Hi,

Can Aegir handle a setup for multi-site Drupal that uses a *single* IP address and a *single* subject alternative name certificate with rewrite rules for Mass SSL vhosts (Our Setup)? Our home-scripted setup for new sites is something like:

  1. Create new site's database
  2. Set up Drupal site folder structure
  3. Update SAN cert (manual update per site)
  4. Add new host as CNAME to DNS
  5. Update ssl.map entry (see below)

# All drupal sites share the same codebase and index.php for dispatching URLs
drupal7default.domain.ie    /var/www/drupal7.domain/
subdomain.domain.ie          /var/www/drupal7.domain/

http.conf and ssl.conf are never updated in our setup, as the ssl.map file, DNS CNAME and SAN cert update are all that is needed.

This is related but not identical to the "Some SSL Questions" discussion on the Aegir forums and also #537032: wildcard and multi-domain certificate support (n to n).

Thanks in advance for any information on this matter.

Paul.
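
A consistency check for steps 3 and 5 of the procedure above, as an added example that is not part of the original post or of Aegir: it lists hostnames in ssl.map that the shared certificate's SAN list does not cover. The newsite.domain.ie entry, the SAN list and the function names are constructed for illustration, and the wildcard handling goes beyond the exact-name case the post describes.

```python
# Constructed sample data: the ssl.map lines shown in the post,
# plus a hypothetical new site that was added to the map only.
SAMPLE_SSL_MAP = """\
# All drupal sites share the same codebase and index.php for dispatching URLs
drupal7default.domain.ie    /var/www/drupal7.domain/
subdomain.domain.ie          /var/www/drupal7.domain/
newsite.domain.ie            /var/www/drupal7.domain/
"""
# Constructed SAN dNSName list, as it would be read from the shared certificate.
SAMPLE_SANS = ["drupal7default.domain.ie", "subdomain.domain.ie"]


def parse_ssl_map(text):
    """Return {hostname: docroot} from 'host<whitespace>path' lines."""
    hosts = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'host path', got {raw!r}")
        host = parts[0].lower().rstrip(".")
        if host in hosts:
            raise ValueError(f"line {lineno}: duplicate host {host}")
        hosts[host] = parts[1]
    return hosts


def san_covers(san, host):
    """True if one SAN dNSName matches host ('*' only as the whole left-most label)."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        # A wildcard stands for exactly one label, never zero and never several.
        head, _, rest = host.partition(".")
        return bool(head) and rest == san[2:]
    return san == host


def uncovered_hosts(map_text, sans):
    """Hosts in ssl.map that no SAN entry covers; clients would reject these."""
    hosts = parse_ssl_map(map_text)
    return sorted(h for h in hosts
                  if not any(san_covers(s, h) for s in sans))


if __name__ == "__main__":
    for host in uncovered_hosts(SAMPLE_SSL_MAP, SAMPLE_SANS):
        print("not in certificate SAN list:", host)
```
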

Comments

mccrodp’s picture

Category: bug » support

theMusician’s picture

Hi Paul,

Aegir can do this but you need to comment out a few lines in several files in .drush/provision/http and .drush/provision/http/apache_ssl.

I manage many sites that have full SSL provided by a single cert with SAN. In my experience this has worked really well, except that migrations occasionally drop the SSL knowledge in /server_name/ssl/ and you have to manually put it back in. That has improved, however, since I have been making sure a sitename.drush.inc file exists for each site.

A good discussion is occurring here, https://drupal.org/node/1126640, for the 2.0 branch. It kind of died off after my last post.

http://community.aegirproject.org/node/29/talk#comment-1136 has a patch for doing what I describe above. Also make sure to read, http://community.aegirproject.org/node/29, particularly the notes for commercial ssl users.

We do not use the ssl.map file, though it sounds interesting and I'll be looking into it. Aegir automatically updates the vhost files so that you don't have to manage http.conf or ssl.conf.

I hope that helps in some small way.

mccrodp’s picture

Thanks for this!
Haven't had a proper chance to go through this yet, but the info you provided looks like a great start!

anarcat’s picture

Status: Active » Postponed (maintainer needs more info)

ergonlogic’s picture

Status: Postponed (maintainer needs more info) » Closed (outdated)

The 6.x-2.x branch will go EOL along with Drupal this week. So I'm closing this issue. If it remains a confirmed issue in 7.x-3.x, feel free to re-open, or better yet, create a new issue referencing this one.