Some hosting providers restrict customers to a single SSL/TLS certificate per socket. (In simple terms, a socket is the combination of IP address and port number.) Since Apache listens to port 80 for non-SSL connections and port 443 for SSL connections on the same IP address, customers usually need a separate IP address for each certificate.
At the same time, you can configure Apache for multiple domains to share a single IP address using virtual hosts. Each virtual host gets its own port and Apache listens to this port, redirecting connections to the appropriate domain.
The combination of the above behaviours can sometimes cause complications when you install a single SSL Certificate on a shared IP address. Secure connections to port 443 of an IP address will be directed to the virtual host and domain assigned to that port. Thus, if you try to make a secure connection to a domain on a shared IP address, Apache will create a socket to the actual domain listening to port 443. Depending on your configuration, this domain may be a default virtual host or one that is explicitly set to listen to port 443.
The possible solutions depend on the types of configurations supported by your hosting provider. These include:
- Moving each domain with SSL certificates to its own IP address.
- Use Server Name Indication (SNI) to define separate SSL virtual hosts.
- Creating a default virtual host in your SSL file that does nothing but redirect to non-SSL connection.
- Installing a self-signed certificate on each domain name on that IP address.
- Making a different SSL host the primary certificate for the IP address.
