
Ubuntu, Apache2, and SNI

Getting SNI working in Apache these days is pretty straightforward. Add an appropriate "<VirtualHost *:443>" snippet and it basically works out-of-the-box. Personally, I'm fond of creating an include file for the bulk of each vhost's configuration that I include from the <VirtualHost *:80> and <VirtualHost *:443> blocks so that I know the configuration of the two is in sync, but that isn't exactly necessary.

The rough spot that I encountered is that by default, name-based virtual hosting on port 443 isn't enabled. Since name-based virtual hosting is enabled on port 80, this is easy to miss (or, at least, I spent a long time assuming there was another issue).

/etc/apache2/ports.conf claims:

<IfModule mod_ssl.c>
    # SSL name based virtual hosts are not yet supported, therefore no
    # NameVirtualHost statement here
    Listen 443
</IfModule>

Which is nonsense, given SNI (and was probably nonsense before SNI if you had a wildcard cert). What you actually want is:

<IfModule mod_ssl.c>
    NameVirtualHost *:443
    Listen 443
</IfModule>

Adding a snarky comment too is always an option...

(Relatedly... You can now use https://alex.mit.edu/, https://adehnert.mit.edu/, or https://masada.mit.edu/, and each will give you an appropriate MITCA-signed certificate.)
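A lint for the failure mode described above, as an added example rather than code from the original post: it flags any address that carries two or more <VirtualHost> blocks but has no matching NameVirtualHost directive. It assumes a configuration style in which NameVirtualHost is required, as in the ports.conf quoted above; the function name, the example.org hostnames and the literal string comparison of addresses are assumptions of the example.

```python
import re

# Apache directive names are case-insensitive; comments are whole lines starting with '#'.
VHOST = re.compile(r'^\s*<VirtualHost\s+([^>]+)>', re.I)
NVH = re.compile(r'^\s*NameVirtualHost\s+(\S+)', re.I)
SERVERNAME = re.compile(r'^\s*ServerName\s+(\S+)', re.I)
END = re.compile(r'^\s*</VirtualHost>', re.I)

def find_unnamed_vhost_addrs(config_text):
    """Return {address: [ServerName, ...]} for each address that has two or more
    <VirtualHost> blocks but no NameVirtualHost directive (hypothetical helper).
    Addresses are compared as literal strings, a simplification."""
    named, vhosts, current = set(), {}, None
    for line in config_text.splitlines():
        if line.lstrip().startswith('#'):
            continue                      # "# NameVirtualHost ..." must not count
        if m := NVH.match(line):
            named.add(m.group(1).lower())
        elif m := VHOST.match(line):
            current = m.group(1).lower().split()
            for addr in current:
                vhosts.setdefault(addr, []).append(None)
        elif current and (m := SERVERNAME.match(line)):
            for addr in current:
                vhosts[addr][-1] = m.group(1)
        elif END.match(line):
            current = None
    return {a: n for a, n in vhosts.items() if len(n) > 1 and a not in named}

# Constructed sample: the mod_ssl block is the stock ports.conf text quoted above;
# the port-80 lines and the example.org vhosts are made up for the demonstration.
STOCK_PORTS = """\
NameVirtualHost *:80
Listen 80
<IfModule mod_ssl.c>
    # SSL name based virtual hosts are not yet supported, therefore no
    # NameVirtualHost statement here
    Listen 443
</IfModule>
"""
FIXED_PORTS = STOCK_PORTS.replace("    Listen 443", "    NameVirtualHost *:443\n    Listen 443")
VHOSTS = "".join(
    f"<VirtualHost *:{port}>\n    ServerName {name}\n</VirtualHost>\n"
    for name in ("a.example.org", "b.example.org") for port in (80, 443))

if __name__ == "__main__":
    for label, ports in (("stock", STOCK_PORTS), ("fixed", FIXED_PORTS)):
        print(label, find_unnamed_vhost_addrs(ports + VHOSTS))
```

Feed it the concatenated text of ports.conf and the enabled site files; an empty result means every address with multiple vhosts has name-based hosting switched on.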

Categories:

  • Website
  • Informational


Alex·Dehnert