload nginx
This reloads the configuration files without restarting the application. We can confirm that the two we just made are loaded using:
You should see your server_name line for both domain.com and example.com.
Now that we have valid running configurations, we can add the SSLs we have for these domains as new server blocks in Nginx. First, save your SSL certificate and the (private) key to a global folder on the server, with names that indicate the relevant domain. Let’s say that you chose the global folder of /etc/ssl/. Our names, in this case, will be /etc/ssl/domain.com.crt (which contains the certificate itself and any chain certificates from the signing authority), and /etc/ssl/domain.com.key, which contains the private key. Edit the configuration files we created:
Add a brand new server block underneath the end of the existing one (outside the last curly brace) with the following information:
Note the change of the listening port to 443 (for HTTPS) and the addition of the ssl_certificate and ssl_certificate_key lines. Instead of rewriting the whole block, you could copy the original server block and then add these extra lines, while changing the listen port. Save this file and reload the Nginx configuration.
systemctl reload nginx
We again confirm the change is in place using:
For some setups you’ll see two server_name lines each for domain.com and example.com, one using port 80 and one using port 443. If you do, you can skip to Step 4, otherwise continue to the next step.
Let’s next set up the free SSL provider Let’s Encrypt to automatically sign certificates for all the domains we just set up in Nginx. On Ubuntu 18.04, add the PPA and install the certificate scripts with aptitude:
apt-get install certbot python-certbot-nginx
In CentOS 7, we install the EPEL repository and install the certificate helper from there.
yum install epel-release
yum install certbot python2-certbot-nginx
On both systems, we can now read the Nginx configuration and ask the Certbot to assign us some certificates.
This will ask you some questions about which domains you would like to use (you can leave the option blank to select all domains) and whether you would like Nginx to redirect traffic to your new SSL (we would!). After it finishes it’s signing process, Nginx should automatically reload its configuration, but in case it doesn’t, reload it manually:
systemctl reload nginx
You can now check the running configuration with:
You should now instead see two server_name lines each for domain.com and example.com, one using port 80 and one using port 443.
Let’s Encrypt certificates are only valid for 90 days from issuance, so we want to ensure that they are automatically renewed. Edit the cron file for the root user by running:
The cron should look like this:
45 2 * * 3,6 certbot renew && systemctl reload nginx
Once you save this file, every Wednesday and Saturday at 2:45 AM, the certbot command will check for any needed renewals, automatically download and install the certs, followed by a reload of the Nginx configuration.
We should now check the validity of our SSLs and ensure that browsers see the certificate properly. Visit sslcheck.liquidweb.com and type in your domain names to check the site’s SSL on your server. You should see four green check marks, indicating SSL protection.
We hope you’ve enjoyed our tutorial on how to install SSLs on multiple sites within one server. Liquid Web customers have access to our support team 24/7. We can help with signed SSL or ordering a new server for an easy transfer over to Liquid Web.
Our Sales and Support teams are available 24 hours by phone or e-mail to assist.