Ssl

[KenMcGinnis]

One more related question: In your "perfect setup" you mention:

"I want to create a virtual network card eth0:0 with the IP address 192.168.0.101 (my main one is 192.168.0.100 in this example) so I select Add:"

Can this 'virtual IP' be used with an SSL Certificate? If not, what was the purpose? I don't see where you use the Virtual IP for anything.

[till]

Quote:

Originally Posted by KenMcGinnis

One more related question: In your "perfect setup" you mention:

"I want to create a virtual network card eth0:0 with the IP address 192.168.0.101 (my main one is 192.168.0.100 in this example) so I select Add:"

Can this 'virtual IP' be used with an SSL Certificate? If not, what was the purpose? I don't see where you use the Virtual IP for anything.

Yes, this virtual IP can be used for SSL or when you need an IP-Based vhost (site).

[KenMcGinnis]

I am still researching this as I have some clients breathing down my back.

Regarding your post above about the virtual ip. I do have a virtual IP 192.168.0.197 (in Suse9.3 - additional IP), however it is not in the drop down list for a site that I have setup. The site is now working fine on 192.168.0.195 but I want to change it so I can have a SSL cert.


I understand it is possible to have multiple vhosts on a single IP by using different ports. For example you could have one on xx.xx.xx.xx:80 and a different one on xx.xx.xx.xx:8080. Another way is to have a wildcard cert (http://www.digicert.com/wildcard-ssl-certificates.htm) Supposedly both of these work with apache2. Do either of these work with ispconfig?

[till]

Quote:

Originally Posted by KenMcGinnis

I am still researching this as I have some clients breathing down my back.

Regarding your post above about the virtual ip. I do have a virtual IP 192.168.0.197 (in Suse9.3 - additional IP), however it is not in the drop down list for a site that I have setup. The site is now working fine on 192.168.0.195 but I want to change it so I can have a SSL cert.

Have you entered the IP in the controlpanel under Management > Server > Settings?

Quote:

Originally Posted by KenMcGinnis

I understand it is possible to have multiple vhosts on a single IP by using different ports. For example you could have one on xx.xx.xx.xx:80 and a different one on xx.xx.xx.xx:8080. Another way is to have a wildcard cert (http://www.digicert.com/wildcard-ssl-certificates.htm) Supposedly both of these work with apache2. Do either of these work with ispconfig?

I've never tested wildcard certificates with ISPConfig. If you want to know how ISPConfig configures your apache serve, have a look at the
Vhost_ispconfig.conf file in the directory vhosts in your apache configuration directory.

[falko]

Quote:

I understand it is possible to have multiple vhosts on a single IP by using different ports. For example you could have one on xx.xx.xx.xx:80 and a different one on xx.xx.xx.xx:8080.

You can have as many vhosts as you like on a single IP address using the same port as long as they do not use SSL.
If you use SSL and only have one IP address you must use different ports, but then you have to type the port into the browser's address bar as long as it's not the standard https port (443). E.g. you would have to type https://www.example.com:8080. I don't think this is what your clients want...

Quote:

Another way is to have a wildcard cert (http://www.digicert.com/wildcard-ssl-certificates.htm) Supposedly both of these work with apache2. Do either of these work with ispconfig?

A wildcard certificate means that all subdomains of a domain (e.g. www.example.com. test.example.com, example.example.com, shop.example.com, etc.) can use that certificate, without a warning popping up in the visitor's browser. If you use a wildcard certificate, then all your clients would have to use a subdomain of example.com, and I don'T think your clients want that either...

[KenMcGinnis]

Thanks, that helps.
1. no I did not enter the virtual IP on the management screen. That is now fixed.

Regarding the options for multiple IPs with ports:
The port thing may work for me. I have the client go to a web page with http: as usual. They only need the encryption with cert when they download. So I have a link on the web page to the file to download. The client only sees the name of the file. The actual link can be anything so having the port appended is not a problem.

So I now have the domain www.mydomain.com set up on the IP 192.168.0.195 - it works fine.

1. I changed the IP to 192.168.0.197 (a virtual port) checked the 'SSL' box and created and saved the cert. How do I access it now?

2. I tried entering 192.168.0.195:445 in the management/server/settings and using that IP but it does not work. Note that when I do use that new port, I can only see 192.168.0.4 in the drop down box - maybe that is the problem?

I need a hint how to access a domain on an IP using a different port.

[falko]

Quote:

Originally Posted by KenMcGinnis

1. I changed the IP to 192.168.0.197 (a virtual port) checked the 'SSL' box and created and saved the cert. How do I access it now?

https://www.mydomain.com

Quote:

Originally Posted by KenMcGinnis

2. I tried entering 192.168.0.195:445 in the management/server/settings and using that IP but it does not work. Note that when I do use that new port, I can only see 192.168.0.4 in the drop down box - maybe that is the problem?

I need a hint how to access a domain on an IP using a different port.

You can only enter IP addresses under Management -> Server -> Settings, not IP addresses with ports.

You could copy your SSL vhost from the Vhosts_ispconfig.conf file to your main httpd.conf (so that the vhost doesn't get overwritten by ISPConfig anymore) and change port 443 to 445. Then you have to add

Code:

Listen 445

to the main section of your httpd.conf and restart Apache.

[guentherhoven]

Quote:

Originally Posted by falko

You can have as many vhosts as you like on a single IP address using the same port as long as they do not use SSL.
If you use SSL and only have one IP address you must use different ports, but then you have to type the port into the browser's address bar as long as it's not the standard https port (443). E.g. you would have to type https://www.example.com:8080. I don't think this is what your clients want...



A wildcard certificate means that all subdomains of a domain (e.g. www.example.com. test.example.com, example.example.com, shop.example.com, etc.) can use that certificate, without a warning popping up in the visitor's browser. If you use a wildcard certificate, then all your clients would have to use a subdomain of example.com, and I don'T think your clients want that either...

One thing you did not mention is that you can are still required to use only 1 ip address for even wildcard certificates.
Also, i keep seeing all of these CA's being posted, but you can actually buy them all at one place, ssl.com. Try these links out:
Standard certs - http://www.ssl.com/c-24-single-domain-name-fqdn.aspx
Wildcard certs - http://www.ssl.com/c-25-multiple-sub...-wildcard.aspx
SSL Information/Knowledge Base (good stuff) http://info.ssl.com