
Why do I need a wildcard SSL certificate for Apprenda?

To operate properly without restricting certain functionality, the Apprenda Platform requires a wildcard SSL certificate on every server operating as an Apprenda Reverse Proxy.

Apprenda Web Tier Set Up

The Apprenda Web Tier consists of two components: the Reverse Proxy and the Web Server. Every request that comes into the platform is first handled by the Reverse Proxy, which then routes it to the appropriate web server based on a set of rules.

Deployment Models for Web Sites

Apprenda supports two deployment models for the web tier of each guest application: path based or sub domain based.


Path Based

The path based approach means that the application will be reachable at the following URL: apps.XXX/applicationAlias, where XXX is the root URL of your environment and applicationAlias is the unique identifier in Apprenda for that application.

Every Apprenda website is deployed using this approach.

Sub Domain Based

The sub domain based approach means that the application will be reachable at the following URL: applicationAlias.XXX.

Note that developers choose one of these options at deploy time, and the Apprenda Platform deploys the website accordingly.

Requirements for a Wildcard SSL Certificate

Because multiple web sites can reside on the same server, deployments are dynamic, and IIS is limited to one SSL certificate per server per port, Apprenda uses a technique called SSL Offloading. The platform offloads SSL encryption/decryption to the Reverse Proxies, which then route each request to the individual web servers.

Because all SSL traffic is terminated at the Proxy, only one SSL certificate can be attached to the binding responsible for responding to every request. Given this setup, the only SSL certificate that covers both UI deployment models is a wildcard certificate issued for *.XXX.

Customers can choose to apply a certificate made specifically for apps.XXX at the proxy level, but that restricts which deployment model will be served over HTTPS without a certificate error.
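The coverage difference between the two certificates can be checked with standard hostname matching rules. The following is an added example, not Apprenda code: `example.test` stands in for the root URL XXX and `myapp` for an applicationAlias, both constructed placeholders.

```python
"""Check which Apprenda URL models a proxy certificate's names cover.

Constructed example: 'example.test' stands in for the root URL XXX and
'myapp' for an applicationAlias; neither value comes from the article.
"""
from urllib.parse import urlsplit


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' is honoured only as the entire
    left-most label and stands for exactly one label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans a dot
    if p_labels[0] == "*":
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def covered(cert_names, url: str) -> bool:
    """True if any certificate name matches the URL's host."""
    host = urlsplit(url).hostname or ""
    return any(name_matches(name, host) for name in cert_names)


def coverage_report(cert_names, root: str, alias: str) -> dict:
    """Test one URL per deployment model described in the article."""
    urls = {
        "path": f"https://apps.{root}/{alias}",
        "subdomain": f"https://{alias}.{root}/",
    }
    return {model: covered(cert_names, url) for model, url in urls.items()}


ROOT, ALIAS = "example.test", "myapp"  # constructed placeholders
WILDCARD = ["*." + ROOT]               # certificate issued for *.XXX
SINGLE = ["apps." + ROOT]              # certificate issued for apps.XXX

if __name__ == "__main__":
    for label, names in (("wildcard", WILDCARD), ("apps-only", SINGLE)):
        print(label, coverage_report(names, ROOT, ALIAS))
```

The same matching rules mean a wildcard for *.XXX does not match the bare root XXX or names more than one label deep, such as a.myapp.XXX.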

Erik Lustgarten
