Yandex Kassa and no support for SNI


#1

Hey,

I use an SSL cert on my server and it’s working well. Now I have installed an internet store within the domain with an LE SSL certificate. Unfortunately one of the payment modules (the main one) couldn’t work with SNI SSL.

Is it possible to set up a standalone https server (apache2) with this LE certificate for this particular domain only, without SNI support? Do you know of any existing tutorial for that?

thx in adv!
Klif

(from Yandex support, in Russian):

HTTPS access via Cloudflare or Let’s Encrypt works using SNI technology. At the moment our payment system does not support this mode (support is expected around the third quarter of 2017). If your site works via Cloudflare or Let’s Encrypt, you need to contact Cloudflare or Let’s Encrypt technical support with a request to switch to HTTPS without SNI mode.


#2

Well, using SNI or not isn’t actually a certificate problem.

To do SNI or not to do SNI is a “virtual hosting” problem. I.e., serve multiple websites on the same host (server). To achieve that, there are a few options:

  • Use one IP address per virtual host;
  • Use only insecure HTTP and use the “Host” HTTP header to differentiate between virtual hosts;
  • Use only one certificate containing all the hostnames used on the host (this should technically work, not sure if webservers actually support it though);
  • Use SNI.

A standalone webserver separate from the other webserver(s) on the same host wouldn’t be a solution: every non-secure website uses port 80 and every secure website uses port 443. Sharing one port with multiple processes (webservers) isn’t possible.

The easiest solution would be the first one: use a separate, single IP address for that hostname. But it depends on whether that is possible. Most service providers only provide one IPv4 address. For IPv6 it’s easier: most of the time you’ll get a whole range of IP addresses. But to use IPv6 it must be supported by your service provider and of course at the side of the payment provider.

Using the 3rd option would require some testing.

Another option I just thought of: Apache uses the first <VirtualHost> as the “default” virtual host. So if you only have one site which has to work without SNI, you might want to try and use that <VirtualHost> as the default one. You would have to load the configuration file for that <VirtualHost> before any other <VirtualHost> is loaded.
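An added example of the “default virtual host” approach described above (this is constructed for illustration, not configuration from the thread or from Yandex), assuming a Debian-style Apache layout where `sites-enabled/*.conf` is included in alphabetical order, certbot’s default certificate paths, and the placeholder hostnames shop.example.com and www.example.com:

```apache
# Constructed example: /etc/apache2/sites-enabled/000-shop.conf
#
# Apache hands the FIRST <VirtualHost> for a given address:port to any
# client that sends no SNI extension, so this file must be loaded before
# every other *:443 vhost. With Debian's "IncludeOptional
# sites-enabled/*.conf" the files load alphabetically; the 000- prefix
# puts this one first. (Apache does not allow comments on the same line
# as a directive, hence the comment-only lines.)
<VirtualHost *:443>
    # placeholder hostname of the site the non-SNI payment callback talks to
    ServerName shop.example.com
    DocumentRoot /var/www/shop

    SSLEngine on
    # certbot's default paths; the directory under live/ is named after the
    # certificate's first hostname
    SSLCertificateFile    /etc/letsencrypt/live/shop.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/shop.example.com/privkey.pem

    # Must stay "off" (the default) on the default vhost: with "on", Apache
    # answers SNI-less clients with a 403 instead of serving this vhost.
    SSLStrictSNIVHostCheck off
</VirtualHost>

# Constructed example: /etc/apache2/sites-enabled/010-www.conf
# Loads after 000-shop.conf, so it is reachable only by clients that send
# SNI for www.example.com; SNI-less clients never land here.
<VirtualHost *:443>
    # placeholder hostname for the other site on the same IP
    ServerName www.example.com
    DocumentRoot /var/www/www

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/www.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
</VirtualHost>
```

To confirm which certificate an SNI-less client receives, connect with `openssl s_client -noservername -connect shop.example.com:443` (OpenSSL 1.1.1 or later, which otherwise sends SNI by default) and check that the returned certificate is the shop one, then repeat with `-servername www.example.com` to see the second vhost’s certificate.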


#3

OK, thank you very much!
Klif

