Multiple domains with multiple certificates for Apache2 TLS?

[cwaldbieser]

Lafayette College and Swarthmore College are collaborating to create a combined HPC cluster.
We'd like to deploy Open OnDemand such that users can use URLs with their home domain name. E.g. firebird.lafayette.edu or firebird.swarthmore.edu.

If I were setting up a generic web site with Apache2 httpd for this scenario, I'd probably set up 2 distinct VirtualHosts, each with their own ServerName. Each VirtualHost would have its own TLS cert which would be contributed by each member institution.

However, I'm not sure the OOD config lets me set things up this way? The docs seem to suggest that everything gets deployed under one virtual host and I could configure a ServerAlias setting for each domain. That would require that the public certificate has both domains on it (in the subject alternative names field). While that is possible, authorizing a certificate with domains from both institutions may prove to be somewhat challenging.

I wanted to make sure I am not overlooking an obvious way to set up multiple VirtualHosts for OOD or otherwise deploy 2 TLS protected domains for the same site.

[johrstrom]

Yea I don't think we support multiple virtual hosts. But as you indicate you can use ServerAliases (though we're patching that functionality right now in the next 3.1.x release).

If you're not married to the domain names maybe you could play some games with them like
hpc.firebird-swarthmore.edu. & hpc.firebird-lafayette.edu that way you can jointly own the firebird-*.edu domains?

Of course 2 separate instances (VMs) is an option too.

Sorry we can't be much more help! @treydock do you have any more insight?

[cwaldbieser]

Thanks for confirming.
I doubt our certificate registrar would issue a firebird-*.edu certificate to use-- I think some other .edus might object to that. ;)
Running 2 separate instances is something to consider.
Another thing that comes to mind would be to perhaps use multiple vhosts and certs on a proxy in front of the deployment, and merge those 2 requests into something a bit easier to manage on the back end. E.g. firebird.lafayette.edu -> fb-laf.lafayette.edu and firebird.swarthmore.edu -> fb-swa.lafayette.edu. It is easy enough for us to issue certs with multiple names that belong to a single institution.

[treydock]

You can create a CSR that uses Subject Alternative Names to have additional valid names. Example:

[root@web05 ~]# openssl x509 -noout -text -in /etc/letsencrypt/live/class.osc.edu/cert.pem
<SNIP>
Subject: CN = class.osc.edu
<SNIP>
            X509v3 Subject Alternative Name:
                DNS:class.osc.edu, DNS:stat.osc.edu

That certificate is good for both class.osc.edu and stat.osc.edu. So for OnDemand you create a cert with Subject Alternative Name that corresponds to additional aliases other than main virtual host ServerName.

[cwaldbieser]

So the way we ultimately resolved this was to have a certificate with both names on it. Our Apache config has a ServerName directive for the cert subject and a ServerAlias directive for the alternative name. It was a bit tricky to get a certificate with both domains on it, as we had to coordinate a domain validation with Swarthmore, but once we set it up it worked as advertised.