#21
13th January 2006, 18:55
senzapaura

I did follow the Suse 10 howto to the letter to the best of my ability when I installed ISPConfig. I then set-up a virtual site once I felt it was running correctly, I used openssl to create my crt and key files using the directions provided by the supplier of my CA certificate. I then went into ISPConfig and configured the SSL using the certificates I got from the CA I am using. Then I made sure the Vhosts_ispconfig.conf file was pointing to the correct certificate files. I was trying to follow a solution posted on this forum.
I had trouble using an upload function after I created the original site and I did add the PHP configuration setting in the Vhosts_ispconfig.conf file manually. Now I know how to do it using ISPConfig so I will not have to do that in the future.
If the Vhosts_ispconfig.conf file is correct what else does apache use to provide SSL service for a web site? I am using one IP address and apparently apache can see the http side of the site (www.amg01.info) because my remote testers are using that address now. I have another Fedora site set up and SSL is working there, so I have compared things and they seem to be the same. The Fedora site was setup prior to Suse 10 release and my knowing about ISPConfig. I would like to replace the Fedora server with another Suse/ISPConfig setup as soon as I can figure out this problem.

#22
13th January 2006, 20:09
till

Quote:
Originally Posted by senzapaura
I did follow the Suse 10 howto to the letter to the best of my ability when I installed ISPConfig. I then set-up a virtual site once I felt it was running correctly, I used openssl to create my crt and key files using the directions provided by the supplier of my CA certificate. I then went into ISPConfig and configured the SSL using the certificates I got from the CA I am using. Then I made sure the Vhosts_ispconfig.conf file was pointing to the correct certificate files. I was trying to follow a solution posted on this forum.
I had trouble using an upload function after I created the original site and I did add the PHP configuration setting in the Vhosts_ispconfig.conf file manually. Now I know how to do it using ISPConfig so I will not have to do that in the future.
If the Vhosts_ispconfig.conf file is correct what else does apache use to provide SSL service for a web site? I am using one IP address and apparently apache can see the http side of the site (www.amg01.info) because my remote testers are using that address now. I have another Fedora site set up and SSL is working there, so I have compared things and they seem to be the same. The Fedora site was setup prior to Suse 10 release and my knowing about ISPConfig. I would like to replace the Fedora server with another Suse/ISPConfig setup as soon as I can figure out this problem.

OK, this explains the problems. You created the SSL certificate wrong. You don't have to create the SSL cert manually and you don't have to change anything in the vhost configuration file manually. If you do so, the system might fail like in your case. All changes you made manually in the Vhosts_ispconfig.conf will be overridden by the system when you change anything in ISPConfig.

1) Remove anything SSL related you configured manually.

In ISPConfig:

2) Enable the SSL checkbox in the web you need SSL encryption and save the website.
3) Open the site again, there you will find an SSL tab. Fill out the fields and leave the SSL certificate and certificate request fields empty. Select "Create certificate" in the action field and hit save. ISPConfig now creates a certificate request and self-signed certificate with the appropriate settings, that can take up to 1 - 2 minutes. When you open the SSL tab again, you find there the certificate request that you can use to get a signed certificate for your domain from an SSL authority. When you got the SSL cert from the authority, you can replace the certificate shown on the SSL tab and select save as action.

This is also described in the ISPConfig manual.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.

#23
16th January 2006, 23:41
ctroyp

Thanks guys for the insight inside this thread. It answered most all of my questions on how to use ISPConfig to work with the certificates.

One further question. FYI, I used the perfect setup for Debian Sarge. I have heard that you can create your own CA functionality on this system. What are the pros and cons in setting up your own CA? I am completely new to CA and SSL, so bear with me.

Furthermore, can someone recommend a low $ CA that is reputable?

Thanks!

#24
17th January 2006, 00:22
falko

Quote:
Originally Posted by ctroyp
One further question. FYI, I used the perfect setup for Debian Sarge. I have heard that you can create your own CA functionality on this system. What are the pros and cons in setting up your own CA? I am completely new to CA and SSL, so bear with me.

I don't see any advantage in being your own CA, because whenever someone visits a site with an SSL cert from your own CA, a warning will pop up in the user's browser...

Quote:
Originally Posted by ctroyp
Furthermore, can someone recommend a low $ CA that is reputable?

I've always used InstantSSL ( www.instantssl.com ), never had problems with them. They used to be very cheap, but they've increased their prices now, but they are still among the cheapest.
Other CAs are Verisign, Thawte, Geotrust, Entrust, and RapidSSL.
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

#25
17th January 2006, 01:01
senzapaura

Till, Thanks again for your help.

Well I am feeling pretty stupid because, I may have painted myself into a corner. I was trying to add the PHP specific code to the site I had, prior to looking at redoing the SSL Certificate as you indicated. Thus avoiding any manual intervention as preferred, to make a long story short I must have made a mistake, the site disappeared and now I cannot create it again because I get this error message. “The name www.amg01.info is already in use by another site or domain.” There is no other site on this system.

How can I recover from this error?
Is there any graceful way?
Should I uninstall ISPConfig and reinstall?
If uninstalling ISPConfig is recommended would the partial deinstallation be preferred if I am going to recreate this site?

Also, according to the directions from my CA, I must install an intermediate certificate prior to installing the Web Server SSL Certificate. Thus creating a chain from a trusted root CA, through an intermediate certificate and ending with a Web Server SSL Certificate issued to me. This seems to add another step which your solution did not seem to address. Since I already have the certificate, I was trying to use the solution presented to theduke on the forum “REAL SSL Cert install problems thread.” Would this have been appropriate?

#26
17th January 2006, 01:11
ctroyp

Quote:
Originally Posted by falko
I don't see any advantage in being your own CA, because whenever someone visits a site with an SSL cert from your own CA, a warning will pop up in the user's browser...

I've always used InstantSSL ( www.instantssl.com ), never had problems with them. They used to be very cheap, but they've increased their prices now, but they are still among the cheapest.
Other CAs are Verisign, Thawte, Geotrust, Entrust, and RapidSSL.

Thanks falko!

#27
17th January 2006, 09:36
falko

Quote:
Originally Posted by senzapaura
Till, Thanks again for your help.

Well I am feeling pretty stupid because, I may have painted myself into a corner. I was trying to add the PHP specific code to the site I had, prior to looking at redoing the SSL Certificate as you indicated. Thus avoiding any manual intervention as preferred, to make a long story short I must have made a mistake, the site disappeared and now I cannot create it again because I get this error message. “The name www.amg01.info is already in use by another site or domain.” There is no other site on this system.

Have you tried ISPConfig's search function to find a site with this name? Did you have a look into the recycle bins?

Quote:
Originally Posted by senzapaura
Also, according to the directions from my CA, I must install an intermediate certificate prior to installing the Web Server SSL Certificate. Thus creating a chain from a trusted root CA, through an intermediate certificate and ending with a Web Server SSL Certificate issued to me. This seems to add another step which your solution did not seem to address. Since I already have the certificate, I was trying to use the solution presented to theduke on the forum “REAL SSL Cert install problems thread.” Would this have been appropriate?

I also had to install an intermediate certificate from InstantSSL.com. This is how I did it:

I added this to my Apache configuration:

Code:
<IfModule mod_ssl.c>
SSLCACertificateFile /etc/apache/ssl.crt/ca-bundle.crt
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/var/run/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/var/run/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

and copied the intermediate certificate to /etc/apache/ssl.crt/ca-bundle.crt and restarted Apache.

#28
17th January 2006, 23:55
senzapaura

Thanks again for all the help.

Apparently I did not look in all the recycle bins. I was able to recover the site from one of them. In fact the good news is I now have everything going through ISPConfig, including the PHP directives. The only manual changes I have made are those Falko recommended when using an intermediate certificate. I am using apache2 so I had to make the appropriate change to the path. The bad news is it is still not working; I cannot get to the https side of this site. Despite this problem I think I am making some headway. For sure I am beginning to see the light and think I understand things a bit more.

After I made all the suggested changes, when I restart apache I am no longer asked for my passphrase even though I am using all the same certificates. In particular the one I created with a passphrase for this site. I am not sure if ISPConfig has changed anything or not. When I was applying for the certificate I did not get the option to say no to the passphrase unlike when I was installing ISPConfig.

The following are the directions from Starfield Technologies the company I purchase the SSL certificates from.
=================
INSTALLATION INSTRUCTIONS - APACHE 2.X
Installing Your Web Server Certificate and the Intermediate Certificate:
- Copy your issued certificate, intermediate certificate and key file (generated when you created the Certificate Signing Request (CSR)) into the directory that you will be using to hold your certificates.
- Open the Apache ssl.conf file and add the following directives:

SSLCertificateFile /path to certificate file/your issued certificate
SSLCertificateKeyFile /path to key file/your key file
SSLCertificateChainFile /path to intermediate certificate/sf_issuing.crt

- Save your ssl.conf file and restart Apache.
========================
I am assuming the ssl.conf directory is my httpd.conf directory.

Since I cannot make this work with the certificate and key files I have. Maybe I should start all over again. I can reissue the certificates, but I am not sure how to do this using ISPConfig. Since this is a reissue, will the steps outlined on page 62-63 of the manual work. And where or when do I make use of the intermediate certificate and change the httpd.conf file as indicated by Falko. I am also assuming that Falko meant to cp the sf_config.crt file (intermediate file returned by Starfield) to the file ca-bundle.crt.

I guess the other option is to continue trying to make the existing certificates work, any more suggestions?

#29
18th January 2006, 08:18
mjrpes

I just went through the process of adding SSL support to my site, using a cert I bought from godaddy. Everything works fine with ISPConfig in this respect, but I ran into trouble using the SSLChainFile supplied by godaddy. ISPConfig does not support ChainFiles directly, but you can easily add support on a site by site basis by adding a reference to it in the Apache Directives textarea within the ISPConfig control panel.

First, upload the Chain file to the ssl folder of your website. Next, add a reference to it in the Apache Directives field. In my case, this was:

SSLCertificateChainFile /home/www/web1/ssl/sf_issuing.crt

#30
18th January 2006, 13:53
till

Yes, that's the way I'm doing this too for my InstantSSL chain files.
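Added example (not part of any post in this thread): the intermediate-certificate setups in posts #27 to #30 all exist so that a client trusting only the CA's root can build a path to the server certificate. The script below builds a constructed three-level chain with the openssl command-line tool and shows that the server certificate verifies only when the intermediate is supplied, plus a check that key and certificate belong together; all file names, subject names and function names are made up for this example.

```shell
#!/bin/sh
# Added example: constructed root -> issuing CA -> server chain, all names made up.

new_csr() {   # new_csr <dir> <name> <CN>: unencrypted RSA key plus CSR
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

make_demo_chain() {   # writes root, issuing and server .key/.crt files into <dir>
    d=$1
    echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext" &&
    new_csr "$d" root "Demo Root CA" &&
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null &&
    new_csr "$d" issuing "Demo Issuing CA" &&
    openssl x509 -req -in "$d/issuing.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/issuing.crt" 2>/dev/null &&
    new_csr "$d" server "www.example.test" &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/issuing.crt" -CAkey "$d/issuing.key" \
        -CAcreateserial -out "$d/server.crt" 2>/dev/null
}

# Exit 0 if a client trusting only <root> can build a path to <server cert>,
# optionally helped by the <chain file> the server would send along.
chain_verifies() {   # chain_verifies <root> <server cert> [chain file]
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# Exit 0 if the private key and the certificate carry the same public key.
key_matches_cert() {   # key_matches_cert <key> <cert>
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ "$k" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

demo=$(mktemp -d) && make_demo_chain "$demo" || exit 1
for chain in "" "$demo/issuing.crt"; do
    if chain_verifies "$demo/root.crt" "$demo/server.crt" "$chain"; then
        echo "chain file '${chain##*/}': path to root found"
    else
        echo "chain file '${chain##*/}': no path to root"
    fi
done
key_matches_cert "$demo/server.key" "$demo/server.crt" && echo "key matches certificate"
rm -rf "$demo"
```

The same two functions can be pointed at a CA's real root, the issued certificate and the intermediate file before Apache is restarted. On Apache 2.4.8 and later, SSLCertificateChainFile is deprecated and the intermediate certificates are appended to the file named by SSLCertificateFile instead.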

All times are GMT +2.