Can I set multiple SSL certificates for virtual hosts with Lighttpd?

Solution 1:

Please look at Lighttpd SNI. Server Name Indication has been supported by Lighttpd since 1.4.24, which allows more than one vhost per IP for SSL, as pointed out by jae. Browser support is limited though, IE on XP included.

Old answer: You can only set up one SSL certificate per IP/port pair that you use. If you have one IP address and multiple virtual hosts on that same IP address, it will not work unless you get a SAN certificate with all the virtual hosts/domains contained in it. This will get expensive.

The reason for this limitation is that the web server needs to decrypt the SSL request to see which host the client is trying to access. This is done using the SSL cert bound to that port. The client will then get a different certificate, which will not match the host/domain the client is expecting.

This will cause all sorts of security warnings on the client side.

Solution 2:

Using SNI is the way to do it. Here is a quick example:

$HTTP["host"] == "www.domain1.com" {
     server.document-root = "/home/www/domain1.com/public"
     server.errorlog = "/var/log/lighttpd/domain1.com/error.log"
     accesslog.filename = "/var/log/lighttpd/domain1.com/access.log"

     server.error-handler-404 = "/index.php"

     ssl.pemfile = "/etc/lighttpd/certs/www.domain1.com.pem"
}

and if you want to add another domain with its own SSL certificate:

$HTTP["host"] == "www.domain2.com" {
     server.document-root = "/home/www/domain2.com/public"
     server.errorlog = "/var/log/lighttpd/domain2.com/error.log"
     accesslog.filename = "/var/log/lighttpd/domain2.com/access.log"

     server.error-handler-404 = "/index.php"

     ssl.pemfile = "/etc/lighttpd/certs/www.domain2.com.pem"
}

Keep in mind that not all browsers support this.
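A check that goes with both answers above, added here and not part of either answer or of lighttpd itself: after configuring per-host `ssl.pemfile` entries, handshake against the server once per vhost name, sending that name as SNI, and confirm the certificate that comes back actually covers it. A mismatch is exactly the "wrong certificate for the host" situation the first answer describes, and it is what makes browsers warn. The host names, addresses and script name are placeholders; the script assumes the `openssl` command line tool (the `-ext subjectAltName` option needs OpenSSL 1.1.1 or later).

```shell
#!/bin/sh
# Added example (not from either answer): verify which certificate each SNI
# vhost actually presents. Host names and addresses are placeholders.
# Assumes the openssl command line tool; "-ext subjectAltName" needs OpenSSL 1.1.1+.

# Pull the CN out of a "subject=" line as printed by "openssl x509 -noout -subject".
# Handles both "subject=C = US, CN = www.domain1.com" and "subject= /C=US/CN=www.domain1.com".
cn_from_subject() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/[[:space:]]*$//'
}

# Return 0 when the certificate described by its subject line ($2) and its
# subjectAltName line ($3, e.g. "DNS:www.domain1.com, DNS:domain1.com") covers host $1.
cert_covers_host() {
    host=$1; subject=$2; san=$3
    [ "$(cn_from_subject "$subject")" = "$host" ] && return 0
    names=$(printf '%s\n' "$san" | tr ',' '\n' | sed 's/^[[:space:]]*DNS://')
    printf '%s\n' "$names" | grep -qxF "$host" && return 0
    # A single-label wildcard such as *.domain1.com also covers www.domain1.com.
    [ "${host#*.}" != "$host" ] && printf '%s\n' "$names" | grep -qxF "*.${host#*.}"
}

# Handshake with $2:$3 sending SNI name $1, then judge the certificate that came back.
# Exit 0 = matching certificate, 1 = mismatch (clients will warn), 2 = no handshake.
check_sni_host() {
    host=$1; addr=$2; port=${3:-443}
    cert=$(printf '' | openssl s_client -connect "$addr:$port" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -subject -ext subjectAltName 2>/dev/null) || return 2
    [ -n "$cert" ] || return 2
    subject=$(printf '%s\n' "$cert" | grep '^subject=')
    san=$(printf '%s\n' "$cert" | grep 'DNS:')
    if cert_covers_host "$host" "$subject" "$san"; then
        echo "OK   $host -> $(cn_from_subject "$subject")"
    else
        echo "FAIL $host -> $(cn_from_subject "$subject") (does not cover $host, clients will warn)"
        return 1
    fi
}

# Usage: sh check_sni.sh <server-ip-or-name> www.domain1.com www.domain2.com ...
# Adding a name with no $HTTP["host"] block shows which certificate lighttpd serves by default.
if [ "$#" -ge 2 ]; then
    addr=$1; shift
    status=0
    for h in "$@"; do
        check_sni_host "$h" "$addr" || status=1
    done
    exit "$status"
fi
```

Run it once for every `$HTTP["host"]` block you added; every line should read `OK`. To see what a client without SNI support (the browsers the answers warn about) would receive, repeat the `openssl s_client` call with `-noservername` instead of `-servername`: that is the certificate of the global `ssl.pemfile`, and it is the one those clients will compare against the host they typed.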