GlobalSign Solutions

Transcription

1 GlobalSign Solutions SNI + CloudSSL Implementation Guide Hosting Multiple SSL on a Single IP Address

2 Contents Introduction... 3 Why do hosting companies want SNI/CloudSSL?... 3 Configuration instructions... 4 Introduction... 4 Webserver specific configurations... 5 APACHE... 5 CUSTOM... 6 DIRECTADMIN... 7 NGINX... 8 POUND Frequently asked questions GETTING HELP... 16

3 Introduction SNI/CloudSSL is a solution for hosting multiple SSL certificates on a single IP address. It combines two GlobalSign products, SSL Certificates installed via Server Name Indication (SNI) and CloudSSL. The multi- domain (CloudSSL) certificate is used as fallback to support the 8-10% of users that have no support for SNI. Why do hosting companies want SNI/CloudSSL? IP shortage- There's a shortage of IPv4 addresses, APNIC and RIPE (EMEA) stock is close to zero Costs- More hosting companies are starting to ask for a monthly fee per IP. No DNS updates- When using SNI, no DNS updates have to be made when installing an SSL Certificate because multiple certificates can run on a single IP address. Simplicity- The CloudSSL Certificate is updated & maintained automatically by an application delivered by GlobalSign. SSL demand- Higher demand for SSL Certificates by regulations and requirements from sites such as Facebook (to link a website or application). Differentiation- Hosting companies can t really differentiate on storage or bandwidth anymore (already high or unlimited) Overview of Steps 1. Contact a representative to create a test account. 2. Download the application (see below) specific to your operating system. 3. Configuration 4. The initial order needs to get approved, this can be requested to api@globalsign.com 5. GlobalSign sales representative will create a production account on your behalf. Step 1.Creating a Test Account For Europe: For the USA: Step 2: Download Application Specific to your Operating System Download one of these files (for your OS), most common are the Linux 32bit (i386) and Linux 64bit (amd64): Other supported operating systems are:

4 Step 3. Configuration instructions Introduction Apache Custom DirectAdmin NIGINX Pound cpanel Introduction INSTALLATION If you encounter any problems using the program please make sure you have downloaded the right version of this program for your kernel. To determine which version of the application you need to download, you can use the command "uname -m" in a Linux-based environment. The following indicators should help you determine if you are using a 32-bit or 64-bit operating system. x86_ bit kernel i bit kernel You can also use the command "getconf LONG_BIT" which should return either 32 or 64. Then execute the following command to download and extract the application. cd /opt wget [filename] tar zxf snicloudssl.tar.gz rm snicloudssl.tar.gz Configure the program The program needs some information to request and update certificates. You also need an API user name and password. Please ask your account manager for these details and make sure that your server is whitelisted to access the production API. After your test account is activated, please start the configuration procedure.

5 cd /opt/snicloudssl/bin/./snicloudssl -configure Initiate the program You need to initiate the program to order a CloudSSL certificate for each IP address. cd /opt/snicloudssl/bin/./snicloudssl -initiate -ip Webserver Specific Configurations Please continue reading the webserver specific instructions for your server. APACHE Configuration for domain control validation Configure a global rewrite rule for the GlobalSign user agent in Apache "httpd.conf by creating a symbolic link to the file /opt/snicloudssl/etc/apache.conf in your httpd.conf directory. Command to create the symbolic link: ln -s /opt/snicloudssl/etc/apache.conf /etc/apache2/conf.d/snicloudssl.conf Then you need to make sure that all name-based virtual host websites (websites that run on a single IP address) are configured to inherit the global rewrite configuration. <VirtualHost {ip}:{port}> # Add these lines to your name-based virtual host for GlobalSign CloudSSL RewriteEngine on RewriteOptions inherit </VirtualHost> Running the program This should work on any Linux server or desktop with Apache installed. The "apachectl" program should be in the $PATH, you can check that by typing "apachectl" in the command line. Then go to the bin directory of the program and start "./snicloudssl", please note that this needs to be executed from the bin directory! cd /opt/snicloudssl/bin/;./snicloudssl When you completed the initial order and you retrieved your order ID you can schedule the following command in your scheduler (for exmaple cron). You should run this command every few hours. cd /opt/snicloudssl/bin/;./snicloudssl -ip orderid CECO After the first run After running the program for the first time you need to update the configuration of your default website for this IP address. We will configure the CloudSSL Certificate that has been requested by

