HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


BitSprocket 4th November 2012 23:54

SSL Certificate install trouble
 
All,

I have installed per your Perfect Ubuntu 12.10 server howto and am having an issue with getting my certificate to work properly.

I've entered the IP address and am not using a wildcard, and I have verified that the certs are in fact in the /var/www/sitename/ssl directory. SSL is checked on the proper page, but when browsing to https://mysite.com I get a 701 error and the apache2 error log reads:

Code:

client denied by server configuration: /var/www/

I can get to the non-https site just fine but can't get the server configured to pull files from the proper location.

I've tried deleting the domain and re-creating it with no luck. It also seems that the virtual host file in /var/www/apache2/sites-enabled makes no mention of port 443 or ssl.

Thanks for your help!

till 5th November 2012 11:24

Please remove the SSL cert that you copied to the ssl folder manually and then create a new SSL cert in ISPConfig on the SSL tab of the website, wait a few minutes and test again. If the site works with the self-signed SSL cert, replace the SSL cert and key file in the ssl folder with the cert and key of your other SSL cert and restart Apache.

BitSprocket 5th November 2012 16:08

Thanks till. Late last night (before your post) I found a solution that works but I wanted to get your opinion. It's very different than the one you mentioned. I added a clause to the mysite.com.vhost file in /etc/apache2/sites-available and it looks like this:

Code:

<Directory /var/www/mysite.com>
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>

<VirtualHost *:80>
      DocumentRoot /var/www/mysite/web
 
    ServerName mysite.com
    ServerAlias www.mysite.com
    ServerAdmin webmaster@mysite.com

    ErrorLog /var/log/ispconfig/httpd/mysite.com/error.log

    Alias /error/ "/var/www/mysite.com/web/error/"
    ErrorDocument 400 /error/400.html
    ErrorDocument 401 /error/401.html
    ErrorDocument 403 /error/403.html
    ErrorDocument 404 /error/404.html
    ErrorDocument 405 /error/405.html
    ErrorDocument 500 /error/500.html
    ErrorDocument 502 /error/502.html
    ErrorDocument 503 /error/503.html

    <IfModule mod_ssl.c>
    </IfModule>

    <Directory /var/www/mysite.com/web>
        Options FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    <Directory /var/www/clients/client0/web1/web>
        Options FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>



    # suexec enabled
    <IfModule mod_suexec.c>
      SuexecUserGroup web1 client0
    </IfModule>
    # Clear PHP settings of this website
    <FilesMatch "\.ph(p3?|tml)$">
        SetHandler None
    </FilesMatch>
    # php as fast-cgi enabled
        # For config options see: http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html
    <IfModule mod_fcgid.c>
        IdleTimeout 300
        ProcessLifeTime 3600
        # MaxProcessCount 1000
        DefaultMinClassProcessCount 0
        DefaultMaxClassProcessCount 100
        IPCConnectTimeout 3
        IPCCommTimeout 360
        BusyTimeout 300
    </IfModule>
    <Directory /var/www/mysite.com/web>
        AddHandler fcgid-script .php .php3 .php4 .php5
        FCGIWrapper /var/www/php-fcgi-scripts/web1/.php-fcgi-starter .php
        Options +ExecCGI
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    <Directory /var/www/clients/client0/web1/web>
        AddHandler fcgid-script .php .php3 .php4 .php5
        FCGIWrapper /var/www/php-fcgi-scripts/web1/.php-fcgi-starter .php
        Options +ExecCGI
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>


    # add support for apache mpm_itk
    <IfModule mpm_itk_module>
      AssignUserId web1 client0
    </IfModule>

    <IfModule mod_dav_fs.c>
          # Do not execute PHP files in webdav directory
      <Directory /var/www/clients/client0/web1/webdav>
            <FilesMatch "\.ph(p3?|tml)$">
          SetHandler None
        </FilesMatch>
      </Directory>
      DavLockDB /var/www/clients/client0/web1/tmp/DavLock
      # DO NOT REMOVE THE COMMENTS!
      # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
      # WEBDAV BEGIN
      # WEBDAV END
    </IfModule>


</VirtualHost>
<VirtualHost *:443>
      DocumentRoot /var/www/mysite.com/web
 
    ServerName mysite.com
    ServerAlias www.mysite.com
    ServerAdmin webmaster@mysite.com

    ErrorLog /var/log/ispconfig/httpd/mysite.com/error.log

    Alias /error/ "/var/www/mysite.com/web/error/"
    ErrorDocument 400 /error/400.html
    ErrorDocument 401 /error/401.html
    ErrorDocument 403 /error/403.html
    ErrorDocument 404 /error/404.html
    ErrorDocument 405 /error/405.html
    ErrorDocument 500 /error/500.html
    ErrorDocument 502 /error/502.html
    ErrorDocument 503 /error/503.html

    <IfModule mod_ssl.c>
    </IfModule>

    <Directory /var/www/mysite.com/web>
        Options FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    <Directory /var/www/clients/client0/web1/web>
        Options FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>



    # suexec enabled
    <IfModule mod_suexec.c>
      SuexecUserGroup web1 client0
    </IfModule>
    # Clear PHP settings of this website
    <FilesMatch "\.ph(p3?|tml)$">
        SetHandler None
    </FilesMatch>
    # php as fast-cgi enabled
        # For config options see: http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html
    <IfModule mod_fcgid.c>
        IdleTimeout 300
        ProcessLifeTime 3600
        # MaxProcessCount 1000
        DefaultMinClassProcessCount 0
        DefaultMaxClassProcessCount 100
        IPCConnectTimeout 3
        IPCCommTimeout 360
        BusyTimeout 300
    </IfModule>
    <Directory /var/www/mysite.com/web>
        AddHandler fcgid-script .php .php3 .php4 .php5
        FCGIWrapper /var/www/php-fcgi-scripts/web1/.php-fcgi-starter .php
        Options +ExecCGI
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    <Directory /var/www/clients/client0/web1/web>
        AddHandler fcgid-script .php .php3 .php4 .php5
        FCGIWrapper /var/www/php-fcgi-scripts/web1/.php-fcgi-starter .php
        Options +ExecCGI
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>


    # add support for apache mpm_itk
    <IfModule mpm_itk_module>
      AssignUserId web1 client0
    </IfModule>

    <IfModule mod_dav_fs.c>
          # Do not execute PHP files in webdav directory
      <Directory /var/www/clients/client0/web1/webdav>
            <FilesMatch "\.ph(p3?|tml)$">
          SetHandler None
        </FilesMatch>
      </Directory>
      DavLockDB /var/www/clients/client0/web1/tmp/DavLock
      # DO NOT REMOVE THE COMMENTS!
      # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
      # WEBDAV BEGIN
      # WEBDAV END
    </IfModule>
    SSLEngine on
    SSLCertificateFile /var/www/clients/client0/web1/ssl/mysite.com.crt
    SSLCertificateKeyFile /var/www/clients/client0/web1/ssl/mysite.com.key
    SSLCACertificateFile /var/www/clients/client0/web1/ssl/mysite.com.bundle

</VirtualHost>

Paying particular attention to the section starting <VirtualHost *:443>, I know wildcards are less than ideal, as it seems to apply to all my sites now (producing the browser warning, of course), but it works properly for the site I need. The other sites don't use SSL anyway, so I'm not concerned.

Thoughts?

till 5th November 2012 16:37

Never edit a vhost file manually as all manual settings that you do in that file will get removed automatically anyway.

Whether you use * or the IP depends on your Apache version: the IP always works, while * works only on the latest Apache versions and enables SSL for SNI only, which is not understood by older Internet Explorer versions.

Please do what I described above; ISPConfig will then create the SSL vhost automatically. It has not created it before because either one of your manually copied SSL certs was wrong or had a wrong name, so Apache was not able to start with the SSL certs you provided and ISPConfig had to do a rollback and remove the SSL vhost again.
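
A static check for the symptoms discussed in this thread (a vhost file with no port 443 section, SSL not enabled, or certificate files with unexpected names), as an added example that is not part of the original posts and not ISPConfig's own code. The `<domain>.crt` / `<domain>.key` naming is an assumption taken from the paths in the vhost posted above, and the sample configs are constructed.

```python
import re

# One <VirtualHost addr:port> ... </VirtualHost> block: (addr, port, body).
VHOST_RE = re.compile(r"<VirtualHost\s+(\S+):(\d+)>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """First argument of an uncommented directive in a vhost body, or None."""
    m = re.search(rf"^[ \t]*{name}[ \t]+(\S+)", body, re.M | re.I)
    return m.group(1).strip('"') if m else None

def audit_ssl_vhost(conf_text, domain):
    """Return findings for the domain's HTTPS vhost; an empty list means OK."""
    blocks = [(a, b) for a, p, b in VHOST_RE.findall(conf_text) if p == "443"
              and (directive(b, "ServerName") or "").lower() == domain]
    if not blocks:
        return [f"no :443 vhost for {domain}"]
    findings = []
    for addr, body in blocks:
        if (directive(body, "SSLEngine") or "").lower() != "on":
            findings.append("SSLEngine is not on")
        # Assumption: <domain>.crt / <domain>.key naming, as in the thread's paths.
        for name, ext in (("SSLCertificateFile", ".crt"),
                          ("SSLCertificateKeyFile", ".key")):
            path = directive(body, name)
            if path is None:
                findings.append(f"{name} missing")
            elif path.rsplit("/", 1)[-1] != domain + ext:
                findings.append(f"{name} unexpected name: {path}")
        if addr == "*":
            findings.append("bound to *:443 (SNI only)")
    return findings

# Constructed sample configs, not taken from a real server.
SSL_DIR = "/var/www/clients/client0/web1/ssl"
HTTP_ONLY = "<VirtualHost *:80>\n    ServerName mysite.com\n</VirtualHost>\n"
WILDCARD = HTTP_ONLY + f"""<VirtualHost *:443>
    ServerName mysite.com
    SSLEngine on
    SSLCertificateFile {SSL_DIR}/mysite.com.crt
    SSLCertificateKeyFile {SSL_DIR}/mysite.com.key
</VirtualHost>
"""
WRONG_NAME = WILDCARD.replace("*:443", "192.0.2.10:443").replace(
    "mysite.com.crt", "server.crt")

if __name__ == "__main__":
    for label, conf in (("http only", HTTP_ONLY), ("wildcard", WILDCARD),
                        ("wrong name", WRONG_NAME)):
        print(label, "->", audit_ssl_vhost(conf, "mysite.com"))
```

This only inspects the config text; it does not confirm that the certificate and key belong together or that Apache starts with them.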

BitSprocket 5th November 2012 16:39

Thanks for the advice till. And for the quick reply!

