Problem installing SSL for WebSite


jtheed
8th August 2007, 02:59
I needed to get an actual SSL cert for one of the 3 websites I am running under ISPCONFIG. I put in the information and chose create certificate and saved. Then I copied the SSL request and put it into my application for a key. Got the key and pasted it into the SSL Certificate box in ISPCONFIG for the website I need the key for, saved it and restarted ispconfig_server. All restarted, but I cannot get to the website. I am using Fedora Core 7 set up using the how-to for FC7 and asked for a mod_ssl type key. Does everything have to be the same as far as company information that was entered during the how-to for openssl, even the department? I set up ISPCONFIG using my company name etc., but the department I used was web. I am using www for the website. Just so I am clear, ISPCONFIG is set up as web.mydomainname.com and my website is www.mydomainname.com. Also, does the number of days play a factor, as I plan to buy a 3 year cert?

httpd does not start and the error I am getting in the error log of the website is:
Unable to configure RSA server private key
SSL Library error: 185073780 error:0B080074:x509 certificate routines:x509_check_private_key:key values mismatch

Do I need to regen my keys on the server using the same code as in the how-to for FC7 or just the x509 ones?

Trying to figure it all out but don't want to do anything that is going to cause me to start over...


John
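
The "key values mismatch" error in the post above, with an added check (example code written for this page, not from the thread or from ISPConfig): mod_ssl refuses to start when the public key inside SSLCertificateFile is not the public half of SSLCertificateKeyFile, which is what pasting the wrong object into the certificate box, or regenerating the key after the CSR was sent, produces. The script compares the SubjectPublicKeyInfo of key, certificate and CSR. The file names and the www.example.test subject are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or ISPConfig): check that an Apache
# SSLCertificateFile, SSLCertificateKeyFile and the CSR sent to the CA all carry
# the same public key. mod_ssl's "x509_check_private_key:key values mismatch"
# means exactly this check fails.
set -eu

# SHA-256 fingerprint of the SubjectPublicKeyInfo inside a key, cert or CSR.
# Comparing the SPKI works for RSA and EC alike (the classic "-modulus" trick is RSA-only).
pubkey_fp() {  # $1 = key|cert|csr, $2 = PEM file
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey) ;;
        *)    echo "pubkey_fp: unknown kind '$1'" >&2; return 2 ;;
    esac
    printf '%s\n' "$pem" | openssl dgst -sha256 | sed 's/^.*= //'
}

# Succeeds only when key and certificate (and, if given, CSR) share one public key.
check_pair() {  # $1 = key file, $2 = cert file, [$3 = csr file]
    k=$(pubkey_fp key  "$1")
    c=$(pubkey_fp cert "$2")
    if [ "$k" != "$c" ]; then
        echo "MISMATCH: $2 was not issued for the key in $1 (Apache will refuse to start)" >&2
        return 1
    fi
    if [ $# -ge 3 ]; then
        r=$(pubkey_fp csr "$3")
        if [ "$k" != "$r" ]; then
            echo "MISMATCH: CSR $3 was generated with a different key than $1" >&2
            return 1
        fi
    fi
    echo "OK: $1 and $2 share public key $k"
}

# Constructed demo material in directory $1: key A with its CSR and a self-signed
# cert, plus an unrelated key B (the situation after regenerating the key).
make_demo_material() {
    openssl genrsa -out "$1/a.key" 2048 2>/dev/null
    openssl genrsa -out "$1/b.key" 2048 2>/dev/null
    openssl req -new -key "$1/a.key" -subj "/CN=www.example.test" -out "$1/a.csr" 2>/dev/null
    openssl x509 -req -in "$1/a.csr" -signkey "$1/a.key" -days 3 -out "$1/a.crt" 2>/dev/null
}

# Stand-alone run: the matching pair passes, the swapped key reproduces the error.
tmp=$(mktemp -d)
make_demo_material "$tmp"
check_pair "$tmp/a.key" "$tmp/a.crt" "$tmp/a.csr"
check_pair "$tmp/b.key" "$tmp/a.crt" || true
rm -rf "$tmp"
```

Point `check_pair` at the real key, the .crt the CA returned and the CSR that was pasted into the CA's form. Subject fields (organisation, department) and the validity period play no part in this check; only the key pair does, so a three-year certificate whose DN names a different department loads fine as long as it was issued for the key Apache is given.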

till
8th August 2007, 09:32
Do I need to regen my keys on the server using the same code as in the how-to for FC7 or just the x509 ones?

No.

You must copy the certificate that you received back into the certificate box, not the key of the SSL certificate, and then select save, not create, as the action.

jtheed
8th August 2007, 16:25
No.

You must copy the certificate that you received back into the certificate box, not the key of the SSL certificate, and then select save, not create, as the action.

I may be using the word KEY in the wrong context, because that's what I did. I entered the information at the top of the SSL form in ISPCONFIG and chose create to make the SSL request, then I chose save. After that I copied the request into the CA's form, and when I got the files from the CA, I took the one that ended in .crt and pasted it into SSL Certificate, chose save as the option and then clicked on save. When I restarted ISPCONFIG, httpd failed to restart with the error.

I also received a file called my_domain_name.ca-bundle. Was I supposed to do anything with this?

Thanks

John

jtheed
9th August 2007, 16:08
Could part of my problem be that I am calling the ISP Server web.mydomainname.com and then I have setup a website called www.mydomainname.com?

Can I change the name of the ISP server, or will I have to re-install ISPCONFIG in order to change the name, if it's causing me a problem?

Hoping to get this resolved soon. I am trying to go live with this by this weekend.

Thanks

John

falko
9th August 2007, 16:12
Could part of my problem be that I am calling the ISP Server web.mydomainname.com and then I have setup a website called www.mydomainname.com?

No, that's no problem.

Did you take a look at this guide? http://www.howtoforge.com/faq/14_49_en.html

jtheed
9th August 2007, 16:36
I think I have it worked out.

While viewing the cert created by ISPCONFIG for the ISP server, I realized that when I installed ISPCONFIG, I always used MY email address and set up the organization as web. So, this time, I logged in as admin, deleted the existing cert that was created by ISPCONFIG, logged out, logged back in as myself, created a request using web as the organization and submitted it. Now there are no errors bringing ISPCONFIG and httpd back up, and the cert shows my CA's name.

I am running this at home this week while I am off (some vacation), so it still shows as can't be trusted, but that has to be because it's not sitting at the IP it is supposed to be at, yes?

Thanks for the replies guys and the fantastic work you all do in helping everyone on this site.... it's really appreciated.

John

falko
10th August 2007, 17:45
I am running this at home this week while I am off (some vacation), so it still shows as can't be trusted, but that has to be because it's not sitting at the IP it is supposed to be at, yes?

The IP doesn't matter, but I guess you're also using a different hostname?

jtheed
11th August 2007, 04:20
The IP address that the domain is sitting at right now is the only thing that is different. The DNS points to the IP address at work, and right now I am just running it on my home DSL non-static IP. I just change the hosts file on my workstation to match the current IP to connect to the server for testing. I'll know more tomorrow as I am taking it back to work. Hopefully the warning stops popping up then.

John

jtheed
11th August 2007, 20:25
Update: I contacted my SSL CA and they said I was getting the not trusted warning because of no intermediate file being installed. So I added the intermediate CA file, as per their instructions, to the .conf files, both the httpd.conf and the httpd.conf.https files, where they are looking for the SSLCertificateChainFile. They were commented out originally. Not sure I needed it in both conf files, but now IE6 and IE7 do not complain, but Firefox 2.0.0.6 still complains even though the CA is listed as an authority. Does anyone know why this might be happening only in Firefox? It may in others, but I only have Firefox and IE6 - IE7.

50% of the way there....
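
The missing-intermediate problem in the post above, as an added example (written for this page; not code from the thread, the CA or ISPConfig): a browser that holds only the root in its trust store cannot build the path leaf -> intermediate -> root unless the server sends the intermediate, which is what SSLCertificateChainFile does. Windows' certificate store can often fetch a missing intermediate from the leaf's Authority Information Access URL, which is why IE accepted the site while Firefox (NSS did no such fetching at the time) and Opera did not. The script builds a constructed root/intermediate/leaf chain with openssl and verifies the leaf both ways; the CN values are made up.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "untrusted" warning caused by a
# missing intermediate certificate and show that shipping the chain fixes it.
# All names (Demo Root, Demo Intermediate, www.example.test) are constructed.
set -eu

# Build a root -> intermediate -> leaf chain in directory $1.
make_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    for n in root int leaf; do openssl genrsa -out "$d/$n.key" 2048 2>/dev/null; done
    # self-signed root: what the browser has in its trust store
    openssl req -new -key "$d/root.key" -subj "/CN=Demo Root" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" \
        -days 3 -out "$d/root.crt" 2>/dev/null
    # intermediate signed by the root: the CA's "ca-bundle" file
    openssl req -new -key "$d/int.key" -subj "/CN=Demo Intermediate" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/ca.ext" -days 3 -out "$d/int.crt" 2>/dev/null
    # server certificate signed by the intermediate: the .crt the CA sends back
    openssl req -new -key "$d/leaf.key" -subj "/CN=www.example.test" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
        -days 3 -out "$d/leaf.crt" 2>/dev/null
}

# Verify a leaf the way a browser does: trust only the root ($1) and use whatever
# the server sent along ($3, optional) as untrusted path material. Returns openssl's status.
verify_chain() {  # $1 = trusted root, $2 = leaf cert, [$3 = intermediate(s) sent by server]
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2"
    else
        openssl verify -CAfile "$1" "$2"
    fi
}

# Stand-alone run: without the intermediate the leaf is untrusted, with it the path closes.
tmp=$(mktemp -d)
make_demo_pki "$tmp"
echo "== server sends only the leaf (no SSLCertificateChainFile) =="
verify_chain "$tmp/root.crt" "$tmp/leaf.crt" || echo "=> no path to a trusted root: this is the browser warning"
echo "== server also sends the intermediate (SSLCertificateChainFile) =="
verify_chain "$tmp/root.crt" "$tmp/leaf.crt" "$tmp/int.crt"
rm -rf "$tmp"
```

Against a live server, `openssl s_client -connect www.example.test:443 -showcerts` (hostname constructed) prints every certificate Apache actually sends for that vhost; if only the leaf appears, the SSLCertificateChainFile directive is not in effect for the vhost that answered, whatever file it was written to.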

till
12th August 2007, 11:44
What is the exact error message that you get in firefox?

jtheed
12th August 2007, 22:34
What I think it is, is the misconfiguration on the server of the cert. The CA is now telling me to try a different file for the bundle file. I'll have to wait until tomorrow to try it.

This is the screen that pops up in Firefox.

jtheed
13th August 2007, 16:23
Installing the new file did not solve the problem.
OK... still not fixed, but it seems that I should be working on the ssl.conf file, not the httpd.conf or httpd.conf.https files.

By installing the paths for my .crt, .key and .ca-bundle files, I can now access SquirrelMail and ISPConfig using IE6 and 7, where before I did this I couldn't access the pages using IE, but Firefox was able to.
Firefox still doesn't trust my cert from the CA, but IE does.
I have installed as they requested using the ssl.conf file located in /etc/httpd/conf.d/.

This is what I have in ssl.conf now

SSLCertificateFile /the path to cert file/www.tidesmarine.com.crt
SSLCertificateKeyFile /the path to cert file/www.tidesmarine.com.key
SSLCertificateChainFile /the path to cert file/www.tidesmarine.com.ca-bundle.crt
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt


What else can I look at?

jtheed
15th August 2007, 17:54
Update:

Problem, I thought, was finally solved. What I had to do was add the chain file to the Vhosts_ispconfig.conf file under the 443 section of my web site.


Update: See MY post on 3rd page about adding line to httpd.conf

jtheed
16th August 2007, 20:52
Well, I THOUGHT it was solved, BUT... something rewrites the Vhosts_ispconfig.conf file.

What would be doing this?

It omits the chain file from the new file that gets written. It rewrote the file at 8:54 am today. What file is it basing its information on when it rewrites this file?

Thanks

John

daveb
16th August 2007, 21:06
Try adding the chain file in the Apache directives of the site.
SSLCertificateChainFile /the path to cert file/www.tidesmarine.com.ca-bundle.crt

till
16th August 2007, 21:24
Well, I THOUGHT it was solved, BUT... something rewrites the Vhosts_ispconfig.conf file.

NEVER edit the file Vhosts_ispconfig.conf manually. It is automatically changed by ISPConfig.

Add the SSL chain files to your httpd / apache or apache2.conf file as daveb suggested.

jtheed
16th August 2007, 22:43
I don't have an apache.conf or apache2.conf file.

I did the Fedora Core 7 install per the how-tos. I have several conf files, but none that start with apache. I already have the file paths in the ssl.conf file, and it puts my .key and .crt file in the Vhosts_ispconfig.conf file, just not the chain file.

I'll keep looking, but if someone has a definitive answer as to which file the Vhosts file gets written from using FC7, please let me know.

John

till
16th August 2007, 23:11
You can put it in the ssl.conf file as well, that does not matter.

I'll keep looking, but if someone has a definitive answer as to which file the Vhosts file gets written from using FC7, please let me know.

Do not touch the Vhosts_ispconfig.conf.

jtheed
16th August 2007, 23:26
I won't touch the Vhosts_ispconfig.conf file, but what file does ISPCONFIG get its information from to write it? I have the chain file in ssl.conf, and it does not get written to the Vhosts_ispconfig.conf file. The key and crt file paths do, but not the chain file.

till
16th August 2007, 23:37
a) The chain file does not have to be written to the Vhosts_ispconfig.conf file; it is enough if you put it in ssl.conf.
b) There is no file where ISPConfig gets the content for Vhosts_ispconfig.conf from; the content is generated from the database.

jtheed
16th August 2007, 23:57
The only time it has worked is when I manually put it in the Vhosts file. I already had it in the ssl.conf file, and it was not getting picked up or being recognized as being there. As soon as the Vhosts file gets rewritten, I get the window complaining about the authority as shown in an earlier post in this thread. The same thing happens in Firefox & Opera, but IE is fine with it.

till
17th August 2007, 00:00
Maybe the ssl.conf is not included in your httpd.conf file. Please try to put it directly in the httpd.conf file.

jtheed
17th August 2007, 00:43
OK, here's what I finally did, and I think it has corrected my problem.

In the /etc/httpd/conf/httpd.conf file, after:

Include /etc/httpd/conf/vhosts/Vhosts_ispconfig.conf

I added this one line:

SSLCertificateChainFile /the path to the file/www_tidesmarine_com.ca-bundle

and removed it from where I manually had placed it in the Vhosts file, and I do not get any complaints from IE, Firefox or Opera after restarting ispconfig_server.

If I don't get any complaints after the VHosts file gets rewritten by ISPCONFIG, then I am golden.

Thanks to ALL for your help... This is an ongoing learning experience as I am coming from Windows....