6 the program on the default website for this IP address. The default website for an IP address is the configuration file that will be loaded first, for example 000_default.conf. When the webserver could not find a match based on the host header or the SNI indicator (when available), the webserver will show the default (first) website. More information on Apache virtual hosts: The default virtualhost (000_default.conf) should be configured to load the CloudSSL certificate from the "/opt/snicloudssl/ssl" directory. NameVirtualHost :443 <VirtualHost :443> SSLEngine on SSLCertificateFile /opt/snicloudssl/ssl/ pem SSLCertificateKeyFile /opt/snicloudssl/ssl/ key SSLCertificateChainFile /opt/snicloudssl/ssl/ ca.pem </VirtualHost> Apache FAQ Q: The program is giving an error message that "apache2ctl" can't be found. A: Make sure that the Apache "apachectl" command is listed in your PATH environment (for example: "export PATH=$PATH:/opt/apache2/bin") If you are running the program from crontab make sure that this PATH is included in your config or that you specify the file with "-file=/opt/apache2/bin/apachectl". Q: When I run the program from the crontab it's not working. A: Make sure that your "apachectl" is available in the current PATH. You might need to set the PATH variable in the crontab file. CUSTOM Legacy support program for Server Name Indication (SNI) This file contains some information on how to get started when using an Nginx webserver. Please read the general README file before you continue reading here. If you are using a unsupported webserver or load balancer you can still use this program to generate and maintain the CloudSSL Certificate. In this case you can use a text file that contains one public resolving site per line. The program will extract all Subject Alternative Names for the certificates installed on these websites and request a GlobalSign CloudSSL Certificate. When using this custom implementation you can create a custom script (for example via bash) to copy or upload the resulting certificate to your webserver or load balancer. Running the program

7 When you completed the initial order and you retrieved your order ID you can schedule the following command in your scheduler (for example cron). You should run this command every few hours, optionally followed by your custom script(s) to upload the new certificate to your server or load balancer. cd /opt/snicloudssl/bin/;./snicloudssl -ip orderid CECO source=text -file=/tmp/sites.txt DIRECTADMIN Configuration for domain control validation First you need to check if you are using a custom configuration file. If you are using a custom config a file named "virtual_host2.conf" should be located in "/usr/local/directadmin/data/templates/custom". If you have no custom configuration we need to create one with the following command (only if you don't have a custom config already): cd /usr/local/directadmin/data/templates cp virtual_host2*.conf custom cd custom Now we can modify the custom configuration by opening the file "virtual_host2.conf" in your favorite editor and add the "Rewrite..." lines to the virtualhost section to inherit the global rewrite configuration. When you re finished editing "virtual_host2.conf" you have to make the same change to "virtual_host2_sub.conf". <VirtualHost IP : PORT_80 MULTI_IP > # Add these lines to your name-based virtual host template for GlobalSign CloudSSL RewriteEngine on RewriteOptions inherit </VirtualHost> As we only changed the template we have to ask DirectAdmin to rewrite all configuration files by running the following command. echo "action=rewrite&value=httpd" >> /usr/local/directadmin/data/task.queue Now add the following line to "/etc/httpd/conf/extra/httpd-includes.conf" and reload the httpd server. Include /opt/snicloudssl/etc/apache.conf Scheduler Run this command once a hour (or less) from your scheduler (for example cron) cd /opt/snicloudssl/bin;./snicloudssl -ip orderid CECO > /opt/snicloudssl/lastrun.log 2>&1

8 DirectAdmin configuration Add the following line to you DirectAdmin configuration at "/usr/local/directadmin/conf/directadmin.conf". enable_ssl_sni=1 Now add the following default virtual host to "/etc/httpd/conf/extra/httpd-includes.conf". <IfModule mod_ssl.c> <VirtualHost :443> ServerName host123.youserver.com SSLEngine on SSLCertificateFile /opt/snicloudssl/ssl/ pem SSLCertificateKeyFile /opt/snicloudssl/ssl/ key SSLCertificateChainFile /opt/snicloudssl/ssl/ ca.pem </VirtualHost> </IfModule> And then move the following lines up under the line that loads "httpd-ssl.conf" in "/etc/httpd/conf/httpd.conf" # For user configurations not maintained by DirectAdmin. Empty by default. Include conf/extra/httpd-includes.conf NGINX Legacy support program for Server Name Indication (SNI) This file contains some information on how to get started when using an Nginx webserver. Please read the general README file before you continue reading here. Example Configuration of SNI-based SSL sites The server blocks below show the basic configuration of SSL-based websites configured to run multiple SSL Certificates on a single IP address. For readability we have skipped all non SSL related information from the example. server { listen :443; ## listen for ipv4 server_name ssl on; ssl_certificate /etc/ssl/ ssl_certificate_key /etc/ssl/

