ISPConfig 3 - GNUTLS


oprago
2nd May 2009, 10:32
Hi,

I created a small workaround to use ISPConfig with gnutls.

Install gnutls and disable SSL:


aptitude install libapache2-mod-gnutls
a2enmod gnutls
a2dismod ssl


The next step is to modify the ISPConfig Apache template /usr/local/ispconfig/server/conf/vhost.conf.master to use gnuTLS:

Change:


[...]
<tmpl_if name='ssl_enabled'>
<IfModule mod_ssl.c>
[...]



[...]
SSLEngine on
SSLCertificateFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='domain'>.crt
SSLCertificateKeyFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='domain'>.key
<tmpl_if name='has_bundle_cert'>
SSLCACertificateFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='domain'>.bundle
</tmpl_if>
[...]


to:


[...]
<tmpl_if name='ssl_enabled'>
<IfModule mod_gnutls.c>
[...]



[...]
GnuTLSEnable on
GnuTLSPriorities NORMAL
GnuTLSCertificateFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='domain'>.crt
GnuTLSKeyFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='domain'>.key
[...]


I don't use the SSL bundles, so I hide the form field. Edit /usr/local/ispconfig/interface/web/sites/form/web_domain.tform.php and change it to a hidden field:


'ssl_bundle' => array (
'datatype' => 'TEXT',
'formtype' => 'HIDDEN',
'default' => '',
'value' => '',
'cols' => '30',
'rows' => '10'
),


and modify the template /usr/local/ispconfig/interface/web/sites/templates/web_domain_ssl.htm:


<div class="ctrlHolder" style="display:none;">
<label for="ssl_bundle">{tmpl_var name='ssl_bundle_txt'}</label>
<textarea name="ssl_bundle" id="ssl_bundle" rows='10' cols='30'>{tmpl_var name='ssl_bundle'}</textarea>
</div>


GnuTLS requires an IP address in the virtual host definition, so I had to disable the "*". First add the IP of the server in the ISPConfig admin interface. Then disable the "*" in the file /usr/local/ispconfig/interface/web/sites/web_domain_edit.php by removing all $ip_select = "<option value='*'>*</option>"; entries.

hfmark
5th May 2009, 16:10
Amazing code, very useful, thanks :)

tio289
13th May 2009, 00:30
I also had to edit the file /etc/apache2/ports.conf to the following:


NameVirtualHost your server ip:80
Listen your server ip:80

<IfModule mod_gnutls.c>
NameVirtualHost your server ip:443
Listen your server ip:443
</IfModule>


But I still have a problem with certificates, like with SSL. I turned on SSL on domain.sk and on domain.cz. If I go to https://domain.sk the server uses the certificate for domain.cz... I hoped that gnuTLS was the solution, but... Can anybody help me? Thanks

johnboy4809
13th January 2010, 15:13
I have tried implementing this on my Debian Lenny system and can't seem to get it to work. All my sites use the same certificate instead of their own. Has anyone got any pointers as to where to start fixing this?

tio289
13th January 2010, 16:46
Hello johnboy4809,

With gnutls you can have more virtual hosts on ONE IP with SSL, but you must have one cert for all domains.

With the default SSL mod you can have only one virtual host with SSL on one IP.

And how do you create a cert for all domains?

You must edit the file /etc/ssl/openssl.cnf

and look at these lines:


0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd

# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd


You can easily add more common names:

0.commonName = domain.com
1.commonName = domain2.com
2.commonName = domain3.com



Then you must recreate the certificate. You can sign this certificate for example with cacert.org.

johnboy4809
13th January 2010, 17:53
hi tio289

Thanks for getting back to me. I think I misunderstood gnutls; I thought it would allow me to have multiple SSL-secured sites on a single IP, or is this openssl cert separate from the virtual hosts' cert? Sorry if I sound dumb, but I'm learning as I go. The reason I was wanting this is that I have my own server at home running Lenny and ISPConfig 3; it hosts 3 sites, 2 of which I'd now like to have SSL. My domains are all sent to my server via dyndns as I don't have a static IP. I don't know whether I am trying to achieve the impossible with this.

thanks

tio289
14th January 2010, 00:56
SSLMOD - ONE IP = ONE SSL-based host

GNUTLS - ONE IP (static or dynamic) = MANY SSL-based hosts with ONE joint certificate.

A certificate doesn't contain any information about the IP. What is important in the certificate is the CommonName, which is for example *.domain.com. The cert will then be valid for anything.domain.com. When you want to use gnuTLS and MANY SSL-based hosts on one IP, you must create a certificate with MANY commonNames.

For this you must edit the /etc/ssl/openssl.cnf file and add the commonNames to it.
For example, if you have 3 domains domainA.com, domainB.com and domainC.com, you must add all domains to the openssl.cnf file:


[ req_distinguished_name ]
0.commonName = Common Name (eg, YOUR name)
0.commonName_default = *.domainA.com
0.commonName_max = 64
1.commonName = Common Name (eg, YOUR name)
1.commonName_default = *.domainB.com
1.commonName_max = 64
2.commonName = Common Name (eg, YOUR name)
# only an example of a subdomain added to the SSL cert
2.commonName_default = shop.domainC.com
2.commonName_max = 64
3.commonName = Common Name (eg, YOUR name)
# example
3.commonName_default = My Secure Internet Services
3.commonName_max = 64


How? Look at this: http://www.sambarserver.info/viewtopic.php?t=740


And when you want to thank me, use the button for it :-)

Horfic
15th January 2010, 10:05
I have to correct you: it is possible to use multiple cert files with gnutls. I just followed the instructions on this page and created the SSL file in the web interface. All works!

tio289
15th January 2010, 12:06
I see, in my case this doesn't function :( so I created one cert :)

johnboy4809
15th January 2010, 17:30
Thanks for your help tio289, but I still seem to be doing something wrong. I decided to start with a fresh server, so I rebuilt my server using the Debian Lenny Perfect Setup for ISPConfig 3 from this site, then as soon as everything was installed I followed oprago's setup of gnutls and also made the changes that tio289 outlined, but still to no avail. My sites all still use the same cert. I'm at a loss now as to why it will not work.

tio289
15th January 2010, 17:43
I had the same problem and therefore I used one cert with multiple commonNames.

johnboy4809
11th March 2010, 14:30
Hi guys, I'm still not able to get this to work using either method in this post. Do you know if there is anywhere to start with checking my server setup to find the problem? Just a wild idea, but could this be anything to do with using the PowerPC build of Debian? Below is my virtualhost config file for my site. Can anyone see any errors in this?

Thanks for your time and help, folks.
<Directory /var/www/thecraftykitten.co.uk>
AllowOverride None
Order Deny,Allow
Deny from all
</Directory>

<VirtualHost 192.168.2.4:80>
DocumentRoot /var/www/thecraftykitten.co.uk/web

ServerName thecraftykitten.co.uk
ServerAlias www.thecraftykitten.co.uk
ServerAdmin webmaster@thecraftykitten.co.uk

ErrorLog /var/log/ispconfig/httpd/thecraftykitten.co.uk/error.log

ErrorDocument 400 /error/400.html
ErrorDocument 401 /error/401.html
ErrorDocument 403 /error/403.html
ErrorDocument 404 /error/404.html
ErrorDocument 405 /error/405.html
ErrorDocument 500 /error/500.html
ErrorDocument 503 /error/503.html

<Directory /var/www/thecraftykitten.co.uk/web>
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all

# ssi enabled
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
Options +Includes
</Directory>
<Directory /var/www/clients/client2/web2/web>
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all

# ssi enabled
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
Options +Includes
</Directory>

# cgi enabled
<Directory /var/www/clients/client2/web2/cgi-bin>
Order allow,deny
Allow from all
</Directory>
ScriptAlias /cgi-bin/ /var/www/clients/client2/web2/cgi-bin/
AddHandler cgi-script .cgi
AddHandler cgi-script .pl
# suexec enabled
SuexecUserGroup web2 client2
# mod_php enabled
AddType application/x-httpd-php .php .php3 .php4 .php5
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -fwebmaster@thecraftykitten.co.uk"
php_admin_value upload_tmp_dir /var/www/clients/client2/web2/tmp
php_admin_value session.save_path /var/www/clients/client2/web2/tmp
php_admin_value open_basedir /var/www/clients/client2/web2/web:/var/www/clients/client2/web2/tmp:/usr/share/php5


</VirtualHost>



#<IfModule mod_ssl.c>
###########################################################
# SSL Vhost
###########################################################

<IfModule mod_gnutls.c>
###########################################################
# GNUTLS SSL Vhost
###########################################################


<VirtualHost 192.168.2.4:443>
DocumentRoot /var/www/thecraftykitten.co.uk/web

ServerName thecraftykitten.co.uk
ServerAlias www.thecraftykitten.co.uk
ServerAdmin webmaster@thecraftykitten.co.uk

ErrorLog /var/log/ispconfig/httpd/thecraftykitten.co.uk/error.log

ErrorDocument 400 /error/400.html
ErrorDocument 401 /error/401.html
ErrorDocument 403 /error/403.html
ErrorDocument 404 /error/404.html
ErrorDocument 405 /error/405.html
ErrorDocument 500 /error/500.html
ErrorDocument 503 /error/503.html

# SSLEngine on
# SSLCertificateFile /var/www/clients/client2/web2/ssl/thecraftykitten.co.uk.crt
# SSLCertificateKeyFile /var/www/clients/client2/web2/ssl/thecraftykitten.co.uk.key
#
GnuTLSEnable on
GnuTLSPriorities NORMAL
GnuTLSCertificateFile /var/www/clients/client2/web2/ssl/thecraftykitten.co.uk.crt
GnuTLSKeyFile /var/www/clients/client2/web2/ssl/thecraftykitten.co.uk.key

<Directory /var/www/thecraftykitten.co.uk/web>
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all

# ssi enabled
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
Options +Includes
</Directory>
<Directory /var/www/clients/client2/web2/web>
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all

# ssi enabled
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
Options +Includes
</Directory>

# cgi enabled
<Directory /var/www/clients/client2/web2/cgi-bin>
Order allow,deny
Allow from all
</Directory>
ScriptAlias /cgi-bin/ /var/www/clients/client2/web2/cgi-bin/
AddHandler cgi-script .cgi
AddHandler cgi-script .pl
# ssi enabled
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
# suexec enabled
SuexecUserGroup web2 client2
# mod_php enabled
AddType application/x-httpd-php .php .php3 .php4 .php5
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -fwebmaster@thecraftykitten.co.uk"
php_admin_value upload_tmp_dir /var/www/clients/client2/web2/tmp
php_admin_value session.save_path /var/www/clients/client2/web2/tmp
php_admin_value open_basedir /var/www/clients/client2/web2/web:/var/www/clients/client2/web2/tmp:/usr/share/php5:/tmp


</VirtualHost>
</IfModule>

tio289
11th March 2010, 14:45
You must specify the problem more closely. Post the error log etc.

johnboy4809
11th March 2010, 15:41
The problem I'm having is that all hosted sites still try to use the same certificate. I will have a look at the error logs, but I'm not sure which one deals with the certificates.

tio289
11th March 2010, 15:52
Yes, I had this problem too. I solved it by using one cert for all sites; I wrote about this in previous posts.

johnboy4809
11th March 2010, 16:32
I tried your method too, adding the domains to the openssl conf file, but this did not work either.

tio289
11th March 2010, 17:11
And after adding domains to openssl.cnf you must recreate the certificate... (create a new key and CSR for signing).

johnboy4809
11th March 2010, 17:16
Yep, I did that and had the certificate signed by CAcert.

johnboy4809
11th March 2010, 17:18
Did you disable gnutls and reactivate ssl in order to get this method to work?

tio289
11th March 2010, 17:21
If you deactivate gnutls and activate ssl, then you can use only one virtual SSL-based host per IP.

johnboy4809
11th March 2010, 17:31
OK, so what I did was leave gnutls active and point all the virtualhost certs to the openssl one I created with all the commonNames, but still they all seem to want to use the standard first certificate. I restarted the server to make sure all settings were active. Also, now my web server won't display the https site and says it's unreachable; I think this has to do with apache's ports conf, but I did not edit that.

tio289
11th March 2010, 18:12
What standard first?

johnboy4809
11th March 2010, 18:23
Ignore those posts, got it working now. All my sites are valid; the only problem is that CAcert needs to be installed as a root certificate provider in IE, which is still going to be a problem for people visiting my sites. Do you know if anyone other than CAcert will validate the openssl cert, one I can pay for that has full IE support?

tio289
11th March 2010, 18:30
You can sign the cert with verisign.com or GoDaddy.com.

johnboy4809
16th March 2010, 17:18
Hi guys, so I got gnutls to work if I create my certificates manually using www.domain.com, www.domainb.com as the common names in each cert. If I use the certs created with ISPConfig then the common name in these certs is just domain.com and domainb.com. If I use these ISPConfig certs and go to https://www.domain.com or https://www.domainb.com I get a certificate error, and my browser then tries to use the first cert created, e.g.

site https://www.domain.com uses cert for www.domain.com
site https://www.domainb.com uses cert for www.domain.com
site https://www.domainc.com uses cert for www.domain.com
etc

All sites use the first site's cert.

So I am wondering if there is a setup problem with my server or in the way I define my sites in ISPConfig. Can anyone see if there is something blazingly obvious that I'm doing wrong?

Also, can anyone confirm: does gnutls not work with IE7 on Windows XP? It seems to work in Safari on Mac OS X 10.5.7 but not on my Windows box.
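
To see why the ISPConfig-generated certificates above (CN = domain.com only) fail for the www. hostnames while tio289's wildcard list covers them, here is the hostname-matching rule TLS clients apply, as an added example that is not code from ISPConfig, OpenSSL or anyone in this thread; the two name lists are constructed from the openssl.cnf examples posted earlier. Current browsers match only subjectAltName dNSName entries and ignore the commonName, so today a multi-name certificate like tio289's is built with a SAN list rather than several commonName fields.

```python
"""Certificate-name matching for the names discussed in this thread.
Added example, not ISPConfig or OpenSSL code."""
import re

# Constructed name lists: tio289's multi-commonName certificate and the
# single-CN certificate ISPConfig generated for johnboy4809.
MULTI_NAME_CERT = ["*.domainA.com", "*.domainB.com", "shop.domainC.com",
                   "My Secure Internet Services"]
ISPCONFIG_CERT = ["domain.com"]

_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def is_dns_name(name):
    """True if `name` is a DNS name, optionally with a single left-most wildcard."""
    labels = name.lower().split(".")
    if labels[0] == "*":
        labels = labels[1:]
    return bool(labels) and all(_LABEL.match(lab) for lab in labels)


def name_matches(cert_name, hostname):
    """RFC 6125 style match: exact (case-insensitive) or a wildcard that
    covers exactly one left-most label. Non-DNS names never match."""
    if not is_dns_name(cert_name) or not is_dns_name(hostname):
        return False
    cert_name, hostname = cert_name.lower(), hostname.lower()
    if not cert_name.startswith("*."):
        return cert_name == hostname
    suffix = cert_name[1:]                    # "*.domaina.com" -> ".domaina.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]           # the part the wildcard stands for
    return left != "" and "." not in left     # exactly one label


def covered_by(cert_names, hostname):
    """Return the certificate name that covers `hostname`, or None."""
    return next((n for n in cert_names if name_matches(n, hostname)), None)


def report(cert_names, hostnames):
    """hostname -> covering name; None means the browser shows a certificate error."""
    return {h: covered_by(cert_names, h) for h in hostnames}


if __name__ == "__main__":
    for host, name in report(ISPCONFIG_CERT, ["domain.com", "www.domain.com"]).items():
        print(f"{host:20} {name or 'NO MATCH'}")
```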

ByteMe Networking
21st January 2011, 07:15
Hate to bring up an old post, but has anyone been able to get this working on the latest Debian 5 and the latest ISPConfig 3?

I have tried the first post several times without success. Still using first cert created for all sites. Also tried the commonName fix without success.

The setup from the original post seems to install fine without errors other than the one:
[warn] NameVirtualHost xxx.xxx.xxx.xxx:443 has no VirtualHosts

But still not working as specified. Horfic said he got it to work by following the first post and all that was needed was to create the CSR from ISPConfig. Just wondering if anyone else has had success, and if so, can anyone give me a down and dirty way of doing this? I would much appreciate it.

tio289
21st January 2011, 09:14
Hi ByteMe, you need to create one cert with multiple domains (see my previous posts). About the warning: it says that you don't have a virtual host with the name xxx.xxx.xxx.xxx:443. You probably have the vhost *:443, which is generated by ISPConfig by default, so you have to select the IP address in the website config.

zenny
27th October 2011, 16:53
Reviving an old topic, but very interesting. I tried the tutorial in the first post and also made the necessary changes in ports.conf as described in the 3rd post, but apache fails to load afterwards:

# /etc/init.d/apache2 start
Starting web server: apache2Syntax error on line 51 of /etc/apache2/sites-enabled/000-ispconfig.vhost:
Invalid command 'SSLEngine', perhaps misspelled or defined by a module not included in the server configuration
Action 'start' failed.
The Apache error log may have more information.
failed!


The apache log does not state anything:

[Thu Oct 27 15:37:37 2011] [warn] child process 5769 still did not exit, sending a SIGTERM
[Thu Oct 27 15:37:37 2011] [warn] child process 5770 still did not exit, sending a SIGTERM
<br />
<b>Warning</b>: Directive 'register_long_arrays' is deprecated in PHP 5.3 and greater in <b>Unknown</b> on line <b>0</b><br />
<br />
<b>Warning</b>: Directive 'register_long_arrays' is deprecated in PHP 5.3 and greater in <b>Unknown</b> on line <b>0</b><br />
<br />
<b>Warning</b>: Directive 'register_long_arrays' is deprecated in PHP 5.3 and greater in <b>Unknown</b> on line <b>0</b><br />
<br />
<b>Warning</b>: Directive 'register_long_arrays' is deprecated in PHP 5.3 and greater in <b>Unknown</b> on line <b>0</b><br />
<br />
<b>Warning</b>: Directive 'register_long_arrays' is deprecated in PHP 5.3 and greater in <b>Unknown</b> on line <b>0</b><br />
[Thu Oct 27 15:37:39 2011] [error] child process 1458 still did not exit, sending a SIGKILL
[Thu Oct 27 15:37:39 2011] [error] child process 5765 still did not exit, sending a SIGKILL
[Thu Oct 27 15:37:39 2011] [error] child process 5766 still did not exit, sending a SIGKILL
[Thu Oct 27 15:37:39 2011] [error] child process 5770 still did not exit, sending a SIGKILL
[Thu Oct 27 15:37:40 2011] [notice] caught SIGTERM, shutting down
<br />
<b>Warning</b>: Directive 'register_long_arrays' is deprecated in PHP 5.3 and greater in <b>Unknown</b> on line <b>0</b><br />

Could not figure out where things went wrong. Checked the 000-ispconfig.vhost without any clue. Or is there a new way to achieve the same?

Thanks!
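
The two failures reported in this thread after the mod_ssl to mod_gnutls switch can both be caught before restarting Apache. The lint below is an added example (not ISPConfig's or mod_gnutls's code) that reads a combined ports.conf/vhost text the way Apache does, skipping <IfModule> blocks for modules outside the assumed LOADED set, and flags: the "NameVirtualHost xxx:443 has no VirtualHosts" warning (a vhost still bound to *:443), SSL* directives that are active while mod_ssl is disabled (the "Invalid command 'SSLEngine'" startup failure), and which vhost's certificate a client without SNI receives on each address (the first one bound to it), which is the "every site shows the first cert" symptom. The sample input is constructed from the ports.conf and vhost fragments posted above.

```python
"""Lint an Apache 2.2 config after a2dismod ssl / a2enmod gnutls.
Added example, not ISPConfig code; see the lead-in for what it flags."""
import re
LOADED = {"mod_gnutls.c"}  # assumed: gnutls enabled, ssl disabled
_TAG = re.compile(r"<(/?)(\w+)(?:\s+(.*?))?>$")

def parse(conf, loaded=LOADED):
    """-> (NameVirtualHost addrs, [(vhost addr, {directive: [args]})]); <IfModule>
    blocks for modules not in `loaded` are skipped, exactly as Apache skips them."""
    nvh, vhosts, ifmod, cur = set(), [], [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag = _TAG.match(line)
        if tag:
            closing, name, arg = tag.group(1) == "/", tag.group(2), tag.group(3)
            if name == "IfModule":
                ifmod = ifmod[:-1] if closing else ifmod + [arg in loaded]
            elif name == "VirtualHost" and all(ifmod):
                cur = None if closing else {}
                vhosts += [] if closing else [(arg, cur)]
            continue
        if not all(ifmod):
            continue  # inside <IfModule> for a module that is not loaded
        name, _, args = line.partition(" ")
        if name == "NameVirtualHost":
            nvh.add(args.strip())
        elif cur is not None:
            cur.setdefault(name, []).append(args.strip())
    return nvh, vhosts

def lint(conf, loaded=LOADED):
    """Findings: Apache's 'has no VirtualHosts' warning, SSL* without mod_ssl, non-SNI default."""
    nvh, vhosts = parse(conf, loaded)
    out = [f"NameVirtualHost {a} has no VirtualHosts"
           for a in sorted(nvh - {addr for addr, _ in vhosts})]
    seen = set()
    for addr, d in vhosts:
        server = d.get("ServerName", ["<unnamed>"])[0]
        if "mod_ssl.c" not in loaded and any(k.startswith("SSL") for k in d):
            out.append(f"{server} ({addr}): SSL* directive active without mod_ssl")
        if addr.endswith(":443") and addr not in seen:  # first vhost on the address
            seen.add(addr)
            out.append(f"non-SNI clients on {addr} get {server}'s certificate")
    return out

# Constructed input: tio289's ports.conf plus a vhost left on ISPConfig's default *:443.
SAMPLE = """<IfModule mod_gnutls.c>
NameVirtualHost 192.168.2.4:443
</IfModule>
<VirtualHost *:443>
ServerName domainA.example
SSLEngine on
</VirtualHost>"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

Run it against the concatenation of /etc/apache2/ports.conf and the vhost files in /etc/apache2/sites-enabled; an empty list means Apache would start and every 443 vhost is bound to the address named in NameVirtualHost.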

falko
28th October 2011, 11:29
Is mod_ssl enabled?

zenny
31st October 2011, 13:44
Nope.

#a2dismod ssl
#a2enmod gnutls

and when I tried to restart the apache2 server with

#/etc/init.d/apache2 restart

I got those errors.

till
31st October 2011, 14:10
The command to enable a module in apache 2 is a2enmod and not a3enmod.
And which errors did you get?

zenny
31st October 2011, 19:35
Till: That was a typo (about a3enmod) ;-)

The errors are as posted at http://www.howtoforge.com/forums/showpost.php?p=266089&postcount=28 FYI

ByteMe Networking
2nd December 2011, 04:05
Hey zenny,

I know this is late and sorry about that. I just upgraded to the new 3.0.4.1, and until now everything had worked with gnutls. I upgraded and reconfigured and made a new cert, then towards the end of the upgrade I was confronted with:

Restarting web server: apache2We failed to correctly shutdown apache, so we're now killing all running apache processes. This is almost certainly suboptimal, so please make sure your system is working as you'd expect now! (warning).
Syntax error on line 47 of /etc/apache2/sites-enabled/000-ispconfig.vhost:
Invalid command 'SSLEngine', perhaps misspelled or defined by a module not included in the server configuration
... waiting failed!

So a similar issue; Debian 5 is what I am running. When following the directions in the first post I disabled ssl with:
a2dismod ssl

And enabled gnutls:
a2enmod gnutls

Well, the upgrade broke my sites and ISPConfig. Could not start apache. What I did for right now is re-enable ssl, and apache was able to start without error:

# a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!
# /etc/init.d/apache2 restart
Restarting web server: apache2 ... waiting .


Try that to see if you are able to get everything back up.

Also I will post any updates I have about getting gnutls back in order.

Hope this helps.