
8th August 2007, 01:59
Member
Join Date: Jul 2007
Posts: 70
Thanks: 12
Thanked 3 Times in 3 Posts
Problem installing SSL for WebSite
I needed to get an actual SSL Cert for one of the 3 websites I am running under ISPCONFIG. I put in the information and chose create certificate and saved. Then I copied the SSL Request and put it into my application for a key. Got the key and pasted it into the SSL Certificate box in ISPCONFIG for the website I need the key for, saved it and restarted ispconfig_server. All restarted but I cannot get to the website. I am using Fedora Core 7 set up using the how to for FC7 and asked for a mod ssl type key. Does everything have to be the same as far as company information that was entered during the how to for openssl, even the department? I set up ISPCONFIG using my company name etc., but the department I used was web. I am using www for the website. Just so I am clear, ISPCONFIG is set up as web.mydomainname.com and my website is www.mydomainname.com. Also does the number of days play a factor as I plan to buy a 3 year cert?
httpd does not start and the error I am getting in the error log of the website is:
Unable to configure RSA server private key
SSL Library error: 185073780 error:0B080074:x509 certificate routines:x509_check_private_key:key values mismatch
Do I need to regen my keys on the server using the same code as in the how to for FC7 or just the x509 ones?
Trying to figure it all out but don't want to do anything that is going to cause me to start over...
John
Last edited by jtheed; 8th August 2007 at 02:14.
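The "key values mismatch" error in the post above means the certificate's public key does not belong to the private key httpd is loading. The following check is an added example, not part of the original post; the file names and the `www.example.test` subject are constructed, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: does a CSR or certificate carry the same public key as a private key?

# Print the SHA-256 of the public key held in a key, CSR or certificate (PEM).
pubkey_fp() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# matches_key <csr|cert> <file> <keyfile>: 0 = same key pair, 1 = mismatch, 2 = unreadable
matches_key() {
    a=$(pubkey_fp "$1" "$2") || return 2
    b=$(pubkey_fp key "$3") || return 2
    [ "$a" = "$b" ]
}

# Constructed sample: the CSR and certificate come from site.key; other.key stands in
# for a private key that does not belong to the certificate.
demo() {
    d=$(mktemp -d) || return 1
    openssl genrsa -out "$d/site.key" 2048 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    openssl req -new -key "$d/site.key" -subj "/CN=www.example.test" \
        -out "$d/site.csr" 2>/dev/null
    openssl x509 -req -in "$d/site.csr" -signkey "$d/site.key" -days 1 \
        -out "$d/site.crt" 2>/dev/null
    for pair in "csr site.csr site.key" "cert site.crt site.key" "cert site.crt other.key"; do
        set -- $pair
        if matches_key "$1" "$d/$2" "$d/$3"; then r=match; else r=MISMATCH; fi
        echo "$2 vs $3: $r"
    done
    rm -rf "$d"
}

demo
```

Run `matches_key cert` against the certificate returned by the CA and the key file the virtual host points at; a mismatch there reproduces the condition httpd reports at startup.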
|

8th August 2007, 08:32
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 31,888
Thanks: 693
Thanked 4,188 Times in 3,205 Posts
Quote:
|
Do I need to regen my keys on the server using the same code as in the how to for FC7 or just the x509 ones?
|
No.
You must copy the certificate that you received back to the certificate box and not the key of the SSL certificate and then select save and not create as action.
|

8th August 2007, 15:25
Member
Quote:
|
Originally Posted by till
No.
You must copy the certificate that you received back to the certificate box and not the key of the SSL certificate and then select save and not create as action.
|
I may be using the word KEY in the wrong context because that's what I did. I entered the information at the top of the SSL form in ISPCONFIG and chose create to make the SSL Request, then I chose save, after that I copied the request into the CA's form and when I got the files from the CA, I took the one that ended in .crt and pasted it into SSL Certificate and chose save as the option and then clicked on save. When I restarted ISPCONFIG, httpd failed to restart with the error.
I also received a file called my_domain_name.ca-bundle. Was I supposed to do anything with this?
Thanks
John
|

9th August 2007, 15:08
Member
Could part of my problem be that I am calling the ISP Server web.mydomainname.com and then I have setup a website called www.mydomainname.com?
Can I change the name of the ISP server or will I have to re-install ISPCONFIG in order to change the name, if it's causing me a problem?
Hoping to get this resolved soon. I am trying to go live with this by this weekend.
Thanks
John
|

9th August 2007, 15:12
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,665
Thanks: 1,896
Thanked 2,593 Times in 2,444 Posts
Quote:
|
Originally Posted by jtheed
|
No, that's no problem.
Did you take a look at this guide? http://www.howtoforge.com/faq/14_49_en.html
|

9th August 2007, 15:36
Member
I think I have it worked out.
While viewing the cert created by ISPCONFIG for the ISP Server, I realized that when I installed ISPCONFIG, I always used MY email address and set up the organization as web. So, this time, I logged in as admin, deleted the existing cert that was created by ISPCONFIG, logged out, logged back in as myself, created a request using web as the organization and submitted it. Now, there are no errors bringing ISPCONFIG and httpd back up and the cert shows my CA's name.
I am running this at home this week while I am off (some vacation), so it still shows as can't be trusted, but that has to be because it's not sitting at the IP it is supposed to be at, yes?
Thanks for the replies guys and the fantastic work you all do in helping everyone on this site.... it's really appreciated.
John
|

10th August 2007, 16:45
Super Moderator
Quote:
|
Originally Posted by jtheed
I am running this at home this week while I am off (some vacation), so it still shows as can't be trusted, but that has to be because it's not sitting at the IP it is supposed to be at, yes?
|
The IP doesn't matter, but I guess you're also using a different hostname?
|

11th August 2007, 03:20
Member
The IP address that the domain is sitting at right now is the only thing that is different. The DNS points to the IP address at work and right now, I am just running it on my home DSL Non-Static IP. I just change my host files on my workstation to match the current IP to connect to the server for testing. I'll know more tomorrow as I am taking it back to work. Hopefully, the warning stops popping up then.
John
|

11th August 2007, 19:25
Member
Update: I contacted my SSL CA and they said I was getting the not trusted warning because of no intermediate file being installed. So I added the intermediate ca file, as per their instructions, to the .conf files, both the httpd.conf and the httpd.conf.https files where they are looking for the SSLCertificateChainFile. They were commented out originally. Not sure I needed it in both conf files, but now IE 6 or IE7 do not complain, but Firefox 2.0.0.6 still complains even though the CA is listed as an Authority. Does anyone know why this might be happening only in Firefox? It may in others, but I only have Firefox and IE6 - IE7.
50% of the way there....
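The CA's explanation above (no intermediate installed, so the certificate is not trusted) can be reproduced offline. This is an added example, not part of the original post: it builds a constructed root, intermediate and leaf with the `openssl` tool and shows that the leaf verifies against the root only when the intermediate is supplied, which is the role `SSLCertificateChainFile` plays on the server. All names are constructed.

```shell
#!/bin/sh
# Added example: a leaf certificate chains to a trusted root only via its intermediate.

# Build a constructed root -> intermediate -> leaf chain in directory $1.
make_chain() {
    printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
    for n in root inter leaf; do
        openssl genrsa -out "$1/$n.key" 2048 2>/dev/null
        openssl req -new -key "$1/$n.key" -subj "/CN=Constructed $n" \
            -out "$1/$n.csr" 2>/dev/null
    done
    # Self-signed root, marked as a CA.
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" \
        -extfile "$1/ca.ext" -days 1 -out "$1/root.crt" 2>/dev/null
    # Intermediate CA signed by the root.
    openssl x509 -req -in "$1/inter.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
        -CAcreateserial -extfile "$1/ca.ext" -days 1 -out "$1/inter.crt" 2>/dev/null
    # Server (leaf) certificate signed by the intermediate.
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/inter.crt" -CAkey "$1/inter.key" \
        -CAcreateserial -days 1 -out "$1/leaf.crt" 2>/dev/null
}

# verify_leaf <dir> [intermediate.crt]: 0 if leaf.crt chains to root.crt.
# -untrusted plays the part of the chain file the server sends to the client.
verify_leaf() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1/root.crt" -untrusted "$2" "$1/leaf.crt" 2>/dev/null
    else
        openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" 2>/dev/null
    fi | grep -q ': OK$'
}

demo_chain() {
    d=$(mktemp -d) || return 1
    make_chain "$d"
    if verify_leaf "$d"; then r=trusted; else r="NOT trusted"; fi
    echo "leaf only: $r"
    if verify_leaf "$d" "$d/inter.crt"; then r=trusted; else r="NOT trusted"; fi
    echo "leaf + intermediate: $r"
    rm -rf "$d"
}

demo_chain
```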
|

12th August 2007, 10:44
Super Moderator
What is the exact error message that you get in Firefox?