9 include /opt/snicloudssl/etc/nginx.conf; } server { listen :443; ## listen for ipv4 server_name ssl on; ssl_certificate /etc/ssl/ ssl_certificate_key /etc/ssl/ include /opt/snicloudssl/etc/nginx.conf; } Configuration for domain control validation To configure the rewrite on all virtual hosts the following include line should be added to the "server {}" block. include /opt/snicloudssl/etc/nginx.conf; If you don't want to use an include statement you can also decide to include the contents of this file directly in the server configuration block. Running the program When you completed the initial order and you retrieved your order ID you can schedule the following command in your scheduler (for exmaple cron). You should run this command every few hours. cd /opt/snicloudssl/bin/;./snicloudssl -ip orderid CECO source=nginx -file=/etc/nginx/nginx.conf After the first run After running the program for the first time you need to update the configuration of your default

10 website for this IP address. We will configure the CloudSSL Certificate that has been requested by the program on the default website for this IP address. The default website for an IP address is the server that has "default_server" option in your listener. When the webserver could not find a match on the SNI indicator or when this header is not available, it will present the SSL Certificate configured for the default website. server { listen :443 default_server; server_name cloudssl1.myserver.com; ssl on; ssl_certificate /opt/snicloudssl/ssl/ pem; ssl_certificate_key /opt/snicloudssl/ssl/ key; } Make sure you apply these other optimizations The ssl_protocols, ssl_ciphers and ssl_prefer_server_ciphers settings are best practice and have nothing to do with Server Name Indication in itself. If your server does not yet support TLSv1.2 and/or TLSv1.1 Nginx will ignore them. Add the following lines to your "http {}" block: ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH; ssl_prefer_server_ciphers ssl_session_cache on; shared:ssl:10m; ssl_session_timeout 10m;

11 Adding OCSP stapling will improve the performance of your website. The resolver needs to be configured to perfom DNS lookup to the OCSP server. This can be any DNS resolver you have access to, is an open revolver provided by Google. resolver ; ssl_stapling on; POUND Pound is a reverse proxy, load balancer and HTTPS front-end for Web servers. Server Name Indication (SNI) has been available since June 2010 as of the 2.6 series of Pound. You need to configure the CloudSSL Certificate as the first certificate on your IP number so that it will act as a fallback when no specific certificate can be located (for example because of a missing server name in the SSL/TLS handshake). The "Cert" configuration option of pound is pointing to a PEM certificate store. You can simply create a PEM store by listing your key and certificates as a base64 encoded DER certificate in the order: Server Certificate -> Intermediate Certificate(s) -> Private key. A base64 encoded DER certificate is enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----". The file "/opt/snicloudssl/html/index.html" needs to be served by a local webserver on the loopback address Please be aware that Pound has issues handling SSL Certificates with Subject Alternative Names in combination with Server Name Indication (SNI). This issue does not affect the default website, where the CloudSSL certificate is installed. Example Configuration ListenHTTPS Address Port 443 Cert Cert "/opt/pound/ssl/cloudssl.pem" "/opt/pound/ssl/site01.pem"

12 Cert Cert "/opt/pound/ssl/site02.pem" "/opt/pound/ssl/site03.pem" # Return this file only to the GlobalSign user-agent # when running the SNI/CloudSSL program locally # /opt/snicloudssl/html/index.html Service HeadRequire "User-Agent:.*GlobalSign.*" BackEnd Address Port 80 End End Service HeadRequire "Host:.*site01.demo1.oneclickssl.eu.*" BackEnd Address Port 80 End End Service BackEnd Address Port 80 End

