  #1  
24th February 2013, 10:52
Ovidiu (Senior Member)
need some help with SNI and startssl

Hi there,

I'm running ISPCFG 3.0.5RC2 and am having some trouble understanding SNI:

Under System => Server Config => server => Web => SSL Settings I have checked the box next to "Enable SNI" but what exactly goes into: "CA Path" and "CA passphrase"?

Now if I am going to configure a vhost with SSL via Sites => select vhost => check "SSL" then go to the SSL tab and fill in the fields, I am struggling to find out what to put into "SSL Bundle".

I have signed up with startssl.com and can generate certificates there so I have all the info but not sure where/what to fill in. Yes I have found the howto that deals with startssl.com but it doesn't help so please don't just point me there.

Is this scenario I have in mind doable:
- check SNI, then create a class2 certificate via startssl for each vhost that needs it, class2 because I'll generate a certificate that is valid for *.domain.tld

Yes, I know SNI is not fully supported everywhere but where I rent my root server from I can only get 2 IPs.

###additional question###
Let's assume the above scenario works, what/which SSL certificate do I then use for securing emails and FTP? Can I additionally create a wildcard/multi-domain certificate from startssl that covers all hosted domains so it can be shared for this purpose?
  #2  
25th February 2013, 18:57
falko (Super Moderator)

The fields are all described in the manual.
__________________
Falko
The Following User Says Thank You to falko For This Useful Post:
Ovidiu (26th February 2013)
  #3  
25th February 2013, 19:03
till (Super Moderator)

Quote:
Under System => Server Config => server => Web => SSL Settings I have checked the box next to "Enable SNI" but what exactly goes into: "CA Path" and "CA passphrase"?
These fields are not related to SNI. They are for companies that run their own SSL CA.
__________________
Till Brehm
The Following User Says Thank You to till For This Useful Post:
Ovidiu (26th February 2013)
  #4  
26th February 2013, 07:07
Ovidiu (Senior Member)

Awesome guys, I only bought the manual for ISPCFG 3.0.3 and was experimenting with 3.0.5RC1/RC2 but now that the final version is out I saw the manual is available too so I'll go buy that.

So apart from those fields, would you mind having a look at the other questions in this thread please?
  #5  
27th February 2013, 14:32
falko (Super Moderator)

Quote:
Originally Posted by Ovidiu
###additional question###
Let's assume the above scenario works, what/which SSL certificate do I then use for securing emails and FTP? Can I additionally create a wildcard/multi-domain certificate from startssl that covers all hosted domains so it can be shared for this purpose?
The CA (StartSSL, Comodo, GeoTrust, etc.) doesn't matter.
If you want to use a multi-domain (SAN) certificate, make sure to use the same key for all those websites.
__________________
Falko
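An added example, not part of the original thread and not ISPConfig code: a small Python check of which service hostnames the name list of a wildcard or multi-domain (SAN) certificate would cover, using the conservative matching rules TLS clients apply. The hostnames, SAN lists and function names are constructed for illustration.

```python
# Added example. All hostnames and SAN lists below are constructed.

def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.strip().lower().rstrip(".").split(".")


def san_matches(pattern, hostname):
    """Return True if one SAN dNSName entry covers hostname.

    Conservative rules: '*' is accepted only as the complete left-most
    label, it stands for exactly one label, and at least two labels
    must follow it (so '*.tld' is rejected).
    """
    p, h = _labels(pattern), _labels(hostname)
    if "" in p or "" in h or len(p) != len(h):
        return False
    if any("*" in label for label in p[1:]):
        return False  # wildcard outside the left-most label
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False  # partial wildcard such as 'w*'
    return p == h


def uncovered(san_entries, hostnames):
    """Return the hostnames that no SAN entry covers, in input order."""
    return [h for h in hostnames
            if not any(san_matches(s, h) for s in san_entries)]


# Constructed scenario: names that web, mail and FTP clients connect to.
SERVICE_NAMES = [
    "www.domain.tld", "mail.domain.tld", "ftp.domain.tld",
    "domain.tld", "smtp.mail.domain.tld", "mail.otherdomain.tld",
]
WILDCARD_ONLY = ["*.domain.tld"]
MULTI_DOMAIN = ["*.domain.tld", "domain.tld", "mail.otherdomain.tld"]

if __name__ == "__main__":
    for label, sans in (("wildcard", WILDCARD_ONLY), ("SAN", MULTI_DOMAIN)):
        print(label, "leaves uncovered:", uncovered(sans, SERVICE_NAMES))
```
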
  #6  
31st March 2013, 14:58
midcarolina (Senior Member)
SNI Disabled

The best method to avoid this SSL error is to disable the SNI feature completely. Prior to the SNI option set in ISPConfig, I ran my servers as such:

WAN IP for main DNS (Public static), then

LAN IP I only use one: e.g. 192.168.11.XX

I have 5 shared boxes running this set-up (no extra LAN IPs) and all browsers resolve them just fine without this feature.

Some may or may not know - Android OS, iOS, Blackberry, etc. smartphones, tablets and such tend to give SSLs a harder time.

I haven't had a single issue as long as I validated them with a CA Authority.

Best solution as of today - $5.99 GoDaddy cert. Works fine running:

Static WAN IP >> LAN IP (in ISPConfig) without SNI. One box has perhaps 15 or so SSLs on the exact same LAN IP (192.168.11.XX) with no issues in browsers or tablets, smartphones, mobile web, mobile apps, etc.

Best...

P.S. This is using Apache 2.2, not nginx (have no knowledge of nginx), so please restart apache server after reconfiguration.

Last edited by midcarolina; 31st March 2013 at 15:08. Reason: Left out important conclusion!
  #7  
25th April 2013, 13:55
mbsouth (Junior Member)

@midcarolina

Hi, it sounds interesting!
I don't use ISPConfig, therefore I don't know exactly what your vhost config file (e.g. shared box) looks like.
Is it possible to post a vhost config?


mbsouth
All times are GMT +2.