#1
7th April 2009, 14:13
lubos
SOLVED: SSL cert installation for admin area

I know there are lots of threads about this and I read through them over the last 2 days and used a lot of suggestions but could not find help.

I have class2 certificate from startssl.com named ssl.crt
I downloaded their certificates:
ca.crt
ca-bundle.crt
sub.class1.server.ca.crt
sub.class2.server.ca.crt
sub.class3.server.ca.crt
sub.class4.server.ca.crt

and put all certificates into /root/ispconfig/httpd/conf/ssl.crt (the default ca-bundle.crt from ISPconfig renamed to ca-bundle.crt.ispconf)

I edited httpd.conf in /root/ispconfig/httpd/conf :

Code:
SSLCertificateFile /root/ispconfig/httpd/conf/ssl.crt/ssl.crt
SSLCertificateKeyFile /root/ispconfig/httpd/conf/ssl.key/server.key
SSLCertificateChainFile /root/ispconfig/httpd/conf/ssl.crt/sub.class2.server.ca.crt
SSLCACertificateFile /root/ispconfig/httpd/conf/ssl.crt/ca-bundle.crt

I restarted the server.

All the same - browser deemed my certificate unsecure (not recognized authority).

I changed SSLCertificateChainFile and SSLCACertificateFile to all possible combinations, each time restarted server and cleared cache in browser. No joy.

When I do:
Code:
openssl verify -CAfile /root/ispconfig/httpd/conf/ssl.crt/ca-bundle.crt -purpose sslserver /root/ispconfig/httpd/conf/ssl.crt/ssl.crt

the result is OK, but then I can't access the admin area on port 81 (websites and emails work) = that is the second problem I need help with; I have one live server where I can't access the admin area now. This is working now. I had a typo in httpd/conf/httpd.conf. I am able to access admin on this site after fixing the typo and restarting ISPConfig.

What am I doing wrong? Where else do I have to edit something?

More info: obviously I use https connection to admin area on port 81
the certificate is specific to the server's admin area - not valid for other domains (server2.mydomain.net)
systems are Debian Lenny (1x) and Debian Etch (1x)

Thanks very much for help.


Update
The certificate on the server which had the typo is now working. I am going through the other one's conf file to make sure there is not a typo as well.
I am reinstalling ISPConfig on the second server once more and afterwards I'll try to install the certificate again. We'll see what happens.
__________________
Safe computer? Only when unplugged.

Last edited by lubos; 7th April 2009 at 22:08. Reason: update on status
#2
7th April 2009, 22:05
lubos

Certificates are working. It was probably some other typo. If you need to install a StartSSL.com certificate into the admin area, use this setup:

Class 2 certificate from startssl.com named ssl.crt
Download their certificates:
ca.crt
ca-bundle.crt
sub.class1.server.ca.crt
sub.class2.server.ca.crt
sub.class3.server.ca.crt
sub.class4.server.ca.crt

and put all certificates into /root/ispconfig/httpd/conf/ssl.crt (the default ca-bundle.crt from ISPconfig renamed to ca-bundle.crt.ispconf)

Edit httpd.conf in /root/ispconfig/httpd/conf :


Code:
SSLCertificateFile /root/ispconfig/httpd/conf/ssl.crt/ssl.crt
SSLCertificateKeyFile /root/ispconfig/httpd/conf/ssl.key/server.key
SSLCertificateChainFile /root/ispconfig/httpd/conf/ssl.crt/sub.class2.server.ca.crt
SSLCACertificateFile /root/ispconfig/httpd/conf/ssl.crt/ca-bundle.crt

Restart server.
__________________
Safe computer? Only when unplugged.

Last edited by lubos; 7th April 2009 at 22:07.
The Following User Says Thank You to lubos For This Useful Post:
falko (8th April 2009)
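
Why a browser can reject a certificate that a local `openssl verify` accepts, shown on a constructed chain (an added example, not part of the original posts). All certificates, CNs and the temporary directory are generated sample values; it assumes OpenSSL 1.1.0 or later on the PATH.

```bash
# Constructed chain root -> intermediate -> server, standing in for
# ca.crt -> sub.class2.server.ca.crt -> ssl.crt; all names/CNs are sample values.
# issue <dir> <name> <CN> <signer-name|self> <basicConstraints value>
issue() {
  local d=$1 name=$2 cn=$3 signer=$4 bc=$5
  printf 'basicConstraints=critical,%s\n' "$bc" > "$d/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
  if [ "$signer" = self ]; then
    openssl x509 -req -in "$d/$name.csr" -signkey "$d/$name.key" -days 30 \
      -extfile "$d/$name.ext" -out "$d/$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$d/$name.csr" -CA "$d/$signer.crt" \
      -CAkey "$d/$signer.key" -set_serial 2 -days 30 \
      -extfile "$d/$name.ext" -out "$d/$name.crt" 2>/dev/null
  fi
}

build_chain() {  # writes the three certificates into directory $1
  issue "$1" ca "Constructed Root CA" self CA:TRUE &&
  issue "$1" sub.class2.server.ca "Constructed Intermediate CA" ca CA:TRUE &&
  issue "$1" ssl "server2.example.test" sub.class2.server.ca CA:FALSE
}

# Client trusts the root; server sends only ssl.crt (chain file missing or
# misnamed). The leaf cannot be linked to the root, so this fails.
verify_leaf_only() {
  openssl verify -CAfile "$1/ca.crt" -purpose sslserver "$1/ssl.crt" >/dev/null 2>&1
}

# Same client, but the server also sends the intermediate, which is what
# SSLCertificateChainFile is for. -untrusted models "sent by the peer".
verify_with_chain() {
  openssl verify -CAfile "$1/ca.crt" -untrusted "$1/sub.class2.server.ca.crt" \
    -purpose sslserver "$1/ssl.crt" >/dev/null 2>&1
}

# Local check against a bundle holding root AND intermediate: succeeds no
# matter what the server sends, so it cannot catch a missing chain file.
verify_against_bundle() {
  cat "$1/ca.crt" "$1/sub.class2.server.ca.crt" > "$1/ca-bundle.crt"
  openssl verify -CAfile "$1/ca-bundle.crt" -purpose sslserver "$1/ssl.crt" >/dev/null 2>&1
}

d=$(mktemp -d) && build_chain "$d" || exit 1
verify_leaf_only "$d";      echo "leaf only, root trusted:   exit $?"
verify_with_chain "$d";     echo "leaf + intermediate sent:  exit $?"
verify_against_bundle "$d"; echo "local check vs bundle:     exit $?"
rm -rf "$d"
```

To see what a running server actually sends, `openssl s_client -connect host:port -showcerts` lists the certificates in the handshake; the intermediate should appear after the server certificate.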
#3
13th May 2009, 05:16
danuel
StartSSL.com for Vhosts

I have a similar issue installing the CA certificates for StartSSL.com for Vhosts. It installs once /etc/apache2/vhosts/Vhosts_ispconfig.conf is edited and the following code is added:

Code:
# existing lines
SSLEngine on
SSLCertificateFile /var/www/some.site.com/ssl/site.crt
SSLCertificateKeyFile /var/www/some.site.com/ssl/site.key

# add these lines for the Certificate Authority
SSLCertificateChainFile /var/www/some.site.com/ssl/sub.class1.server.ca.pem
SSLCACertificateFile /var/www/some.site.com/ssl/ca.pem

Please ensure you replace some.site.com with the actual site name (folder path must exist).

See http://www.startssl.com/?app=21.
Make sure you download sub.class1.server.ca.pem and ca.pem from http://www.startssl.com/certs/. Store them in /var/www/some.site.com/ssl/

Unfortunately, as soon as you make any changes in the ISPConfig web interface, the file /etc/apache2/vhosts/Vhosts_ispconfig.conf is overwritten. Falko, is there a way to fix this please? If you need help with modifying the PHP function that writes the Vhosts config file, maybe I can help. But a better fix would be to also re-work the SSL tab in ISPConfig so there is space for the Certificate Authority Chain file and Certificate file.

Last edited by danuel; 13th May 2009 at 05:19.
#4
13th May 2009, 07:31
danuel
SSLCACertificatePath

See http://www.howtoforge.com/forums/sho...t=14569&page=3

Since /etc/apache2/vhosts/Vhosts_ispconfig.conf is dynamically generated by ISPC from info in the db, it is suggested to add the SSLCACertificateFile and SSLCertificateChainFile directives in /etc/apache2/apache2.conf or httpd.conf. This is not an ideal solution since it's not in the Virtual host directives, because different vhosts may need different CA certificates.

After reading http://httpd.apache.org/docs/2.0/mod...ertificatepath, the best solution may be to use the SSLCACertificatePath directive instead of either/both SSLCACertificateFile and SSLCertificateChainFile. We can add the following to the /etc/apache2/apache2.conf file (last line after include Vhosts is ok):
Code:
Include /etc/apache2/vhosts/Vhosts_ispconfig.conf
SSLCACertificatePath /var/www/ssl_ca

In /var/www/ssl_ca we'll keep all the CA certificates from any/all trusted Certificate Authorities (client/site certificates under their respective directories handled by ISPConfig db). Make sure you only use "pem" encoded certificates.

From startssl.com, you only need the following:
Code:
ca.pem
sub.class1.server.ca.pem
sub.class2.server.ca.pem
sub.class3.server.ca.pem
sub.class4.server.ca.pem

Unlike mentioned above, you don't need ca-bundle, which includes a lot of other unneeded certs and file size is over 90Kb. All the files above add up to less than 20Kb.

Every time you add/remove files to /var/www/ssl_ca, please remember to run:
Code:
c_rehash /var/www/ssl_ca

Hopefully, future ISPC releases can include an automatically run script to dynamically obtain (wget) the CA certs (all available online) from major/all browser trusted certificate authorities to keep the folder current -- this folder can be anywhere ISPConfig maintains dynamically maintained files (like Vhosts config files). All that will be needed then is just the site server key (private) and site server crt (public) managed by the ISPConfig web interface.

Last edited by danuel; 13th May 2009 at 07:43.
#5
13th May 2009, 09:22
till

You can simply add the lines:

SSLCertificateChainFile /var/www/some.site.com/ssl/sub.class1.server.ca.pem
SSLCACertificateFile /var/www/some.site.com/ssl/ca.pem

in the Apache directives field of the website settings in ISPConfig.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
The Following 2 Users Say Thank You to till For This Useful Post:
danuel (13th May 2009), lubos (9th June 2009)
All times are GMT +2.