#1 isalandr, 6th June 2007, 20:42
SSL and ISPConfig/Apache issues (Help!)

we're trying to get SSL support working under ISPConfig (and/or Apache) and it's just not working. i'm hoping somebody here might have some suggestions.

it's a SLES10 machine with postfix-2.2.9-10 with courier-imap-4.0.6-15, apache2-2.2.3-16.2, mysql-5.0.18-20.8. i can't find the version number for ISPConfig, but i'm pretty sure it's the latest release, it was only installed last month.

the system is hosting about 20 or so virtual domains, and we want to enable squirrelmail over SSL, but we're having trouble getting apache to work with ssl properly. we don't know if this is an ISPConfig problem or something else in apache, so i'm here asking for help.

uname -a returns Linux <hostname removed> 2.6.16.27-0.9-smp #1 SMP Tue Feb 13 09:35:18 UTC 2007 i686 i686 i386 GNU/Linux

we're using openssl-0.9.8a-18.13, and that appears to be installed correctly. Webmin and postfix/courier are using SSL with no problems at all, webmin in particular runs on https perfectly. i can connect to pop3/pop3s, imap/imaps, all of that stuff works without a hitch.

but, when we try to connect to apache on any port via https, it doesn't work. we can connect to http://domain:80 and http://domain:443, but without ssl. i've tried everything i can think of, followed a number of howtos and advice from quite a few troubleshooting tips and tricks, but to no avail. nothing we try works. we've tried enabling SSL via the ISPConfig control panel, that doesn't seem to help either. what are we doing wrong?

if you need to see the various config files and so on, let me know. anyone with suggestions or questions can e-mail me directly, mac AT triad DOT ath DOT cx. we're kind of under a deadline, i'd like to get this sorted before the server has to go live. we can go live without SSL if we have to, but we'd really prefer to have this working first. thanks in advance for any help.

--Mac

#2 till, 7th June 2007, 09:58

Have you enabled SSL as described here:

http://www.howtoforge.com/perfect_se...ensuse_10.2_p7

The configuration for SLES should be similar.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.

#3 isalandr, 7th June 2007, 17:20

yes, SSL and Apache are configured just as that Howto says to do them.

what's happening is, everything indicates that we have to use the line "SSLEngine On" for the virtual host we want to enable SSL with. but if we use that, at startup Apache returns this error:

"[error] Init: Multiple RSA server certificates not allowed"

obviously it's loading another certificate somewhere, or thinks it is. we can't for the life of us see where in the config it's doing that, though, which is what makes me think maybe it's something in ISPConfig, 'cause we can't find anything in Apache that might be responsible. perhaps we're looking in the wrong place or looking for the wrong thing?

this document
http://groups.google.com/group/alt.a...5512850d44ca97

indicates that this might be a problem with Apache and a statically compiled mod_ssl, and that recompiling Apache with mod_ssl as a DSO worked for him. i'm not sure that's our answer, but i'm running out of ideas, and it seems like an awful lot of folks have had issues getting SSL working under Apache 2.2.x.

any further suggestions before i either try to recompile with mod_ssl as a DSO or uninstall Apache 2.2.3 and revert to Apache 2.0.59?

thanks again
--Mac

#4 chuckl, 7th June 2007, 21:54

Single IP address?

#5 isalandr, 7th June 2007, 22:49

well, technically it has two IP addresses. the machine has two NICs, configured with one public IP address and one private IP address. it is set up to listen for internet traffic on the public IP and local network traffic on the private IP.

Apache and pretty much most all other services are set up to listen on both interfaces. could this be causing a problem? the current apache config doesn't name any addresses specifically, it uses *:80 and *:443 for pretty much everything.

what i can't figure out is where that error "Multiple RSA server certificates not allowed" is coming from when we load SSLEngine On. we've tried using Listen 443 https in listen.conf but that returns the same error. my guess is, it's calling SSL from somewhere else during apache's initial startup, but buggered if i can see where.

#6 chuckl, 8th June 2007, 07:31

Without doing a bit of 'cheating', you can only have one SSL cert per IP address. See here:

http://www.howtoforge.com/forums/showthread.php?t=13215

#7 mlz, 8th June 2007, 17:05

It may be that it is barfing on the *:443 entry. My config only has a :443 when there is an active SSL, and never with a *:443...

#8 isalandr, 8th June 2007, 17:34

yes, i understand this. one cert per address. so far as i know, we are only using one cert total. where is it loading the second cert? do we need to disable the second NIC in order to make this work?

what i'm having trouble understanding is how/why/where it's loading the second cert from. the config, as near as i can tell, only calls for the one cert. where are the references to any others?

would the *:443 cause it to respond with that multiple RSA error message? that's what i'd really like to figure out. what's causing that error. if we could at least identify, hopefully eliminate, whatever is referencing SSL and/or RSA before the SSLEngine On statement, that would really help.
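
On the question of where a second certificate is coming from: mod_ssl reports "Multiple RSA server certificates not allowed" when a single server context (the main server or one VirtualHost block) ends up with two certificates of the same key type, so listing every SSLCertificateFile by context across all included files narrows the search. The sketch below is an added example, not part of the thread or of ISPConfig; the file names and certificate paths in SAMPLE are constructed, and Include handling is limited to simple glob patterns.

```python
import fnmatch
import re
from collections import defaultdict

# Constructed sample config tree (file name -> contents); paths are made up.
SAMPLE = {
    "httpd.conf": """\
Listen 443
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
Include vhosts.d/*.conf
""",
    "vhosts.d/ssl-global.conf": """\
SSLCertificateFile /etc/apache2/ssl.crt/snakeoil.crt
""",
    "vhosts.d/webmail.conf": """\
<VirtualHost *:443>
  SSLEngine On
  SSLCertificateFile /etc/apache2/ssl.crt/webmail.crt
</VirtualHost>
""",
}

DIRECTIVE = re.compile(r"^\s*(SSLCertificateFile|Include)\s+(\S+)", re.I)
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)

def scan(files, name, scope="main server", found=None):
    """Collect (file, line, cert path) for each SSLCertificateFile, keyed by server context."""
    found = defaultdict(list) if found is None else found
    for lineno, line in enumerate(files[name].splitlines(), 1):
        if m := VHOST_OPEN.match(line):
            scope = f"<VirtualHost {m.group(1).strip()}> at {name}:{lineno}"
        elif VHOST_CLOSE.match(line):
            scope = "main server"
        elif m := DIRECTIVE.match(line):
            key, arg = m.group(1).lower(), m.group(2).strip('"')
            if key == "include":
                # Included files are parsed in the context of the Include line.
                for inc in sorted(fnmatch.filter(files, arg)):
                    scan(files, inc, scope, found)
            else:
                found[scope].append((name, lineno, arg))
    return found

def duplicate_contexts(files, root):
    """Contexts with more than one SSLCertificateFile; key type (RSA vs DSA) is not checked."""
    return {s: hits for s, hits in scan(files, root).items() if len(hits) > 1}

if __name__ == "__main__":
    print(duplicate_contexts(SAMPLE, "httpd.conf"))
```

In the sample, the virtual host is clean; the duplicate sits in the main server context because an included file carries a stray global-scope SSLCertificateFile. To run it against a real tree, build the `files` dict by reading the config files from disk.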

#9 chuckl, 8th June 2007, 18:37

I have a similar config, in that I have multiple domains on a server with 1 IP and only a couple of them need SSL. I have it set up with NO ssl enabled in ispconfig on any of the domains - vhosts has no ref at all to :443, and for any domain that needs ssl I add an entry in apache2.conf, below the line that calls vhosts_ispconfig.conf that is the def for that ssl virtual host:

<IfModule mod_ssl.c>
<VirtualHost xxx.xxx.xxx.xxx:443>
ServerName www.xxxxxxxxx.com:443
ServerAdmin webmaster@xxxxxxxxx.com
UseCanonicalName On
DocumentRoot /var/www/webxx/web
ServerAlias xxxxxxxxx.com
DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3 index.shtml index.cgi index.pl index.jsp Default.htm default.htm
ScriptAlias /cgi-bin/ /var/www/webxx/cgi-bin/
AddHandler cgi-script .cgi
AddHandler cgi-script .pl
ErrorLog /var/www/webxx/log/error.log
AddType application/x-httpd-php .php .php3 .php4 .php5
php_admin_flag safe_mode Off
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
SSLEngine on
SSLCertificateFile /var/local/ssl/xxxxxxx_server.pem
SSLCertificateKeyFile /var/local/ssl/xxxxxxx_privatekey.pem
Alias /error/ "/var/www/webxx/web/error/"
ErrorDocument 400 /error/invalidSyntax.html
ErrorDocument 401 /error/authorizationRequired.html
ErrorDocument 403 /error/forbidden.html
ErrorDocument 404 /error/fileNotFound.html
ErrorDocument 405 /error/methodNotAllowed.html
ErrorDocument 500 /error/internalServerError.html
ErrorDocument 503 /error/overloaded.html
AliasMatch ^/~([^/]+)(/(.*))? /var/www/webxx/user/$1/web/$3
AliasMatch ^/users/([^/]+)(/(.*))? /var/www/webxx/user/$1/web/$3
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>
</IfModule>

i.e. it is an ispconfig ssl server def, moved out of the vhosts file

#10 till, 8th June 2007, 18:44

Why do you add this manually? This config is written when you enable SSL in ISPConfig automatically.