
24th February 2013, 10:52
need some help with SNI and startssl
Hi there,
I'm running ISPCFG 3.0.5RC2 and am having some trouble understanding SNI:
Under System => Server Config => server => Web => SSL Settings I have checked the box next to "Enable SNI" but what exactly goes into: "CA Path" and "CA passphrase"?
Now if I am going to configure a vhost with SSL via Sites => select vhost => check "SSL" then go to the SSL tab and fill in the fields, I am struggling to find out what to put into "SSL Bundle".
I have signed up with startssl.com and can generate certificates there so I have all the info but not sure where/what to fill in. Yes I have found the howto that deals with startssl.com but it doesn't help so please don't just point me there.
Is this scenario I have in mind doable:
- check SNI, then create a class2 certificate via startssl for each vhost that needs it, class2 because I'll generate a certificate that is valid for *.domain.tld
Yes, I know SNI is not fully supported everywhere but where I rent my root server from I can only get 2 IPs.
###additional question###
Let's assume the above scenario works, what/which SSL certificate do I then use for securing emails and FTP? Can I additionally create a wildcard/multi-domain certificate from startssl that covers all hosted domains so it can be shared for this purpose?

25th February 2013, 18:57
The fields are all described in the manual.
The Following User Says Thank You to falko For This Useful Post: Ovidiu (26th February 2013)

25th February 2013, 19:03
Quote:
Under System => Server Config => server => Web => SSL Settings I have checked the box next to "Enable SNI" but what exactly goes into: "CA Path" and "CA passphrase"?

These fields are not related to SNI. They are for companies that run their own SSL CA.
The Following User Says Thank You to till For This Useful Post: Ovidiu (26th February 2013)

26th February 2013, 07:07
Awesome guys, I only bought the manual for ISPCFG 3.0.3 and was experimenting with 3.0.5RC1/RC2 but now that the final version is out I saw the manual is available too so I'll go buy that.
So apart from those fields, would you mind having a look at the other questions in this thread please?

27th February 2013, 14:32
Quote:
Originally Posted by Ovidiu
###additional question###
Let's assume the above scenario works, what/which SSL certificate do I then use for securing emails and FTP? Can I additionally create a wildcard/multi-domain certificate from startssl that covers all hosted domains so it can be shared for this purpose?

The CA (StartSSL, Comodo, GeoTrust, etc.) doesn't matter.
If you want to use a multi-domain (SAN) certificate, make sure to use the same key for all those websites.
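
A check that fits the reply above, added here as an example and not taken from the posters or from ISPConfig: before the same key and SAN certificate are pasted into each site's SSL tab, confirm that the key really belongs to the certificate and that the certificate covers every vhost name. The file names, domain names and the throwaway self-signed certificate are constructed placeholders; the script assumes an OpenSSL 1.1.1 or newer command-line tool.

```shell
#!/bin/sh
# Added example. All names and files are constructed: a throwaway key and a
# self-signed SAN certificate stand in for the CA-issued ones.
WORK=$(mktemp -d)
KEY="$WORK/shared.key"        # the single key reused by every vhost
CRT="$WORK/san.crt"           # multi-domain (SAN) certificate
OTHER_KEY="$WORK/other.key"   # unrelated key, used to show a mismatch

make_samples() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$KEY" -out "$CRT" -subj "/CN=example.com" \
        -addext "subjectAltName=DNS:example.com,DNS:*.example.com,DNS:example.org" \
        >/dev/null 2>&1
    openssl genrsa -out "$OTHER_KEY" 2048 >/dev/null 2>&1
}

# True only when the private key ($1) belongs to the certificate ($2):
# the public key derived from the key file must equal the one in the cert.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True only when the certificate ($1) is valid for the host name ($2).
# openssl prints "does match" or "does NOT match"; only the former passes.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q "does match"
}

make_samples
for host in example.com www.example.com example.org example.net; do
    if cert_covers_host "$CRT" "$host"; then
        echo "$host: covered by the SAN certificate"
    else
        echo "$host: NOT covered, needs its own certificate"
    fi
done
if key_matches_cert "$KEY" "$CRT"; then
    echo "shared.key: matches the certificate"
fi
if ! key_matches_cert "$OTHER_KEY" "$CRT"; then
    echo "other.key: does not match, the web server would refuse to start with it"
fi
```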

31st March 2013, 14:58
SNI Disabled
The best method to avoid this SSL error is to disable the SNI feature completely. Prior to the SNI option set in ISPConfig, I ran my servers as such:
WAN IP for main DNS (Public static), then
LAN IP I only use one: e.g. 192.168.11.XX
I have 5 shared boxes running this set-up (no extra LAN ips) and all browsers resolve them just fine without this feature.
Some may or may not know - Android OS, iOS, Blackberry, etc. smartphones, tablets and such tend to give SSL's a harder time.
I haven't had a single issue as long as I validated them with a CA Authority.
Best solution as of today - $5.99 Godaddy cert. Works fine running:
Static WAN IP >> LAN IP (in ISPConfig) without SNI. One box has perhaps 15 or so SSLs on the exact same LAN IP (192.168.11.XX) with no issues in browsers or tablets, smartphones, mobile web, mobile apps, etc....
Best...
P.S. This is using Apache 2.2, not nginx (have no knowledge of nginx), so please restart apache server after reconfiguration.
Last edited by midcarolina; 31st March 2013 at 15:08.
Reason: Left out important conclusion!

25th April 2013, 13:55
@midcarolina
Hi, it sounds interesting!
I don't use ISPConfig, therefore I don't know exactly what your vhost config file (e.g. on a shared box) looks like.
Is it possible to post a vhost config?
mbsouth