Replacing SSL Cert

[jonwatson]

Hi All,

Been messing around with this for a while this morning and have given up. I am attempting to install a chained SSL cert from GoDaddy into an ISPConfig installation but am failing. The ISPConfig apache fails to launch, yet try as I might I cannot find a single log entry anywhere telling me why. I know it's SSL related, but without logs I'm pretty much in the dark.

I have:

A CSR file in /root/ispconfig/httpd/conf/ssl.csr
A CRT file in /root/ispconfig/httpd/conf/ssl.crt
A ca-bundle.crt file in /root/ispconfig/httpd/conf/ssl.crt

I have entries in /root/ispconfig/httpd/httpd.conf that point to all of these files, but no go. When I run /etc/init.d/ispconfig restart it happily tells me that it wasn't started, then tells me it is started, but it is not (at least port 81 apache is not up).

I see that this has been discussed before on the forums, but I'm obviously missing something. Can someone please, for the love of god, point me to the logs that the port 81 apache is supposed to be writing so I can see what's wrong?

Or, alternatively, is there some definitive guide somewhere on how to install a chained cert into ISPConfig? Seems to me that this is fairly poorly understood by a lot of people.

Thanks

Jon

[till]

The log files are in /root/ispconfig/httpd/logs/

As far as I know, you will have to put the ca bundle in a separate file and not in the ssl.crt file together with the certificate. The bundle file is loded into the apache configuration with:

SSLCACertificateFile /path/to/the/bundle/cert/file/ca.txt

[jonwatson]

HI Till,

I seem to have everything in the right place, but the ISPConfig apache just won't start. It doesn't log anything either. Very frustrating.

I'm going to play around a little more and maybe just move to a better cert that doesn't have a bundle.

Thanks

Jon

[tensor]

Check these config directives:
SSLCertificateFile - should point to bare certificate
SSLCertificateKeyFile - should point to bare key (possibly protected with a password)
SSLCertificateChainFile - should point to bundle (contatenation) of certificates of all intermediate and root CAs, the Root CA cert should be at the bottom of the file, the closest intermediate CA to you cert at the top of the file.

That way it works for me for self generated certs. And yes, we do have inhouse intermediate CAs.

[jonwatson]

Hi,

Yes, all that was set up correctly, yet ISPConfig would not start it's own port 81 apache and would not log the problem.

I've since moved to a direct cert from RapidSSL and all is good.

Jon