13 End End cpanel Before you get started you need to check if you are running a version of cpanel & WHM of that provides support for Server Name Indication (SNI). It's also important that you are using an operating system that comes with a version of OpenSSL that has support for SNI. CentOS 6+ is the first release of CentOS that ships with support for SNI. Configure a rewrite rule for the GlobalSign user agent in Apache by creating a symbolic link to the file /opt/snicloudssl/etc/apache.conf in your user data standard virtual host includes directory. Execute the following commands to create an includes directory, a symbolic link and rebuild the httpd.conf: mkdir -p /usr/local/apache/conf/userdata/std ln -s /opt/snicloudssl/etc/apache.conf /usr/local/apache/conf/userdata/std/snicloudssl.conf /scripts/rebuildhttpdconf Finally you have to restart the Apache webserver. You can do this from the WHM control panel or by resarting Apache with the following command. service httpd restart Now you got issued the first CloudSSL certificate you can change the default virtual host that will only be used to serve an SSL Certifite to users that do not include the Server Name Indication header. The virtual host will not be used to provide any web content. Login to your Web Host Manager (WHM) and go to Service Configuration >> Apache Configuration >> Include Editor. Add the following options (modified to use your own IP address) to the Pre VirtualHost Include for

14 All Versions of Apache as shown in the screenshot below. <VirtualHost :443> SSLEngine on SSLCertificateFile /opt/snicloudssl/ssl/ pem SSLCertificateKeyFile /opt/snicloudssl/ssl/ key SSLCertificateChainFile /opt/snicloudssl/ssl/ ca.pem </VirtualHost> Frequently Asked Questions Can I run this program on my Windows server? Can I use this solution in combination with CPANEL? Does the program also support wildcard certificates? Will a site/name be removed from the CloudSSL Certificate if it is down?

15 How many sites can be hosted on a single IP address? Where can I find actual statistics about the Windows XP market share? Why not use the CloudSSL certificate alone? Can I run this program on my Windows server? You can run the program on Windows but it can t communicate with IIS directly. While you probably could import the generated certificate with the Microsoft PowerShell we have no examples for this. Microsoft IIS has Server Name Indication support from version 8 and later. Can I use this solution in combination with CPANEL? Yes, from cpanel & WHM they overhauled the SSL Management system (for Apache). These changes will bring full support for SNI to allow hosting multiple SSL Certificates on the same IP address (among others). cpanel will require CentOS/RHEL 6 on the server side, as the ship with SNI support in OpenSSL. d= &commentid= &trk=view_disc&ut=1hk7rqnkuf9bi1 Does the program also support wildcard certificates? Yes, but the domain should resolve to the same IP address (eg. *.domain.com has the same IP address as domain.com) Will a site/name be removed from the CloudSSL Certificate if it is down? The FQDN will be removed from the certificate when the site has been down or returning an invalid certificate more than 5 times. How many sites can be hosted on a single IP address? With Server Name Indication you can host as many sites as you like, but as we need CloudSSL for the legacy users we are limited to the technical size limit of the TLS handshake. GlobalSign supports up to 300 names in a certificate, but keep in mind that many certificates are valid for and domain.com, and would take two places on the CloudSSL certificate. Where can I find actual statistics about the Windows XP market share? You can calculate the actual percentage by taking the percentage of Internet Explorer users (30%) of the percentage of Windows XP users (24%). In January 2013 this number was 7.2%. Including some other clients that do not support SNI, the number falls between 8-10% of the clients. You can download these percentages on Why not use the CloudSSL certificate alone? The CloudSSL solution on its own has a few disadvantages. It only allows issuing Domain Validated certificates. This is because of the following reason: There will be one certificate, issued to the hosting company, validated on an organization level. Because domains use extensions of this certificate, they can only be validated on domain level. Partners would not be able to sell OV or EV certificates to their customers using CloudSSL. This setup also means that if a visitor to a CloudSSL

16 secured site clicks on the certificate details, they would see the hosting company s details and all other sites listed in the certificate. GETTING HELP Every GlobalSign enterprise customer has a dedicated Account Manager who is on hand to help with any commercial and technical queries you may have about reselling SSL. GlobalSign also provides technical support through our Client Service departments around the world. GlobalSign US & Canada Tel: sales-us@globalsign.com GlobalSign FR Tel: ventes@globalsign.com GlobalSign EU Tel: sales@globalsign.com GlobalSign DE Tel: verkauf@globalsign.com GlobalSign UK Tel: sales@globalsign.com GlobalSign NL Tel: verkoop@globalsign.com