#1
6th June 2007, 09:05
rbartz
SSL for virtual hosts on one certificate

What this WILL do is give you a way to provide an error free secure SSL connection for one to many virtual hosts that do not have their own IP addresses using ONE certificate that uses ONE IP address.

For example https://secure.myhost.com/joesplace/... and https://secure.myhost.com/jimsplace/... and and and...

What this WILL NOT do is to give you a way to use more than one certificate on one IP address. It will not let you hide the real certificate domain either.

The upside is you can provide SSL for several domains with one IP and one SSL certificate. The downside is that the certificate is in ONE domain name using what looks like sub-directories but are actually simple links....

===============
On our servers, we have several small hosted accounts that need SSL for a form or for a few sales a month. Using an IP address for each one, plus buying certificates, is more than they really want or need. However, they do need SSL for simple things. What we needed was a way to use a "server-wide" SSL certificate that would be easy and work well without certificate errors... and we wanted the certificate to work properly on all the virtual hosted sites with NO red warnings in the browser location bar!

Here are the steps we used:

Assumptions: You are running Linux and the virtual hosts are stored in /var/www. I do not know anything about doing this on Windows. Finally, you have root access to your server.

1. Choose the name you will use for the certificate. We wanted our little sites to at least have some semblance of credibility, so we just added secure to the host server's main domain name. If the server domain was www.myhost.com we wanted "secure.myhost.com" to be on the certificate AND IN THE URLs.

So we changed the "hostname" on the basis page from www to secure, then added back the www in co-domains tab. Finally, go to DNS Manager and add "secure" as a hostname on the advanced tab for your myhost.com domain.

If you are creating a new secure host site specifically for this, then register the site and then create it WITH SSL on your server. You might like something like "secure.besthost.com", but any domain will work. If you use "secure" for the hostname in the basis tab, then be sure to add the www (if you want www) to work in co-domains tab. Check to be sure that all your hostnames are in your DNS setup.

2. Create a certificate in the domain's SSL tab using legitimate info, since you will use the request to get a genuine certified certificate. The ispConfig generated certificate request will be in whatever full domain name you used in the "hostname" + "domain" on the basis page.... that is why I changed the www to secure!

3. Assuming that your domain resolves, check to make sure that "https://secure.myhost.com" works. You will get the usual errors about the certificate not being trusted, which will disappear when you get a genuine certified SSL certificate from wherever. Make sure the certificate info shows your secure domain name... as in "secure.myhost.com"...

4. Go to the web directory for your secure host domain. Something like /var/www/web1/web. Create a link to some website you want to use the SSL cert on... You will need to know the root directory for the domain you want to use the SSL cert for. If the hosted domain is www.joesplace.com then you must find the root directory for joesplace... something like /var/www/web12. Just look in /var/www or your virtual domains root. It should show you a list of links to all the webs. We will say your host domain is in web1 and joesplace.com is in web12.

You HAVE to be root to do this...-> and you MUST be in your secure host sites web root directory!

The link creation will be like this:
ln -sf HOSTED_SITE_WEB_DIRECTORY LINK_NAME

ln -sf /var/www/web12/web joesplace

(yes, I think "joesplace.com" would work just as well)

5. Now you can use "https://secure.myhost.com/joesplace/" to open joesplace.com with your host SSL cert... Try it.... If it opens joesplace and the only SSL error you get is the certification path, then you can order your genuine SSL certificate with confidence all will work well later.

When you receive your real, genuine, certified SSL certificate, the browser will no longer object to certification path errors or domain name errors if you did everything right. GREEN locations are GREAT...!

Conclusion: That is what we did to better serve our small clients with simple SSL needs. Now we simply create a new link in our secure domain web root for each site that we need simple SSL on, and advise our clients to tell people that they are using a shared secure server certificate provided by their host.

We run some sites on leased Linux servers with Fedora Core 3 or 4 that are setup with "The Perfect Setup" guides. Our ispConfig has always installed and upgraded without fault, and we have made very few changes from the standard setups and software versions.

Hoping this helps others,

RDB
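
Added example, not part of rbartz's post: a shell function that audits the links created in step 4, reporting where each one really resolves and whether link and target share an owner. The name `audit_links` and the status labels are made up for this example; the paths in the usage line are the ones used in the post.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread).
# Usage: audit_links DOCROOT ALLOWED_BASE
# Prints one line per symlink in DOCROOT: STATUS NAME -> RESOLVED_TARGET
#   OK       resolves inside ALLOWED_BASE; link and target have the same owner
#   OWNER    inside ALLOWED_BASE, but link and target owners differ (Apache
#            refuses such links under "Options SymLinksIfOwnerMatch")
#   OUTSIDE  resolves outside ALLOWED_BASE, so that path is served over HTTPS
#   BROKEN   target does not exist
# Assumes GNU/Linux readlink -f and stat -c.
audit_links() {
    docroot=$1
    base=$(readlink -f "$2") || return 2
    for link in "$docroot"/*; do
        [ -L "$link" ] || continue
        name=${link##*/}
        if [ ! -e "$link" ]; then
            echo "BROKEN $name -> $(readlink "$link")"
            continue
        fi
        target=$(readlink -f "$link")
        case "$target/" in
            "$base"/*)
                if [ "$(stat -c %u "$link")" = "$(stat -L -c %u "$link")" ]; then
                    status=OK
                else
                    status=OWNER
                fi ;;
            *)  status=OUTSIDE ;;
        esac
        echo "$status $name -> $target"
    done
}

# Run as a script: sh audit_links.sh /var/www/web1/web /var/www
if [ "$#" -eq 2 ]; then
    audit_links "$1" "$2"
fi
```

Because every linked site is served under the one secure hostname, anything a link resolves to becomes reachable over HTTPS, which is why the OUTSIDE and BROKEN lines are worth reviewing after each new link.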

#2
6th June 2007, 11:38
chuckl

Useful compilation RDB, thanks for that.
It's also possible to use one cert with one IP and multiple Vhosts by using the server name as the CN, and subjectAltname defines in the certificate signing request, where each define is for one of the vhost sites.
e.g.
CN - ourserver.usefulhosting.com
subjectAltname1 - www.domain1.com
subjectAltname2 - www.domain2.com

etc etc
Not very practical if one is adding and removing sites on a daily basis, but it does work
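
Added example, not part of chuckl's post: the CN-plus-subjectAltName request described above, built with OpenSSL, whose config format writes the alternative names as `DNS.n` entries under `subjectAltName`. The function names are made up for this example and the host names are the ones from the post; the server name is repeated as the first alternative name because current browsers match on the alternative names rather than the CN.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not from the thread).
# Usage: san_config CN [ALT_NAME...]   (prints an OpenSSL req config on stdout)
san_config() {
    cn=$1; shift
    cat <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
CN = $cn

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = $cn
EOF
    i=2
    for name in "$@"; do
        echo "DNS.$i = $name"
        i=$((i + 1))
    done
}

# Usage: make_csr OUT_PREFIX CN [ALT_NAME...]
# Writes OUT_PREFIX.cnf, OUT_PREFIX.key and OUT_PREFIX.csr.
make_csr() (
    umask 077   # keep the private key unreadable to other users
    prefix=$1; shift
    san_config "$@" > "$prefix.cnf"
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$prefix.cnf" -keyout "$prefix.key" -out "$prefix.csr" 2>/dev/null
)

# List the DNS names a CSR actually carries, one per line.
csr_names() {
    openssl req -in "$1" -noout -text | tr ',' '\n' | sed -n 's/^ *DNS://p'
}
```

Example call: `make_csr shared ourserver.usefulhosting.com www.domain1.com www.domain2.com`, then `csr_names shared.csr` to confirm the names before sending the request to the CA.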

#3
6th June 2007, 13:10
rbartz

I looked at reverse proxying first, however, we needed something we could change often without getting a new certificate.

As soon as I saw that adding a new domain would require a new certificate, well that ruled it pretty much out. Even a 3 month free one takes time!!! Of course you could use the one generated, but... that stupid RED warning!

Also, it is easy to create and save certs in ispConfig. Adding subjectAltname lines to the CSR seemed to mean manual work... and I hate work! I did not see any way to do that within ispConfig and I am never eager to make simple things more complex.

I was pretty happy when I realized that an SSL site connection would follow links on the same server. That makes it SO easy after you have a working, certified SSL cert installed. Just create the link! Nothing to edit, and it seems to work exactly like a site installed SSL cert, except for the URL of course...

Regards,

RDB

#4
19th November 2007, 21:39
d31373

I am using this guide to set up a shared SSL certificate, but am having problems.
I was in the new secured site root directory, and used the command
ln -sf /var/www/web1/web web1

I then attempted to view the page by typing
https://secure.mydomain.com/web1
SSL is enabled, but I am getting an error which states

------------------------------------------------------------------
403 Error- Forbidden!

The following error occurred:

You are not permitted to access the requested URL
Please contact the Webmaster with any queries
------------------------------------------------------------------

Anyone have any idea why? or how to rectify the issue?

#5
20th November 2007, 01:57
rbartz

My first question will be about your SSL cert. Does "https://secure.yourdomain.com" work?

#6
20th November 2007, 03:53
d31373

Yes the SSL cert works.
It works when I type https://secure.mydomain.com
It also works when I type https://secure.mydomain.com/web1
but gives me a 403 Error - Forbidden...

I have a feeling it has something to do with ownership...or permissions

The symlinks that I create look like:
lrwxrwxrwx 1 root root 17 Nov 19 21:39 web1 -> /var/www/web1/web/

The symlinks that ISPConfig creates look like:
lrwxrwxrwx 1 apache web1 13 Nov 15 14:32 www.sample.com -> /var/www/web1/

#7
20th November 2007, 15:31
falko

Please make sure that symlinks are allowed in your Apache configuration.

Code:
Options +FollowSymLinks
__________________
Falko

#8
20th November 2007, 17:53
d31373

It currently has an entry of
Options -Indexes FollowSymLinks MultiViews
I rewrote it to
Options -Indexes MultiViews
Options +FollowSymLinks

Restarted httpd, attempted to go to the site, and I am still presented with the error.

#9
20th November 2007, 17:59
d31373

Sorry about the post...I just figured it out...I made the change in the wrong virtual host...
Thanks falko!
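
Added example, not part of the thread: a check for the mistake that ended this exchange, a symlink option edited in the wrong virtual host. It reports, per `<VirtualHost>`, what that block itself says about `FollowSymLinks` and `SymLinksIfOwnerMatch`; the function names and the sample config are constructed for this example.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread).
# Usage: vhost_symlink_report HTTPD_CONF   (or pipe the config on stdin)
# One line per vhost: SERVERNAME follow=<s> ownermatch=<s> [MIXED]
# <s> is on, off or unset. MIXED marks an Options line that combines +/-
# options with bare ones, which the Apache docs call invalid syntax.
# Simplification: Options lines are read in order; <Directory> nesting is ignored.
vhost_symlink_report() {
    awk '
    { key = tolower($1) }
    key ~ /^<virtualhost/ {
        inside = 1; name = "(no ServerName)"
        follow = "unset"; owner = "unset"; mixed = ""; next
    }
    key ~ /^<\/virtualhost/ {
        if (inside) print name, "follow=" follow, "ownermatch=" owner mixed
        inside = 0; next
    }
    !inside { next }
    key == "servername" { name = $2 }
    key == "options" {
        signed = 0; bare = 0
        if ($2 !~ /^[+-]/) { follow = "off"; owner = "off" }  # bare list replaces
        for (i = 2; i <= NF; i++) {
            opt = tolower($i); val = "on"
            if (opt ~ /^[+-]/) {
                signed++
                if (substr(opt, 1, 1) == "-") val = "off"
                opt = substr(opt, 2)
            } else bare++
            if (opt == "none") { follow = "off"; owner = "off" }
            if (opt == "all" || opt == "followsymlinks") follow = val
            if (opt == "all" || opt == "symlinksifownermatch") owner = val
        }
        if (signed && bare) mixed = " MIXED"
    }' "$@"
}

# Constructed sample: the edit landed in the port-80 vhost, not the SSL one.
sample_conf() {
    cat <<'EOF'
<VirtualHost 192.0.2.10:80>
    ServerName www.sample.com
    Options +FollowSymLinks
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName secure.mydomain.com
    Options -Indexes MultiViews
</VirtualHost>
EOF
}
```

`sample_conf | vhost_symlink_report` shows the SSL vhost with `follow=unset` and the `MIXED` flag, while the vhost that was edited reads `follow=on`.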