A certificate may be applicable to multiple domains and we should let multiple sites use the same certificate (provided they have access to it).

This depends on #537016: simple certificate management, #537020: create SSL certificate content type, #537022: domain-restricted certificates and #537004: "SSL site" option.

Currently, multiple domains may use multiple sites, but Aegir enforces a check that each SSL site has a unique IP address.

Comments

adrian’s picture

Version: 6.x-0.3-rc2 » 6.x-0.4-alpha3
Status: Active » Needs work

We kind of allow this implicitly now in HEAD.

Or rather, we don't enforce which domains they can be assigned to, so it is up to the admin to decide how he wants to associate them.
The access at the moment is based entirely on clients.

At the very least I'm going to put this as needs work.

adrian’s picture

Status: Needs work » Fixed

These are supported.

Status: Fixed » Closed (fixed)
Issue tags: -aegir-ssl

Automatically closed -- issue fixed for 2 weeks with no activity.

SocialNicheGuru’s picture

Can someone explain how this is done in Aegir 2?

I keep getting errors around needing to add more IP addresses.

milovan’s picture

Like SocialNicheGuru, I have exactly the same problem on Aegir 2. I cannot use one key for all sites like I was able to on Aegir 1. This is a clean Aegir 2 install, as the upgrade from Aegir 1.11 to Aegir 2.0 failed.

SocialNicheGuru’s picture

Version: 6.x-0.4-alpha3 » 6.x-2.x-dev
Status: Closed (fixed) » Active

Upgrading from 6.04 to 6.x-2.x

xurizaemon’s picture

Use case: Wildcard cert for example.org, and wish to provision new sites @ http://sitename.example.org. (Or I have a cert with subject altname.)

Aegir refuses to provision a second site and recycle the certificate unless the server has a free IP address. Using SNI I should be able to do this. (Noted, will not work for non-SNI browsers so no IE7+Windows XP or old Android clients.)

The notice and error messages from Aegir when trying to save the site are:

  • Any changes will take effect once the scheduled Verify task has been processed.
  • Task verify was added to the queue. Next queue run is 07:43:12+1300, server time is 07:42:57+1300.
  • cleaning up unused certificate 0 associated with site 1185
  • Site site1.example.org has been updated.
  • (error)Unable to allocate IP address for certificate, disabling SSL. Allocate more IP addresses to this server then try to enable SSL again.

The check for this is in hosting_ssl_save_key() in web_server/ssl/hosting_ssl.nodeapi.inc, and hosting_ip_allocate() is in server/hosting.ip.inc.
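
The use case in the comment above (one wildcard or subjectAltName certificate shared by several sites under SNI) only works for hostnames the certificate actually names. As an added example, not part of the thread and not Aegir code, this Python check decides which sites can reuse a certificate; the function names, the wildcard policy and the sample certificate names and sites are assumptions constructed for illustration.

```python
# Added example: which site hostnames can share one certificate under SNI.
# The certificate names and site list below are constructed sample data.

def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.strip().lower().rstrip(".").split(".")

def name_matches(cert_name, host):
    """True if one certificate DNS name covers host.

    Wildcard rule used here (RFC 6125 style): '*' must be the whole
    left-most label and stands for exactly one label.
    """
    pat, target = _labels(cert_name), _labels(host)
    if len(pat) != len(target) or "" in pat or "" in target:
        return False
    if pat[0] == "*":
        # Require two fixed labels after the wildcard ("*.org" is refused).
        return len(pat) >= 3 and pat[1:] == target[1:]
    # Partial wildcards such as "s*.example.org" are treated as non-matching.
    return "*" not in cert_name and pat == target

def plan_certificate_reuse(cert_names, sites):
    """Split sites into those the certificate covers and those it does not."""
    covered, uncovered = {}, []
    for site in sites:
        match = next((n for n in cert_names if name_matches(n, site)), None)
        if match is None:
            uncovered.append(site)
        else:
            covered[site] = match
    return covered, uncovered

# Constructed: DNS names as they would appear in the cert's subjectAltName.
CERT_NAMES = ["*.example.org"]
SITES = ["site1.example.org", "sitename.example.org",
         "example.org", "a.b.example.org", "site1.example.com"]

if __name__ == "__main__":
    covered, uncovered = plan_certificate_reuse(CERT_NAMES, SITES)
    for site, name in covered.items():
        print(f"{site}: can reuse certificate (matched {name})")
    for site in uncovered:
        print(f"{site}: needs a different certificate")
```

A wildcard for example.org covers neither the bare domain nor names two levels down, so those sites need the name listed separately in the certificate.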

anarcat’s picture

Status: Active » Closed (fixed)

Please. This feature request was closed *four* years ago. Can you open a bug report instead?

xurizaemon’s picture