HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


Ovidiu 24th February 2013 10:52

need some help with SNI and startssl
 
Hi there,

I'm running ISPCFG 3.0.5RC2 and am having some trouble understanding SNI:

Under System => Server Config => server => Web => SSL Settings I have checked the box next to "Enable SNI", but what exactly goes into "CA Path" and "CA passphrase"?

Now if I am going to configure a vhost with SSL via Sites => select vhost => check "SSL", then go to the SSL tab and fill in the fields, I am struggling to find out what to put into "SSL Bundle".

I have signed up with startssl.com and can generate certificates there so I have all the info but not sure where/what to fill in. Yes I have found the howto that deals with startssl.com but it doesn't help so please don't just point me there.

Is this scenario I have in mind doable:
- check SNI, then create a class2 certificate via startssl for each vhost that needs it, class2 because I'll generate a certificate that is valid for *.domain.tld

Yes, I know SNI is not fully supported everywhere but where I rent my root server from I can only get 2 IPs.

###additional question###
Let's assume the above scenario works, what/which SSL certificate do I then use for securing emails and FTP? Can I additionally create a wildcard/multi-domain certificate from startssl that covers all hosted domains so it can be shared for this purpose?

falko 25th February 2013 18:57

The fields are all described in the manual.

till 25th February 2013 19:03

Quote:

Under System => Server Config => server => Web => SSL Settings I have checked the box next to "Enable SNI", but what exactly goes into "CA Path" and "CA passphrase"?
These fields are not related to SNI. They are for companies that run their own SSL CA.

Ovidiu 26th February 2013 07:07

Awesome guys, I only bought the manual for ISPCFG 3.0.3 and was experimenting with 3.0.5RC1/RC2 but now that the final version is out I saw the manual is available too so I'll go buy that.

So apart from those fields, would you mind having a look at the other questions in this thread please?

falko 27th February 2013 14:32

Quote:

Originally Posted by Ovidiu (Post 292487)
###additional question###
Let's assume the above scenario works, what/which SSL certificate do I then use for securing emails and FTP? Can I additionally create a wildcard/multi-domain certificate from startssl that covers all hosted domains so it can be shared for this purpose?

The CA (StartSSL, Comodo, GeoTrust, etc.) doesn't matter.
If you want to use a multi-domain (SAN) certificate, make sure to use the same key for all those websites.
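
As an added example (not from this thread or from ISPConfig itself), a small POSIX sh checklist that confirms a certificate, its private key and the CA bundle belong together before they go into the SSL Certificate / SSL Key / SSL Bundle fields, and lists the SAN names a multi-domain certificate covers. It assumes OpenSSL 1.1.1 or newer; the make_demo_material helper generates constructed throwaway certificates so it runs offline, and all file names are placeholders.

```shell
#!/bin/sh
# Added example: sanity checks for the material that goes into ISPConfig's
# SSL Certificate / SSL Key / SSL Bundle fields. Assumes OpenSSL >= 1.1.1.
# File names are placeholders; make_demo_material creates constructed test
# certificates so the checks can be exercised without a real CA.

# Returns 0 if the public key embedded in CERT equals the public key derived from KEY.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 if CERT chains to the CA certificates in BUNDLE (the "SSL Bundle" field).
cert_chains_to_bundle() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Prints the DNS names of the certificate's subjectAltName, one per line;
# a multi-domain (SAN) certificate must list every site it is reused for.
cert_san_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^[:space:]]*\).*/\1/p'
}

# Constructed throwaway material: a demo CA, a SAN leaf signed by it,
# and an unrelated key. Prints the directory holding the files.
make_demo_material() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$d/site.key" -out "$d/site.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:example.test,DNS:www.example.test\n' >"$d/san.cnf"
    openssl x509 -req -in "$d/site.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/san.cnf" -out "$d/site.pem" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -out "$d/other.key" >/dev/null 2>&1
    echo "$d"
}

# Stand-alone usage: run "sh check_ssl.sh demo" to exercise the checks on the demo material.
if [ "${1:-}" = "demo" ]; then
    D=$(make_demo_material)
    cert_matches_key "$D/site.pem" "$D/site.key" && echo "key matches certificate"
    cert_matches_key "$D/site.pem" "$D/other.key" || echo "other.key does NOT match"
    cert_chains_to_bundle "$D/site.pem" "$D/ca.pem" && echo "certificate chains to bundle"
    echo "SAN names:"; cert_san_names "$D/site.pem"
fi
```

For real material, call the three check functions with the paths of the certificate, key and bundle you are about to paste into ISPConfig; a key mismatch or a failed chain check is what typically produces browser SSL errors after the vhost is saved.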

midcarolina 31st March 2013 14:58

SNI Disabled
 
The best method to avoid this SSL error is to disable the SNI feature completely. Prior to the SNI option set in ISPConfig, I ran my servers as such:

WAN IP for main DNS (Public static), then

LAN IP I only use one: e.g. 192.168.11.XX

I have 5 shared boxes running this set-up (no extra LAN ips) and all browsers resolve them just fine without this feature.

Some may or may not know - Android OS, iOS, Blackberry, etc. smartphones, tablets and such tend to give SSL's a harder time.

I haven't had a single issue as long as I validated them with a CA Authority.

Best solution as of today - $5.99 Godaddy cert. Works fine running:

Static WAN IP >> LAN IP (in ISPConfig) without SNI. One box has perhaps 15 or so SSLs on the exact same LAN IP (192.168.11.XX) with no issues in browsers or tablets, smartphones, mobile web, mobile apps, etc....

Best...

P.S. This is using Apache 2.2, not nginx (have no knowledge of nginx), so please restart apache server after reconfiguration.

mbsouth 25th April 2013 13:55

@midcarolina

Hi, it sounds interesting!
I don't use ISPConfig, therefore I don't know exactly what your vhost config file (e.g. shared box) looks like.
Is it possible to post a vhost config?


mbsouth

