HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


zenny 14th June 2013 00:56

SNI (Server Name Indication) and ISPConfig 3.0.5.2
 
Hi:

Trying to avail https connections to several domains with a single IP in ISPConfig 3.0.5.2/Apache2 in Debian Wheezy.

The motivation is to allow users to access webmail, phpmyadmin, and ISPConfig panel using SSL.

Enabling SSL in the ISPConfig panel always lands at the error message (Error code: ssl_error_rx_record_too_long) when accessed using https, and even http gives a blank page.

Appreciate if someone could share experience how you achieved SNI. Thanks!

zenny 14th June 2013 09:48

Some additional info
 
Hi with bump!

1. According to http://debian-handbook.info/browse/w...eb-server.html, it simply states that:

Quote:

The Apache package provided in Debian is built with support for SNI; no particular configuration is therefore needed, apart from enabling name-based virtual hosting on port 443 (SSL) as well as the usual port 80. This is a simple matter of editing /etc/apache2/ports.conf so it includes the following:

Code:

<IfModule mod_ssl.c>
    NameVirtualHost *:443
    Listen 443
</IfModule>


2. And /etc/apache2/ports.conf categorically states that:
Quote:

# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to <VirtualHost *:443>

# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.

3. Thus, in the /etc/apache2/sites-available/default-ssl, it has been changed from:

Code:

<VirtualHost _default_:443>

to:

Code:

<VirtualHost *:443>

4. Now, how does ISPConfig3 handle SNI? Does one need to enable the SSL option in the domain to enable SNI in the ISPConfig3 server?

Expecting an ISPConfig3 way of SNI for multiple domains from Falko. Thanks in advance!

till 14th June 2013 09:55

Using SNI with ispconfig does not require any additional configuration on Debian, just create the website in ispconfig, go to the ssl tab and create a ssl cert for that website. In some cases it is required that you select the IP address in the website field instead of *, so you might want to try that as well.

The message you posted above just indicates that the ssl is not active at the moment on this site, e.g. because the ssl cert is broken or you did not create a ssl cert.

zenny 14th June 2013 11:59

Thanks Till.

But I did create a ssl certificate by getting into SSL tab of domain and also with 'create certificate' option.

It did create everything and it didn't work, so I just made changes to the ports.conf and default-ssl.

Earlier, I didn't make any changes to the conf files above and yet getting the same error "ssl_error_rx_record_too_long".

Any hints?

till 14th June 2013 13:20

Quote:

Any hints?

The message you posted above just indicates that the ssl is not active at the moment on this site, e.g. because the ssl cert is broken or you did not create a ssl cert.

zenny 15th June 2013 02:27

Quote:

Originally Posted by till (Post 298613)
Using SNI with ispconfig does not require any additional configuration on Debian, just create the website in ispconfig, go to the ssl tab and create a ssl cert for that website. In some cases it is required that you select the IP address in the website field instead of *, so you might want to try that as well.

But the IPv4 address in the website is a dropdown list which has no IP address specified. However I added one for the specific client in server config, but with the server IP selected, even http is not rendering with default 403 forbidden error message.

But when I selected * for the IP address, http works at least, but https still outputs "ssl_error_rx_record_too_long" error.

Quote:

Originally Posted by till (Post 298613)
The message you posted above just indicates that the ssl is not active at the moment on this site, e.g. because the ssl cert is broken or you did not create a ssl cert.

Tried even after recreating the entire domain besides the ssl cert, but no go. :(

till 15th June 2013 10:45

Quote:

But the IPv4 address in the website is a dropdown list which has no IP address specified. However I added one for the specific client in server config, but with the server IP selected, even http is not rendering with default 403 forbidden error message.

If you run multiple sites on that same IP, then ensure that all sites use the IP and don't mix * and IP.

Quote:

But when I selected * for the IP address, http works at least, but https still outputs "ssl_error_rx_record_too_long" error.

This means that there is no ssl vhost or a broken ssl cert. You can e.g. try to recreate the ssl cert through ispconfig; ensure that you don't use any special chars in the ssl cert detail fields as this might cause openssl to fail to create the cert.
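
Added example (not part of the thread and not ISPConfig's own code): a small Python check for the two causes named in the reply above, a port-443 vhost without `SSLEngine on` and `*` mixed with IP-bound vhosts. The sample config, its host names and the 192.0.2.10 address are constructed for illustration.

```python
import re

# Constructed sample config (not from the thread): Debian's default-ssl on *:443
# next to two ISPConfig-style sites bound to a documentation IP address.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName default.example
    SSLEngine on
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName site1.example
    SSLEngine on
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName site2.example
    # SSLEngine on
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
ADDR_RE = re.compile(r"^(.*?)(?::(\d+|\*))?$")  # host[:port], IPv6 in [brackets]
WILDCARDS = {"*", "_default_"}

def parse_vhosts(conf):
    """Yield (host, port, server_name, ssl_on) for every address of every vhost."""
    for addrs, body in VHOST_RE.findall(conf):
        body = re.sub(r"(?m)^\s*#.*$", "", body)  # ignore commented-out directives
        name = re.search(r"(?im)^\s*ServerName\s+(\S+)", body)
        ssl_on = re.search(r"(?im)^\s*SSLEngine\s+on\b", body) is not None
        for addr in addrs.split():
            host, port = ADDR_RE.match(addr).groups()
            yield host, port, name.group(1) if name else "(unnamed)", ssl_on

def lint(conf, port="443"):
    """Return sorted (finding, server_name) pairs for vhosts on the given port."""
    vhosts = [v for v in parse_vhosts(conf) if v[1] == port]
    hosts = {v[0] for v in vhosts}
    findings = set()
    # Mixing wildcard and IP-bound vhosts: Apache prefers the exact IP match, so
    # wildcard vhosts are never chosen for connections arriving on those IPs.
    if hosts & WILDCARDS and hosts - WILDCARDS:
        findings.update(("mixed-wildcard-and-ip", v[2]) for v in vhosts if v[0] in WILDCARDS)
    # A port-443 vhost without "SSLEngine on" answers in plain HTTP, which
    # Firefox reports as ssl_error_rx_record_too_long.
    findings.update(("no-sslengine", v[2]) for v in vhosts if not v[3])
    return sorted(findings)

if __name__ == "__main__":
    print(*lint(SAMPLE_CONF), sep="\n")
```

To check a real Debian server, pass lint() the concatenated contents of the files in /etc/apache2/sites-enabled/.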

zenny 15th June 2013 20:58

Quote:

Originally Posted by till (Post 298670)
If you run multiple sites on that same IP, then ensure that all sites use the IP and don't mix * and IP.

This is a completely new installation and only with two domains created to check whether SNI works by default. So all sites use the IP. Still no go.


Quote:

This means that there is no ssl vhost or a broken ssl cert. You can e.g. try to recreate the ssl cert through ispconfig; ensure that you don't use any special chars in the ssl cert detail fields as this might cause openssl to fail to create the cert.

Recreated the cert with ISPConfig3 panel, yet no go.

When tried to access the ssl site, Apache2 error.log shows as of below:

Quote:

[Sat Jun 15 18:45:10 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sat Jun 15 18:45:10 2013] [notice] Apache/2.2.22 (Debian) DAV/2 mod_fastcgi/mod_fastcgi-SNAP-0910052141 mod_fcgid/2.3.6 PHP/5.4.4-14 mod_python/3.3.1 Python/2.7.3 mod_ruby/1.2.6 Ruby/1.8.7(2012-02-08) mod_ssl/2.2.22 OpenSSL/1.0.1e configured -- resuming normal operations
[Sat Jun 15 18:45:10 2013] [error] [client 192.168.9.1] client denied by server configuration: /var/www/
[Sat Jun 15 18:45:11 2013] [error] [client 192.168.9.1] client denied by server configuration: /var/www/
[Sat Jun 15 18:45:37 2013] [error] [client 192.168.9.1] client denied by server configuration: /var/www/

And the browser reports "(Error code: ssl_error_rx_record_too_long)"

Where did I go wrong?

zenny 15th June 2013 22:48

An update!
 
This is an update of very undesired results after executing:

Code:

# a2ensite default-ssl

The following happened:

1) http://<domain.tld> got "403 Forbidden" message showing in error.log:

Quote:

[Sat Jun 15 20:39:12 2013] [error] [client 127.0.0.1] client denied by server configuration: /var/www/

2) https://<domain.tld> works, but defaults to the default apache "It Works" instead of ISPConfig3 default "Welcome" index page.

3) but both http://<domain.tld>/webmail and https://<domain.tld>/webmail also got rendered.

How to overcome above situations as of 1) and 2)? Thanks in advance!

zenny 17th June 2013 00:45

Is it a bug? Else share success stories of SNI!
 
Bump!!

From what I experienced, it could be a bug.

Else, can someone share their experience setting up multiple ssl sites with a single public ip, using SNI feature of apache2 and nginx in ISPConfig 3.0.5.2? Appreciate it! Thanks!

