  #1  
Old 2nd July 2006, 15:56
ctroyp ctroyp is offline
Senior Member
 
Join Date: Sep 2005
Posts: 292
Thanks: 3
Thanked 2 Times in 1 Post
SSL Certificates...

I am not sure that I fully understand SSL on ISPConfig, but I understand that only one web can support SSL per server IP. If I am hosting 100 webs with ISPConfig, there are many that will want SSL--or at least more than 1. Someone also mentioned that this is an Apache restriction and not an ISPConfig restriction.

I guess my question is, what options are available for redirecting https requests to more than one web? Is this really not possible with ISPConfig and Apache? Any insight or suggestions are appreciated. ...thanks!
  #2  
Old 3rd July 2006, 10:43
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,743 Times in 2,577 Posts

Quote:
Originally Posted by ctroyp
Is this really not possible with ISPConfig and Apache?
No, it is not possible, but it has nothing to do with ISPConfig. You can have only one SSL web site per IP address and port.
Either get more IP addresses, or create a catchAll SSL web site, something like https://mysecurewebsite.tld that all your customers can use for their shopping carts, checkout processes, etc...
  #3  
Old 3rd July 2006, 12:51
ctroyp ctroyp is offline

Thanks falko!
  #4  
Old 1st May 2007, 19:47
ctroyp ctroyp is offline

Quote:
Originally Posted by falko
No, it is not possible, but it has nothing to do with ISPConfig. You can have only one SSL web site per IP address and port.
Either get more IP addresses, or create a catchAll SSL web site, something like https://mysecurewebsite.tld that all your customers can use for their shopping carts, checkout processes, etc...
In all the Perfect Setup... series (Fedora Core 4 in my case), there is discussion about configuring additional IP addresses for a single NIC:

HTML Code:
Configure Additional IP Addresses

Let's assume our network interface is eth0. Then there is a file /etc/sysconfig/network-scripts/ifcfg-eth0 which looks like this:

DEVICE=eth0
BOOTPROTO=static
BROADCAST=192.168.0.255
IPADDR=192.168.0.100
NETMASK=255.255.255.0
NETWORK=192.168.0.0
ONBOOT=yes
TYPE=Ethernet

Now we want to create the virtual interface eth0:0 with the IP address 192.168.0.101. All we have to do is to create the file /etc/sysconfig/network-scripts/ifcfg-eth0:0 which looks like this:

DEVICE=eth0:0
BOOTPROTO=static
BROADCAST=192.168.0.255
IPADDR=192.168.0.101
NETMASK=255.255.255.0
NETWORK=192.168.0.0
ONBOOT=yes
TYPE=Ethernet

Afterwards we have to restart the network:

/etc/init.d/network restart

Would this be what I need to do to support additional SSL sites on the same server? If so, how would I forward the https requests to the multiple IP addresses (on the same server)?
  #5  
Old 2nd May 2007, 14:31
falko falko is offline

Quote:
Originally Posted by ctroyp
Would this be what I need to do to support additional SSL sites on the same server?
Yes, if these are public IP addresses. If they are private and there's only one public IP address on your router, then all SSL requests would go over this one public address again, and wouldn't work anymore.
  #6  
Old 2nd May 2007, 15:04
ctroyp ctroyp is offline

Quote:
Originally Posted by falko
Yes, if these are public IP addresses. If they are private and there's only one public IP address on your router, then all SSL requests would go over this one public address again, and wouldn't work anymore.
If I make these IPs public, then I would need a router for each public IP, correct? For example...

If I have 10 SSL sites hosted on one server using 1 NIC I would need 10 public IPs configured in that NIC, and 10 routers for each IP. And the connection would be as follows:
ISP DSL line -> hub -> (10) routers -> hub -> NIC (with 10 virtual public IPs)

Am I on the right track?

Thanks for the info...
  #7  
Old 3rd May 2007, 09:23
till till is online now
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 36,372
Thanks: 833
Thanked 5,478 Times in 4,313 Posts

Quote:
If I make these IPs public, then I would need a router for each public IP, correct?
Yes, or a professional grade router that supports multiple IP addresses.

To have multiple IP addresses, you first need a provider that offers you multiple IP addresses. I'm not sure if any DSL (normal) provider does this, normally you need something like a T1 line. But in most cases, a webhosting server is located in a datacenter and you will get the IP addresses assigned by your datacenter provider without a router between your server and the internet. This is the scenario that is assumed by the perfect setup guides.
  #8  
Old 3rd May 2007, 16:23
ctroyp ctroyp is offline

Thanks guys for the great info! Not sure what I will decide to do at this point, as I am still on the learning trail...
  #9  
Old 12th May 2007, 11:19
airstrip airstrip is offline
Junior Member
 
Join Date: May 2007
Posts: 4
Thanks: 0
Thanked 2 Times in 2 Posts
Installing RapidSSL

Firstly, thanks for a great package. I've set up a few Debian Sarge machines now, and they're all running perfectly.

I have a question about installing a RapidSSL certificate.
I used ispconfig to generate a certificate request, sent that to the CA, got my signed certificate back, and pasted it back into ispconfig and saved it. It's great! The certificate works in a web browser.

The issue is with email clients, I installed courier-imap. When collecting mail it still gives me a default non-trusted certificate that's generated by courier.

How do I install my certificate for courier IMAP and POP? I tried following the instructions on this CA's page:

http://www.rapidssl.com/ssl-certific...te/courier.htm

I created the certificate as said in the url above, and edited:

/etc/courier/imapd-ssl
/etc/courier/pop3d-ssl

and restarted imap, imap-ssl, pop, pop-ssl

But the certificate remains the same default one. It feels like I'm missing a vital piece of information here, can anyone offer some advice please.

Many thanks, Matt

Last edited by airstrip; 13th May 2007 at 11:23.
  #10  
Old 13th May 2007, 13:35
airstrip airstrip is offline
rapidssl installation for imap-courier solved!

Well, I've finally found the answer to my question.

With courier-imap-ssl, changing the TLS_CERTFILE value in imapd-ssl seemed to have no effect whatsoever. Only by modifying the imapd.pem or pop3d.pem files was I able to install my rapidssl certificate.

But how to create a pem file from a crt and key file?

cat servername.key servername.crt > servername.pem
openssl gendh >> servername.pem

Then you can replace imapd.pem and pop3d.pem with your CA signed certificate!

Thanks to this URL for tips on creating the pem file.
http://macnugget.org/projects/sslcheatsheet/
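
An added example (not part of airstrip's post or of ISPConfig): shell functions that build the combined key-plus-certificate PEM only when the private key really belongs to the certificate, write it readable by its owner only, and report which certificate a running IMAPS/POP3S port actually presents. File names, host and port are placeholders, and the DH-parameter step from the post is left out.

```shell
#!/bin/sh
# Added example: safe construction and verification of a Courier-style PEM.
# All file names, hosts and ports passed in are placeholders (assumptions).

# Succeeds only if the public key derived from the private key ($1)
# is identical to the public key inside the certificate ($2).
# "-passin pass:" makes an encrypted key fail instead of prompting;
# the daemon needs an unencrypted key anyway.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Concatenate key ($1) and certificate ($2) into $3, but refuse when they
# do not belong together. umask 077 keeps the private key out of reach of
# other local users when the file is newly created.
build_pem() {
    key_matches_cert "$1" "$2" || {
        echo "key and certificate do not match; nothing written" >&2
        return 1
    }
    ( umask 077 && cat "$1" "$2" > "$3" )
}

# SHA-256 fingerprint of the certificate stored in a file ($1).
file_cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# SHA-256 fingerprint of the certificate a live TLS port presents.
# $1 = host, $2 = port (993 for IMAPS, 995 for POP3S).
served_cert_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# Stand-alone use: sh thisfile servername.key servername.crt servername.pem
[ "$#" -ne 3 ] || build_pem "$1" "$2" "$3"
```

After restarting the daemons, comparing `file_cert_fingerprint servername.crt` with `served_cert_fingerprint` for ports 993 and 995 shows whether the service is still handing out the default certificate.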