not really a question … just sharing some experience that others might run into. if you:
- run an apache server (last checked version 2.4.18)
- use mod_h2 for HTTP/2.0
- have multiple vhosts (i.e. <VirtualHost>, not ServerAlias in a single <VirtualHost>)
- want to enable SSL for all of them
then you should be aware that using SAN does not play well with clients:
if your server sometimes produces HTTP 421 errors, you’re probably hitting this problem.
you can use SAN as long as all the domains belong to the same <VirtualHost> instance (i.e. show up in ServerName/ServerAlias). however, each distinct <VirtualHost> block needs a separate certificate.
as an example, i have:
- <VirtualHost> for my main web server with multiple domains (example.org, www.example.org, example.com, etc…)
- <VirtualHost> for my git repos (git.example.org, git.example.com, etc…)
- <VirtualHost> for my bugzilla instance (bugs.example.org, bugs.example.com, etc…)
which means i (currently) need 3 certificates so that clients do not confuse the server. once apache is fixed though, i should be able to get a single cert and have each vhost use it.
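A check for the situation described in this post, added here as an example and not code from the poster. The mechanism behind the 421s is HTTP/2 connection coalescing (RFC 7540, section 9.1.1): a client that already has a TLS connection to an IP may reuse it for any other hostname the presented certificate is valid for, and the server answers 421 Misdirected Request (section 9.1.2) when that hostname belongs to a different vhost than the one selected by SNI. So the risky configuration is a certificate whose SANs span more than one <VirtualHost> block. The script parses a constructed httpd config that mirrors the three-vhost layout above and compares each vhost's certificate SANs against the names of the other vhosts; the SAN lists are constructed too (in practice obtain them with `openssl x509 -in <file> -noout -ext subjectAltName`), and the directive parsing is deliberately minimal (no Include, no Macro).

```python
"""Find <VirtualHost> blocks whose certificate also covers names served by
other vhosts, i.e. where an HTTP/2 client may coalesce connections and be
answered with 421 Misdirected Request. Added example; config and SAN data
below are constructed, not taken from the original post."""
import re

# Constructed sample config: three vhosts on the same listener, each with its own cert.
SAMPLE_CONFIG = """
<VirtualHost *:443>
    ServerName example.org
    ServerAlias www.example.org example.com www.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/main.pem
    Protocols h2 http/1.1
</VirtualHost>
<VirtualHost *:443>
    ServerName git.example.org
    ServerAlias git.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/git.pem
    Protocols h2 http/1.1
</VirtualHost>
<VirtualHost *:443>
    ServerName bugs.example.org
    ServerAlias bugs.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/bugs.pem
    Protocols h2 http/1.1
</VirtualHost>
"""

# Constructed SAN lists per certificate file (assumption: main.pem is a single
# SAN cert that was also issued for the git and bugs names; the other two are
# scoped to their own vhost).
SAMPLE_SANS = {
    "/etc/ssl/certs/main.pem": [
        "example.org", "www.example.org", "example.com", "www.example.com",
        "git.example.org", "git.example.com", "bugs.example.org", "bugs.example.com",
    ],
    "/etc/ssl/certs/git.pem": ["git.example.org", "git.example.com"],
    "/etc/ssl/certs/bugs.pem": ["bugs.example.org", "bugs.example.com"],
}

VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(config):
    """Return one dict per <VirtualHost> block: ServerName, all names it
    answers for (ServerName + ServerAlias, lower-cased) and its cert file."""
    vhosts = []
    for body in VHOST_RE.findall(config):
        servername, names, cert = None, set(), None
        for line in body.splitlines():
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            directive, args = parts[0].lower(), parts[1:]
            if directive == "servername" and args:
                servername = args[0].lower()
                names.add(servername)
            elif directive == "serveralias":
                names.update(a.lower() for a in args)
            elif directive == "sslcertificatefile" and args:
                cert = args[0]
        vhosts.append({"servername": servername, "names": names, "cert": cert})
    return vhosts


def san_matches(san, hostname):
    """Hostname match as clients do it: exact, or a single leftmost wildcard
    label (*.example.org covers git.example.org but not example.org)."""
    san, hostname = san.lower(), hostname.lower()
    if san.startswith("*."):
        return hostname.count(".") == san.count(".") and hostname.endswith(san[1:])
    return san == hostname


def coalescing_risks(config, sans_by_cert):
    """Map each vhost's ServerName to the names of *other* vhosts that its
    certificate is valid for. A client holding an h2 connection to that vhost
    may reuse it for those names, and the server will answer 421."""
    vhosts = parse_vhosts(config)
    risks = {}
    for vh in vhosts:
        sans = sans_by_cert.get(vh["cert"], [])
        covered = set()
        for other in vhosts:
            if other is vh:
                continue
            covered.update(n for n in other["names"] if any(san_matches(s, n) for s in sans))
        if covered:
            risks[vh["servername"]] = sorted(covered)
    return risks


if __name__ == "__main__":
    for host, names in coalescing_risks(SAMPLE_CONFIG, SAMPLE_SANS).items():
        print(f"{host}: cert also covers other vhosts' names {names} -> 421 risk under h2")
```

On the sample data only the main vhost is flagged, because its certificate is the one whose SANs reach into the git and bugs vhosts; with three per-vhost certificates the result is empty, which is the arrangement the post ends up with.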