  #1  
Old 23rd October 2011, 19:26
Mike007 Mike007 is offline
Junior Member
 
Changing SSL box does not affect vhost file

ISPconfig ver 3.0.3.3
OS: CentOS 5.7 x86_64
Problem: Sites-->Website --> Webdomain --> SSL checkbox
No matter if it is checked or not - there are no changes saved to vhost file ;(

Here is log from debug loglevel ispconfig.log while
->first: unchecking SSL box
Code:
23.10.2011-18:21 - DEBUG - Found 1 changes, starting update process.
23.10.2011-18:21 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
23.10.2011-18:21 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
23.10.2011-18:21 - DEBUG - exec: chmod 751 /var/www/clients/client23/web91/
23.10.2011-18:21 - DEBUG - exec: chmod 751 /var/www/clients/client23/web91/*
23.10.2011-18:21 - DEBUG - exec: chmod 710 /var/www/clients/client23/web91/web
23.10.2011-18:21 - DEBUG - exec: chmod 777 /var/www/clients/client23/web91/tmp
23.10.2011-18:21 - DEBUG - exec: chmod 755 /var/www/clients/client23/web91/log
23.10.2011-18:21 - DEBUG - exec: usermod --groups sshusers web91
23.10.2011-18:21 - DEBUG - exec: chown web91:client23 /var/www/clients/client23/web91
23.10.2011-18:21 - DEBUG - exec: chown web91:client23 /var/www/clients/client23/web91/log/error.log
23.10.2011-18:21 - DEBUG - Disable SSL for: my.domain
23.10.2011-18:21 - DEBUG - Writing the vhost file: /etc/httpd/conf/sites-available/my.domain.vhost
23.10.2011-18:21 - DEBUG - Apache status is: 1
23.10.2011-18:21 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
23.10.2011-18:21 - DEBUG - Apache online status after restart is: 1
and then (a little later)
-> check this SSL box on again.

Code:
23.10.2011-18:23 - DEBUG - Found 1 changes, starting update process.
23.10.2011-18:23 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
23.10.2011-18:23 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
23.10.2011-18:23 - DEBUG - exec: chmod 751 /var/www/clients/client23/web91/
23.10.2011-18:23 - DEBUG - exec: chmod 751 /var/www/clients/client23/web91/*
23.10.2011-18:23 - DEBUG - exec: chmod 710 /var/www/clients/client23/web91/web
23.10.2011-18:23 - DEBUG - exec: chmod 777 /var/www/clients/client23/web91/tmp
23.10.2011-18:23 - DEBUG - exec: chmod 755 /var/www/clients/client23/web91/log
23.10.2011-18:23 - DEBUG - exec: usermod --groups sshusers web91
23.10.2011-18:23 - DEBUG - exec: chown web91:client23 /var/www/clients/client23/web91
23.10.2011-18:23 - DEBUG - exec: chown web91:client23 /var/www/clients/client23/web91/log/error.log
23.10.2011-18:23 - DEBUG - Disable SSL for: my.domain
23.10.2011-18:23 - DEBUG - Writing the vhost file: /etc/httpd/conf/sites-available/my.domain.vhost
23.10.2011-18:23 - DEBUG - Apache status is: 1
23.10.2011-18:23 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
23.10.2011-18:23 - DEBUG - Apache online status after restart is: 1
Both cases show the same info:
23.10.2011-18:21 - DEBUG - Disable SSL for: my.domain (this one is OK)
23.10.2011-18:23 - DEBUG - Disable SSL for: my.domain

File my.domain.vhost got a new timestamp only.
BTW, changing other attributes, e.g. IP address, works fine.
  #2  
Old 24th October 2011, 09:39
falko falko is offline
Super Moderator
 

After you have enabled the SSL checkbox, you must go to the SSL tab and create a certificate. This is also described in the ISPConfig 3 Manual.
__________________
Falko
  #3  
Old 24th October 2011, 09:40
till till is offline
Super Moderator
 

Quote:
No matter if it is checked or not - there are no changes saved to vhost file ;(
That's OK, it means that there is no valid SSL certificate created yet for that website. Go to the SSL tab and create an SSL cert.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #4  
Old 24th October 2011, 11:03
Mike007 Mike007 is offline
Junior Member
 

I have Comodo CA cert already installed
I did it by copy and paste into textboxes:
1. SSL Request - content of filename: AddTrustExternalCARoot.crt
2. SSL Certificate - content of filename: my.domain.crt
3. SSL Bundle - content of filename: COMODOHigh-AssuranceSecureServerCA.crt

Then I chose SSL Action: Save Certificate.
Saving produces this debug info:
Code:
24.10.2011-10:33 - DEBUG - Calling function 'update' from plugin 'apps_vhost_plugin' raised by event 'server_update'.
24.10.2011-10:33 - DEBUG - Calling function 'update' from plugin 'network_settings_plugin' raised by event 'server_update'.
24.10.2011-10:33 - WARNING - Network configuration disabled in server settings.
24.10.2011-10:33 - DEBUG - Calling function 'update' from plugin 'postfix_server_plugin' raised by event 'server_update'.
WARNING - Network configuration disabled in server settings.
I think this warning info is not related to this problem, am I right?

Certificates are saved in this location:
Code:
# ls -l /var/www/clients/client3/web91/ssl
total 12
-rw-r--r-- 1 root root 1788 Oct 23 12:13 my.domain.bundle
-rw-r--r-- 1 root root 2089 Oct 23 12:13 my.domain.crt
-rw-r--r-- 1 root root 1520 Oct 23 12:13 my.domain.csr
PS. my.domain is not the real domain name, of course.
  #5  
Old 24th October 2011, 11:06
till till is offline
Super Moderator
 

Quote:
I have Comodo CA cert already installed
I did it by copy and paste into textboxes:
1. SSL Request - content of filename: AddTrustExternalCARoot.crt
2. SSL Certificate - content of filename: my.domain.crt
3. SSL Bundle - content of filename: COMODOHigh-AssuranceSecureServerCA.crt
Have you created the csr for this certificate in this ispconfig website? If not, then the ssl cert is incomplete as the key file is missing. To fix this, you will have to install the key in the ssl folder manually in the file my.domain.crt and then enable the ssl cert in ispconfig again.
  #6  
Old 24th October 2011, 12:33
Mike007 Mike007 is offline
Junior Member
 

Quote:
Originally Posted by till View Post
That's OK, it means that there is no valid SSL certificate created yet for that website. Go to the SSL tab and create an SSL cert.
Thank You,

I removed the certificate by choosing SSL action 'Delete Certificate'. Folder .../web/ssl/ is empty now. I also cleared all textboxes on 'Web Domain' and I checked the vhost file (OK - it is without SSL directives).

Now I started from the beginning.
I filled all required fields (Now State, Locality, Organisation, Organisation Unit, Country, SSL Domain) and chose SSL Action 'Create Certificate'.
And... It works!

Folder .../web/ssl has now these files:
Code:
# ls -l /var/www/clients/client23/web91/ssl
total 16
-rw-r--r-- 1 root root 1322 Oct 24 12:14 my.domain.crt
-rw-r--r-- 1 root root 1115 Oct 24 12:14 my.domain.csr
-r-------- 1 root root 1675 Oct 24 12:14 my.domain.key
-rw-r--r-- 1 root root 1743 Oct 24 12:14 my.domain.key.org
SSL works, but of course the certificate is untrusted.
Now I have to figure out how to put in the COMODO certificate.

SSL Bundle textbox is empty, so should I fill this box with the intermediate cert (file: COMODOHigh-AssuranceSecureServerCA.crt)?
What else should I do?
  #7  
Old 24th October 2011, 13:38
till till is offline
Super Moderator
 

You have to sign the csr now so that you get a new trusted certificate from Comodo. Comodo should do the reissue of the certificate for free. So the steps are now:

1) Log in to your Comodo account and request a reissue of the ssl cert based on the csr that is shown in the ispconfig interface.
2) You will get a new ssl certificate from Comodo then; copy the contents of this new certificate into the certificate field in ispconfig and the content of the ssl intermediate cert into the ssl bundle field. Then select save certificate as action and click on save.
  #8  
Old 24th October 2011, 16:40
Mike007 Mike007 is offline
Junior Member
 

I did it my way and it works now - but it was a bit of a sneaky idea.
While SSL is working now (I mean the vhost file contains SSL info), I copied into the Website Webdomain textboxes the content of files I owned before:
1. SSL Request - content of filename: my.domain.csr
2. SSL Certificate - content of filename: my.domain.crt
3. SSL Bundle - content of filename: COMODOHigh-AssuranceSecureServerCA.crt

Then simply apply SSL Action 'Save Certificate'

my.domain.csr is the file that I previously generated myself for the CA Authority (COMODO) for the certificate request process.
my.domain.crt - domain certificate received from the CA.

Then I copied the my.domain.key file to the .../web/ssl folder. This file was also created during the certificate request process for signing the my.domain.csr file. That file replaced the one created by ISPConfig.

But... there is a little problem when restarting the httpd service:
Code:
# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd: Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server my.domain:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.

Last edited by Mike007; 24th October 2011 at 16:44.
  #9  
Old 24th October 2011, 16:46
till till is offline
Super Moderator
 

You created an encrypted ssl key, so that it requires a password now. Make sure that you don't reboot the server now, it will not come up again until you fix your key. You will have to decrypt the key and store the decrypted key instead of the encrypted one.
  #10  
Old 24th October 2011, 21:03
Mike007 Mike007 is offline
Junior Member
 

Quote:
Originally Posted by till View Post
You created an encrypted ssl key, so that it requires a password now. Make sure that you don't reboot the server now, it will not come up again until you fix your key. You will have to decrypt the key and store the decrypted key instead of the encrypted one.
Yes, I decrypted the key
Code:
# openssl rsa -in my.domain.key -out new.my.domain.key
Enter pass phrase for my.domain.key:
writing RSA key
# cp new.my.domain.key my.domain.key
I rather thought that the problem was because I should use ispserver.key to sign the *.csr file, but I see that ispserver.key is not encrypted either. ISPConfig has an encrypted key file: ispserver.key.secure and encrypted files like *.domain.key.org created on the SSL websites.

Anyway, thanks for the great help.

[PROBLEM SOLVED]

Last edited by Mike007; 24th October 2011 at 21:06.
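
The three conditions this thread runs into one after another (the key file must exist in the ssl folder, it must not be passphrase-protected, and it must belong to the installed certificate), written as a pre-restart check. This is an added example, not part of the original posts and not ISPConfig code; the function names are hypothetical, and it assumes an RSA key, the openssl command line tool and GNU stat. The owner-only mode check mirrors the -r-------- mode of the key in the listing in post #6.

```shell
#!/bin/sh
# Added example: checks to run on a vhost's certificate and key before restarting httpd.
# Function names are illustrative; they are not ISPConfig's.

# Return 0 if the PEM key is passphrase-protected (traditional or PKCS#8 format).
key_is_encrypted() {
    grep -Eq '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Return 0 if only the owner can access the key (mode 400 or 600).
key_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 2
    case "$mode" in 400|600) return 0 ;; *) return 1 ;; esac
}

# Return 0 if the RSA certificate ($1) and the unencrypted key ($2) share a modulus.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 2
    k=$(openssl rsa -noout -modulus -in "$2" -passin pass: 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Run all checks, print the findings, and return the number of problems found.
check_ssl_dir() {
    crt=$1 key=$2 problems=0
    if [ ! -f "$key" ]; then
        echo "MISSING key: $key"; return 1
    fi
    if key_is_encrypted "$key"; then
        echo "ENCRYPTED key: httpd will ask for a pass phrase on every start"
        problems=$((problems + 1))
    elif ! cert_matches_key "$crt" "$key"; then
        echo "MISMATCH: $crt and $key do not pair (or could not be parsed)"
        problems=$((problems + 1))
    fi
    if ! key_mode_ok "$key"; then
        echo "PERMISSIONS: $key is accessible beyond its owner; chmod 400 it"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Usage: sh check_ssl.sh .../ssl/my.domain.crt .../ssl/my.domain.key
if [ "$#" -eq 2 ]; then check_ssl_dir "$1" "$2"; fi
```

A non-zero exit status means httpd should not be restarted yet; the encrypted-key case is the one that produced the Pass Phrase Dialog in post #8.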