#1 SamTzu, 1st January 2010, 21:05
Creating a SSL certificate - Quick guide

If you want to get a commercial SSL certificate for 2048-bit or stronger encryption (GoDaddy etc.), you need to change the ISPConfig3 core settings.

Follow this quick guide to do it. If you just want to get your own non-commercial certificate to work, skip this ISPConfig3 hack and proceed to the Normal SSL configuration.

ISPConfig3 hack SSL guide.
  1. If you have already created a cert, delete it from the SSL tab for your site.
  2. Disable SSL for your website from the Website tab.
  3. Open /usr/local/ispconfig/server/plugins-available/apache2_plugin.inc.php and change 1024 (second instance, not the default setting - although it may still work changing both) to 2048 or 4096.
  4. Save the file and restart apache2 (i.e. /etc/init.d/apache2 restart) for good measure.
  5. Note: If you experience an error restarting apache2 (e.g. "(98)Address already in use: make_sock: could not bind to address 0.0.0.0:80") then do the following:
    • sudo lsof -i :80
    • Determine the pid of the running service and...
    • kill <pid from step 2>
    • /etc/init.d/apache2 restart
      It should start this time. I'm not sure what may cause this, but I had experienced it many times. It may have something to do with Subversion if you have it enabled under apache.
  6. Go back to ISPConfig and create a new certificate as you would normally.
  7. Go back to the SSL tab (may have to restart apache again if you do not see the keys in the first two fields (not sure why, but I experienced this a few times)).
  8. Copy the code from the SSL request fields and provide that to GoDaddy as the request key.
  9. Once you download your certificate from GoDaddy, paste the contents of the yourdomain.com.crt file into the SSL Certificate field (replacing what is there), select Save Certificate from the pulldown and click Save. The SSL Bundle was left empty (not sure if I needed anything here or not...can anyone confirm).
  10. Restart apache2 for good measure and test it out.

Normal SSL configuration.
  1. Make sure that your (Linux) server has 1 IP address for each site that needs a Cert (and one for the server.)
  2. Make sure that those IP addresses are configured in 'ISPConfig3 | System | Edit Server IP' list.
  3. Make sure that the 'new' Certificate site does not have * as its address in 'Sites | Website | IP-Address' field.
  4. Make sure that SSL is enabled in that same page.
  5. Make sure that the DNS address points to that IP-Address that was defined for the website and not the old address (*) that you probably had to change when starting this process.
  6. On 'Sites | Website | SSL' enter your Certificate settings. (Your locale and Company info.)
  7. On the same page in 'SSL Action' 'Create Certificate' and Save.
  8. Wait a moment.
  9. Refresh SSL settings page. You should see the new Certificate code now.
You can now use https://yourdomain.com
#2 jon, 4th February 2010, 14:26

I've tried three times but get the following error ...

[Thu Feb 04 08:25:44 2010] [error] Unable to configure RSA server private key
[Thu Feb 04 08:25:44 2010] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
#3 till, 4th February 2010, 15:34

Looks as if you uploaded an SSL certificate that is not based on the CSR created by ISPConfig.
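The mismatch described in the reply above can be checked from the shell before Apache is restarted. This is an added example, not part of the original thread or of ISPConfig: it compares the public key inside a private key, a CSR and a certificate and reports the CSR's key size; the file names (`site.key`, `other.crt` and so on) and the throwaway demo material are constructed.

```shell
#!/bin/sh
# Added example: check that a private key, CSR and certificate share one key pair.
# All file names and the demo subject below are constructed for illustration.

pub_fp() {  # usage: pub_fp key|csr|cert FILE -> SHA-256 of the PEM public key
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    pem= ;;
    esac
    [ -n "$pem" ] || return 1          # unreadable or wrong file type
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

check_triplet() {  # usage: check_triplet KEY CSR CERT
    # 0 = all three match, 1 = mismatch, 2 = a file could not be parsed
    k=$(pub_fp key "$1") && r=$(pub_fp csr "$2") && c=$(pub_fp cert "$3") || return 2
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

csr_bits() {  # usage: csr_bits CSR -> key size in bits, e.g. 2048
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit.*/\1/p'
}

make_demo() {  # usage: make_demo DIR ; writes constructed test material
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=yourdomain.com" \
        -keyout "$1/site.key" -out "$1/site.csr" 2>/dev/null
    # Self-signed here; stands in for the certificate the CA returns for site.csr.
    openssl x509 -req -in "$1/site.csr" -signkey "$1/site.key" -days 1 \
        -out "$1/site.crt" 2>/dev/null
    # Certificate for a different key pair, e.g. one issued from an earlier CSR.
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=yourdomain.com" \
        -days 1 -keyout "$1/other.key" -out "$1/other.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_demo "$demo_dir"
echo "CSR key size: $(csr_bits "$demo_dir/site.csr") bits"
check_triplet "$demo_dir/site.key" "$demo_dir/site.csr" "$demo_dir/site.crt" &&
    echo "site.crt: matches key and CSR"
check_triplet "$demo_dir/site.key" "$demo_dir/site.csr" "$demo_dir/other.crt" ||
    echo "other.crt: does not match (Apache would log 'key values mismatch')"
```

Run against the real files, `check_triplet` takes the key, CSR and certificate saved from the three fields of the SSL tab.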
#4 jon, 4th February 2010, 18:16

I agree it looks like that, but I used what was in the csr box. I also wonder if the key was right.

With Step 6 - Go back to ISPConfig and create a new certificate as you would normally. - Would that be normally as in the normal way you documented it below?

Also, I assume we should re-activate SSL for the site once the cert is in.

I did notice some strangeness with boxes being populated (as you mentioned). I wonder is it possible / better (for now) to create a certificate the old fashioned way and then save it in place of the .csr .key and .crt that ISPConfig spits out?
#5 weezul, 10th February 2010, 11:48

here's what i did:

goto ispconfig uncheck ssl and delete the certificates... click save..
now wait a few minutes or just run the cron urself.

now edit ispconfig settings:


Code:
# vi /usr/local/ispconfig/server/plugins-available/apache2_plugin.inc.php

goto line 140 and change 1024 to 2048 or 4096.

run the cron again, u should see ispconfig generate new keys.

at this step i reloaded apache..

go back into ispconfig, click create certificate and enable ssl.

run the cron, u should see ispconfig creating the keys now...

reload apache, relogin in ispconfig.. your certs should be there now.

now u can use your ssl request file and let it sign from whereever u get your certificate.. replace the certificate created by ispconfig with your signed one.

at this step it worked for me.. also i followed another tutorial so i added 2 more files and pasted the following lines into the options / apache directives form.
Code:
SSLCertificateChainFile /var/www/domain.tld/ssl/sub.class1.server.ca.pem
SSLCACertificateFile /var/www/domain.tld/ssl/ca.pem
#6 till, 10th February 2010, 13:02

The SSL encryption has been set to 2048 in SVN, so this part will be fixed with the next ispconfig release (3.0.2).
#7 bswinnerton, 5th March 2010, 23:33

Quote:
Originally Posted by SamTzu
Once you download your certificate from GoDaddy, paste the contents of the yourdomain.com.crt file into the SSL Certificate field (replacing what is there), select Save Certificate from the pulldown and click Save. The SSL Bundle was left empty (not sure if I needed anything here or not...can anyone confirm).
As far as I know, yes it's required. It can be found here: https://certs.godaddy.com/anonymous/repository.seam as gd_bundle.crt
#8 Fantu, 6th March 2010, 15:08

The simpler procedure (example based on a class 1 certificate from startssl.com) is:
- create the certificate in ispconfig
- take the content of the SSL Request field and create the certificate with it on the startssl site
- take the content of the created certificate and copy it into "SSL Certificate", take the content of sub.class1.server.ca.pem and ca.pem and copy it into "SSL Bundle" in ispconfig, and select the save option
Finished, and it works. Sorry if I did not explain it well ^^''
#9 rylangrant, 8th March 2010, 06:31

I tried following your instructions, but it didn't work for me. I originally generated a 1024 bit one until I realized GoDaddy required 2048 or 4096. I followed your instructions but it never generates the key for me. Even after going back to the 1024 setting, it still won't generate a key. Any ideas on where to look or what to do? I've looked for errors and I can't find any, and I can restart apache without problems.

Thanks
#10 Fantu, 8th March 2010, 07:32

My instructions are tested only on 3.0.2 from svn (but near to stable).