#1
23rd May 2010, 17:12
ppoetsma
Server with NAT, what to use for IP?

Hi,

I have to enable SSL on a domain and therefore I need to assign an IP to that domain instead of the default "*". But my server is behind NAT. Let's say the internal address is 192.168.0.10 and the external address 123.123.123.123. What IP address do I use in the menu "System - Server IP addresses"? The internal or the external one?

Regards,
Paul
#2
23rd May 2010, 21:02
CSsab

The DNS A records for the domain will point to the IP of the domain (123.123.123.123), so you can still use the *.

Behind NAT you might have the facility to map 192.168.1.10 to 123.123.123.123 in a static DNS configuration. E.g.: www.example.com ----->> mapped to 192.168.1.10.

Then all you have to do is make sure your common server ports are open to the internal IP.

Good Luck
#3
23rd May 2010, 21:06
ppoetsma

Enabling NAT is not the issue, it works fine. But in several posts, for example http://www.howtoforge.com/forums/sho...38&postcount=3, I read that I have to specify an IP address for the domain on which I want to use SSL, instead of the default "*". The question is, which of the two IP addresses do I use in the menu "System - Server IP addresses"?
#4
23rd May 2010, 22:40
CSsab
External redirecting vs Internal rewriting.

SSL's are associated with domain names and not with IP addresses - this is a good thing since IP addresses can change regularly which would make the cert useless.

I am thinking that you need a unique IP from your internal DHCP pool for an SSL enabled virtual host.

You can also set up SSL using the external IP, but I remember reading somewhere that it is not possible to have more than one SSL host behind NAT.

Can anyone confirm this?
#5
24th May 2010, 08:27
ppoetsma

In the meantime I managed to get it working with "*" as IP address. But the certificate that I get presented in the browser when visiting the domain is different from the one that I created using ISPConfig. The certificate talks about "SomeOrganization" and "SomeOrganizationUnit" instead of the terms that I specified in ISPConfig. I've tried it with multiple domains but the certificate is still the same. Have a look at https://dikkeveter.nl/ to find the wrong certificate; it seems to be a standard one and it is definitely not mine.
#6
24th May 2010, 13:21
CSsab

Yes, you have a self-signed certificate there and we have to choose to accept or reject it (as you know). This is what my browser tells me:

(1) The server's name "dikkeveter.nl" does not match the certificate's name "server1.example.com". Somebody may be trying to eavesdrop on you.
(2) The certificate for "server1.example.com" is signed by the unknown Certificate Authority "server1.example.com". It is not possible to verify that this is a valid certificate.

I've replaced your machine hostname.servername.com with server1.example.com here. Your root address is visible.

Have you had a look at this howto in tips and tricks?

http://howtoforge.com/forums/showthread.php?t=42341
#7
24th May 2010, 14:48
ppoetsma

I had a look at it. I did not update the apache2_plugin.inc.php file as I do use the latest release and the update from 1024 to 2048 or higher has been made in there.

The vhost configuration files that are generated do contain the lines to include the public and private certificates. Module mod_ssl is installed and no changes were made to /etc/httpd/conf.d/ssl.conf.

I have enabled debugging in Apache. In the /var/log/httpd/ssl_error.log logfile I find messages like

Code:
[Mon May 24 14:42:19 2010] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

And in /var/log/ispconfig/httpd/dikkeveter.nl/error.log is

Code:
[Mon May 24 14:42:19 2010] [info] Loading certificate & private key of SSL-aware server
[Mon May 24 14:42:19 2010] [debug] ssl_engine_pphrase.c(469): unencrypted RSA private key - pass phrase not required
[Mon May 24 14:42:19 2010] [info] Configuring server for SSL protocol
[Mon May 24 14:42:19 2010] [debug] ssl_engine_init.c(406): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Mon May 24 14:42:19 2010] [debug] ssl_engine_init.c(730): Configuring RSA server certificate
[Mon May 24 14:42:19 2010] [debug] ssl_engine_init.c(769): Configuring RSA server private key
[Mon May 24 14:42:19 2010] [info] Loading certificate & private key of SSL-aware server
[Mon May 24 14:42:19 2010] [debug] ssl_engine_pphrase.c(469): unencrypted RSA private key - pass phrase not required
[Mon May 24 14:42:19 2010] [info] Configuring server for SSL protocol
[Mon May 24 14:42:19 2010] [debug] ssl_engine_init.c(406): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Mon May 24 14:42:19 2010] [debug] ssl_engine_init.c(730): Configuring RSA server certificate
[Mon May 24 14:42:19 2010] [debug] ssl_engine_init.c(769): Configuring RSA server private key

It seems to be doing something, but how do I get Apache to tell me what certificates it loaded?
#8
24th May 2010, 15:18
ppoetsma

Aha, I used the external IP address but when I replaced it with the internal one (192.168.0.xxx) it works.

So, for the record: My server with ISPConfig and Apache is a VM behind NAT. Traffic on certain ports is forwarded from the firewall to the VM. In "System - Server IP addresses", add the internal address. Then use this address in "Sites - your-domain - IP-Address". Finally, generate the certificate.
#9
24th May 2010, 16:57
CSsab

Thanks for the information, which clarifies how SSL works on ISPConfig 3 - it is great for noobies like me.

The only other thing to say again is that the DNS A record for the virtual host must point to the public IP.

Cheers
#10
24th May 2010, 17:20
ppoetsma

Hmm, I have multiple domains on that single-behind-NAT-server. And when I create a certificate and enable SSL for a second domain, the browser gets presented the certificate of the first SSL domain. This seems to be the issue of having a single IP with multiple domains. The next challenge to solve.
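
A simplified model of why the internal address worked in post #8 and why the second SSL domain in post #10 still receives the first certificate; this is an added example, not part of the thread and not Apache or ISPConfig code. The certificate labels, `second.example` and the `sni` parameter (TLS Server Name Indication, which the thread does not mention) are assumptions for illustration.

```python
# Added example: simplified model of Apache's address-based SSL vhost selection.
from dataclasses import dataclass
from typing import Dict, List, Optional

WILDCARDS = {"*", "_default_"}

@dataclass
class VHost:
    bind_ip: str      # address in <VirtualHost ip:443>
    server_name: str  # ServerName
    cert: str         # label standing in for SSLCertificateFile (hypothetical)

def dnat(dst_ip: str, forwards: Dict[str, str]) -> str:
    """Firewall port forward: rewrite the public destination to the internal host."""
    return forwards.get(dst_ip, dst_ip)

def select_cert(vhosts: List[VHost], local_ip: str, sni: Optional[str] = None) -> Optional[str]:
    """Certificate presented for a connection that arrived on local_ip:443.

    Vhosts bound to the exact local address beat wildcard ones. Inside that
    set the first vhost in config order is the default; another one is used
    only when the client sent an SNI name equal to its ServerName.
    """
    exact = [v for v in vhosts if v.bind_ip == local_ip]
    candidates = exact or [v for v in vhosts if v.bind_ip in WILDCARDS]
    if not candidates:
        return None
    for v in candidates:
        if sni is not None and v.server_name == sni:
            return v.cert
    return candidates[0].cert

# Constructed configuration, using the addresses quoted in post #1.
FORWARDS = {"123.123.123.123": "192.168.0.10"}
SSL_CONF_DEFAULT = VHost("_default_", "server1.example.com", "default-cert")

def served(site_vhosts: List[VHost], sni: Optional[str] = None) -> Optional[str]:
    """Cert a browser gets when it connects to the public address."""
    local_ip = dnat("123.123.123.123", FORWARDS)  # Apache sees 192.168.0.10
    return select_cert([SSL_CONF_DEFAULT] + site_vhosts, local_ip, sni)

if __name__ == "__main__":
    external = [VHost("123.123.123.123", "dikkeveter.nl", "dikkeveter-cert")]
    internal = [VHost("192.168.0.10", "dikkeveter.nl", "dikkeveter-cert")]
    two = internal + [VHost("192.168.0.10", "second.example", "second-cert")]
    print("bound to external IP:", served(external))
    print("bound to internal IP:", served(internal))
    print("second domain, no SNI:", served(two))
    print("second domain, SNI:", served(two, sni="second.example"))
```

Because the firewall rewrites the destination before Apache sees the connection, a vhost bound to the public address never matches and the default vhost's certificate is served, which is the name mismatch reported in post #6.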