  #1  
Old 2nd May 2009, 09:32
oprago oprago is offline
Junior Member
 
Join Date: May 2009
Posts: 1
Thanks: 0
Thanked 5 Times in 1 Post
Default ISPConfig 3 - GNUTLS

Hi,

I created a small workaround to use ISPConfig with GnuTLS.

Install gnutls and disable SSL:

Code:
aptitude install libapache2-mod-gnutls
a2enmod gnutls
a2dismod ssl

The next step is to modify the ISPConfig Apache template /usr/local/ispconfig/server/conf/vhost.conf.master to use GnuTLS:

Change:

Code:
[...]
<tmpl_if name='ssl_enabled'>
<IfModule mod_ssl.c>
[...]
Code:
[...]
    SSLEngine on
    SSLCertificateFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='domain'>.crt
    SSLCertificateKeyFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='domain'>.key
<tmpl_if name='has_bundle_cert'>
    SSLCACertificateFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='domain'>.bundle
</tmpl_if>
[...]

to:

Code:
[...]
<tmpl_if name='ssl_enabled'>
<IfModule mod_gnutls.c>
[...]
Code:
[...]
    GnuTLSEnable on
    GnuTLSPriorities NORMAL
    GnuTLSCertificateFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='domain'>.crt
    GnuTLSKeyFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='domain'>.key
[...]

I don't use the SSL bundles, so I hide the form field. Edit /usr/local/ispconfig/interface/web/sites/form/web_domain.tform.php and change it to a hidden field:

Code:
'ssl_bundle' => array (
			'datatype'	=> 'TEXT',
			'formtype'	=> 'HIDDEN',
			'default'	=> '',
			'value'		=> '',
			'cols'		=> '30',
			'rows'		=> '10'
		),

and modify the template /usr/local/ispconfig/interface/web/sites/templates/web_domain_ssl.htm:

Code:
<div class="ctrlHolder" style="display:none;">
        <label for="ssl_bundle">{tmpl_var name='ssl_bundle_txt'}</label>
        <textarea name="ssl_bundle" id="ssl_bundle" rows='10' cols='30'>{tmpl_var name='ssl_bundle'}</textarea>
</div>

GnuTLS requires an IP address in the virtual host definition, so I had to disable the "*". First add the IP of the server in the ISPConfig admin interface. Now disable the "*" in the file /usr/local/ispconfig/interface/web/sites/web_domain_edit.php by removing all $ip_select = "<option value='*'>*</option>"; entries.
The Following 5 Users Say Thank You to oprago For This Useful Post:
falko (3rd May 2009), hfmark (5th May 2009), Mark_NL (13th January 2010), tio289 (12th May 2009), zenny (27th October 2011)
  #2  
Old 5th May 2009, 15:10
hfmark hfmark is offline
Junior Member
 
Join Date: May 2009
Posts: 1
Thanks: 1
Thanked 0 Times in 0 Posts
Default

Amazing code, very useful, thanks
  #3  
Old 12th May 2009, 23:30
tio289 tio289 is offline
Member
 
Join Date: Mar 2009
Posts: 70
Thanks: 2
Thanked 14 Times in 9 Posts
Default

I must also edit the file /etc/apache2/ports.conf to the following:

Code:
NameVirtualHost your server ip:80
Listen your server ip:80

<IfModule mod_gnutls.c>
    NameVirtualHost your server ip:443
    Listen your server ip:443
</IfModule>

But I still have a problem with certificates, as with SSL. I turned on SSL on domain.sk and on domain.cz. If I go to https://domain.sk, the server uses the certificate for domain.cz. I hoped that GnuTLS was the solution, but... Can anybody help me? Thanks

Last edited by tio289; 12th May 2009 at 23:54.
  #4  
Old 13th January 2010, 14:13
johnboy4809 johnboy4809 is offline
Junior Member
 
Join Date: Jan 2006
Posts: 13
Thanks: 0
Thanked 0 Times in 0 Posts
Default help with setting up

I have tried implementing this on my Debian Lenny system and can't seem to get it to work; all my sites use the same certificate instead of their own. Has anyone got any pointers as to where to start fixing this?
  #5  
Old 13th January 2010, 15:46
tio289 tio289 is offline
Member
 
Join Date: Mar 2009
Posts: 70
Thanks: 2
Thanked 14 Times in 9 Posts
Default

Hello johnboy4809,

With GnuTLS you can have more virtual hosts on ONE IP with SSL, but you must have one cert for all domains.

