
Hosting Multiple HTTPS Domains from the Same Server with Let's Encrypt and Nginx - liquidise
https://blog.benroux.me/running-multiple-https-domains-from-the-same-server/
======
WildUtah
Ugh. Let's Encrypt will issue you a single certificate for multiple domains on
the same server. It's easy to set up, too.

It's not just for multiple subdomains like sub1.example.com and
sub2.example.com. You can have any unrelated domains you want on the cert.

You don't need multiple IPs and you don't even need SNI with its legacy client
compatibility problems (now mostly well past). Just get a certificate that
covers all the domains you use.

There's no reason at all to suffer with the setup and security and resource
problems of SNI or multiple IPs outside extreme scenarios.

~~~
scrollaway
Also, plugging Caddy: [https://caddyserver.com/](https://caddyserver.com/)

I used to be a huge fan of nginx and I haven't touched it in a year now. I
don't miss it, Caddy is fantastic and handles the Let's Encrypt stuff for me.

~~~
devwastaken
I can never take caddy seriously until they get serious about updates and
start working with linux packages.

When you have to do this:
[https://gist.github.com/Jamesits/2a1e2677ddba31fae62d022ef8a...](https://gist.github.com/Jamesits/2a1e2677ddba31fae62d022ef8aa54dc)

That means your webserver is not going to receive updates until you re-do this
manually each time, which is dangerous and not at all something you should be
using professionally.

~~~
anc84
It's the duty of distributions to pick up and package software. Maybe you
could volunteer for the distro you use yourself? It is easier than one might
think.

------
caleblloyd
This article advocates for IP Per Domain over SNI. It's 2017, please use SNI.
There's not enough IPv4 addresses in the world. Every single major browser
supports it, and has supported it for some time:
[http://caniuse.com/#search=sni](http://caniuse.com/#search=sni)

~~~
liquidise
(author here) I would have loved to have SNI work. I wrote this article in
response to having profound struggles making it work. My iPhone 7's Safari was
routinely failing to connect to sites other browsers claimed were fine, when
relying on SNI.

The day i swapped over to IP-based connections, the problem resolved itself
immediately. If there is something i am missing i would love to know what it
is.

~~~
mholt
It must have been something else. Even Safari on iOS has supported SNI since
iOS 4.0 (2010).
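A check that settles the kind of dispute above, added here as an example and not code from the article or the thread: it fetches the certificate a server presents with and without the SNI extension, and reports which of a set of hostnames the certificate's SAN list does not cover (the wildcard rules follow RFC 6125: one leading `*` label matches exactly one label). The `SAMPLE_CERT` dict is constructed in the `getpeercert()` format; the network helper only runs when you call it.

```python
import socket
import ssl
from typing import Iterable, Optional


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or a single leading '*' label that
    matches exactly one label ('*.example.com' covers 'www.example.com',
    but neither 'example.com' nor 'a.b.example.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_san_dns(cert: dict) -> list:
    """DNS names from a dict in ssl.SSLSocket.getpeercert() format."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def uncovered_names(cert: dict, wanted: Iterable[str]) -> list:
    """Names in `wanted` that no SAN entry matches; [] means fully covered."""
    sans = cert_san_dns(cert)
    return [h for h in wanted if not any(hostname_matches(s, h) for s in sans)]


def fetch_peer_cert(host: str, port: int = 443, sni: Optional[str] = None) -> dict:
    """Connect and return the presented certificate as a dict.
    The SNI extension is sent only when `sni` is given. Hostname checking is
    off so a mismatched certificate is returned rather than raising; chain
    validation stays on because getpeercert() returns {} for unverified
    certificates (fine for Let's Encrypt chains)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()


# Constructed sample: one certificate covering two unrelated domains plus a wildcard.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (
        ("DNS", "example.com"),
        ("DNS", "*.example.com"),
        ("DNS", "example.net"),
    ),
}
```

To reproduce the Safari complaint, compare `fetch_peer_cert(ip, sni="site.example")` with `fetch_peer_cert(ip)`: if the no-SNI result is a different certificate, the server is serving a default vhost to clients that omit SNI.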

~~~
ethernetsalad
The only thing I've had SNI fail under (so far) has been Netscape Navigator
3.0 and at that point, does it really matter?

~~~
simcop2387
IE on Win XP. Or at least anything using the built in crypto stuff. I think
firefox will still use its own. Not sure about chrome.

------
hawkice
I've never had a single problem with hosting multiple https domains using
Nginx and Let's Encrypt. This article is somewhat baffling, considering his
example of clients that need this is "mobile browsers" but I've used iOS and
Android and it works just fine.

~~~
PuffinBlue
Me neither. I guess Cloudflare (to name but one service reliant on SNI) hasn't
either...

This article is a bit of an unusual response to a problem of a device not
working. When a device of mine doesn't work but others do I put it down to
there being a problem with my device, not a widely used technology (like SNI).

It's an interesting article to read though.

------
zwetan
"This means you cannot have multiple HTTPS sites hosted from the same IP
address."

Is that some kind of joke?

Yes you can, unless you want to support very old browsers [0] which would
defeat the whole purpose of using SSL/TLS in the first place.

Maybe have a look at Mozilla Security/Server Side TLS [1]

Also SSL certs are issued for FQDN, not IP addresses (unless the IP is public
and owned but still it is considered deprecated now [2]).

[0]: [https://blogs.msdn.microsoft.com/ieinternals/2009/12/07/understanding-certificate-name-mismatches/](https://blogs.msdn.microsoft.com/ieinternals/2009/12/07/understanding-certificate-name-mismatches/)

[1]:
[https://wiki.mozilla.org/Security/Server_Side_TLS](https://wiki.mozilla.org/Security/Server_Side_TLS)

[2]: [https://www.digicert.com/internal-names.htm](https://www.digicert.com/internal-names.htm)

~~~
ClashTheBunny
The article explains that SNI isn't working:

> But while this is widely supported, it is not supported ubiquitously. I've
> personally had a hell of a time fighting with mobile browsers when relying on
> SNI. On the other hand, IP addresses are cheap. Like, $1/mo or less, cheap. So
> buck up and grab a distinct IP for your HTTPS sites. Avoiding the headache of
> some device/browser combos not working will pay for itself 100 times over.

~~~
zwetan
So that means you will use pre TLS v1.0 to support those browsers that can not
deal with SNI.

You must feel very smart to be able to support old Android browsers like
Gingerbread which represent 1% of the Android market share [0], and iOS pre
v4.0 browsers which represent less than 0,1% of the iOS market share [1].

Now according to TLS/SSL support history of web browsers [2] your server is
vulnerable to BEAST, POODLE, CRIME, etc.

Congrats your SSL cert is useless.

[0]: [https://developer.android.com/about/dashboards/index.html](https://developer.android.com/about/dashboards/index.html)

[1]: [https://david-smith.org/iosversionstats/](https://david-smith.org/iosversionstats/)

[2]: [https://en.wikipedia.org/wiki/Template:TLS/SSL_support_history_of_web_browsers](https://en.wikipedia.org/wiki/Template:TLS/SSL_support_history_of_web_browsers)

~~~
liquidise
You are making incorrect assumptions and running with them.

As i stated in the article, and on this HN comment page, my issues were not
with antiquated browsers. Safari on my iPhone 7 was failing to connect to
sites other browsers were handling fine. I went down this rabbit hole of IP-
based differentiation specifically because of that issue.

There seems to be some sense that i published an article about the hardest way
to achieve this. I promise had relying on SNI worked like i expected it to,
the IP-based section of the article would be absent. But it didn't and, like i
said, IPs are cheap. Adding 1 step to a process of ubiquitous support seems
like a reasonable approach to me.

------
cure
This article has an incorrect premise. The author should learn about SNI:
[https://en.wikipedia.org/wiki/Server_Name_Indication](https://en.wikipedia.org/wiki/Server_Name_Indication)

------
rnhmjoj
On a side note: in NixOS ACME has been integrated into the nginx
configuration. To set up a server with TLS you just do

    security.acme.certs = {
      "example.com".email = "youremail@address.com";
    };

    services.nginx = {
      enable = true;
      virtualHosts."example.com" = {
        enableSSL  = true;
        enableACME = true;
      };
    };

This fetches the certificates and sets up a service and a timer to periodically
renew them.

~~~
schoen
Wow, is their nginx support portable to other OSes? Do you know who has
implemented it?

~~~
rnhmjoj
NixOS modules are built around Nix and systemd so theoretically you could
write a port for a different GNU/Linux distribution if you have those
available. I'm not aware of any though. There is however a variant for Darwin
based on launchd: [https://github.com/LnL7/nix-darwin](https://github.com/LnL7/nix-darwin)

You can find the implementation of the nginx service here:
[https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix](https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/web-servers/nginx/default.nix)

~~~
schoen
Thanks, I'd like the people working on nginx integration for certbot to see
this!

------
tzakrajs
I use SNI for my Apache Lets Encrypt script. This allows one IP (my home IP)
to host many sites easily and monitors changes to sites-enabled to trigger
creation of new SAN certificates based on contents of ServerName and
ServerAlias. The script also will regenerate certs for sites-enabled every 30
days.

See: [https://github.com/tzakrajs/cloud-fortress-lets-encrypt](https://github.com/tzakrajs/cloud-fortress-lets-encrypt)

~~~
tzakrajs
Included is a daemontools run script; the script runs in a loop but should it
die, you want it to restart. I added a supervise command to my /etc/rc.local to
make this run when the web server comes up.

------
Sektor
I've been trying to do this for a couple of weeks. I have no idea what I'm
doing and it's been hard to find any help via google. But I finished it last
friday. Without multiple external IP addresses. Funny to see this as the top
story when I woke up today. But yes, as caleblloyd says, it's 2017. Use SNI.
It's not hard, I'd never even heard of nginx or letsencrypt before I started
my project.

------
aaronpk
The only clients I've had trouble with SNI on are Amazon and Apple's Java clients,
as well as python2. It's unfortunately still not possible to host a podcast
feed with an SNI HTTPS URL in iTunes, nor can you use SNI for Alexa skills.
Otherwise, I've been happily using SNI for years now.

~~~
simcop2387
Interesting, those two are very surprising to have issues. Got anything about
the alexa skill one?

------
ufmace
Interested to read this and the comments here, as I was just poking around
with doing just that. I hadn't been planning on using a second IP address for
it, and now I'm wondering how well it will work without it.

------
dawnerd
Alternately [https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion)

------
reefwalkcuts
Can I apply this on Heroku hosted app?

