
SNI Implementation Guide v7

GlobalSign Solutions

SNI + CloudSSL Implementation Guide

Hosting Multiple SSL on a Single IP Address


Contents

Introduction
Why do hosting companies want SNI/CloudSSL?
Configuration instructions
    Introduction
    Webserver specific configurations
        APACHE
        CUSTOM
        DIRECTADMIN
        NGINX
        POUND
Frequently asked questions
GETTING HELP


Introduction

SNI/CloudSSL is a solution for hosting multiple SSL certificates on a single IP address. It combines two GlobalSign products: SSL Certificates installed via Server Name Indication (SNI) and CloudSSL. The multi-domain (CloudSSL) certificate is used as a fallback to support the 8-10% of users whose clients have no support for SNI.

Why do hosting companies want SNI/CloudSSL?

IP shortage - There's a shortage of IPv4 addresses; APNIC and RIPE (EMEA) stock is close to zero.
Costs - More hosting companies are starting to ask for a monthly fee per IP.
No DNS updates - When using SNI, no DNS updates have to be made when installing an SSL Certificate, because multiple certificates can run on a single IP address.
Simplicity - The CloudSSL Certificate is updated & maintained automatically by an application delivered by GlobalSign.
SSL demand - Higher demand for SSL Certificates by regulations and requirements from sites such as Facebook (to link a website or application).
Differentiation - Hosting companies can't really differentiate on storage or bandwidth anymore (already high or unlimited).

Overview of Steps

1. Contact a representative to create a test account.
2. Download the application (see below) specific to your operating system.
3. Configuration.
4. The initial order needs to be approved; approval can be requested from [email protected].
5. A GlobalSign sales representative will create a production account on your behalf.

Step 1: Creating a Test Account

For Europe: https://testsystem.globalsign.com/request_en/newpremium.do?domain=systemeu.globalsign.com

For the USA: https://testsystem.globalsign.com/request_en/newpremium.do

Step 2: Download Application Specific to your Operating System

Download one of these files (for your OS); the most common are Linux 32-bit (i386) and Linux 64-bit (amd64):

https://www.globalsign.com/downloads/cloudssl/sni/snicloudssl-linux-386.tar.gz
https://www.globalsign.com/downloads/cloudssl/sni/snicloudssl-linux-amd64.tar.gz

Other supported operating systems are:

https://www.globalsign.com/downloads/cloudssl/sni/snicloudssl-darwin-386.tar.gz
https://www.globalsign.com/downloads/cloudssl/sni/snicloudssl-darwin-amd64.tar.gz
https://www.globalsign.com/downloads/cloudssl/sni/snicloudssl-freebsd-386.tar.gz
https://www.globalsign.com/downloads/cloudssl/sni/snicloudssl-freebsd-amd64.tar.gz
https://www.globalsign.com/downloads/cloudssl/sni/snicloudssl-linux-arm.tar.gz
https://www.globalsign.com/downloads/cloudssl/sni/snicloudssl-windows-386.tar.gz
https://www.globalsign.com/downloads/cloudssl/sni/snicloudssl-windows-amd64.tar.gz

Step 3: Configuration instructions

Introduction

Apache

Custom

DirectAdmin

Nginx

Pound

cPanel

Introduction

INSTALLATION

If you encounter any problems using the program, please make sure you have downloaded the right version of this program for your kernel. To determine which version of the application you need to download, you can use the command "uname -m" in a Linux-based environment. The following indicators should help you determine whether you are using a 32-bit or 64-bit operating system:

x86_64    64-bit kernel
i686      32-bit kernel

You can also use the command "getconf LONG_BIT", which should return either 32 or 64.

Then execute the following commands to download the archive for your platform (saved as snicloudssl.tar.gz) and extract it:

cd /opt
wget -O snicloudssl.tar.gz [filename]
tar zxf snicloudssl.tar.gz
rm snicloudssl.tar.gz

Configure the program

The program needs some information to request and update certificates. You also need an API user name and password. Please ask your account manager for these details and make sure that your server is whitelisted to access the production API. After your test account is activated, please start the configuration procedure.

cd /opt/snicloudssl/bin/
./snicloudssl -configure

Initiate the program

You need to initiate the program to order a CloudSSL certificate for each IP address.

cd /opt/snicloudssl/bin/
./snicloudssl -initiate -ip 192.168.0.1

Webserver Specific Configurations

Please continue reading the webserver specific instructions for your server.

APACHE

Configuration for domain control validation

Configure a global rewrite rule for the GlobalSign user agent in Apache "httpd.conf" by creating a symbolic link to the file /opt/snicloudssl/etc/apache.conf in your httpd.conf directory. Command to create the symbolic link:

ln -s /opt/snicloudssl/etc/apache.conf /etc/apache2/conf.d/snicloudssl.conf

Then you need to make sure that all name-based virtual host websites (websites that run on a single IP address) are configured to inherit the global rewrite configuration.

<VirtualHost {ip}:{port}>
    # Add these lines to your name-based virtual host for GlobalSign CloudSSL
    RewriteEngine on
    RewriteOptions inherit
</VirtualHost>

Running the program

This should work on any Linux server or desktop with Apache installed. The "apachectl" program should be in the $PATH; you can check that by typing "apachectl" on the command line. Then go to the bin directory of the program and start "./snicloudssl". Please note that this needs to be executed from the bin directory!

cd /opt/snicloudssl/bin/; ./snicloudssl

When you have completed the initial order and retrieved your order ID, you can schedule the following command in your scheduler (for example cron). You should run this command every few hours.

cd /opt/snicloudssl/bin/; ./snicloudssl -ip 192.168.0.1 -orderid CECO1211191692

After the first run

After running the program for the first time you need to update the configuration of your default website for this IP address. We will configure the CloudSSL Certificate that has been requested by the program on the default website for this IP address. The default website for an IP address is the configuration file that will be loaded first, for example 000_default.conf. When the webserver cannot find a match based on the Host header or the SNI indicator (when available), it will show the default (first) website. More information on Apache virtual hosts: http://httpd.apache.org/docs/current/vhosts/examples.html#ip

The default virtual host (000_default.conf) should be configured to load the CloudSSL certificate from the "/opt/snicloudssl/ssl" directory.

NameVirtualHost 92.243.31.204:443
<VirtualHost 92.243.31.204:443>
    SSLEngine on
    SSLCertificateFile /opt/snicloudssl/ssl/192-168-0-1.pem
    SSLCertificateKeyFile /opt/snicloudssl/ssl/192-168-0-1.key
    SSLCertificateChainFile /opt/snicloudssl/ssl/192-168-0-1-ca.pem
</VirtualHost>

Apache FAQ

Q: The program is giving an error message that "apache2ctl" can't be found.
A: Make sure that the Apache "apachectl" command is listed in your PATH environment (for example: "export PATH=$PATH:/opt/apache2/bin"). If you are running the program from crontab, make sure that this PATH is included in your config or that you specify the file with "-file=/opt/apache2/bin/apachectl".

Q: When I run the program from the crontab it's not working.
A: Make sure that your "apachectl" is available in the current PATH. You might need to set the PATH variable in the crontab file. http://askubuntu.com/questions/23009/reasons-why-crontab-does-not-work

CUSTOM

Legacy support program for Server Name Indication (SNI)

This file contains some information on how to get started when using an Nginx webserver. Please read the general README file before you continue reading here.

If you are using an unsupported webserver or load balancer you can still use this program to generate and maintain the CloudSSL Certificate. In this case you can use a text file that contains one publicly resolving site per line. The program will extract all Subject Alternative Names from the certificates installed on these websites and request a GlobalSign CloudSSL Certificate. When using this custom implementation you can create a custom script (for example via bash) to copy or upload the resulting certificate to your webserver or load balancer.

Running the program

When you have completed the initial order and retrieved your order ID, you can schedule the following command in your scheduler (for example cron). You should run this command every few hours, optionally followed by your custom script(s) to upload the new certificate to your server or load balancer.

cd /opt/snicloudssl/bin/; ./snicloudssl -ip 192.168.0.1 -orderid CECO1211191692 -source=text -file=/tmp/sites.txt

DIRECTADMIN

Configuration for domain control validation

First you need to check if you are using a custom configuration file. If you are using a custom config, a file named "virtual_host2.conf" should be located in "/usr/local/directadmin/data/templates/custom". If you have no custom configuration, create one with the following commands (only if you don't have a custom config already):

cd /usr/local/directadmin/data/templates
cp virtual_host2*.conf custom
cd custom

Now we can modify the custom configuration by opening the file "virtual_host2.conf" in your favorite editor and adding the "Rewrite..." lines to the virtualhost section to inherit the global rewrite configuration. When you're finished editing "virtual_host2.conf" you have to make the same change to "virtual_host2_sub.conf".

<VirtualHost |IP|:|PORT_80| |MULTI_IP|>
    # Add these lines to your name-based virtual host template for GlobalSign CloudSSL
    RewriteEngine on
    RewriteOptions inherit
</VirtualHost>

As we only changed the template, we have to ask DirectAdmin to rewrite all configuration files by running the following command:

echo "action=rewrite&value=httpd" >> /usr/local/directadmin/data/task.queue

Now add the following line to "/etc/httpd/conf/extra/httpd-includes.conf" and reload the httpd server.

Include /opt/snicloudssl/etc/apache.conf

Scheduler

Run this command once an hour (or less) from your scheduler (for example cron):

cd /opt/snicloudssl/bin; ./snicloudssl -ip 192.168.1.7 -orderid CECO1303012883 > /opt/snicloudssl/lastrun.log 2>&1

DirectAdmin configuration

Add the following line to your DirectAdmin configuration at "/usr/local/directadmin/conf/directadmin.conf".

enable_ssl_sni=1

Now add the following default virtual host to "/etc/httpd/conf/extra/httpd-includes.conf".

<IfModule mod_ssl.c>
<VirtualHost 192.168.1.7:443>
    ServerName host123.youserver.com
    SSLEngine on
    SSLCertificateFile /opt/snicloudssl/ssl/192-168-1-7.pem
    SSLCertificateKeyFile /opt/snicloudssl/ssl/192-168-1-7.key
    SSLCertificateChainFile /opt/snicloudssl/ssl/192-168-1-7-ca.pem
</VirtualHost>
</IfModule>

Then move the following lines up under the line that loads "httpd-ssl.conf" in "/etc/httpd/conf/httpd.conf":

# For user configurations not maintained by DirectAdmin. Empty by default.
Include conf/extra/httpd-includes.conf

NGINX

Legacy support program for Server Name Indication (SNI)

This file contains some information on how to get started when using an Nginx webserver. Please read the general README file before you continue reading here.

Example Configuration of SNI-based SSL sites

The server blocks below show the basic configuration of SSL-based websites configured to run multiple SSL Certificates on a single IP address. For readability we have omitted all non-SSL-related information from the example.

server {
    listen 192.168.1.144:443; ## listen for ipv4
    server_name www.example1.com;
    ssl on;
    ssl_certificate /etc/ssl/www.example1.com.pem;
    ssl_certificate_key /etc/ssl/www.example1.com.key;
    include /opt/snicloudssl/etc/nginx.conf;
}

server {
    listen 192.168.1.144:443; ## listen for ipv4
    server_name www.example2.com;
    ssl on;
    ssl_certificate /etc/ssl/www.example2.com.pem;
    ssl_certificate_key /etc/ssl/www.example2.com.key;
    include /opt/snicloudssl/etc/nginx.conf;
}

Configuration for domain control validation

To configure the rewrite on all virtual hosts, the following include line should be added to the "server {}" block.

include /opt/snicloudssl/etc/nginx.conf;

If you don't want to use an include statement, you can also include the contents of this file directly in the server configuration block.

Running the program

When you have completed the initial order and retrieved your order ID, you can schedule the following command in your scheduler (for example cron). You should run this command every few hours.

cd /opt/snicloudssl/bin/; ./snicloudssl -ip 192.168.0.1 -orderid CECO1211191692 -source=nginx -file=/etc/nginx/nginx.conf

After the first run

After running the program for the first time you need to update the configuration of your default website for this IP address. We will configure the CloudSSL Certificate that has been requested by the program on the default website for this IP address. The default website for an IP address is the server that has the "default_server" option in its listen directive. When the webserver cannot find a match on the SNI indicator, or when the client does not send one, it will present the SSL Certificate configured for the default website.

server {
    listen 192.168.1.144:443 default_server;
    server_name cloudssl1.myserver.com;
    ssl on;
    ssl_certificate /opt/snicloudssl/ssl/192-168-0-1.pem;
    ssl_certificate_key /opt/snicloudssl/ssl/192-168-0-1.key;
}
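The default-vhost fallback described for Apache above and for Nginx here can be verified from a client rather than by reading configuration. The following Python script is an added example and is not part of the GlobalSign guide or its snicloudssl program: it performs one TLS handshake without SNI, which must return the CloudSSL certificate, and one handshake per hosted site with SNI, which must return a certificate covering that site, using only the standard library. The file name sni_check.py, the fallback hostname and the site names are assumptions; the server's chain must validate against the system trust store, because Python's getpeercert() returns an empty dict for an unverified peer.

```python
"""Verify the SNI/CloudSSL fallback from the client side.

A handshake without SNI must return the CloudSSL certificate configured on
the default virtual host; a handshake with SNI for a hosted site must return
a certificate that covers that site.  Run it against the IP you initiated:

    python3 sni_check.py 192.168.0.1 cloudssl1.myserver.com www.example1.com www.example2.com
"""
import socket
import ssl
import sys


def dns_names(cert):
    """DNS names a getpeercert() dict covers: subjectAltName entries plus the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value not in names:
                names.append(value)
    return names


def hostname_matches(hostname, pattern):
    """Case-insensitive match; a '*' label in the certificate name covers exactly one label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    return all(p == "*" or p == h for h, p in zip(host, pat))


def fetch_names(ip, server_name=None, port=443, timeout=5.0):
    """TLS handshake with ip:port; SNI is sent only when server_name is given.
    The chain is still verified against the system trust store (getpeercert()
    is empty for unverified peers); only the hostname comparison is done here."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return dns_names(tls.getpeercert())


def report(observed, fallback_name):
    """observed maps server_name (None = handshake without SNI) to the DNS names
    seen in the returned certificate.  Returns {label: finding}."""
    fallback_names = observed.get(None, [])
    findings = {}
    for server_name, names in observed.items():
        if server_name is None:
            ok = any(hostname_matches(fallback_name, n) for n in names)
            findings["no-SNI"] = "ok" if ok else "default vhost does not serve the CloudSSL certificate"
            continue
        covered = any(hostname_matches(server_name, n) for n in names)
        if not covered:
            findings[server_name] = "certificate does not cover this name"
        elif names == fallback_names:
            # The site has no certificate of its own; only the CloudSSL SAN list covers it.
            findings[server_name] = "ok (covered by the CloudSSL fallback certificate only)"
        else:
            findings[server_name] = "ok"
    return findings


def audit(ip, fallback_name, sites, port=443):
    """Handshake once without SNI and once per site with SNI, then report."""
    observed = {None: fetch_names(ip, None, port)}
    for site in sites:
        observed[site] = fetch_names(ip, site, port)
    return report(observed, fallback_name)


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: sni_check.py IP FALLBACK_NAME [SITE ...]")
    for label, finding in audit(sys.argv[1], sys.argv[2], sys.argv[3:]).items():
        print(f"{label:40} {finding}")
```

A "no-SNI" finding other than "ok" means the first-loaded Apache vhost or the Nginx default_server is not the CloudSSL one, which is exactly the case the 8-10% of non-SNI clients would hit.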

Make sure you apply these other optimizations

The ssl_protocols, ssl_ciphers and ssl_prefer_server_ciphers settings are best practice and have nothing to do with Server Name Indication in itself. If your server does not yet support TLSv1.2 and/or TLSv1.1, Nginx will ignore them.

Add the following lines to your "http {}" block:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

Adding OCSP stapling will improve the performance of your website. The resolver needs to be configured to perform DNS lookups to the OCSP server. This can be any DNS resolver you have access to; 8.8.8.8 is an open resolver provided by Google.

resolver 8.8.8.8;
ssl_stapling on;

POUND

Pound is a reverse proxy, load balancer and HTTPS front-end for Web servers. Server Name Indication (SNI) has been available since June 2010 as of the 2.6 series of Pound.

http://www.apsis.ch/pound

You need to configure the CloudSSL Certificate as the first certificate on your IP number so that it will act as a fallback when no specific certificate can be located (for example because of a missing server name in the SSL/TLS handshake).

The "Cert" configuration option of Pound points to a PEM certificate store. You can simply create a PEM store by listing your key and certificates as base64-encoded DER in the order: Server Certificate -> Intermediate Certificate(s) -> Private key.

A base64-encoded DER certificate is enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".

The file "/opt/snicloudssl/html/index.html" needs to be served by a local webserver on the loopback address 127.0.0.1.

Please be aware that Pound has issues handling SSL Certificates with Subject Alternative Names in combination with Server Name Indication (SNI). This issue does not affect the default website, where the CloudSSL certificate is installed.
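Assembling the Pound PEM store in the order just described, and confirming that the CloudSSL certificate is the first Cert line of the listener, can be scripted. The Python below is an added example, not GlobalSign's program or Pound's code. It assumes the file names the guide uses under /opt/snicloudssl/ssl (<ip-tag>.pem for the server certificate, <ip-tag>-ca.pem for the intermediates, <ip-tag>.key for the private key); the PEM bodies and the Pound configuration embedded in it are constructed placeholders, not real key material.

```python
"""Build and check a Pound PEM store from the files snicloudssl writes.

Pound's Cert option takes one PEM file holding, in this order: server
certificate, intermediate certificate(s), private key.  Paths follow the
guide's naming, e.g. /opt/snicloudssl/ssl/192-168-0-1.pem, -ca.pem, .key.
"""
import re
from pathlib import Path

# One PEM block: "-----BEGIN <LABEL>-----", body, matching "-----END <LABEL>-----".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?\r?\n-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
# First Cert line inside a Pound config; Pound falls back to the first one listed.
CERT_LINE = re.compile(r'^\s*Cert\s+"([^"]+)"', re.M)


def pem_labels(text):
    """Labels of the PEM blocks in text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def build_store(cert_pem, chain_pem, key_pem):
    """Concatenate server certificate, intermediates and key in Pound's order."""
    parts = [p.strip() for p in (cert_pem, chain_pem, key_pem)]
    return "\n".join(p for p in parts if p) + "\n"


def build_store_from_files(ip_tag, ssl_dir="/opt/snicloudssl/ssl"):
    """Read <tag>.pem, <tag>-ca.pem and <tag>.key as written by snicloudssl."""
    d = Path(ssl_dir)
    return build_store((d / f"{ip_tag}.pem").read_text(),
                       (d / f"{ip_tag}-ca.pem").read_text(),
                       (d / f"{ip_tag}.key").read_text())


def validate_store(text):
    """Problems with the block order; an empty list means Pound can load the store."""
    labels = pem_labels(text)
    if not labels:
        return ["no PEM blocks found"]
    problems = []
    if labels[0] != "CERTIFICATE":
        problems.append("first block must be the server CERTIFICATE")
    if labels[-1] not in KEY_LABELS:
        problems.append("last block must be the private key")
    keys = sum(1 for lab in labels if lab in KEY_LABELS)
    if keys != 1:
        problems.append(f"expected exactly one private key block, found {keys}")
    for lab in labels[1:-1]:
        if lab != "CERTIFICATE":
            problems.append(f"unexpected block between certificates and key: {lab}")
    return problems


def first_cert(pound_cfg):
    """Path of the first Cert line in a Pound config (the fallback certificate), or None."""
    m = CERT_LINE.search(pound_cfg)
    return m.group(1) if m else None


# Constructed sample blocks: the bodies are placeholders, not real certificates or keys.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nU0VSVkVSLUNFUlQ=\n-----END CERTIFICATE-----\n"
SAMPLE_CHAIN = "-----BEGIN CERTIFICATE-----\nSU5URVJNRURJQVRF\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_POUND_CFG = """ListenHTTPS
    Address 192.168.1.144
    Port 443
    Cert "/opt/pound/ssl/cloudssl.pem"
    Cert "/opt/pound/ssl/site01.pem"
End
"""

if __name__ == "__main__":
    store = build_store(SAMPLE_CERT, SAMPLE_CHAIN, SAMPLE_KEY)
    print(pem_labels(store), validate_store(store) or "store order ok")
    print("fallback certificate:", first_cert(SAMPLE_POUND_CFG))
```

In a deployment you would call build_store_from_files("192-168-0-1") from the script that runs after snicloudssl, write the result to the path named in the first Cert line, and reload Pound only when validate_store() returns no problems.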

Example Configuration

ListenHTTPS
    Address 192.168.1.144
    Port 443
    Cert "/opt/pound/ssl/cloudssl.pem"
    Cert "/opt/pound/ssl/site01.pem"
    Cert "/opt/pound/ssl/site02.pem"
    Cert "/opt/pound/ssl/site03.pem"

    # Return this file only to the GlobalSign user-agent
    # when running the SNI/CloudSSL program locally
    # /opt/snicloudssl/html/index.html
    Service
        HeadRequire "User-Agent:.*GlobalSign.*"
        BackEnd
            Address 127.0.0.1
            Port 80
        End
    End

    Service
        HeadRequire "Host: .*site01.demo1.oneclickssl.eu.*"
        BackEnd
            Address 74.125.132.100
            Port 80
        End
    End

    Service
        BackEnd
            Address 157.166.255.18
            Port 80
        End
    End
End

cPanel

Before you get started you need to check that you are running a version of cPanel & WHM of 11.38+ that provides support for Server Name Indication (SNI). It's also important that you are using an operating system that comes with a version of OpenSSL that has support for SNI. CentOS 6+ is the first release of CentOS that ships with support for SNI.

Configure a rewrite rule for the GlobalSign user agent in Apache by creating a symbolic link to the file /opt/snicloudssl/etc/apache.conf in your user data standard virtual host includes directory.

Execute the following commands to create an includes directory, a symbolic link and rebuild the httpd.conf:

mkdir -p /usr/local/apache/conf/userdata/std
ln -s /opt/snicloudssl/etc/apache.conf /usr/local/apache/conf/userdata/std/snicloudssl.conf
/scripts/rebuildhttpdconf

Finally you have to restart the Apache webserver. You can do this from the WHM control panel or by restarting Apache with the following command.

service httpd restart

Now that you have been issued the first CloudSSL certificate, you can change the default virtual host, which will only be used to serve an SSL Certificate to users that do not include the Server Name Indication header. The virtual host will not be used to provide any web content.

Log in to your Web Host Manager (WHM) and go to Service Configuration >> Apache Configuration >> Include Editor.

Add the following options (modified to use your own IP address) to the "Pre VirtualHost Include" for "All Versions" of Apache as shown in the screenshot below.

<VirtualHost 192.168.1.188:443>
    SSLEngine on
    SSLCertificateFile /opt/snicloudssl/ssl/192-168-1-188.pem
    SSLCertificateKeyFile /opt/snicloudssl/ssl/192-168-1-188.key
    SSLCertificateChainFile /opt/snicloudssl/ssl/192-168-1-188-ca.pem
</VirtualHost>

Frequently Asked Questions

Can I run this program on my Windows server?
Can I use this solution in combination with CPANEL?
Does the program also support wildcard certificates?
Will a site/name be removed from the CloudSSL Certificate if it is down?
How many sites can be hosted on a single IP address?
Where can I find actual statistics about the Windows XP market share?
Why not use the CloudSSL certificate alone?

Can I run this program on my Windows server?
You can run the program on Windows, but it can't communicate with IIS directly. While you probably could import the generated certificate with Microsoft PowerShell, we have no examples for this. Microsoft IIS has Server Name Indication support from version 8 and later.

Can I use this solution in combination with CPANEL?
Yes, from cPanel & WHM 11.38 they overhauled the SSL Management system (for Apache). These changes bring full support for SNI to allow hosting multiple SSL Certificates on the same IP address (among others). cPanel will require CentOS/RHEL 6 on the server side, as they ship with SNI support in OpenSSL.

http://www.linkedin.com/groupAnswers?viewQuestionAndAnswers=&discussionID=223328914&gid=2124565&commentID=129128475&trk=view_disc&ut=1hK7rQnkuF9BI1

http://blog.cpanel.net/ssl-improvements-for-cpanel-whm/

Does the program also support wildcard certificates?
Yes, but the domain should resolve to the same IP address (e.g. *.domain.com has the same IP address as domain.com).

Will a site/name be removed from the CloudSSL Certificate if it is down?
The FQDN will be removed from the certificate when the site has been down or has returned an invalid certificate more than 5 times.

How many sites can be hosted on a single IP address?
With Server Name Indication you can host as many sites as you like, but as we need CloudSSL for the legacy users we are limited to the technical size limit of the TLS handshake. GlobalSign supports up to 300 names in a certificate, but keep in mind that many certificates are valid for both www.domain.com and domain.com, and would take two places on the CloudSSL certificate.

Where can I find actual statistics about the Windows XP market share?
You can calculate the actual percentage by multiplying the percentage of Internet Explorer users (30%) by the percentage of Windows XP users (24%). In January 2013 this number was 7.2%. Including some other clients that do not support SNI, the number falls between 8-10% of the clients. You can download these percentages from http://gs.statcounter.com/.

Why not use the CloudSSL certificate alone?
The CloudSSL solution on its own has a few disadvantages. It only allows issuing Domain Validated certificates, for the following reason: there will be one certificate, issued to the hosting company, validated on an organization level. Because domains use extensions of this certificate, they can only be validated on domain level. Partners would not be able to sell OV or EV certificates to their customers using CloudSSL. This setup also means that if a visitor to a CloudSSL-secured site clicks on the certificate details, they would see the hosting company's details and all other sites listed in the certificate.

GETTING HELP

Every GlobalSign enterprise customer has a dedicated Account Manager who is on hand to help with any commercial and technical queries you may have about reselling SSL. GlobalSign also provides technical support through our Client Service departments around the world. www.globalsign.com/support

GlobalSign US & Canada

Tel: 1-877-775-4562

www.globalsign.com

[email protected]

GlobalSign EU

Tel: +32 16 891900

www.globalsign.eu

[email protected]

GlobalSign UK

Tel: +44 1622 766766

www.globalsign.co.uk

[email protected]

GlobalSign FR

Tel: +33 1 82 88 01 24

www.globalsign.fr

[email protected]

GlobalSign DE

Tel: +49 30 8878 9310

www.globalsign.de

[email protected]

GlobalSign NL

Tel: +31 20 8908021

www.globalsign.nl

[email protected]