HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   Tips/Tricks/Mods (http://www.howtoforge.com/forums/forumdisplay.php?f=19)
-   -   Solved ISPConfig Admin Panel w/RapidSSL (http://www.howtoforge.com/forums/showthread.php?t=53208)

kextra1 24th June 2011 15:49

Solved ISPConfig Admin Panel w/RapidSSL
 
This is a brief tutorial on how to install a RapidSSL certificate to be used with your ISPConfig admin panel, webmail, etc. etc. everything on and after https://www.yourdomain.com:81/*

It's pretty simple, but I'll go into detail for SSL newbie's like me.

I used Enom to purchase the RapidSSL cert for $70 bucks less.

It's actually pretty easy... so I felt like a dummie at first being confused on the different certificate webserver types that could have been correct when purchasing and checking out and all sorts of other small things that weren't documented very well for a person like me buying his 2nd SSL cert.

This includes the new RapidSSL requirements that require at least 2048 when generating the key as well as the newly required "intermediate.crt" they send you with your server.crt, and where to add the path's for the intermediate.crt to ispconfig 2.

It's not rocket science like some of you genious' get into, but I hope it helps some of you guys.

I used ENOM so I could get the $79.95/yr cert for $9.95/yr, but it's pretty much the same if you go directly through RapidSSL.com.

HOW TO INSTALL:
---------------

Go to enom and buy the $9.95/yr RapidSSL certificate. (Or rapidssl respectively)

Generate the Certificate in /root/ispconfig/httpd/conf/

or /root/ispconfig/httpd/conf/ssl.crt/server.crt respectively. Shown in the Generate the CSR section below.

IMPORTANT NOTE:

The CN, or Common name is important! If Enom or RapidSSL directly will not allow wildcards such as *.yourdomain.com for the $9.95/yr cert

make sure you use:

ON Enom/RapidSSL: Webserver type "Apache2"

CN: www.yourdomain.com

Make sure to use the same CN: on enom as you do when generating the certificate CSR with the commands below. So when entering the CN (Common Name) include the "www" in the domain when purchasing it & generating it so it will work when you go to:

https://www.yourdomain.com:81

-AND ALSO-

https://yourdomain.com:81

and of course everything else like :81/roundcubemail -or- :81/phpmyadmin etc. etc. it will work.. you get the picture...

So all your Co-Domain forwards and stuff are good to go.

Generate the CSR to submit to ENOM/RapidSSL:
-------------------------
-OLD-
openssl genrsa -des3 -passout pass:yourpassword -out /root/ispconfig/httpd/conf/ssl.key/server.key2 1024
-/OLD-

RapidSSL requires at least 2048 now and and intermediate certificate so use the following when generating it instead of 1024.

openssl genrsa -des3 -passout pass:yourpassword -out /root/ispconfig/httpd/conf/ssl.key/server.key2 2048

openssl req -new -passin pass:yourpassword -passout pass:yourpassword -key /root/ispconfig/httpd/conf/ssl.key/server.key2 -out /root/ispconfig/httpd/conf/ssl.csr/server.csr -days 365

openssl req -x509 -passin pass:yourpassword -passout pass:yourpassword -key /root/ispconfig/httpd/conf/ssl.key/server.key2 -in /root/ispconfig/httpd/conf/ssl.csr/server.csr -out /root/ispconfig/httpd/conf/ssl.crt/server.crt -days 365

openssl rsa -passin pass:yourpassword -in /root/ispconfig/httpd/conf/ssl.key/server.key2 -out /root/ispconfig/httpd/conf/ssl.key/server.key

chmod 600 /root/ispconfig/httpd/conf/ssl.key/server.key

/etc/init.d/ispconfig_server restart
----------------------------

You will get an E-Mail with the new RapidSSL signed certificate.

You'll need to put this new .crt in ISPConfig's server.crt

cp /root/ispconfig/httpd/conf/ssl.crt/server.crt /root/ispconfig/httpd/conf/ssl.crt/server-backup.crt

Now paste the newly issued RapidSSL certificate you got in your email into:

/root/ispconfig/httpd/conf/ssl.crt/server.crt

UPDATED 5/16/2011

I found out with all new RapidSSL certs you need to use another cert authority thingy they send you named INTERMEDIATE CA

Make a new file in the following location:

/root/ispconfig/httpd/conf/ssl.crt/intermediate.crt

Paste the INTERMEDIATE CA info into intermediate.crt which is at the bottom of the same email they give send u to put in the actual server.crt

Now go to the following file:

/root/ispconfig/httpd/conf/httpd.conf

Open httpd.conf with your favorite text editor and do a find for "SSLCACertificateFile"

You'll find an already commented out example in httpd.conf

To tell ISPConfig to check the intermediate.crt you created in the steps above simply add this line below:

SSLCACertificateFile /root/ispconfig/httpd/conf/ssl.crt/intermediate.crt

Reboot your server or restart your services and you're done!

Hope this helps someone that was as inexperienced with purchasing new SSL certs as I was!

Oh btw if you're interested you can try this method exactly like I explained it through enom, I believe I still have a few reseller accounts left for $8.50/yr domains and cheap SSL certs...unfortunately $9.95 is as low as the SSL certs get, but at least it's still 70 bucks off. The nice thing was that last year I messed up the first time and they gave me a refund right away so I could resubmit. I think I chose Apache2+mod_ssl or Apache2+OpenSSL instead of just Apache2 when submitting to rapidssl. They seem like a pretty stand up company.

I'm loving all the cool stuff you guys have been posting for ispconfig 2 & 3. I can't wait to get some stuff ready for SVN hopefully sooner than later.

kextra1


All times are GMT +2. The time now is 23:23.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.