Originally Posted by till
... But this rollback is implemented for apache config changes only and not syntax errors in ssl certs, for ssl certs such a implementation is already on our todo list.
Till, are you able to provide a specific bug-tracker ticket number for this effort?
I have long been leery of managing SSL certificates in ISPConfig for this very reason (no validation is performed to determine whether or not the key and certificate match).
If this has not been implemented already, it seems that this should be as simple as examining the hashes of each certificate component and ensuring that they all match.
On the command-line, this might look something like the following:
# openssl x509 -noout -modulus -in /var/www/example.com/ssl/example.com.crt | openssl md5
# openssl rsa -noout -modulus -in /var/www/example.com/ssl/example.com.key | openssl md5
# openssl req -noout -modulus -in /var/www/example.com/ssl/example.com.csr | openssl md5
Of course, in ISPConfig's case, it may make more sense to pass the certificate strings as they exist in the database to the openssl
If any hash mismatches are present in the output, ISPConfig refuses to save the certificate files to disk and throws an error with specific information as to where the mismatch occurred.
Something like this would be a major step forward for SSL handling in ISPConfig.