HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


Unfaiir 7th February 2013 05:09

Need Help For Certified SSL Install For Alias Domain
 
I have a subdomain set up as a site (because I like that better than using the subdomain feature): subdomain.domain.com

I have an alias for this subdomain: www.aliasdomain.com

I've used OpenSSL to create a CSR, sent it to the CA and received the Server Cert, Intermediate Cert and Root Cert back from them.

I've uploaded my private key, and all certs to /var/www/clients/clientX/webX/ssl (this is the client & web for subdomain.domain.com).

In ISPConfig 3, I've pasted the Server Cert into the SSL Certificate field, the Intermediate Cert followed by the Root Cert into the SSL Bundle field, and then selected Save certificate from the drop-down and clicked Save.

When I check my domain under https it says "Wrong Site" and "Unknown Identity", and then even further, in Chrome it even shows me in the browser what I have in /var/www/html instead of what's in /var/www/clients/clientX/webX/ssl... which I just don't get, but I'm sure it has something to do with the SSL cert not being properly installed.

Can someone PLEASE help? What am I doing wrong to get this cert to work for an ISPConfig 3 alias?

Unfaiir 7th February 2013 06:35

Found Workaround! Seems OK So Far! But Is It Really?
 
After trying several different things through the ISPConfig 3 SSL Tab, adding in some SSL file uploads, and pouring myself a glass full of Tequila, I finally found something that worked:

1.) Use ISPConfig 3 SSL Tab to create a self signed SSL cert for domain.com
2.) Make a backup of the files domain.key, domain.csr and domain.crt in /var/www/clients/clientX/webX/ssl
3.) Rename certified SSL files domainalias.key, domainalias.csr and domainalias.crt to domain.key, domain.csr and domain.crt and then upload them, along with the Root Cert and Intermediate Cert, to /var/www/clients/clientX/webX/ssl
4.) Then restart Apache: service httpd restart

This seems like the best way to do it because if ISPConfig 3 makes changes to the vhost file then the SSL pointers in there will still match the certified SSL files.

If anyone has a better way please let me know. Hope this helps someone out!
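Added example, not part of the original posts and not ISPConfig code: after swapping certificate files by hand as in the steps above, two checks catch the usual failures, a private key that does not belong to the certificate and a certificate whose names do not cover the hostname visitors use (the "Wrong Site" symptom). The function names are this example's own, and the sample certificates are throwaway self-signed ones constructed for the demo.

```sh
#!/bin/sh
# Added example, not ISPConfig code. Paths and hostnames are whatever the caller passes.

# 0 if the private key ($1) and the certificate ($2) carry the same public key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# 0 if the certificate ($1) is valid for hostname ($2); wildcard names are honoured.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Print one verdict line for a key/cert pair and the hostname visitors will type.
check_site() {   # usage: check_site KEY CERT HOSTNAME
    if ! key_matches_cert "$1" "$2"; then echo "FAIL key/cert mismatch"; return 1; fi
    if ! cert_covers_host "$2" "$3"; then echo "FAIL cert does not cover $3"; return 1; fi
    echo "OK $3"
}

# Constructed sample input: two throwaway self-signed certs written to directory $1.
make_samples() {   # usage: make_samples DIR
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=*.domain.com' \
        -keyout "$1/domain.key" -out "$1/domain.crt" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=www.aliasdomain.com' \
        -keyout "$1/alias.key" -out "$1/alias.crt" 2>/dev/null
}

# Run as "sh thisfile demo" to see all three outcomes on the constructed samples.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && make_samples "$d"
    check_site "$d/domain.key" "$d/domain.crt" subdomain.domain.com   # name covered
    check_site "$d/domain.key" "$d/domain.crt" www.aliasdomain.com    # name not covered
    check_site "$d/domain.key" "$d/alias.crt"  www.aliasdomain.com    # wrong key for cert
    rm -rf "$d"
fi
```

On a real site, pass the key and certificate that the vhost references and the hostname used in the browser, for example `check_site domain.key domain.crt www.aliasdomain.com` run inside the site's ssl directory.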

till 7th February 2013 10:28

Your problems occurred because you did not create the first SSL cert in ISPConfig and because you did not use a multi-domain cert. Take a look into the ISPConfig manual; the steps to create an SSL cert in ISPConfig are described there in detail.

If a site has more than one domain name, then choose a multi-domain SSL cert when you buy it at the SSL authority. The SSL authority will ask you for the additional domain names, so there are no changes required in your ISPConfig setup for that.

Unfaiir 7th February 2013 12:03

Quote:

Originally Posted by till (Post 291712)
Your problems occurred because you did not create the first SSL cert in ISPConfig and because you did not use a multi-domain cert. Take a look into the ISPConfig manual; the steps to create an SSL cert in ISPConfig are described there in detail.

If a site has more than one domain name, then choose a multi-domain SSL cert when you buy it at the SSL authority. The SSL authority will ask you for the additional domain names, so there are no changes required in your ISPConfig setup for that.

Thanks for the reply Till!

I did look through the manual but it does not cover what I faced with this particular case. I needed the cert to cover the Domain Alias, not the actual domain. ISPConfig's SSL Tab doesn't allow you to choose a domain alias when having it create an SSL cert via pasting. ISPConfig's SSL Tab limits you to the current domain only.

Because you are limited to only choosing the current domain, ISPConfig writes file references to ssl files for the current domain in the vhost file when you create any ssl using the tab.

Therefore, I needed an alternative solution that was compatible with ISPConfig. Hopefully this feature is added in a future release, but this seems to be doing the trick pretty safely in the meantime.

Also, I did set up a self-signed SSL cert in ISPConfig during initial setup; however, neither a self-signed cert nor a multi-domain cert was desired in this case.

till 7th February 2013 13:09

You could have e.g. exchanged the alias domain name with the main domain name, as the ssl domain is normally the main domain of a site.

Unfaiir 7th February 2013 14:04

Quote:

Originally Posted by till (Post 291722)
You could have e.g. exchanged the alias domain name with the main domain name, as the ssl domain is normally the main domain of a site.

That would be a great option if the server were a single IP server with one certified SSL certificate.

In my case, the server is a multiple IP server and multiple certified SSL certificate server, and there is no real "main domain".

I probably could have also avoided having to do this by sandboxing each SSL domain with OpenVZ.

This isn't optimal for my case though and would have been both overkill and a major inconvenience, since all IPs and all SSL domains are owned by the same client and this is a true dedicated server.

till 7th February 2013 14:16

The main domain of a website is the domain that you enter in the "domain" field of the site. I'm not talking about a main domain of the server. So you can have as many domains and as many IP addresses as you like on the server; this does not matter for this setup at all.

So all you have to do is to exchange the content of the "domain" field of this website with the content of the "domain" field of the alias domain.

Unfaiir 7th February 2013 14:52

Quote:

Originally Posted by till (Post 291726)
The main domain of a website is the domain that you enter in the "domain" field of the site. I'm not talking about a main domain of the server. So you can have as many domains and as many IP addresses as you like on the server; this does not matter for this setup at all.

So all you have to do is to exchange the content of the "domain" field of this website with the content of the "domain" field of the alias domain.

I think I see what you're saying by "main site". I thought you were meaning the "main site" for the server. Are you suggesting that I make the alias the domain and the domain the alias?

That is also a great idea and would totally work in most cases.

In my case though there are a few catches so I can't swap the two.

It is a very long and boring story why, but in a nutshell, the sites are actually wildcard SSL subdomains (I make them sites because I don't like the subfolder approach ISPConfig uses for subdomains) which may have 0-n number of SSL aliases per subdomain, and they are part of a larger network.


All times are GMT +2.