How To Configure Apache/NGINX for switching TLS certs by domain name for HNS + ICANN dual name support
First of all, we need two separate certificates: ordinary Certificate Authorities don't issue for Handshake (HNS) domains, and we don't want to trust Certificate Authorities anyway. For Handshake we have DANE, which is decentralized: the certificate is anchored by a TLSA record you publish in your own zone (at _443._tcp.<name>), not by a CA signature. So for your ICANN domain you can still use a Let's Encrypt certificate, while for your HNS domain you use a self-signed certificate anchored with DANE. Keep in mind that the DANE-anchored certificate only validates for clients that resolve the name through a Handshake resolver and check the TLSA record; a browser with no Handshake support will show a certificate warning for the .hns name. Follow this step to set up DANE.
On to the config.
Apache Config With Macros (mod_macro)
Apache macros let you define scripted templates for hosting all of your websites. Like functions, they are called with parameters, which gives you the flexibility to cover a different scenario for each website with one definition.
mod_macro ships with Apache httpd 2.4.5 and later, so most Linux distributions already have it. On Debian/Ubuntu it is installed but has to be enabled; enable it (or confirm it is already enabled) with:
a2enmod macro
(apache2ctl -M lists the loaded modules if you want to double-check that macro_module is active.)
Macro Examples
Here are two examples of macros I created for HTTP and HTTPS
HTTP
Edit
000-default.conf
<Macro VHostHTTP $host>
<VirtualHost *:80>
ServerName $host
# Send every plain-HTTP request to the HTTPS site for the same name
Redirect "/" "https://$host/"
</VirtualHost>
</Macro>
# VHostHTTP $host
Use VHostHTTP google.com
Use VHostHTTP google.hns
HTTPS
Edit
default-ssl.conf
# SSL cert for the ICANN domain, issued by Let's Encrypt.
# Point SSLCertificateFile at the full chain (leaf + intermediate) so clients
# receive the intermediate; Apache 2.4.8 and later accept a chain in this file.
<Macro IcannSSL>
SSLCertificateFile /etc/ssl/letsencrypt/certificate.crt
SSLCertificateKeyFile /etc/ssl/letsencrypt/private.key
</Macro>
# SSL cert for the Handshake domain: self-signed, anchored by a TLSA record.
<Macro HandshakeSSL>
SSLCertificateFile /etc/ssl/Handshake/certificate.crt
SSLCertificateKeyFile /etc/ssl/Handshake/private.key
</Macro>
<Macro VHostHTTPS $host $dir $ssl>
<VirtualHost *:443>
ServerName $host
DocumentRoot "$dir"
SSLEngine on
Use $ssl
</VirtualHost>
</Macro>
# VHostHTTPS $host $dir $ssl
# Apache selects the vhost, and with it the certificate, by matching the client's
# SNI name against ServerName. A client that sends no SNI gets the first *:443 vhost.
Use VHostHTTPS google.com /var/www/google IcannSSL
Use VHostHTTPS google.hns /var/www/google HandshakeSSL
The HTTPS macro takes three parameters (the HTTP macro takes only $host):
- $host - the domain name served by the VirtualHost
- $dir - the document root of the website served by the VirtualHost
- $ssl - the name of the certificate macro (IcannSSL or HandshakeSSL) to use in the VirtualHost
The takeaway from using macros in your Apache configuration is that they are simple to set up and make your configuration files less prone to errors: each site becomes one Use line instead of a hand-copied block. Macros are suitable for production as well as development environments. How you set them up is limited only by your server configuration and your imagination.
For more info, check out the official Apache docs.
NGINX Config
Edit
nginx.conf
# Redirect HTTP To HTTPS
server {
listen 80;
listen [::]:80;
server_name google.com google.hns;
return 301 https://$host$request_uri;
}
# ICANN domain with the Let's Encrypt certificate.
# NGINX picks the server block, and with it the certificate, by matching the
# client's SNI name against server_name. Point ssl_certificate at the fullchain
# file so clients receive the intermediate.
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name google.com;
root /var/www/google;
ssl_certificate /etc/ssl/letsencrypt/certificate.crt;
ssl_certificate_key /etc/ssl/letsencrypt/private.key;
}
# Handshake domain with the self-signed, DANE-anchored certificate.
# Clients that send no SNI or an unknown name get the first block above; mark one
# block default_server if you want that choice explicit.
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name google.hns;
root /var/www/google;
ssl_certificate /etc/ssl/Handshake/certificate.crt;
ssl_certificate_key /etc/ssl/Handshake/private.key;
}
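To make the DANE half of the intro concrete and to verify that the SNI-based certificate switching in both configs above actually works, here is an added example in Python (my code, not code from the original post). It computes the "3 1 1" TLSA record (DANE-EE, SubjectPublicKeyInfo, SHA-256) for a DER certificate the way a validating client does, checks a served certificate against a published record, and fetches the leaf certificate a server presents for a chosen SNI name so you can confirm that google.com and google.hns return different certificates. The embedded certificate is a constructed, unsigned shell so the script runs offline; the address 203.0.113.10 in the commented usage is a placeholder for your own server.

```python
"""DANE-EE (TLSA usage 3) helper for a self-signed Handshake certificate.

Added example, not code from the original post. Computes the TLSA record for a
certificate the way a DANE-validating client does, checks a served certificate
against a published record, and fetches the leaf certificate a server presents
for a given SNI name so the Apache/NGINX switching can be verified.
"""
import hashlib
import socket
import ssl


def der(tag, payload):
    """Encode one DER element (used only to build the constructed sample below)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def der_tlv(data, pos=0):
    """Parse one DER element at pos; return (tag, value, raw_tlv, next_pos)."""
    start, tag, length = pos, data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    return tag, data[pos:end], data[start:end], end


def der_children(value):
    """Split a constructed element's contents into (tag, value, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, raw, pos = der_tlv(value, pos)
        out.append((tag, val, raw))
    return out


def spki_der(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 cert (TLSA selector 1)."""
    _, cert_body, _, _ = der_tlv(cert_der)             # Certificate SEQUENCE
    _, tbs, _, _ = der_tlv(cert_body)                  # tbsCertificate SEQUENCE
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                           # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][2]


def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """Presentation-format TLSA rdata for cert_der, e.g. '3 1 1 <sha256 hex>'."""
    data = spki_der(cert_der) if selector == 1 else cert_der
    digest = {0: lambda d: d,
              1: lambda d: hashlib.sha256(d).digest(),
              2: lambda d: hashlib.sha512(d).digest()}[mtype](data)
    return f"{usage} {selector} {mtype} {digest.hex()}"


def tlsa_matches(cert_der, rdata):
    """True if the served leaf cert matches a DANE-EE TLSA record (usage 3).
    Only usage 3 is handled: it pins the end-entity cert itself and needs no CA."""
    usage, selector, mtype, value = rdata.split(maxsplit=3)
    if int(usage) != 3:
        raise ValueError("only DANE-EE (usage 3) records are handled here")
    expected = tlsa_rdata(cert_der, 3, int(selector), int(mtype))
    return expected == f"3 {int(selector)} {int(mtype)} {value.replace(' ', '').lower()}"


def fetch_leaf_cert(address, sni, port=443):
    """Connect to address (IP or hostname) and return the DER leaf cert the
    server presents for SNI name sni. Chain validation is disabled on purpose:
    a self-signed Handshake cert is validated by TLSA, not by a CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((address, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed sample: a structurally valid, unsigned P-256 certificate shell,
# built here only so the example runs offline (not a real key or signature).
_EC_ALG = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d0201"))        # id-ecPublicKey
                  + der(0x06, bytes.fromhex("2a8648ce3d030107")))     # prime256v1
SAMPLE_SPKI = der(0x30, _EC_ALG + der(0x03, b"\x00\x04" + b"\x11" * 64))
_SIG_ALG = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d040302")))     # ecdsa-with-SHA256
_NAME = der(0x30, b"")
_VALIDITY = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
SAMPLE_CERT = der(0x30,
                  der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
                      + _SIG_ALG + _NAME + _VALIDITY + _NAME + SAMPLE_SPKI)
                  + _SIG_ALG + der(0x03, b"\x00" + b"\x00" * 8))

if __name__ == "__main__":
    record = tlsa_rdata(SAMPLE_CERT)
    print("_443._tcp.google.hns. IN TLSA", record)
    print("matches:", tlsa_matches(SAMPLE_CERT, record))
    # Live check against your own server (203.0.113.10 is a placeholder address):
    # for name in ("google.com", "google.hns"):
    #     leaf = fetch_leaf_cert("203.0.113.10", name)
    #     print(name, tlsa_rdata(leaf))
```

To run it against your real Handshake certificate, read the PEM file and convert it with ssl.PEM_cert_to_DER_cert(); the "3 1 1" value tlsa_rdata() prints is what goes into the _443._tcp.google.hns TLSA record, and it equals the output of openssl x509 -in certificate.crt -pubkey -noout | openssl pkey -pubin -outform DER | sha256sum. Because fetch_leaf_cert() connects by address and only sends the name as SNI, the live probe works from a machine that has no Handshake resolver, which is exactly what you want when checking that the two server blocks hand out different certificates.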