diff --git a/http/apache/server.tpl.php b/http/apache/server.tpl.php
index 0654ed41a48d0730a6e1be15c151916267e86afe..3b25afdcbe706774c9faa6e7b0092176f23fa614 100644
--- a/http/apache/server.tpl.php
+++ b/http/apache/server.tpl.php
@@ -1,8 +1,8 @@
 # Aegir web server configuration file
 
-NameVirtualHost *:<?php print $http_port; ?>
+NameVirtualHost <?php print $ip_address . ':' . $http_port; ?>
 
-<VirtualHost *:<?php print $http_port; ?>>
+<VirtualHost <?php print $ip_address . ':' . $http_port; ?>>
   ServerName default
   Redirect 404 /
 </VirtualHost>
diff --git a/http/http.drush.inc b/http/http.drush.inc
index 23d37764d560b839e4200a8272ee294264f9a3a2..3675ba4b9f4c319b633a75e8cda52aca4ed06c7d 100644
--- a/http/http.drush.inc
+++ b/http/http.drush.inc
@@ -35,8 +35,15 @@ class provisionService_http_public extends provisionService_http {
     // We assign this generic catch all for standard http.
     // The SSL based services will override this with the
     // correct ip address.
-    $data['ip_address'] = '*';
-
+    if (sizeof($this->server->ip_addresses)) {
+      // Use the first IP address for all standard virtual hosts.
+      $data['ip_address'] = $this->server->ip_addresses[0];
+    }
+    else {
+      // If no external ip addresses are defined, we fall back on *:port
+      // There will be no SSL , so that's fine.
+      $data['ip_address'] = '*';
+    }
 
     // TODO: move away from drush_get_context entirely.
     if ($config == 'site') {
diff --git a/http/http.ssl.inc b/http/http.ssl.inc
index 2637f4d683cec275f042f911fa15ed23fdbb3c90..90b088c1def7064e0720be0a2e3af73e0c81a642 100644
--- a/http/http.ssl.inc
+++ b/http/http.ssl.inc
@@ -170,7 +170,7 @@ class provisionService_http_ssl extends provisionService_http_public {
 
     // try to assign one
     foreach ($server->ip_addresses as $ip) {
-      if (!provisionService_http_ssl::get_ip_certificate($ip)) {
+      if (!provisionService_http_ssl::get_ip_certificate($ip, $server)) {
         touch("{$path}/{$ssl_key}__{$ip}.receipt");
         return $ip;
       }
@@ -317,10 +317,7 @@ class provisionConfig_http_ssl_site extends provisionConfig_http_site {
     $ip_addresses = drush_get_option('site_ip_addresses', array(), 'site');
 
     if ($this->ssl_enabled && $this->ssl_key) {
-      $path = dirname($this->data['ssl_cert']);
-
-      $this->clear_certs();
-
+      $this->clear_certs($this->ssl_key);
     }
     elseif ($ip = $ip_addresses[$this->data['server']->name]) {
       if ($ssl_key = provisionService_http_ssl::get_ip_certificate($ip, $this->data['server'])) {