SSL Setup Question


bschultz
27th May 2007, 19:19
Hi,

I've purchased an SSL Cert from Godaddy, created the key and csr files, and downloaded my cert. All that is fine. Now, I don't know what to do next. What needs to be done in the ISPC admin panel to setup the new cert on an existing site? Where does the cert need to be placed on the server?

Thanks.

Brian

till
28th May 2007, 15:09
Copy and paste the certificate into the certificate field in ISPConfig for this website, select "save" as action and then click on the save button.

falko
28th May 2007, 17:54
Also take a look here: http://www.howtoforge.com/faq/14_49_en.html

bschultz
28th May 2007, 22:31
Thanks for the help, guys. The site shows a generic error page in IE. In Firefox, I get an error code 12263 SSL_ERROR_RX_RECORD_TOO_LONG message.

Any ideas?

falko
29th May 2007, 15:32
Any errors in the Apache logs?

bschultz
29th May 2007, 16:27
The only thing in the (Apache2) error log was this...

[Mon May 28 14:47:08 2007] [notice] Apache/2.2.3 (Debian) PHP/5.2.0-8+etch4 mod_ssl/2.2.3 OpenSSL/0.9.8c configured -- resuming normal operations

And that wasn't even when I tried to access the site in question. There are several of those same messages in the error log.

There were no errors in the /var/log/httpd/ logs.

One other thing...should the Vhosts file for this domain have any SSL comments in it...or does that go someplace else? This is the Vhosts section of this domain:


######################################
# Vhost: www.mydomain.com:80
######################################
#
#
<VirtualHost 192.168.1.4:80>
<Directory "/var/www/web4/web">
Options FollowSymLinks
AllowOverride All
</Directory>
ServerName www.mydomain.com:80
ServerAdmin webmaster@mydomain.com
DocumentRoot /var/www/web4/web
ServerAlias mydomain.com
DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3 index.shtml index.cgi index.pl index.jsp Default.htm default.htm
ErrorLog /var/www/web4/log/error.log
AddType application/x-httpd-php .php .php3 .php4 .php5
php_admin_flag safe_mode Off
Alias /error/ "/var/www/web4/web/error/"
ErrorDocument 400 /error/invalidSyntax.html
ErrorDocument 401 /error/authorizationRequired.html
ErrorDocument 403 /error/forbidden.html
ErrorDocument 404 /error/fileNotFound.html
ErrorDocument 405 /error/methodNotAllowed.html
ErrorDocument 500 /error/internalServerError.html
ErrorDocument 503 /error/overloaded.html
AliasMatch ^/~([^/]+)(/(.*))? /var/www/web4/user/$1/web/$3
AliasMatch ^/users/([^/]+)(/(.*))? /var/www/web4/user/$1/web/$3
</VirtualHost>
#
#
#

bschultz
29th May 2007, 18:24
I did some further testing (and Googling) and I manually added a separate Vhosts entry for the site at port 443


######################################
# Vhost: domain.com:443
######################################
#
#
<VirtualHost 192.168.1.4:443>
<Directory "/var/www/web4/web/ssl">
Options FollowSymLinks
AllowOverride All
</Directory>
SSLEngine on
SSLCertificateFile /certificates/domain.com.crt
SSLCertificateKeyFile /certificates/domain.com.key
ServerName domain.com:443
ServerAdmin webmaster@domain.com
DocumentRoot /var/www/web4/web/ssl
ServerAlias https://domain.com
DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3 index.shtml index.cgi index.pl index.jsp Default.htm default.htm
ErrorLog /var/www/web4/log/error.log
AddType application/x-httpd-php .php .php3 .php4 .php5
php_admin_flag safe_mode Off
Alias /error/ "/var/www/web4/web/error/"
ErrorDocument 400 /error/invalidSyntax.html
ErrorDocument 401 /error/authorizationRequired.html
ErrorDocument 403 /error/forbidden.html
ErrorDocument 404 /error/fileNotFound.html
ErrorDocument 405 /error/methodNotAllowed.html
ErrorDocument 500 /error/internalServerError.html
ErrorDocument 503 /error/overloaded.html
AliasMatch ^/~([^/]+)(/(.*))? /var/www/web4/user/$1/web/$3
AliasMatch ^/users/([^/]+)(/(.*))? /var/www/web4/user/$1/web/$3
</VirtualHost>
#
#
#


I restarted Apache, entered the pass phrase and Apache restarted without errors. I then logged on to the https site, and got to the https directory...but I encountered a certificate error.


Unable to verify the identity of domain.com as a trusted site. Possible reasons for this error:
-your browser does not recognize the CA that issued the cert...
-the site's cert is incomplete due to a server misconfiguration
-you are connected to a site pretending to be domain.com...


This error shows up in Firefox and Safari on a Mac...but not in IE. So, I have three questions:

1-Why the error in Firefox (PC) and Safari (Mac) and not IE (PC)?
2-Will the Vhosts config "stay" after an ISPConfig upgrade?
3-Is there any way to not have to enter the pass phrase on reboot of Apache?

Thanks for all the help!

Brian

falko
30th May 2007, 17:45
One other thing...should the Vhosts file for this domain have any SSL comments in it...or does that go someplace else? This is the Vhosts section of this domain:
When you enable SSL on the Basis tab of the web site in ISPConfig, there should be a second vhost that contains the SSL settings. If you don't see that second vhost: can you post the ls -l output of the directory where Vhosts_ispconfig.conf is in?
What's the output of ls -la /root/ispconfig?

bschultz
30th May 2007, 17:52
Thanks Falko...here they are:


mail:~# ls -l /etc/apache2/vhosts
total 48
-rw-r--r-- 1 root root 6291 2007-05-29 09:10 Vhosts_ispconfig.conf
-rw-r--r-- 1 root root 4989 2007-05-29 06:28 Vhosts_ispconfig.conf~
-rw-r--r-- 1 root root 5215 2007-05-27 15:50 Vhosts_ispconfig.conf_27-05-07_15-50-35
-rw-r--r-- 1 root root 5213 2007-05-27 15:53 Vhosts_ispconfig.conf_27-05-07_15-53-38
-rw-r--r-- 1 root root 5213 2007-05-27 15:57 Vhosts_ispconfig.conf_27-05-07_15-57-27
-rw-r--r-- 1 root root 5213 2007-05-27 15:57 Vhosts_ispconfig.conf_27-05-07_15-57-50
mail:~#




mail:~# ls -la /root/ispconfig
total 100
drwxr-xr-x 9 root root 4096 2007-05-29 06:28 .
drwxr-xr-x 6 root root 4096 2007-05-21 15:47 ..
-rwxr-xr-x 1 root root 34862 2007-05-21 15:47 cronolog
-rwxr-xr-x 1 root root 9673 2007-05-21 15:47 cronosplit
drwxr-xr-x 12 root root 4096 2007-05-21 15:31 httpd
drwxr-xr-x 14 root root 4096 2007-05-21 15:47 isp
-rw-r--r-- 1 root root 8 2007-05-29 06:28 .old_path_httpd_root
drwxr-xr-x 6 root root 4096 2007-05-21 15:30 openssl
drwxr-xr-x 6 root root 4096 2007-05-21 15:47 php
drwxr-xr-x 4 root root 4096 2007-05-21 15:47 scripts
drwxr-xr-x 4 root root 4096 2007-05-21 15:47 standard_cgis
drwxr-xr-x 2 root root 4096 2007-05-21 15:47 sv
-rwx------ 1 root root 9389 2007-05-21 15:47 uninstall
mail:~#

falko
31st May 2007, 15:13
Ok, can you rename one of those Vhosts_ispconfig.conf files that have a date at the end to Vhosts_ispconfig.conf and run httpd -t? What's the output?

bschultz
31st May 2007, 16:24
Thanks again for the help on this. No matter which config file I renamed, I get the following error:


Syntax error on line 125 of /etc/apache2/vhosts/Vhosts_ispconfig.conf:
<VirtualHost> cannot occur within <VirtualHost> section


Here's the content of the file (for the domain in question):


<VirtualHost 192.168.1.4:80>
<Directory "/var/www/web4/web">
Options FollowSymLinks
AllowOverride All
</Directory>
<VirtualHost 192.168.1.4:443>
ServerName http://domain.com
SSLEngine on
SSLCertificateFile \
/certificates/domain.com.crt
SSLCertificateKeyFile \
/certificates/domain.com.key
</VirtualHost>
ServerName www.domain.com:80
ServerAdmin webmaster@domain.com
DocumentRoot /var/www/web4/web
ServerAlias domain.com
DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3 index.shtml index.cgi index.pl index.jsp Default.htm default.htm
ErrorLog /var/www/web4/log/error.log
AddType application/x-httpd-php .php .php3 .php4 .php5
php_admin_flag safe_mode Off
Alias /error/ "/var/www/web4/web/error/"
ErrorDocument 400 /error/invalidSyntax.html
ErrorDocument 401 /error/authorizationRequired.html
ErrorDocument 403 /error/forbidden.html
ErrorDocument 404 /error/fileNotFound.html
ErrorDocument 405 /error/methodNotAllowed.html
ErrorDocument 500 /error/internalServerError.html
ErrorDocument 503 /error/overloaded.html
AliasMatch ^/~([^/]+)(/(.*))? /var/www/web4/user/$1/web/$3
AliasMatch ^/users/([^/]+)(/(.*))? /var/www/web4/user/$1/web/$3
</VirtualHost>

bschultz
31st May 2007, 17:33
I deleted the website in the ISP CP, and then tried to re-create the site...then I looked in the vhosts.ispconf file, and there still isn't an SSL section for this site.

daveb
1st June 2007, 05:40
This error shows up in Firefox and Safari on a Mac...but not in IE.
I had this issue also. To resolve this I had to download gd_intermediate_bundle.cer from Godaddy.com/Repository (https://certificates.godaddy.com/Repository.go)
then upload it to my site's ssl folder. Then, from the ispconfig control panel for that site, in Apache Directives I had to add the line "SSLCACertificateFile /var/www/web?/ssl/gd_intermediate_bundle.cer" and Save.
After that I no longer had any problems with errors in Firefox.

bschultz
1st June 2007, 06:37
Thanks, Dave. I was wondering what I was supposed to do with that file. It said to download it...just not what to do with it. Now, I just need to figure out why ISPConfig isn't adding the SSL site in the vhosts file.

Thanks again Dave and Falko!

till
1st June 2007, 10:42
Thanks, Dave. I was wondering what I was supposed to do with that file. it said to download it...just not what to do with it. Now, I just need to figure out why ISPConfig isn't adding the SSL site in the vhosts file.

Thanks again Dave and Falko!

Please do what falko posted in #10 in this thread. ISPConfig is not writing your config file because it contains errors that would prevent the startup of Apache, so the new config file is written with a date appended to the filename. To find the error, you must rename it to Vhosts_ispconfig.conf and run the command: httpd -t

bschultz
1st June 2007, 14:52
I did...post #11.

falko
1st June 2007, 19:36
You have a virtual host within a virtual host:

<VirtualHost 192.168.1.4:443>
ServerName http://domain.com
SSLEngine on
SSLCertificateFile \
/certificates/domain.com.crt
SSLCertificateKeyFile \
/certificates/domain.com.key
</VirtualHost>

Did you put it there? Something like this isn't written by ISPConfig.
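Added example, not from the thread or from ISPConfig: a small Python linter that reads a Vhosts_ispconfig.conf-style file and reports the three misconfigurations this thread runs into before anyone restarts Apache: a VirtualHost nested inside another (the httpd -t error in post #11), a port-443 vhost without "SSLEngine on" (what Firefox shows as SSL_ERROR_RX_RECORD_TOO_LONG, the first symptom in the thread), and an SSL vhost that carries no intermediate chain directive (the Firefox/Safari trust error Dave fixed with SSLCACertificateFile). The directives it looks for are real Apache ones; the linter, its function names and the sample configs (modelled on the postings, with placeholder paths) are my own construction.

```python
"""Static checks for an Apache vhost file of the kind ISPConfig writes.
Added example, not from the thread or ISPConfig; it reads config text only."""
import re

OPEN_RE = re.compile(r'^\s*<VirtualHost\s+([^>]+)>', re.IGNORECASE)
CLOSE_RE = re.compile(r'^\s*</VirtualHost\s*>', re.IGNORECASE)
DIRECTIVE_RE = re.compile(r'^\s*(\S+)\s+(.*?)\s*$')


def _join_continuations(numbered):
    """Fold a line ending in a backslash into the next one, as Apache does;
    the joined line keeps the number of the line where it started."""
    out, buf, start = [], '', None
    for lineno, line in numbered:
        if line.rstrip().endswith('\\'):
            start = lineno if start is None else start
            buf += line.rstrip()[:-1] + ' '
            continue
        out.append((lineno if start is None else start, buf + line))
        buf, start = '', None
    if buf:
        out.append((start, buf))
    return out


def _check_block(start, addr, d):
    """Checks for one closed <VirtualHost>; d maps lowercased directive -> value."""
    out = []
    ssl_on = d.get('sslengine', '').lower() == 'on'
    if addr.endswith(':443') and not ssl_on:
        out.append((start, f'{addr}: no "SSLEngine on", so TLS clients are answered '
                           'with plain HTTP (Firefox: SSL_ERROR_RX_RECORD_TOO_LONG)'))
    if ssl_on:
        for key in ('sslcertificatefile', 'sslcertificatekeyfile'):
            if key not in d:
                out.append((start, f'{addr}: SSLEngine on but {key} is missing'))
        # Without the intermediate chain, browsers that do not fetch intermediates
        # themselves (Firefox in this thread) report an unknown issuer.
        # SSLCACertificateFile counts because mod_ssl 2.2 also sends it as the chain.
        if not any(k in d for k in ('sslcertificatechainfile', 'sslcacertificatefile')):
            out.append((start, f'{addr}: no chain directive (SSLCertificateChainFile '
                               'or SSLCACertificateFile); intermediate CA may not be sent'))
    return out


def lint_vhosts(config_text):
    """Walk the file once, tracking open <VirtualHost> blocks on a stack.
    Returns a list of (line number, message)."""
    findings, stack = [], []   # stack entries: (start line, address, directives)
    for lineno, line in _join_continuations(list(enumerate(config_text.splitlines(), 1))):
        text = line.strip()
        if not text or text.startswith('#'):
            continue
        m = OPEN_RE.match(line)
        if m:
            if stack:   # exactly what httpd -t complained about in post #11
                findings.append((lineno, 'nested <VirtualHost>: "<VirtualHost> cannot '
                                         'occur within <VirtualHost> section"'))
            stack.append((lineno, m.group(1).strip(), {}))
        elif CLOSE_RE.match(line) and stack:
            findings.extend(_check_block(*stack.pop()))
        elif stack:
            dm = DIRECTIVE_RE.match(line)
            if dm:
                stack[-1][2][dm.group(1).lower()] = dm.group(2)
    for start, addr, _ in stack:
        findings.append((start, f'{addr}: <VirtualHost> never closed'))
    return findings


# Constructed samples modelled on the thread's postings; paths are placeholders.
SAMPLE_NESTED = """\
<VirtualHost 192.168.1.4:80>
DocumentRoot /var/www/web4/web
<VirtualHost 192.168.1.4:443>
ServerName http://domain.com
SSLEngine on
SSLCertificateFile \\
/certificates/domain.com.crt
SSLCertificateKeyFile \\
/certificates/domain.com.key
</VirtualHost>
ServerName www.domain.com:80
</VirtualHost>
"""
SAMPLE_NO_SSLENGINE = """\
<VirtualHost 192.168.1.4:443>
ServerName domain.com:443
</VirtualHost>
"""
SAMPLE_FIXED = """\
<VirtualHost 192.168.1.4:443>
ServerName domain.com:443
SSLEngine on
SSLCertificateFile /var/www/web4/ssl/domain.com.crt
SSLCertificateKeyFile /var/www/web4/ssl/domain.com.key
SSLCertificateChainFile /var/www/web4/ssl/gd_intermediate_bundle.crt
</VirtualHost>
"""
```

Running lint_vhosts(open('/etc/apache2/vhosts/Vhosts_ispconfig.conf').read()) on the real file gives the same kind of report; the nested sample yields two findings on line 3 (the nested block, and the missing chain), the second sample one finding about port 443 without SSLEngine, and the fixed sample none. On Apache 2.4.8 and later the chain may also live inside the SSLCertificateFile itself, which this text-only check cannot see, so treat the chain finding as something to verify rather than a definite error.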

bschultz
2nd June 2007, 17:55
That was put in by me. Upon installing the certificate based on your directions on the first page of this thread, I looked in the vhosts file and didn't see any SSL section. So I tried to add it in the Apache Directives for this domain. I didn't realize that it would add the virtual host inside the other virtual host...so obviously it didn't like the syntax...and named the file by the date. Then in post #10 you wanted me to rename one of those files and remove the date. That's where we are now. The problem is that ISPConfig isn't adding the separate vhost for the ssl port...just the regular stuff on port 80. Thanks again for all the help on this!!!

daveb
2nd June 2007, 20:00
bschultz, just speaking from my own experience here, not sure if it would help, but have you created an SSL cert from the ispconfig control panel for that web? I had this issue when I had an SSL cert already and just checked off SSL in the control panel and thought groovy, but nothing ever was written to the vhost file. Wasn't till I created a CSR or self-signed SSL cert via the control panel that it added the appropriate lines within the vhost file.

bschultz
2nd June 2007, 23:49
Dave,

That worked to get the Apache vhost info correct....but I'm still getting a cert error....even after your suggestion of


SSLCACertificateFile /var/www/web6/ssl/gd_intermediate_bundle.crt


in the Apache directive field.

bschultz
3rd June 2007, 00:52
OK...I changed (manually) the directories for all of the SSL certs in the vhosts file to the originals sent to me from GoDaddy. Now, I don't get any errors in the certs...but I did have to enter a pass phrase to restart Apache.

Since this is the only site that will use SSL, I don't mind if I have to re-change the info on an ISPConfig update...so I don't care if I leave things the way they are now (with the location of the cert files in the VHosts file).

BUT, is there a way to un-encrypt the private key so that I don't have to enter the pass phrase each time I need a reboot?

Again, I can't thank everyone enough for the help on this!!!

daveb
3rd June 2007, 00:55
Hmm, not sure then... I know that worked for me.

daveb
3rd June 2007, 01:01
Yes, you can decrypt the pass phrase.
Remove the encryption from the RSA private key (while keeping a backup copy of the original file):
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
You might want to check the permissions afterwards and set them accordingly.
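Added example, not Dave's or the thread's: once openssl rsa has written the unencrypted key, nothing but file permissions protects it, so this Python check reports whether a key file still carries the PEM encryption header (Apache would prompt for the pass phrase again) and whether group or world can read it. The function names are mine, and the three sample files it writes to a temp directory contain constructed placeholder PEM bodies, not real keys.

```python
"""Checks on a server key file after its passphrase has been removed.
Added example, not from the thread; sample files are constructed placeholders."""
import os
import stat
import tempfile

# Traditional PEM (openssl rsa) and PKCS#8 both mark an encrypted key in the header.
ENCRYPTED_MARKERS = (b'Proc-Type: 4,ENCRYPTED', b'BEGIN ENCRYPTED PRIVATE KEY')


def key_file_status(path):
    """Report whether a PEM key is still passphrase-protected and who can read it."""
    st = os.stat(path)
    with open(path, 'rb') as fh:
        head = fh.read(4096)          # the PEM headers sit at the top of the file
    mode = stat.S_IMODE(st.st_mode)
    return {
        'encrypted': any(marker in head for marker in ENCRYPTED_MARKERS),
        'mode': mode,
        'readable_by_others': bool(mode & 0o077),   # any group or world bit set
        'owner_uid': st.st_uid,
    }


def key_problems(path):
    """Human-readable findings for one key file; empty list means it looks fine."""
    s = key_file_status(path)
    out = []
    if s['encrypted']:
        out.append(f'{path}: still encrypted, Apache will prompt for the passphrase at every start')
    elif s['readable_by_others']:
        out.append(f'{path}: plaintext key with mode {s["mode"]:04o}; chmod 600 it')
    return out


# Constructed placeholder PEM bodies (base64 of a text string, not key material).
FAKE_ENCRYPTED = b"""-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIsIG5vdCBhIGtleQ==
-----END RSA PRIVATE KEY-----
"""
FAKE_PLAIN = b"""-----BEGIN RSA PRIVATE KEY-----
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIsIG5vdCBhIGtleQ==
-----END RSA PRIVATE KEY-----
"""


def make_samples():
    """Write the three states from the thread into a temp dir and return their paths:
    the encrypted backup, the freshly decrypted key as a 022 umask may leave it, and
    the same key after chmod 600."""
    d = tempfile.mkdtemp(prefix='keycheck-')
    paths = {}
    for name, body, mode in (('server.key.org', FAKE_ENCRYPTED, 0o600),
                             ('server.key', FAKE_PLAIN, 0o644),
                             ('server.key.fixed', FAKE_PLAIN, 0o600)):
        p = os.path.join(d, name)
        with open(p, 'wb') as fh:
            fh.write(body)
        os.chmod(p, mode)
        paths[name] = p
    return paths


if __name__ == '__main__':
    for name, path in make_samples().items():
        print(name, key_problems(path) or 'ok')
```

Point it at the real file (key_problems('/certificates/domain.com.key') in Brian's layout) after the openssl rsa step; the backup server.key.org should stay encrypted, and the new server.key should come back clean only once it is mode 600 and owned by the user that starts Apache.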

bschultz
3rd June 2007, 01:40
That worked, Dave! Thank you, and Till and Falko!

Consider this thread solved!