  #1  
Old 14th June 2013, 00:56
zenny zenny is offline
Senior Member
 
Join Date: Nov 2006
Posts: 176
Thanks: 20
Thanked 6 Times in 6 Posts
Question SNI (Server Name Indication) and ISPConfig 3.0.5.2

Hi:

Trying to avail https connections to several domains with a single IP in ISPConfig 3.0.5.2/Apache2 in Debian Wheezy.

The motivation is to allow users to access webmail, phpmyadmin, and ISPConfig panel using SSL.

Enabling SSL in the ISPConfig panel always lands at the error message: (Error code: ssl_error_rx_record_too_long) when accessed using https, and even http gives a blank page.

Appreciate if someone could share experience how you achieved SNI. Thanks!
  #2  
Old 14th June 2013, 09:48
zenny zenny is offline
Senior Member
 
Join Date: Nov 2006
Posts: 176
Thanks: 20
Thanked 6 Times in 6 Posts
Exclamation Some additional info

Hi with bump!

1. According to http://debian-handbook.info/browse/w...eb-server.html, it simply states that:

Quote:
The Apache package provided in Debian is built with support for SNI; no particular configuration is therefore needed, apart from enabling name-based virtual hosting on port 443 (SSL) as well as the usual port 80. This is a simple matter of editing /etc/apache2/ports.conf so it includes the following:

Code:
<IfModule mod_ssl.c>
    NameVirtualHost *:443
    Listen 443
</IfModule>
2. And /etc/apache2/ports.conf categorically states that:
Quote:
# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to <VirtualHost *:443>

# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
3. Thus, in the /etc/apache2/sites-available/default-ssl, it has been changed from:

Code:
<VirtualHost _default_:443>
to:

Code:
<VirtualHost *:443>
4. Now, how does ISPConfig3 handle SNI? Does one need to enable the SSL option in the domain to enable SNI in the ISPConfig3 server?

Expecting an ISPConfig3 way of SNI for multiple domains from Falko. Thanks in advance!
  #3  
Old 14th June 2013, 09:55
till till is online now
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 35,667
Thanks: 819
Thanked 5,317 Times in 4,170 Posts
Default

Using SNI with ISPConfig does not require any additional configuration on Debian; just create the website in ISPConfig, go to the SSL tab and create an SSL cert for that website. In some cases it is required that you select the IP address in the website field instead of *, so you might want to try that as well.

The message you posted above just indicates that SSL is not active at the moment on this site, e.g. because the SSL cert is broken or you did not create an SSL cert.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #4  
Old 14th June 2013, 11:59
zenny zenny is offline
Senior Member
 
Join Date: Nov 2006
Posts: 176
Thanks: 20
Thanked 6 Times in 6 Posts
Default

Thanks Till.

But I did create a ssl certificate by getting into SSL tab of domain and also with 'create certificate' option.

It did create everything and it didn't work, so I just made changes to the ports.conf and default-ssl.

Earlier, I didn't make any changes to the conf files above and yet getting the same error "ssl_error_rx_record_too_long".

Any hints?
  #5  
Old 14th June 2013, 13:20
till till is online now
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 35,667
Thanks: 819
Thanked 5,317 Times in 4,170 Posts
Default

Quote:
Any hints?
The message you posted above just indicates that SSL is not active at the moment on this site, e.g. because the SSL cert is broken or you did not create an SSL cert.
  #6  
Old 15th June 2013, 02:27
zenny zenny is offline
Senior Member
 
Join Date: Nov 2006
Posts: 176
Thanks: 20
Thanked 6 Times in 6 Posts
Default

Quote:
Originally Posted by till View Post
Using SNI with ISPConfig does not require any additional configuration on Debian; just create the website in ISPConfig, go to the SSL tab and create an SSL cert for that website. In some cases it is required that you select the IP address in the website field instead of *, so you might want to try that as well.
But the IPv4 address in the website is a dropdown list which has no IP address specified. However I added one for the specific client in server config, but with the server IP selected, even http is not rendering with default 403 forbidden error message.

But when I selected * for the IP address, http works at least, but https still outputs "ssl_error_rx_record_too_long" error.

Quote:
Originally Posted by till View Post
The message you posted above just indicates that SSL is not active at the moment on this site, e.g. because the SSL cert is broken or you did not create an SSL cert.
Tried even after recreating the entire domain besides ssl cert, but no go.

Last edited by zenny; 15th June 2013 at 02:43.
  #7  
Old 15th June 2013, 10:45
till till is online now
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 35,667
Thanks: 819
Thanked 5,317 Times in 4,170 Posts
Default

Quote:
But the IPv4 address in the website is a dropdown list which has no IP address specified. However I added one for the specific client in server config, but with the server IP selected, even http is not rendering with default 403 forbidden error message.
If you run multiple sites on that same IP, then ensure that all sites use the IP and don't mix * and IP.

Quote:
But when I selected * for the IP address, http works at least, but https still outputs "ssl_error_rx_record_too_long" error.
This means that there is no SSL vhost or a broken SSL cert. You can e.g. try to recreate the SSL cert through ISPConfig; ensure that you don't use any special chars in the SSL cert detail fields, as this might cause openssl to fail to create the cert.
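The two conditions named in the reply above (a :443 vhost on which SSL is not active, and sites that mix * with an IP address) can be checked directly against a vhost file. This is an added example, not part of the original posts and not ISPConfig code; the sample configuration, host names, address and paths are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: one site bound to "*", one to an IP, and the "*" site
# never switches mod_ssl on for its :443 vhost.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName site1.example
    DocumentRoot /var/www/site1
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName site2.example
    SSLEngine on
    SSLCertificateFile /etc/ssl/site2.crt
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    """Yield (address, port, directives) for every <VirtualHost> block."""
    for bind, body in VHOST_RE.findall(conf):
        directives = {}
        for line in body.splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2 and not parts[0].startswith("#"):
                directives[parts[0].lower()] = parts[1].strip()
        for spec in bind.split():
            # "addr:port"; a bare address without a port is treated as any port
            addr, sep, port = spec.rpartition(":")
            yield (addr, port, directives) if sep else (spec, "*", directives)

def audit(conf):
    """Return findings for TLS-port vhosts without SSL and for mixed * / IP binds."""
    findings, addrs_by_port = [], defaultdict(set)
    for addr, port, d in parse_vhosts(conf):
        addrs_by_port[port].add(addr)
        name = d.get("servername", "<no ServerName>")
        # Without "SSLEngine on" Apache answers in plain HTTP on port 443,
        # which a browser reports as ssl_error_rx_record_too_long.
        if port == "443" and d.get("sslengine", "off").lower() != "on":
            findings.append(f"{name}: {addr}:443 has no 'SSLEngine on'")
    for port, addrs in sorted(addrs_by_port.items()):
        others = sorted(addrs - {"*"})
        if "*" in addrs and others:
            findings.append(f"port {port}: '*' mixed with {', '.join(others)}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)) or "no findings")
```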
  #8  
Old 15th June 2013, 20:58
zenny zenny is offline
Senior Member
 
Join Date: Nov 2006
Posts: 176
Thanks: 20
Thanked 6 Times in 6 Posts
Unhappy

Quote:
Originally Posted by till View Post
If you run multiple sites on that same IP, then ensure that all sites use the IP and don't mix * and IP.
This is a completely new installation and only with two domains created to check whether SNI works by default. So all sites use the IP. Still no go.


Quote:
This means that there is no SSL vhost or a broken SSL cert. You can e.g. try to recreate the SSL cert through ISPConfig; ensure that you don't use any special chars in the SSL cert detail fields, as this might cause openssl to fail to create the cert.
Recreated the cert with ISPConfig3 panel, yet no go.

When tried to access the ssl site, Apache2 error.log shows as of below:

Quote:
[Sat Jun 15 18:45:10 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sat Jun 15 18:45:10 2013] [notice] Apache/2.2.22 (Debian) DAV/2 mod_fastcgi/mod_fastcgi-SNAP-0910052141 mod_fcgid/2.3.6 PHP/5.4.4-14 mod_python/3.3.1 Python/2.7.3 mod_ruby/1.2.6 Ruby/1.8.7(2012-02-08) mod_ssl/2.2.22 OpenSSL/1.0.1e configured -- resuming normal operations
[Sat Jun 15 18:45:10 2013] [error] [client 192.168.9.1] client denied by server configuration: /var/www/
[Sat Jun 15 18:45:11 2013] [error] [client 192.168.9.1] client denied by server configuration: /var/www/
[Sat Jun 15 18:45:37 2013] [error] [client 192.168.9.1] client denied by server configuration: /var/www/
And the browser reports "(Error code: ssl_error_rx_record_too_long)"

Where did I go wrong?
  #9  
Old 15th June 2013, 22:48
zenny zenny is offline
Senior Member
 
Join Date: Nov 2006
Posts: 176
Thanks: 20
Thanked 6 Times in 6 Posts
Exclamation An update!

This is an update of very undesired results after executing:

Code:
a2ensite default-ssl   # run as root
The following happened:

1) http://<domain.tld> got "403 Forbidden" message showing in error.log:

Quote:
[Sat Jun 15 20:39:12 2013] [error] [client 127.0.0.1] client denied by server configuration: /var/www/
2) https://<domain.tld> works, but defaults to the default apache "It Works" instead of ISPConfig3 default "Welcome" index page.

3) but both http://<domain.tld>/webmail and https://<domain.tld>/webmail also got rendered.

How to overcome above situations as of 1) and 2)? Thanks in advance!
  #10  
Old 17th June 2013, 00:45
zenny zenny is offline
Senior Member
 
Join Date: Nov 2006
Posts: 176
Thanks: 20
Thanked 6 Times in 6 Posts
 
Exclamation Is it a bug? Else share success stories of SNI!

Bump!!

From what I experienced, it could be a bug.

Else, can someone share their experience setting up multiple ssl sites with a single public ip, using SNI feature of apache2 and nginx in ISPConfig 3.0.5.2? Appreciate it! Thanks!

Last edited by zenny; 17th June 2013 at 00:48.