11

I have two domain names pointing to the same IP, and I am currently not using virtual hosts in my Apache configuration. I simply use /var/www/html/ as the root of the app. Do I need to buy 2 GoDaddy certificates, one for each domain? It seems that a GoDaddy certificate is tied to a domain, not an IP. Can someone clarify?

user121196

3 Answers

12

That is correct: SSL certificates are tied to a domain, not an IP address. The problem is that people type domain names into their browser address bar, not IP addresses (usually), and it's what you type into the address bar that is validated against the certificate (that is, the certificate validates that what you type into the address bar is what you're actually getting).

Dean Harding
  • Certificates are not tied to an IP, but you cannot have more than one certificate configured per IP address on a single (address+port). SSL is negotiated before any HTTP happens, so there is no way for the server to respond with a certificate for the correct domain. – Zoredache Sep 12 '12 at 00:05
  • @Zoredache, actually, there is a way, with Server Name Indication (although not all clients support it yet). – Bruno Oct 06 '12 at 12:51
4

The SSL certificate has to match whatever host is typed in the browser's URL bar. If you type in a domain name, then the SSL cert has to match the domain name. If people use two different domain names, then you need two different SSL certificates (or one certificate that's valid for multiple domains). If you expect users to type in an IP address in the browser, then the cert would have to match the IP address.

However, in order to buy a certificate for an IP address from a reputable vendor (if the vendor will sign it at all), you need to be the owner of the netblock according to publicly held records (e.g. ARIN, RIPE, etc.). See for example the GlobalSign FAQ.

tylerl
  • Good explanation. However, I read somewhere that some reputable CAs are offering certs for IP addresses. Presumably you must somehow prove that you own the IP address for the life of the certificate. I can't remember where I read this. Anyway, users never type IP addresses into their browser's address bar, so this wouldn't help the OP. – President James K. Polk May 18 '10 at 23:59
  • When you connect with SSL using an IP address, a [reverse lookup](http://en.wikipedia.org/wiki/Domain_Name_System#Reverse_lookup) should be done to look up what domain name resides on that address, and the certificate must be for that IP address. – Jonas Sep 06 '11 at 17:22
  • @Jonas: browsers don't do that, so you'll get a certificate warning even if the cert matches the domain you would receive from the PTR lookup. – tylerl Sep 06 '11 at 17:44
  • @Jonas, no, no reverse lookup is used when using an IP address with SSL. IP addresses can be in certificates (but they have to be in a Subject Alt Name of IP-address type, see [this question](http://stackoverflow.com/a/8444863/372643)). It's also extremely rare for the reasons tylerl mentions. (You can also use SNI to have multiple certs on a single address/port, but not all browsers support it.) – Bruno Oct 06 '12 at 12:55
3

It depends on the SSL certificates. Some of them allow you to specify more than one domain. Often this is limited to two names (www.example.org and example.org).

If it is exactly the same app on both domains, you should just configure a redirection from seconddomain.com to firstdomain.com - so there is only one domain name to worry about.

Alex
  • I don't think a redirect will work because the SSL connection (and hence certificate) is verified *first* - even before a 301 redirect would be processed. But good point about multiple domains per certificate. – Dean Harding May 18 '10 at 06:05
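Two things in tylerl's answer and in Alex's answer and its comment can be made concrete in one place: the browser compares exactly what was typed in the address bar against the names in the certificate (a DNS name against DNS-type Subject Alternative Names, an IP literal only against IP-type ones, with no reverse lookup), and one certificate that lists several names covers all of them. The following is an added example, not code from the thread or from any browser or library: it implements that matching rule in the style of RFC 6125 over the dictionary shape Python's `ssl.getpeercert()` returns. The certificates are constructed for the demonstration; `firstdomain.com` and `seconddomain.com` are the names from Alex's answer, and 203.0.113.10 is a documentation address, not a real host.

```python
"""Match what the user typed against a certificate's names (added example)."""
import ipaddress


def _match_dns(pattern, hostname):
    """Match one DNS SAN against a hostname. Only '*' as the entire leftmost label counts."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard must be the whole leftmost label, with at least two labels after it,
    # and no other label may contain one ('*.com' and 'w*.example.org' are rejected).
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # '*' matches exactly one label: www.firstdomain.com, not a.b.firstdomain.com
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def names_in_cert(cert):
    """Split SAN entries into (dns_patterns, ip_addresses).

    The commonName is consulted only when the certificate has no SAN extension at all;
    current browsers ignore the CN entirely, so a CN-only certificate is a legacy case.
    """
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    if not cert.get("subjectAltName"):
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value)
    return dns, ips


def hostname_matches(cert, typed_host):
    """True if the host the user typed (DNS name or IP literal) is covered by the certificate."""
    dns, ips = names_in_cert(cert)
    try:
        wanted = ipaddress.ip_address(typed_host.strip("[]"))  # "[::1]" in a URL is an IP literal
    except ValueError:
        wanted = None
    if wanted is not None:
        # An IP literal is compared only with IP-type SANs; no reverse DNS lookup is done,
        # so a PTR record pointing at a name in the certificate does not help.
        return wanted in ips
    return any(_match_dns(p, typed_host) for p in dns)


# Constructed certificates in the shape ssl.getpeercert() returns; not real certificates.
SINGLE_NAME_CERT = {
    "subject": ((("commonName", "firstdomain.com"),),),
    "subjectAltName": (("DNS", "firstdomain.com"),),
}
MULTI_NAME_CERT = {
    "subject": ((("commonName", "firstdomain.com"),),),
    "subjectAltName": (
        ("DNS", "firstdomain.com"),
        ("DNS", "seconddomain.com"),
        ("DNS", "*.firstdomain.com"),
        ("IP Address", "203.0.113.10"),
    ),
}
LEGACY_CN_ONLY_CERT = {"subject": ((("commonName", "seconddomain.com"),),)}


if __name__ == "__main__":
    for typed in ("firstdomain.com", "seconddomain.com", "www.firstdomain.com", "203.0.113.10"):
        print(f"{typed:22} single={hostname_matches(SINGLE_NAME_CERT, typed)!s:5} "
              f"multi={hostname_matches(MULTI_NAME_CERT, typed)}")
```

Run against the single-name certificate, `seconddomain.com` fails the check even though both names resolve to the same address; the browser never consults DNS for this decision, it only compares strings (and, for IP literals, parsed addresses). That is also why the redirect suggested in the answer above cannot help: the mismatch is detected during the handshake, before the server has any opportunity to send a 301.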