SSL Host - Intermediate Cert

[Ben]

Hi folks,

does anybody know, if ISPConfig 2 supports providing an intermediate certificate?
I'd say currently not out of the box, only by changing the apache conf's generation template, as an additional config entry is needed to point to the intermediate file.

thanks in advance.

Ben

[falko]

Quote:

Originally Posted by Ben

I'd say currently not out of the box, only by changing the apache conf's generation template, as an additional config entry is needed to point to the intermediate file.

That's right, you must modify the Apache configuration manually.

[Ben]

Hi Falko,

the apache config or the template for the config?
Last would be kind of bad as it must be changed each update of ispcfg and does only work for the assumption of using only one ssl cert on the whole host (which is at least no problem for me )

Does it make sense to add another textbox in the ssl config interface, as many of the CAs tend to intermediate CA certs.

[falko]

I'm not sure - but maybe you can include the intermediate certificate in the main Apache configuration? In that case you don't have to modify the template. (BTW, you could place the customized template in /root/ispconfig/isp/conf/customized_templates, and it will not be overwritten in case of an update.)

[Ben]

good idea, but except "{SSL}" there is nothing in the vhost master template?!

EDIT: Ok it did work more or less. I added the Intermediate CA line below {SSL} with the result having this line in each vhost block instead of just in the ssl block. Luckily apache does not complain about this. Is there a better way to customize the ssl block directly?

[till]

Quote:

Is there a better way to customize the ssl block directly?

The only other way might be to edit the function in config.lib.php file that creates the ssl block. If I remember correctly, it is named make_vhost. But then you might have to patch the file after every ispconfig update, so this solution is not ideal too.

[Ben]

As I have to patch one line regarding the safe mode and the open_basedir paths I think about patching only one line for an include to the additional config. But thanks for the info.

[hairydog2]

I have a few sites that use SSL and I needed to add an intermediate certificate as certificates are renewed.

So putting an intermediate certificate reference into the vhosts file was never going to be a solution.

I have simply put the line

SSLCACertificateFile /home/www/cabundle.crt

into apache2.conf

and it seems to be working OK.

[hairydog2]

Quote:

Originally Posted by hairydog2

and it seems to be working OK.

Two weeks later and it is still working just fine, so it seems like this is a good fix!