Need Help For Certified SSL Install For Alias Domain

[Eleven Cool]

I have a subdomain set up as a site (because I like that better than using the subdomain feature): subdomain.domain.com

I have an alias for this subdomain: www.aliasdomain.com

I've used open SSL to create a CSR, sent it to the CA and received the Server Cert, Intermediate Cert and Root Cert back from them.

I've uploaded my private key, and all certs to /var/www/clients/clientX/webX/ssl (this is the client & web for subdomain.domain.com).

In ISPConfig 3, I've pasted the Server Cert into the SSL Certificate field, the Intermediate Cert followed by the Root Cert into the SSL Bundle field, and then selected Save certificate from the drop down and clicked Save.

When I check my domain under https it says "Wrong Site" and "Unknown Identity", and then even further, in Chrome it even shows me in the browser what I have in /var/www/html instead of whats in /var/www/clients/clientX/webX/ssl... which I just don't get, but I'm sure it has something to do with the SSL cert not being properly installed.

Can someone PLEASE help? What am I doing wrong to get this cert to work for an ISPConfig 3 alias?

[Eleven Cool]

After trying several different things through the ISPConfig 3 SSL Tab, adding in some SSL file uploads, and pouring myself a glass full of Tequila I finally found something that worked:

1.) Use ISPConfig 3 SSL Tab to create a self signed SSL cert for domain.com
2.) Make a backup of the files domain.key, domain.csr and domain.crt in /var/www/clients/clientX/webX/ssl
3.) Rename certified SSL files domainalias.key, domainalias.csr and domainalias.crt to domain.key, domain.csr and domain.crt and then upload them, along with the Root Cert and Intermediate Cert, to /var/www/clients/clientX/webX/ssl
4.) Then restart Apache: httpd service restart

This seems like the best way to do it because if ISPConfig 3 make changes to the vhost file then the SSL pointers in there will still match the certified SSL files.

If anyone has a better way please let me know. Hope this helps someone out!

[till]

Your problems occureed because you did not create the first ssl cert in ispconfig and that you did not use a multidomain cert, take a look into the ispconfig manual, the steps to create a ssl cert in ispconfig are described there in detail.

If a site has more then one domain name, then choose a multi domain ssl cert when you buy it at the ssl authority. The ssl authority will ask you for the additional domain names, so there are no changes required in your ispconfig setup for that.

[Eleven Cool]

Quote:

Originally Posted by till

Your problems occureed because you did not create the first ssl cert in ispconfig and that you did not use a multidomain cert, take a look into the ispconfig manual, the steps to create a ssl cert in ispconfig are described there in detail.

If a site has more then one domain name, then choose a multi domain ssl cert when you buy it at the ssl authority. The ssl authority will ask you for the additional domain names, so there are no changes required in your ispconfig setup for that.

Thanks for the reply Till!

I did look through the manual but it does not cover what I faced with this particular case. I needed the cert to cover the Domain Alias, not the actual domain. ISPConfig's SSL Tab doesn't allow you to choose a domain alias when having it create a SSL cert via pasting. ISPConfig's SSL Tab limits you to the current domain only.

Because you are limited to only choosing the current domain, ISPConfig writes file references to ssl files for the current domain in the vhost file when you create any ssl using the tab.

Therefore, I needed an alternative solution that was compatible with ISPConfig. Hopefully this feature is added in a future release, but this seems to be doing the trick pretty safely in the meantime.

Also, I did setup a self-signed ssl cert in ISPConfig during initial setup, however, neither a self-signed cert nor a multi-domain cert were desired in this case.

[till]

You could have e.g. exchanged the alias domain name with the main domain name, as the ssl domain is normally the main domain of a site.

[Eleven Cool]

Quote:

Originally Posted by till

You could have e.g. exchanged the alias domain name with the main domain name, as the ssl domain is normally the main domain of a site.

That would be a great option if the server were a single IP server with one certified SSL certificate.

In my case, the server is a multiple IP server and multiple certified SSL certificate server, and there is no real "main domain".

I probably could have also avoided having to do this by sandboxing each SSL domain with OpenVZ.

This isn't optimal for my case though and would have been both overkill and a major inconvenience, since all IPs and all SSL domains are owned by the same client and this is a true dedicated server.