Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 3 > General

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Reply
 
Thread Tools Display Modes
  #1  
Old 25th February 2012, 01:36
marko marko is offline
Junior Member
 
Join Date: Oct 2011
Posts: 5
Thanks: 0
Thanked 0 Times in 0 Posts
Default Just one SSL web site per IP address

Hi,

during my SSL certificates implementation, I have noticed this note in documentation:
"note that you can have just one SSL web site per IP address"

Doeas it really means, I can provide only for one customer SSL certificate?

Thank you in advanced.
Reply With Quote
Sponsored Links
  #2  
Old 25th February 2012, 02:12
kwickcut kwickcut is offline
Senior Member
 
Join Date: Nov 2005
Location: nj usa
Posts: 223
Thanks: 14
Thanked 11 Times in 10 Posts
Default

yes on ssl per ip so if you have 5 sites wanting ssl u would need 5 ip for that server one ip per site and ssl cert


kwick
__________________
Operating system Ubuntu Linux 10.04.4
ISPConfig Version: 3.0.4.3
Webmin version 1.580
Kernel and CPU Linux 2.6.32-40-server on x86_64
Processor information AMD Phenom(tm) II X4 945 Processor, 4 cores
Real memory 4.0 GB total
Reply With Quote
  #3  
Old 25th February 2012, 11:34
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,741 Times in 2,575 Posts
Default

We've implemented SNI in recent ISPConfig versions which means you can have multiple SSL vhosts per IP. Modern browsers support this:

Browsers/clients with support for TLS server name indication:

Opera 8.0 and later (the TLS 1.1 protocol must be enabled)
Internet Explorer 7 or later (under Windows Vista and later only, not under Windows XP)
Firefox 2.0 or later
Curl 7.18.1 or later (when compiled against an SSL/TLS toolkit with SNI support)
Chrome 6.0 or later (on all platforms - releases up to 5.0 only on specific OS versions)
Safari 3.0 or later (under OS X 10.5.6 or later and under Windows Vista and later)

You can test your own browser here: https://alice.sni.velox.ch/
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
The Following 2 Users Say Thank You to falko For This Useful Post:
kwickcut (28th February 2012), ras (21st April 2012)
  #4  
Old 26th February 2012, 17:07
dynamind dynamind is offline
Member
 
Join Date: Mar 2011
Location: Mödling bei Wien
Posts: 62
Thanks: 21
Thanked 9 Times in 5 Posts
Send a message via Skype™ to dynamind
Default SSL IP configuration question

Hi falco,

on the folder system/ip adresses, do I set external or internal Ip for the customers?
What's the right way when I'm behind a router with a server and I have an internal IP on the webserver?
Setting the 'wrong' IP can refuse apache2 from starting. On my fb-page I get the following error now:

Fehler 501 (net::ERR_INSECURE_RESPONSE): Unbekannter Fehler.

messing around with this SSL ; ) *uh*
when I read the guide here I'd think it can be right only to set the internal IP http://www.ispc-wiki.org/ispconfig3-anleitung

regards

PS: I own the

ISPConfig 3 Manual
Version 1.2 for ISPConfig 3.0.3.3
Author: Falko Timme <youknow@yourmailadress.c0m>
Last edited 05/04/2011

but it's not explained here how to set it right

UPDATED: set the internal IP, deleted & re-create the certificate and after a few minutes facebook accepted the certificate again.
The problem is the fact that I'm the only 'client' who can create the certs due to the unique IP overlap, otherwise you'll see:



Is it possible to fix the message sec_error_untrusted_issuer?

Hm, now I found all domains redirected directly to my IP instead of the website folders, it's annoying : (

Last edited by dynamind; 26th February 2012 at 18:48. Reason: not solved
Reply With Quote
  #5  
Old 27th February 2012, 09:43
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 36,083
Thanks: 826
Thanked 5,397 Times in 4,241 Posts
Default

Quote:
UPDATED: set the internal IP, deleted & re-create the certificate and after a few minutes facebook accepted the certificate again.
The problem is the fact that I'm the only 'client' who can create the certs due to the unique IP overlap, otherwise you'll see:
If you want to use SNI, enabele the checkbox "Enable SNI" under System > Server Config > Web and then use * for all websites and not the IP address.

Quote:
Is it possible to fix the message sec_error_untrusted_issuer?
You need to get a officially signed ssl cert, e.g. from startssl.

Quote:
but it's not explained here how to set it right
SNI is a feature of ISPConfig 3.0.4 and your manual is for ISPConfig 3.0.3.3.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
The Following User Says Thank You to till For This Useful Post:
dynamind (27th February 2012)
  #6  
Old 27th February 2012, 17:30
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,741 Times in 2,575 Posts
 
Default

Quote:
Originally Posted by dynamind View Post
on the folder system/ip adresses, do I set external or internal Ip for the customers?
What's the right way when I'm behind a router with a server and I have an internal IP on the webserver?
You must always use IP addresses that you see in the output of
Code:
ifconfig
. The system does not know other IPs.
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
The Following User Says Thank You to falko For This Useful Post:
dynamind (27th February 2012)
Reply

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Problem with fetchmail/getmail brianetilley Installation/Configuration 3 27th January 2012 12:15
Adding SSL certificate to Site snowfly Installation/Configuration 2 31st May 2011 12:54
Sending emails with custom FROM email address merisor Installation/Configuration 4 8th February 2010 16:27
Static Web Site Configurations christopher Installation/Configuration 8 18th November 2006 14:43


All times are GMT +2. The time now is 19:09.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.