harnir’s blog

How to move a HTTPS website from one domain to another

I’ve recently switched a website with a couple of pages secured using SSL certificates; here are some tips someone might find useful.

In case you didn’t know - you cannot use more than one SSL certificate on the same IP address. You can create more than one secured site on the same IP address, but only if you are using the same certificate for each (in that case the certificate should be a wildcard, like *.google.com). If you set up more than one SSL cert on the same IP address, the web server (in my case Apache 2; I don’t know about the others, but they’re probably the same) will pick the first one it finds and use it for the encrypted connection, and you cannot guarantee that it’s the correct one for a particular domain. Well, you could use a different port for each website, but that defeats the purpose of the :443 port and https:// convenience, doesn’t it? :-)

Anyway - what happens when you try to move your website to a different domain with HTTPS (for example when re-branding)? You will probably try to cheat the web browsers by putting the new domain, with its new SSL certificate, on the same IP address, turning off the SSLEngine option in the Apache configuration and adding a Redirect permanent to the new domain from your old website on the :443 port. But this scenario will not work… The reason is that when the web browser sees the https:// protocol, it automatically turns on SSL support and waits for a certificate from the server, which in this case does not arrive; the SSL session is broken and the web browser raises the error ssl_error_rx_record_too_long.

The solution to that problem is to put the new domain (both HTTP and HTTPS) on a new IP address, leave the old HTTPS site with its SSL certificate as is and just create a Redirect permanent inside the (old) secured HTTPS site. When you do this, the web browser will connect to the old HTTPS site with the correct (old) SSL certificate, see the redirection and connect to the new secured domain without a fuss.
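The two setups described above, written out as Apache virtual hosts. This is an added example, not the configuration from the original migration; the IP addresses, host names, document root and certificate paths are placeholders.

```apache
# Constructed example: 192.0.2.10 (old IP), 192.0.2.20 (new IP),
# old.example.com / new.example.com and all file paths are placeholders.

# --- Does NOT work: old domain on :443 with SSL switched off ------------
# The browser starts an SSL handshake, Apache answers in plain HTTP, and
# the browser fails with ssl_error_rx_record_too_long before it ever
# sees the redirect.
#
# <VirtualHost 192.0.2.10:443>
#     ServerName old.example.com
#     SSLEngine off
#     Redirect permanent / https://new.example.com/
# </VirtualHost>

# --- Works: old domain keeps its own IP address and certificate ---------
<VirtualHost 192.0.2.10:443>
    ServerName old.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/old.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/old.example.com.key
    # Delivered only after the handshake with the old certificate succeeds.
    Redirect permanent / https://new.example.com/
</VirtualHost>

# --- New domain, HTTP and HTTPS, on the new IP address ------------------
<VirtualHost 192.0.2.20:80>
    ServerName new.example.com
    DocumentRoot /var/www/new.example.com
</VirtualHost>

<VirtualHost 192.0.2.20:443>
    ServerName new.example.com
    DocumentRoot /var/www/new.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/new.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/new.example.com.key
</VirtualHost>
```

The old certificate has to stay valid for as long as the redirect is in service, because the browser verifies it before it reads the redirect.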

Category: English, System administration


One comment

  1. > In case you didn’t know - you cannot use more than one
    > SSL certificate on the same IP address.

    Well, actually you can for some time now - http://en.wikipedia.org/wiki/Server_Name_Indication

    arag0rn


CC-BY, 2009 Maciej Delmanowski