I have two sites (home server and linode VPS) and I have some subdomains of one domain on one site and some on the other. I also have two or three other domains on both servers. I currently use Apache VirtualHost on both sites. None of them are currently using https.
Is it possible to start rolling out https one subdomain at a time, or is it all or nothing? Do I need to use a front end like nginx or can I do it all in Apache?
For SSL support in Apache you'll need to configure a VirtualHost on port 443 for each site, so you can do it one sub-domain at a time. See the Apache TLS/SSL How-To.

You can "start rolling one subdomain at a time". But you can't restrict HTTPS port 443 to be open for just some of the virtual domains if you have one IP for all of them.
Name-based virtual hosts serve different websites based on the Host HTTP header. With plain HTTP, when you type "example.com" in your browser, it connects to your IP and adds a Host: example.com header to the request. That way the webserver matches a known virtual host, or just handles the request as the default virtual host if the name is unknown (for example if you directly type an IP in your browser).

Now for the HTTPS part it's a bit different, as the TLS secure connection has to be established before the HTTP headers are sent. So the webserver actually couldn't know which certificate to present, be it example1.com or example2.com (for example). Back in the old times that meant that only one valid HTTPS website per IP was allowed (well, a multi-domain certificate could work, but I don't remember any CA allowing those), i.e. no virtual hosts. But thankfully there is the TLS SNI extension, which works similarly to HTTP, except that instead of HTTP headers the domain name is passed in the TLS session information.

Now considering this, once you enable SSL for one website, example1.com, and generate a certificate for it, if you type https://example2.com it would actually open the example1.com website (because it's the only virtual host for the HTTPS listener), but the browser would also complain that the website presents a certificate for the wrong domain (because your webserver has neither a certificate for example2.com nor a virtual host for it).

To avoid that confusion I'd rather suggest you test and prepare all the certificates and config for your sites first, and then enable them all at once. At least if you host all of them on the same IP. If you have different IPs for them, I assume you understand that you can enable HTTPS for them separately based on the statements above.
website (because it's the only virtual host for the HTTPS listener), but also the browser would complain that website presents certificate for wrong domain (because your webserver don't have both certificate for example2.com and virtual host for it).To avoid that confusion I'd rather suggest you to test & prepare all the certificates and config for your sites first. And then enable them all at once. At least if you host all of them on the same IP. If you have different IPs for them, I assume you understand that you can enable HTTP for the separately based on the statements above.