 

SNI Dynamic Certificate

I'm pulling my hair out here. Websites like wix.com, squarespace.com, etc. can generate websites on the fly and still use SSL on every one of the millions of custom domains.

I try to do the same thing, but I can't figure out how they do it!?

The logical solution would be on Apache:

    <IfModule mod_ssl.c>
        <VirtualHost *:443>
            ServerAlias *
            UseCanonicalName Off

            DocumentRoot /var/www/html

            SSLEngine on
            SSLCertificateFile /etc/apache2/ssl/%0/server.crt
            SSLCertificateKeyFile /etc/apache2/ssl/%0/server.key
        </VirtualHost>
    </IfModule>

But when I restart apache I get an error: SSLCertificateFile: file '/etc/apache2/ssl/%0/server.crt' does not exist or is empty

Even when I create a dummy folder /ssl/%0/ with some dummy certificates... it still used the (wrong) dummy certificates.

I know some will get on their high horses and yell that you cannot resolve the server name BEFORE the TLS handshake. But according to this post and other ones: %0 can be resolved with mod_vhost_alias because the server name is sent with SNI...

I know this works: a second approach would be to create a virtualhost for every custom domain:

    <VirtualHost *:443>
        ServerName site111.ca
        ServerAlias www.site111.ca

        DocumentRoot /var/www/html

        SSLEngine on
        SSLCertificateFile "/var/app/s3/ssl/site111.ca/certificate.crt"
        SSLCertificateKeyFile "/var/app/s3/ssl/site111.ca/certificate.key"
        SSLCertificateChainFile "/var/app/s3/ssl/site111.ca/certificate.chain"
    </VirtualHost>

    <VirtualHost *:443>
        ServerName site222.ca
        ServerAlias www.site222.ca

        DocumentRoot /var/www/html

        SSLEngine on
        SSLCertificateFile "/var/app/s3/ssl/site222.ca/certificate.crt"
        SSLCertificateKeyFile "/var/app/s3/ssl/site222.ca/certificate.key"
        SSLCertificateChainFile "/var/app/s3/ssl/site222.ca/certificate.chain"
    </VirtualHost>

I could create a dirty system where I add one virtual host per new domain and reload Apache every day. Eeewwww... and again: Apache caps the number of virtual hosts at 256 :/

How do they do it!? Is there another technology that can help me? Nginx, Node.js? Thank you for your time.

Fractal Mind asked Dec 20 '17 03:12




2 Answers

I try to do the same thing, but I can't figure out how they do it!?

To generate SSL websites on the fly, they use the Letsencrypt certificate authority, as you can check yourself (example: CN = www.thefoodmarketchiswick.com). But for the websites hosted under .wix.com names, they're just using a wildcard certificate (CN = *.wix.com). Till then, easy.

The second question: as you mentioned, Apache could not handle this massive hosting (and no one believes you could host millions of applications on one single server). Have a look at this Netcraft Survey, which gives some clues. I can't answer for them, but running an openssl s_client ends in error, meaning they aren't doing very compliant things.

Eugène Adell answered Sep 19 '22 06:09


TL;DR: they use wildcard certificates. So the problem is solved @ the certificate level and at the server config level, not only at the server config level like you are trying to do.

Couple of points:

  • The logical solution - hardly do I see anything "logical" in Computer Science or Software Engineering. It's engineering, not math, you have to DO stuff, not THINK stuff up. So knowledge becomes more important than intelligence in a lot of cases (not all).

  • You have a correct point about SNI - it is a push-back of the host identification mechanism to the TCP/SSL layer (prior to HTTP, where HTTP headers become available).

  • virtualhost for every custom domain - Depending on the scale we are talking about, it could work. However, if you onboard a client with 200, 1000, 5000 - subdomains. What then?

  • How do they do it - Let me just provide examples: an HTTP proxy like cloudflare generates a free certificate for you, that you have to add on your server (PROXY->ORIGIN encryption), and the END_USER -> CLOUDFLARE connection is encrypted using a wildcard certificate. These are the DNS names of the wildcard certificate they issued for me:

  • How does the configuration of such a server look? It is really a server farm, under a load balancer, w/ resources sharded (static resources on separately tuned machines w/ cache). There are multiple virtual hosts / domains / host aliases on each of the servers, but only 1 SSL file for many of them (or all, depending on the scale). The domains can have dedicated configurations; they can be grouped together if their configurations are identical.

  • Regarding webserver recommendations - unless there is a good reason to use APACHE, I would not use it. There is a reason why nginx is gaining traction and popularity.

Mindaugas Bernatavičius answered Sep 22 '22 06:09