
Mike007 23rd October 2011 20:26

Changing SSL box not affect vhost file
 
ISPconfig ver 3.0.3.3
OS: CentOS 5.7 x86_64
Problem: Sites-->Website --> Webdomain --> SSL checkbox
No matter if it is checked or not - there are no changes saved to vhost file ;(

Here is the log from ispconfig.log at debug loglevel while
-> first: unchecking the SSL box
Code:

23.10.2011-18:21 - DEBUG - Found 1 changes, starting update process.
23.10.2011-18:21 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
23.10.2011-18:21 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
23.10.2011-18:21 - DEBUG - exec: chmod 751 /var/www/clients/client23/web91/
23.10.2011-18:21 - DEBUG - exec: chmod 751 /var/www/clients/client23/web91/*
23.10.2011-18:21 - DEBUG - exec: chmod 710 /var/www/clients/client23/web91/web
23.10.2011-18:21 - DEBUG - exec: chmod 777 /var/www/clients/client23/web91/tmp
23.10.2011-18:21 - DEBUG - exec: chmod 755 /var/www/clients/client23/web91/log
23.10.2011-18:21 - DEBUG - exec: usermod --groups sshusers web91
23.10.2011-18:21 - DEBUG - exec: chown web91:client23 /var/www/clients/client23/web91
23.10.2011-18:21 - DEBUG - exec: chown web91:client23 /var/www/clients/client23/web91/log/error.log
23.10.2011-18:21 - DEBUG - Disable SSL for: my.domain
23.10.2011-18:21 - DEBUG - Writing the vhost file: /etc/httpd/conf/sites-available/my.domain.vhost
23.10.2011-18:21 - DEBUG - Apache status is: 1
23.10.2011-18:21 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
23.10.2011-18:21 - DEBUG - Apache online status after restart is: 1

and then (a short time later)
-> checking this SSL box again.

Code:

23.10.2011-18:23 - DEBUG - Found 1 changes, starting update process.
23.10.2011-18:23 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
23.10.2011-18:23 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
23.10.2011-18:23 - DEBUG - exec: chmod 751 /var/www/clients/client23/web91/
23.10.2011-18:23 - DEBUG - exec: chmod 751 /var/www/clients/client23/web91/*
23.10.2011-18:23 - DEBUG - exec: chmod 710 /var/www/clients/client23/web91/web
23.10.2011-18:23 - DEBUG - exec: chmod 777 /var/www/clients/client23/web91/tmp
23.10.2011-18:23 - DEBUG - exec: chmod 755 /var/www/clients/client23/web91/log
23.10.2011-18:23 - DEBUG - exec: usermod --groups sshusers web91
23.10.2011-18:23 - DEBUG - exec: chown web91:client23 /var/www/clients/client23/web91
23.10.2011-18:23 - DEBUG - exec: chown web91:client23 /var/www/clients/client23/web91/log/error.log
23.10.2011-18:23 - DEBUG - Disable SSL for: my.domain
23.10.2011-18:23 - DEBUG - Writing the vhost file: /etc/httpd/conf/sites-available/my.domain.vhost
23.10.2011-18:23 - DEBUG - Apache status is: 1
23.10.2011-18:23 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
23.10.2011-18:23 - DEBUG - Apache online status after restart is: 1

Both cases give the same info:
23.10.2011-18:21 - DEBUG - Disable SSL for: my.domain (this one is OK)
23.10.2011-18:23 - DEBUG - Disable SSL for: my.domain

The file my.domain.vhost got a new timestamp only.
BTW, changing other attributes, e.g. the IP address, works fine.

falko 24th October 2011 10:39

After you have enabled the SSL checkbox, you must go to the SSL tab and create a certificate. This is also described in the ISPConfig 3 Manual.

till 24th October 2011 10:40

Quote:

No matter if it is checked or not - there are no changes saved to vhost file ;(

That's OK, it means that there is no valid SSL certificate created yet for that website. Go to the SSL tab and create an SSL cert.

Mike007 24th October 2011 12:03

I have Comodo CA cert already installed
I did it by copying and pasting into the textboxes:
1. SSL Request - content of filename: AddTrustExternalCARoot.crt
2. SSL Certificate - content of filename: my.domain.crt
3. SSL Bundle - content of filename: COMODOHigh-AssuranceSecureServerCA.crt

Then I chose SSL Action: Save Certificate.
Saving makes debug info:
Code:

24.10.2011-10:33 - DEBUG - Calling function 'update' from plugin 'apps_vhost_plugin' raised by event 'server_update'.
24.10.2011-10:33 - DEBUG - Calling function 'update' from plugin 'network_settings_plugin' raised by event 'server_update'.
24.10.2011-10:33 - WARNING - Network configuration disabled in server settings.
24.10.2011-10:33 - DEBUG - Calling function 'update' from plugin 'postfix_server_plugin' raised by event 'server_update'.

WARNING - Network configuration disabled in server settings.
I think this warning is not related to this problem, am I right?

Certificates are saved in this location:
Code:

# ls -l /var/www/clients/client3/web91/ssl
total 12
-rw-r--r-- 1 root root 1788 Oct 23 12:13 my.domain.bundle
-rw-r--r-- 1 root root 2089 Oct 23 12:13 my.domain.crt
-rw-r--r-- 1 root root 1520 Oct 23 12:13 my.domain.csr

PS. my.domain is not real domain name of course.

till 24th October 2011 12:06

Quote:

I have Comodo CA cert already installed
I did it by copying and pasting into the textboxes:
1. SSL Request - content of filename: AddTrustExternalCARoot.crt
2. SSL Certificate - content of filename: my.domain.crt
3. SSL Bundle - content of filename: COMODOHigh-AssuranceSecureServerCA.crt

Have you created the CSR for this certificate in this ISPConfig website? If not, then the SSL cert is incomplete as the key file is missing. To fix this, you will have to install the key in the ssl folder manually in the file my.domain.crt and then enable the SSL cert in ISPConfig again.

Mike007 24th October 2011 13:33

Quote:

Originally Posted by till (Post 265800)
That's OK, it means that there is no valid SSL certificate created yet for that website. Go to the SSL tab and create an SSL cert.

Thank You,

I removed certificate by choosing SSL action 'Delete Certificate'. Folder .../web/ssl/ is empty now. I also cleared all textboxes on 'Web Domain' and I checked vhost file (OK - it is without SSL directives).

Now I started from the beginning.
I filled all required fields (Now State, Locality, Organisation, Organisation Unit, Country, SSL Domain) and chose SSL Action 'Create Certificate'.
And... It works! :)

Folder .../web/ssl has now these files:
Code:

# ls -l /var/www/clients/client23/web91/ssl
total 16
-rw-r--r-- 1 root root 1322 Oct 24 12:14 my.domain.crt
-rw-r--r-- 1 root root 1115 Oct 24 12:14 my.domain.csr
-r-------- 1 root root 1675 Oct 24 12:14 my.domain.key
-rw-r--r-- 1 root root 1743 Oct 24 12:14 my.domain.key.org

SSL works but of course the certificate is untrusted.
Now I have to figure out how to put in the COMODO certificate.

The SSL Bundle textbox is empty, so should I fill this box with the intermediate cert (file: COMODOHigh-AssuranceSecureServerCA.crt)?
What else should I do?

till 24th October 2011 14:38

You have to sign the CSR now so that you get a new trusted certificate from Comodo. Comodo should do the reissue of the certificate for free. So the steps are now:

1) Log in to your Comodo account and request a reissue of the SSL cert based on the CSR that is shown in the ISPConfig interface.
2) You will then get a new SSL certificate from Comodo. Copy the contents of this new certificate into the certificate field in ISPConfig and the content of the SSL intermediate cert into the SSL bundle field. Then select save certificate as action and click on save.

Mike007 24th October 2011 17:40

I did it my way and it works now - but it was a bit of a sneaky idea ;)
While SSL is working now (I mean the vhost file contains SSL info), I copied into the Website Webdomain textboxes the content of the files I owned before:
1. SSL Request - content of filename: my.domain.csr
2. SSL Certificate - content of filename: my.domain.crt
3. SSL Bundle - content of filename: COMODOHigh-AssuranceSecureServerCA.crt

Then simply apply SSL Action 'Save Certificate'

my.domain.csr - the file that I previously generated myself for the CA (COMODO) for the certificate request process.
my.domain.crt - domain certificate received from the CA.

Then I copied the my.domain.key file to the .../web/ssl folder. This file was also created during the certificate request process for signing the my.domain.csr file. That file replaced the one created by ISPConfig.

But... there is a little problem when restarting the httpd service:
Code:

# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd: Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server my.domain:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.


till 24th October 2011 17:46

You created an encrypted SSL key, so it requires a password now. Make sure that you don't reboot the server now, it will not come up again until you fix your key. You will have to decrypt the key and store the decrypted key instead of the encrypted one.

Mike007 24th October 2011 22:03

Quote:

Originally Posted by till (Post 265854)
You created an encrypted SSL key, so it requires a password now. Make sure that you don't reboot the server now, it will not come up again until you fix your key. You will have to decrypt the key and store the decrypted key instead of the encrypted one.

Yes, I decrypted the key
Code:

# openssl rsa -in my.domain.key -out new.my.domain.key
Enter pass phrase for my.domain.key:
writing RSA key
# cp new.my.domain.key my.domain.key

I rather thought that the problem was because I should use ispserver.key to sign out the *.csr file, but I see that ispserver.key is not encrypted either. ISPConfig has an encrypted key file, ispserver.key.secure, and encrypted files like *.domain.key.org created on the SSL websites.

Anyway thanks for a great help.

[PROBLEM SOLVED]
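
The two failures in this thread (a certificate saved without its key, then a passphrase-protected key that stops httpd at the pass phrase dialog) can be caught before a restart. The script below is an added example, not part of the thread or of ISPConfig; the function name `check_ssl_dir` and its result strings are made up here, and it assumes an RSA key and the `<domain>.crt` / `<domain>.key` naming shown in the listings above.

```shell
#!/bin/sh
# Added example: pre-flight check of a site's ssl folder before restarting httpd.
# Assumed layout (from the listings in the thread): <dir>/<domain>.crt and .key

check_ssl_dir() {
    dir=$1; domain=$2
    crt="$dir/$domain.crt"; key="$dir/$domain.key"

    # 1. A certificate without its private key is incomplete.
    [ -f "$crt" ] || { echo "MISSING_CERT"; return 1; }
    [ -f "$key" ] || { echo "MISSING_KEY"; return 1; }

    # 2. A passphrase-protected key makes mod_ssl stop at the pass phrase
    #    dialog. Traditional PEM marks it with a Proc-Type header, PKCS#8
    #    with its own BEGIN line.
    if grep -q -e 'Proc-Type: 4,ENCRYPTED' \
               -e 'BEGIN ENCRYPTED PRIVATE KEY' "$key"; then
        echo "ENCRYPTED_KEY"; return 1
    fi

    # 3. The key must not be readable by group or others.
    if [ -n "$(find "$key" \( -perm -040 -o -perm -004 \))" ]; then
        echo "KEY_TOO_OPEN"; return 1
    fi

    # 4. The key must belong to the certificate: compare public keys.
    #    "openssl rsa" matches the RSA key used in the thread.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl rsa -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "MISMATCH"; return 1
    fi
    echo "OK"
}

# Constructed demo input: only the PEM header lines, no real key material.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' > "$demo/my.domain.crt"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    > "$demo/my.domain.key"
check_ssl_dir "$demo" my.domain || true   # prints ENCRYPTED_KEY
rm -rf "$demo"
```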


All times are GMT +2.