SSL Certificates in a LAMP/Plesk Environment

For anyone out there who is trying to set up shared certificates in a LAMP/Plesk environment, let me start by saying you should stop now. You should also rejoice in your decision to go with this type of server. Of course, it is definitely possible for you to force this type of SSL setup to work. It is also a very bad idea, and one that has a much better alternative.

Caution: this applies to LAMP environments only. Shared SSL certificates are super-easy in Windows. Not worth the trade-off in my humble opinion.

Utilizing Plesk on a Linux/Unix web server creates a very unique intersection of great security and ease of administration. I have spent the past several years building websites under various hosting conditions, and I am now very impressed with this hosting environment. After all of this time (and after a lot of manual server configuration around the board), I have found that a Plesk/LAMP setup makes the most business sense for me and my clients. I have read many blogs from people who disagree with me on this point, and I believe them to be misinformed about the purpose of a LAMP/Plesk environment.

If you buy a sedan, you shouldn’t get mad at it for not acting like a pickup truck.

The main trade-off with using Plesk is that you lose some of your flexibility to alter the structure and functionality of the file system on your LAMP server. Of course, you can go in and make changes… but it becomes a bad idea very quickly. The rigidity with which Plesk handles client directories is very much on purpose, and it solves a lot of the architectural problems that arise within a shared hosting environment (namely security). Using safe-mode in PHP can only take you so far. Plesk gets you the rest of the way.

So what about SSL Certificates?
I’m getting there.

I hope that the following information proves useful to those people who would like to set up a shared SSL certificate under a LAMP/Plesk environment. In general, I have seen many a developer go through the following decision process (much like I did):

  • I want to offer my clients (or myself) secured connections via one SSL certificate so that I don’t have to pay for more than one, thereby saving my clients (or myself) the cost of $40 for a certificate.
     
  • I can accomplish this setup in a LAMP environment by using a combination of symlinks and directory aliases. That way, my clients can access their site via https://basedomain.com/clientdomain/

What a great idea!
And it is a great idea – until you go to implement it.

As you begin to apply your symlinks and add directory alias commands and various other permission modifications to the vhost.conf files in your client directories, you begin to realize that things just don’t quite work the way you expected them to. After spending about 20 to 30 hours on Google and manual server configurations you might actually get it to work. I could even show you in a few quick lines how to accomplish this setup. However, I’m going to argue for a different path:

Just buy the darn certificates.

From a real-world business perspective, it is a MUCH better idea to just spend the $30 on a unique SSL certificate for each of your clients, rather than wasting 40 hours on configurations that will reduce the security level of your server for your clients. Consider the following pros and cons to forcing a shared SSL environment on a LAMP/Plesk environment.

Pros

  • Save your clients $30
    on their $3000 website.

Cons

  • You will spend 40 hours of your time on education and manual server configuration. 40 hours times $$/hour = $$$$$.
    Compare that to $30. Hmmmm.
     
  • Your server security will never be the same, and you’ll always be battling configuration of file permissions, file owners, and owner groups in your LAMP/Plesk environment. You will never enjoy the beautiful automation that Plesk can give you.
     
  • Your clients have to memorize a different path if they want direct access to their secured site.

In the business world, $30 is nothing compared to the value of your time. I understand the desire to overcome Mt. Everest in this life, but there are better mountains to climb than this one.

If you are still hoping to persevere just for the challenge of it, I’ll give you some tips:

  • Be prepared to abandon all caution for good security.
  • You will definitely be adding some external client <Directory> commands to your vhost.conf files.
  • You will definitely be adding some external client Alias commands to your vhost.conf files.
  • You will definitely be playing around with symlinks.
  • You will definitely be telling Plesk to update its configuration files by typing something similar to the following: /usr/local/psa/admin/bin/websrvmng -a
  • You will definitely be researching into the value of adding various directories using php_admin_value open_basedir in your vhost.conf files. Hint: the colon is a delimiter, not a pointer.
  • You will most certainly want to read up on FollowSymLinks to keep yourself informed.
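
A check a server owner could run on such a setup, as an added example that is not from the original post: it reads a vhost.conf and lists the Alias, <Directory>, open_basedir and FollowSymLinks settings that cross a client's directory boundary. The paths, domain names and the audit_vhost_conf helper are assumptions made for illustration.

```python
import posixpath
import re

# Constructed sample: a base-domain vhost.conf that exposes a second client's
# directory. Paths and domain names are illustrative assumptions.
SAMPLE_VHOST_CONF = """\
Alias /clientdomain /var/www/vhosts/clientdomain.com/httpdocs
<Directory /var/www/vhosts/clientdomain.com/httpdocs>
    Options +FollowSymLinks
    php_admin_value open_basedir "/var/www/vhosts/basedomain.com/httpdocs:/var/www/vhosts/clientdomain.com/httpdocs:/tmp"
</Directory>
"""

def inside(path, root):
    """True if path is root or lies beneath it (lexical; symlinks not resolved)."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root + "/")

def audit_vhost_conf(text, own_root, shared=("/tmp",)):
    """Return (line_no, finding) tuples for settings that cross the vhost boundary."""
    findings = []

    def check(no, kind, path):
        if not any(inside(path, r) for r in (own_root, *shared)):
            findings.append((no, f"{kind} reaches outside vhost: {path}"))

    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.match(r'Alias\s+\S+\s+"?([^"\s]+)', line, re.I):
            check(no, "Alias", m.group(1))
        elif m := re.match(r'<Directory\s+"?([^">\s]+)', line, re.I):
            check(no, "<Directory>", m.group(1))
        elif m := re.match(r'php_admin_value\s+open_basedir\s+"?([^"]+)', line, re.I):
            # The colon is a delimiter: each entry is an independent allowed prefix.
            for entry in m.group(1).strip().split(":"):
                check(no, "open_basedir entry", entry)
        elif m := re.match(r'Options\s+(.+)', line, re.I):
            if any(t.lstrip("+").lower() == "followsymlinks" for t in m.group(1).split()):
                findings.append((no, "Options enables FollowSymLinks (no owner check)"))
    return findings

if __name__ == "__main__":
    for no, msg in audit_vhost_conf(SAMPLE_VHOST_CONF, "/var/www/vhosts/basedomain.com"):
        print(f"line {no}: {msg}")
```

The path comparison is lexical, so an in-root path that is itself a symlink on disk still needs a separate look.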
