HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


SamTzu 1st January 2010 21:05

Creating a SSL certificate - Quick guide
 
If you want to get a commercial SSL certificate for 2048-bit or stronger encryption (GoDaddy etc.), you need to change ISPConfig3 core settings.

Follow this quick guide to do it. If you just want to get your own non-commercial certificate to work, skip this ISPConfig3 hack and proceed to the Normal SSL configuration.

ISPConfig3 hack SSL guide.
  1. If you have already created a cert, delete it from the SSL tab for your site.
  2. Disable SSL for your website from the Website tab.
  3. Open /usr/local/ispconfig/server/plugins-available/apache2_plugin.inc.php and change 1024 (second instance, not the default setting - although it may still work changing both) to 2048 or 4096.
  4. Save the file and restart apache2 (i.e. /etc/init.d/apache2 restart) for good measure.
  5. Note: If you experience an error restarting apache2 (e.g. "(98)Address already in use: make_sock: could not bind to address 0.0.0.0:80") then do the following:
    • sudo lsof -i :80
    • Determine the pid of the running service and...
    • kill <pid from step 2>
    • /etc/init.d/apache2 restart
      It should start this time. I'm not sure what may cause this, but I had experienced it many times. It may have something to do with Subversion if you have it enabled under apache.
  6. Go back to ISPConfig and create a new certificate as you would normally.
  7. Go back to the SSL tab (you may have to restart apache again if you do not see the keys in the first two fields; not sure why, but I experienced this a few times).
  8. Copy the code from the SSL request fields and provide that to GoDaddy as the request key.
  9. Once you download your certificate from GoDaddy, paste the contents of the yourdomain.com.crt file into the SSL Certificate field (replacing what is there), select Save Certificate from the pulldown and click Save. The SSL Bundle was left empty (not sure if I needed anything here or not... can anyone confirm?).
  10. Restart apache2 for good measure and test it out.

Normal SSL configuration.
  1. Make sure that your (Linux) server has 1 IP address for each site that needs a Cert (and one for the server.)
  2. Make sure that those IP addresses are configured in 'ISPConfig3 | System | Edit Server IP' list.
  3. Make sure that the 'new' Certificate site does not have * as its address in 'Sites | Website | IP-Address' field.
  4. Make sure that SSL is enabled in that same page.
  5. Make sure that the DNS address points to that IP-Address that was defined for the website and not the old address (*) that you probably had to change when starting this process.
  6. On 'Sites | Website | SSL' enter your Certificate settings. (Your locale and Company info.)
  7. On the same page in 'SSL Action' 'Create Certificate' and Save.
  8. Wait a moment.
  9. Refresh SSL settings page. You should see the new Certificate code now.
You can now use https://yourdomain.com

jon 4th February 2010 14:26

I've tried three times but get the following error ...

[Thu Feb 04 08:25:44 2010] [error] Unable to configure RSA server private key
[Thu Feb 04 08:25:44 2010] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

till 4th February 2010 15:34

Looks as if you uploaded an SSL certificate that is not based on the CSR created by ispconfig.
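The "key values mismatch" error above can be ruled out before a certificate is pasted into ISPConfig by comparing the public key inside the private key, the CSR and the certificate. The script below is an added example, not part of the thread or of ISPConfig; the file names are constructed, and a self-signed certificate stands in for the one a CA would issue.

```shell
#!/bin/sh
# Added example (not from the thread). All file names are constructed.

# SHA-256 of the public key inside a private key, CSR or certificate.
pubkey_digest() {  # usage: pubkey_digest key|csr|crt FILE
    local pem
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr) pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac
    [ -n "$pem" ] || return 1
    # Normalise to DER so PEM formatting differences cannot affect the hash.
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only if FILE (a csr or crt) carries the public key of KEYFILE.
same_keypair() {  # usage: same_keypair KEYFILE csr|crt FILE
    local a b
    a=$(pubkey_digest key "$1") || return 1
    b=$(pubkey_digest "$2" "$3") || return 1
    [ "$a" = "$b" ]
}

# Key size in bits as recorded in the CSR (the value a CA checks for >= 2048).
csr_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Constructed sample material: a 2048-bit key and CSR, a self-signed certificate
# standing in for the CA-issued one, and an unrelated key to show the mismatch.
make_samples() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1/site.key" \
        -out "$1/site.csr" -subj "/CN=example.test" 2>/dev/null
    openssl x509 -req -in "$1/site.csr" -signkey "$1/site.key" -days 1 \
        -out "$1/site.crt" 2>/dev/null
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

dir=$(mktemp -d)
make_samples "$dir"
echo "CSR key size: $(csr_bits "$dir/site.csr") bit"
same_keypair "$dir/site.key" crt "$dir/site.crt" && echo "site.key matches site.crt"
same_keypair "$dir/other.key" crt "$dir/site.crt" || echo "other.key does NOT match site.crt"
rm -rf "$dir"
```

If the digests differ, Apache will refuse to start with the error quoted above; the certificate was issued for a different CSR than the one belonging to the installed key.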

jon 4th February 2010 18:16

I agree it looks like that, but I used what was in the csr box. I also wonder if the key was right.

With Step 6 - Go back to ISPConfig and create a new certificate as you would normally. - Would that be normally as in the normal way you documented it below?

Also, I assume we should re-activate SSL for the site once the cert is in.

I did notice some strangeness with boxes being populated (as you mentioned). I wonder is it possible / better (for now) to create a certificate the old fashioned way and then save it in place of the .csr .key and .crt that ISPConfig spits out?

weezul 10th February 2010 11:48

Here's what I did:

Go to ispconfig, uncheck ssl and delete the certificates... click save.
Now wait a few minutes or just run the cron yourself.

now edit ispconfig settings:


Code:

# vi /usr/local/ispconfig/server/plugins-available/apache2_plugin.inc.php
goto line 140 and change 1024 to 2048 or 4096.

Run the cron again; you should see ispconfig generate new keys.

At this step I reloaded apache.

Go back into ispconfig, click create certificate and enable ssl.

Run the cron; you should see ispconfig creating the keys now...

Reload apache and log in to ispconfig again. Your certs should be there now.

Now you can use your ssl request file and have it signed wherever you get your certificate. Replace the certificate created by ispconfig with your signed one.

At this step it worked for me. I also followed another tutorial, so I added 2 more files and pasted the following lines into the options / apache directives form.
Code:

SSLCertificateChainFile /var/www/domain.tld/ssl/sub.class1.server.ca.pem
SSLCACertificateFile /var/www/domain.tld/ssl/ca.pem


till 10th February 2010 13:02

The SSL encryption has been set to 2048 in SVN, so this part will be fixed with the next ispconfig release (3.0.2).

bswinnerton 5th March 2010 23:33

Quote:

Originally Posted by SamTzu (Post 214955)
Once you download your certificate from GoDaddy, paste the contents of the yourdomain.com.crt file into the SSL Certificate field (replacing what is there), select Save Certificate from the pulldown and click Save. The SSL Bundle was left empty (not sure if I needed anything here or not... can anyone confirm?).

As far as I know, yes, it's required. It can be found here: https://certs.godaddy.com/anonymous/repository.seam as gd_bundle.crt

Fantu 6th March 2010 15:08

The simpler procedure (example based on a class 1 certificate at startssl.com) is:
- create the certificate in ispconfig
- take the content of the SSL Request field and get the certificate made with it on the startssl site
- take the content of the created certificate and copy it into "SSL Certificate", take the content of sub.class1.server.ca.pem and ca.pem and copy it into "SSL Bundle" in ispconfig, and select the save option
Finished, and it works. Sorry if I did not explain it well ^^''

rylangrant 8th March 2010 06:31

I tried following your instructions, but it didn't work for me. I originally generated a 1024 bit one until I realized GoDaddy required 2048 or 4096. I followed your instructions but it never generates the key for me. Even after going back to the 1024 setting, it still won't generate a key. Any ideas on where to look or what to do? I've looked for errors and I can't find any, and I can restart apache without problems.

Thanks

Fantu 8th March 2010 07:32

My instructions are tested only on 3.0.2 from SVN (but near to stable).

