Virtual Hosts SSL 443

[DaddyFix]

First, Im sorry for asking about Virtual Hosts SSL help. I see many people have been having similar issues setting this up, but I can' seem to find the imformation I need. Could you please direct me to offer some advice to this issue?

Originally I used to put my Client SSL information into the VHosts.conf file. All client share the same Certificate Key. Her is a simplified example...

Code:

NameVirtualHost 192.168.1.100:80
NameVirtualHost 192.168.1.100:443
<VirtualHost 192.168.1.100:80>
        Servername somedomain.ca
        Redirect permanent / http://www.somedomain.ca
</VirtualHost>
<VirtualHost 192.168.1.100:443>
        Servername somedomain.ca
        Redirect permanent / http://www.somedomain.ca
        SSLEngine on
        SSLCertificateFile \
            /usr/local/ssl/install/openssl/certs/http://www.example.com.cert
        SSLCertificateKeyFile \
            /usr/loca/ssl/install/openssl/certs/http://www.example.com.key
</VirtualHost>

But now I see that Vhosts_ispconfig.conf only uses 'NameVirtualHost 192.168.1.100:80'. Hmmm. How do I enable a client to use the same SSL certificate for all the sites I host?

I tried to use the SSL option in the client setup of ISPConfig but I get the error ' Already a Cettificate for this IP '. Which I understand why this happens.

when I try to use https://mydomain.ca I get the request for the SSL and I get an answer from Apache v2.53 that tells me there is no virtual host entry on 443 for this client.

Code:

You don't have permission to access / on this server.

Am I doing something wrong here?

PS. I love ISPConfig..

[till]

ISPConfig only supports one SSL website per IP, this is is an apache limit and not an limit of ISPConfig.

To create an SSL website, check the SSL checkbox in the website settings of the site and then create an SSL certificate on the SSL TAB. ISPConfig rewrites the vhost configuration for you to enable SSL for this website.

If you need an other setup that does not use SSL virtual hosts, you can not use ISPConfig to configure it.

[Sheridan]

Are you sure?
I always thought that one certificate for multiple vhosts shouldn't be a problem.
I know that it's not possible to have multiple ssl cerificates for one ip but the ssl part is just over when apache has to get the right vhost.

greets
Sheridan

[falko]

A wildcard certificate is no problem, but you cannot use multiple certs on one IP address.

[Sheridan]

Quote:

Originally Posted by falko

A wildcard certificate is no problem, but you cannot use multiple certs on one IP address.

Yep. I know, but ispconfig doesn't create a VirtualHost entry for the ssl part of the Vhostconfig file for the other domains on my server.
If i try to enable ssl for the other domain he tells me that an ssl certificate still exists for this ip. That's ok, but i simply want to use the existing one for this domain too.

greets & thanks
Sheridan

[falko]

That's not possible with ISPConfig. You can try to tweak the main Apache configuration file as it's not overwritten by ISPConfig.

[erk]

There can be only one SSL enabled site per ip, but that is already clear as I understand from your last post.
The thing with SSL is that there is no hostname, just ip-number. The hostname is not visible to apache. Therefore if
www.domainone.com and
www.domaintwo point to the same ip number and you have enabled SSL on domainone.com a request to https://www.domainone.com and https://www.domaintwo.com should go to the same site whereas http requests will go to the two different sites.

In SSL only ip number counts.

//Erk

[Sheridan]

Quote:

Originally Posted by erk

There can be only one SSL enabled site per ip, but that is already clear as I understand from your last post.
The thing with SSL is that there is no hostname, just ip-number. The hostname is not visible to apache. Therefore if
www.domainone.com and
www.domaintwo point to the same ip number and you have enabled SSL on domainone.com a request to https://www.domainone.com and https://www.domaintwo.com should go to the same site whereas http requests will go to the two different sites.

In SSL only ip number counts.
//Erk

Yep. That's the behaviour because of the missing VirtualHost entry for the second domain in the vhosts conf for <ip-address>:443.

Nope. Apache can resolve different domains when using ssl. I tried it manually on another machine without ispconfig to be sure.

@falko:
I think you can take this as a feature request from my side. ;-)

Maybe the ssl option could change it's behaviour (and name) when a certificate exists on this ip and so when enabling it, it would be nice if ispconfig can create the entry in the vhosts config file.

greets
Sheridan

[erk]

Quote:

Nope. Apache can resolve different domains when using ssl. I tried it manually on another machine without ispconfig to be sure.

If that is the case I would be very happy if you could post that configuration here. That would be real news for me and possibly for the apache crew as well.

From http://httpd.apache.org/docs/2.0/vhosts/name-based.html :

Quote:

Name-based virtual hosting cannot be used with SSL secure servers because of the nature of the SSL protocol.

I don't mind being proven wrong in this case but I would be surprised.

//Erk

[Sheridan]

Quote:

Originally Posted by erk

From http://httpd.apache.org/docs/2.0/vhosts/name-based.html :

I don't mind being proven wrong in this case but I would be surprised.

//Erk

Ok. To get sure i've checked the configs of our plesk server at work. For each domain i've enabled ssl i have a <VirtualHost <ip>:443> with a different "Servername <domain>:443" param. The ip is always the same and so is the path to the ssl cert file.

So it seems that you should trust this board and not the apache docu.

I would like to see support for this in ispconfig anyway. ;-)


greets
Sheridan