View Full Version : Ssl


boardmain
5th August 2005, 10:39
I can create only one certificate for ip?

I can't create for any domain?

till
5th August 2005, 10:40
I can create only one certificate for ip?

I can't create for any domain?

Yes, that's a limitation in the Apache Webserver. Only one SSL enabled vHost per IP.

KenMcGinnis
8th August 2005, 07:07
I have everything installed and working ok - but it has that dummy cert. My web site name is server.domain.com. I want people to download some files and I need the site to show a 'real' certificate. I can get the cert files ok, Where can I put them?

My server is at 192.168.0.195. Can I put that in the SSL Cert request and have it work for all web sites on my server? If not, how can I do that? I would like all web sites to have the cert and use https://xxxxx.domain.com where xxxx can be anything?

falko
8th August 2005, 09:00
I have everything installed and working ok - but it has that dummy cert. My web site name is server.domain.com. I want people to download some files and I need the site to show a 'real' certificate. I can get the cert files ok, Where can I put them?

The files are in /root/ispconfig/httpd/conf/ssl.*.

My server is at 192.168.0.195. Can I put that in the SSL Cert request and have it work for all web sites on my server? If not, how can I do that? I would like all web sites to have the cert and use https://xxxxx.domain.com where xxxx can be anything?

You need a certificate for _each_ web site. But note that you can only have one SSL web site per IP address!

KenMcGinnis
9th August 2005, 01:06
I have 2 dsl connections with 2 ip addresses and 2 lan cards in my server. Each dsl router opens ports to one of the lan cards.

Can I have 2 SSL certificates since I have 2 IP addresses?

One problem I have noticed is that I can only have one default gateway (when I set it for one lan card, it automatically sets the same value for the other lan card)

falko
9th August 2005, 09:19
Can I have 2 SSL certificates since I have 2 IP addresses?


Yes, one for each IP address.

KenMcGinnis
9th August 2005, 20:01
Sorry if I am asking basic questions, but I do not have much time in with Linux. I set up an apache2 server with SuSE 9.0 about 18 months ago using a cookbook (which I can't find anymore). The system never went down or had a single problem so I lost all my notes and forgot how I did things. I have ispconfig running just fine now with 4 resellers and about 16 clients. One of the clients must have ssl for file http downloads (and 3 others are probably going to require it).

You said (above) where to put the cert files and I did that and it works. But how to put a 2nd one? if I name it server.key/crt, it will write over the 1st one?

till
9th August 2005, 20:06
Sorry if I am asking basic questions, but I do not have much time in with Linux. I set up an apache2 server with SuSE 9.0 about 18 months ago using a cookbook (which I can't find anymore). The system never went down or had a single problem so I lost all my notes and forgot how I did things. I have ispconfig running just fine now with 4 resellers and about 16 clients. One of the clients must have ssl for file http downloads (and 3 others are probably going to require it).

You said (above) where to put the cert files and I did that and it works. But how to put a 2nd one? if I name it server.key/crt, it will write over the 1st one?

If you have ISPConfig installed you don't have to make SSL-Certificates manually, just use the functions in ISPConfig. ISPConfig takes care of where to store the certificate files and makes the correct entries in the vhost configuration.

KenMcGinnis
9th August 2005, 22:33
Thanks that worked, pretty easy. This is a pretty powerful interface.

I found the cert it made - in /srv/www in that client location. I guess if I send the code off somewhere and get a regular certificate, I can paste it in the crt window and save and that will do it?

falko
9th August 2005, 22:54
Thanks that worked, pretty easy. This is a pretty powerful interface.

I found the cert it made - in /srv/www in that client location. I guess if I send the code off somewhere and get a regular certificate, I can paste it in the crt window and save and that will do it?

You can send the code from the "SSL Request" textarea in the ISPConfig interface to a Certificate Authority (CA) like instantssl.com. The certificate you get back has to be copied to the "SSL Certificate" textarea, and under "Action" you choose "Save certificate" and click on "Save". That's it. :)

KenMcGinnis
10th August 2005, 03:28
One more related question: In your "perfect setup" you mention:

"I want to create a virtual network card eth0:0 with the IP address 192.168.0.101 (my main one is 192.168.0.100 in this example) so I select Add:"

Can this 'virtual IP' be used with an SSL Certificate? If not, what was the purpose? I don't see where you use the Virtual IP for anything.

till
10th August 2005, 07:47
One more related question: In your "perfect setup" you mention:

"I want to create a virtual network card eth0:0 with the IP address 192.168.0.101 (my main one is 192.168.0.100 in this example) so I select Add:"

Can this 'virtual IP' be used with an SSL Certificate? If not, what was the purpose? I don't see where you use the Virtual IP for anything.

Yes, this virtual IP can be used for SSL or when you need an IP-Based vhost (site).

KenMcGinnis
12th August 2005, 20:58
I am still researching this as I have some clients breathing down my back.

Regarding your post above about the virtual ip. I do have a virtual IP 192.168.0.197 (in Suse9.3 - additional IP), however it is not in the drop down list for a site that I have setup. The site is now working fine on 192.168.0.195 but I want to change it so I can have a SSL cert.


I understand it is possible to have multiple vhosts on a single IP by using different ports. For example you could have one on xx.xx.xx.xx:80 and a different one on xx.xx.xx.xx:8080. Another way is to have a wildcard cert (http://www.digicert.com/wildcard-ssl-certificates.htm) Supposedly both of these work with apache2. Do either of these work with ispconfig?

till
13th August 2005, 11:43
I am still researching this as I have some clients breathing down my back.

Regarding your post above about the virtual ip. I do have a virtual IP 192.168.0.197 (in Suse9.3 - additional IP), however it is not in the drop down list for a site that I have setup. The site is now working fine on 192.168.0.195 but I want to change it so I can have a SSL cert.

Have you entered the IP in the controlpanel under Management > Server > Settings?


I understand it is possible to have multiple vhosts on a single IP by using different ports. For example you could have one on xx.xx.xx.xx:80 and a different one on xx.xx.xx.xx:8080. Another way is to have a wildcard cert (http://www.digicert.com/wildcard-ssl-certificates.htm) Supposedly both of these work with apache2. Do either of these work with ispconfig?

I've never tested wildcard certificates with ISPConfig. If you want to know how ISPConfig configures your apache server, have a look at the Vhost_ispconfig.conf file in the directory vhosts in your apache configuration directory.

falko
13th August 2005, 14:33
I understand it is possible to have multiple vhosts on a single IP by using different ports. For example you could have one on xx.xx.xx.xx:80 and a different one on xx.xx.xx.xx:8080.

You can have as many vhosts as you like on a single IP address using the same port as long as they do not use SSL.
If you use SSL and only have one IP address you must use different ports, but then you have to type the port into the browser's address bar as long as it's not the standard https port (443). E.g. you would have to type https://www.example.com:8080. I don't think this is what your clients want... :rolleyes:

Another way is to have a wildcard cert (http://www.digicert.com/wildcard-ssl-certificates.htm) Supposedly both of these work with apache2. Do either of these work with ispconfig?

A wildcard certificate means that all subdomains of a domain (e.g. www.example.com, test.example.com, example.example.com, shop.example.com, etc.) can use that certificate, without a warning popping up in the visitor's browser. If you use a wildcard certificate, then all your clients would have to use a subdomain of example.com, and I don't think your clients want that either...

KenMcGinnis
13th August 2005, 19:37
Thanks, that helps.
1. no I did not enter the virtual IP on the management screen. That is now fixed.

Regarding the options for multiple IPs with ports:
The port thing may work for me. I have the client go to a web page with http: as usual. They only need the encryption with cert when they download. So I have a link on the web page to the file to download. The client only sees the name of the file. The actual link can be anything so having the port appended is not a problem.

So I now have the domain www.mydomain.com set up on the IP 192.168.0.195 - it works fine.

1. I changed the IP to 192.168.0.197 (a virtual port) checked the 'SSL' box and created and saved the cert. How do I access it now?

2. I tried entering 192.168.0.195:445 in the management/server/settings and using that IP but it does not work. Note that when I do use that new port, I can only see 192.168.0.4 in the drop down box - maybe that is the problem?

I need a hint how to access a domain on an IP using a different port.

falko
14th August 2005, 14:54
1. I changed the IP to 192.168.0.197 (a virtual port) checked the 'SSL' box and created and saved the cert. How do I access it now?

https://www.mydomain.com

2. I tried entering 192.168.0.195:445 in the management/server/settings and using that IP but it does not work. Note that when I do use that new port, I can only see 192.168.0.4 in the drop down box - maybe that is the problem?

I need a hint how to access a domain on an IP using a different port.

You can only enter IP addresses under Management -> Server -> Settings, not IP addresses with ports.

You could copy your SSL vhost from the Vhosts_ispconfig.conf file to your main httpd.conf (so that the vhost doesn't get overwritten by ISPConfig anymore) and change port 443 to 445. Then you have to add Listen 445 to the main section of your httpd.conf and restart Apache.
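
Added example, not part of any post in this thread and not ISPConfig code: a small Python check that applies the two points made above to an Apache configuration, flagging any IP:port that carries more than one SSL-enabled vhost and any SSL vhost port that has no matching `Listen` directive. The sample configuration is constructed from the addresses mentioned in the thread (the host names are placeholders), and the parser assumes vhosts are declared with literal IPv4 `address:port` pairs.

```python
import re
from collections import defaultdict

# Constructed sample configuration (addresses follow the thread, names are placeholders).
SAMPLE_CONF = """
Listen 80
Listen 443
<VirtualHost 192.168.0.195:443>
    ServerName www.mydomain.com
    SSLEngine on
</VirtualHost>
<VirtualHost 192.168.0.195:443>
    ServerName shop.example.com
    SSLEngine on
</VirtualHost>
<VirtualHost 192.168.0.197:443>
    ServerName server.domain.com
    SSLEngine on
</VirtualHost>
<VirtualHost 192.168.0.195:445>
    ServerName files.example.com
    SSLEngine on
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([\d.]+):(\d+)\s*>(.*?)</VirtualHost>", re.S | re.I)

def audit_ssl_vhosts(conf):
    """Return (conflicts, missing_listen) for the SSL vhosts in conf."""
    listen = {int(p) for p in re.findall(r"^\s*Listen\s+(?:[\d.]+:)?(\d+)\s*$", conf, re.M | re.I)}
    by_socket = defaultdict(list)
    for ip, port, body in VHOST_RE.findall(conf):
        if re.search(r"^\s*SSLEngine\s+on\b", body, re.M | re.I):
            name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
            by_socket[(ip, int(port))].append(name.group(1) if name else "(unnamed)")
    # More than one SSL vhost on the same IP:port breaks the rule from the thread.
    conflicts = {sock: names for sock, names in by_socket.items() if len(names) > 1}
    # An SSL vhost on a port with no Listen directive is never reached.
    missing_listen = sorted({port for _, port in by_socket if port not in listen})
    return conflicts, missing_listen

if __name__ == "__main__":
    conflicts, missing = audit_ssl_vhosts(SAMPLE_CONF)
    for (ip, port), names in conflicts.items():
        print(f"{ip}:{port} has {len(names)} SSL vhosts: {', '.join(names)}")
    for port in missing:
        print(f"no Listen directive for SSL port {port}")
```

On the sample it reports the two SSL vhosts sharing 192.168.0.195:443 and the missing `Listen 445`; the vhosts on 192.168.0.197:443 and 192.168.0.195:445 do not collide with anything.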

guentherhoven
11th June 2006, 21:33
You can have as many vhosts as you like on a single IP address using the same port as long as they do not use SSL.
If you use SSL and only have one IP address you must use different ports, but then you have to type the port into the browser's address bar as long as it's not the standard https port (443). E.g. you would have to type https://www.example.com:8080. I don't think this is what your clients want... :rolleyes:



A wildcard certificate means that all subdomains of a domain (e.g. www.example.com, test.example.com, example.example.com, shop.example.com, etc.) can use that certificate, without a warning popping up in the visitor's browser. If you use a wildcard certificate, then all your clients would have to use a subdomain of example.com, and I don't think your clients want that either...

One thing you did not mention is that you are still required to use only 1 IP address even for wildcard certificates.
Also, I keep seeing all of these CAs being posted, but you can actually buy them all at one place, ssl.com. Try these links out:
Standard certs - http://www.ssl.com/c-24-single-domain-name-fqdn.aspx
Wildcard certs - http://www.ssl.com/c-25-multiple-subdomains-wildcard.aspx
SSL Information/Knowledge Base (good stuff) http://info.ssl.com