  #1  
Old 20th February 2013, 10:35
Bonzo Bonzo is offline
SSL, problems with certificate creation and usage

Hi,

I've installed 2 Systems according to this HowTo

http://www.howtoforge.com/installing...th-ispconfig-3

Now I have problems creating SSL certificates. For now I use self-signed ones, but in the future I will use an officially signed certificate.
I have a domain example.com.
If I create a domain example.com with Auto-subdomain No, or www, or a domain www.example.com with Auto-Subdomain No, I can't use https (after I checked and created the SSL-cert, ispconfig). I get this error:

Code:
Secure Connection Failed

An error occurred during a connection to example.com.

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)
If I create a domain test.example.com, with Auto-Subdomain No, create SSL, it works like a charm. Why is it possible to create test.* but not *. or www. ?

Is it possible to create 2 certificates, one for one server, one for the other?
One (sub)domain pointing to 2 different IPs?
  #2  
Old 20th February 2013, 10:44
till till is offline

Quote:
If I create a domain test.example.com, with Auto-Subdomain No, create SSL, it works like a charm. Why is it possible to create test.* but not *. or www. ?
SSL cert for www subdomain works fine on my server. An SSL cert is only for one domain, so don't use wildcards. Did you delete the SSL cert before you created a new one?

Quote:
Is it possible to create 2 certificates, one for one server, one for the other?
Sure, you can use as many SSL certs on your server as you want. Just create a new website for each domain or subdomain that you want to have its own SSL cert and create a new cert. Please note that you have to use SNI if you don't have a dedicated IP for each SSL-enabled site.

Quote:
One (sub)domain pointing to 2 different IPs?
One domain or subdomain can only point to one IP at a time. But that's not SSL related.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #3  
Old 20th February 2013, 11:01
Bonzo Bonzo is offline

Quote:
Originally Posted by till View Post
SSL cert for www subdomain works fine on my server. An SSL cert is only for one domain, so don't use wildcards. Did you delete the SSL cert before you created a new one?
Yes, deleted. I create the subdomain www.example.com in Website-Websites, not Subdomains for Website, is this OK?
I didn't use wildcards.


Quote:
Originally Posted by till View Post
Sure, you can use as many SSL certs on your server as you want. Just create a new website for each domain or subdomain that you want to have its own SSL cert and create a new cert. Please note that you have to use SNI if you don't have a dedicated IP for each SSL-enabled site.
Is this maybe the problem? I don't know what SNI is. Is there a howto for enabling this?


Quote:
Originally Posted by till View Post
One domain or subdomain can only point to one IP at a time. But that's not SSL related.
OK, I think I have to tell you what this server is intended for, for clarification.
It should be a semi-HA solution for the poor. That's why I used your clustered setup.
Now, I have the domain example.com and A records for www (some DNS provider), something like

www A 1.2.3.4
www A 5.6.7.8

With this configuration (one subdomain points to different IPs) I get some round-robin load balancing.
That's working OK. But I think I'll have a problem with SSL.
www on both IPs should be certificated. Is this possible? Certificate domain www.example.com for 1.2.3.4 and for 5.6.7.8.

Actually, I don't need this load balancing. All I need is a solution that, if the first server is not reachable, switches to the second server and switches back to the first server when it is reachable again. I read your clustered solution and built everything around this. And it worked OK till I needed to use certificates.
Maybe you have an idea how to do this better?
  #4  
Old 20th February 2013, 11:06
till till is offline

Quote:
Yes, deleted. I create the subdomain www.example.com in Website-Websites, not Subdomains for Website, is this OK?
Yes, that's OK. But you won't create www.example.com as website, the correct settings are:

domain: example.com
auto subdomain: www

to get a website for www.example.com

Quote:
With this configuration (one subdomain points to different IPs) I get some round-robin load balancing.
That's working OK. But I think I'll have a problem with SSL.
This does not matter for ssl as ssl does not depend on the IP. Just the domain name the ssl cert is issued for matters.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #5  
Old 20th February 2013, 11:25
Bonzo Bonzo is offline

OK, I tried some other configuration and it is probably because of the only one dedicated IP I have.
It's possible to create and use only one subdomain with one IP? Correct?

What is SNI you mentioned, is this a server extension? Any HowTo at Howtoforge?
  #6  
Old 20th February 2013, 11:55
till till is offline

Quote:
It's possible to create and use only one subdomain with one IP? Correct?
You can have only one ssl certificate per IP address with traditional ssl.

Quote:
What is SNI you mentioned, is this a server extension? Any HowTo at Howtoforge?
See Wikipedia and various posts here in the forum.

http://en.wikipedia.org/wiki/Server_Name_Indication

You don't need a special configuration for SNI. SNI is supported by default in ISPConfig. What matters are the browsers of your users and the OpenSSL and Apache versions on your server as described at Wikipedia.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.