With the default SSL mod you can have only one virtual host with SSL on one IP.

And how do you create a cert for all domains?

You must edit the file /etc/ssl/openssl.cnf

and look at these lines:

Code:
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Internet Widgits Pty Ltd

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

You can easily add more common names:

0.commonName = domain.com
1.commonName = domain2.com
2.commonName = domain3.com

Then you must recreate the certificate. You can sign this certificate with, for example, cacert.org.
  #6  
Old 13th January 2010, 16:53
johnboy4809 johnboy4809 is offline
Junior Member
 
Join Date: Jan 2006
Posts: 13
Thanks: 0
Thanked 0 Times in 0 Posts
Default

hi tio289

Thanks for getting back to me. I think I misunderstood GnuTLS; I thought it would allow me to have multiple SSL secure sites on a single IP, or is this OpenSSL cert separate from the virtual hosts' cert? Sorry if I sound dumb, but I'm learning as I go. The reason I wanted this is that I have my own server at home running Lenny and ISPConfig 3. It hosts 3 sites, 2 of which I'd now like to have SSL. My domains are all sent to my server via DynDNS as I don't have a static IP. I don't know whether I am trying to achieve the impossible with this.

Thanks
  #7  
Old 13th January 2010, 23:56
tio289 tio289 is offline
Member
 
Join Date: Mar 2009
Posts: 70
Thanks: 2
Thanked 14 Times in 9 Posts
Default

SSLMOD - ONE IP = ONE SSL based host

GNUTLS - ONE IP (static or dynamic) = MANY SSL based hosts with ONE joint certificate.

The certificate doesn't contain any information about the IP. What is important in the certificate is the CommonName, which is for example *.domain.com. The cert will then be valid for anything.domain.com. When you want to use GnuTLS and MANY SSL based hosts on one IP, you must create a certificate with MANY commonNames.

For this you must edit the /etc/ssl/openssl.cnf file and add the commonNames to it.
For example, if you have 3 domains, domainA.com, domainB.com and domainC.com, you must add all domains to the openssl.cnf file.

Code:
[ req_distinguished_name ]
0.commonName = Common Name (eg, YOUR name)
0.commonName_default = *.domainA.com
0.commonName_max = 64
1.commonName = Common Name (eg, YOUR name)
1.commonName_default = *.domainB.com
1.commonName_max = 64
2.commonName = Common Name (eg, YOUR name)
# only an example of a subdomain added to the SSL cert
2.commonName_default = shop.domainC.com
2.commonName_max = 64
3.commonName = Common Name (eg, YOUR name)
# example
3.commonName_default = My Secure Internet Services
3.commonName_max = 64

How? Look at this: http://www.sambarserver.info/viewtopic.php?t=740


And if you want to thank me, use the button for it :-)

Last edited by tio289; 14th January 2010 at 00:02.
  #8  
Old 15th January 2010, 09:05
Horfic Horfic is offline
Senior Member
 
Join Date: Mar 2009
Location: Austria
Posts: 322
Thanks: 55
Thanked 89 Times in 54 Posts
Default

I have to correct you, it is possible to use multiple cert files with gnutls. I just followed the instructions on this page and I created the ssl file in the webinterface. Works all!
  #9  
Old 15th January 2010, 11:06
tio289 tio289 is offline
Member
 
Join Date: Mar 2009
Posts: 70
Thanks: 2
Thanked 14 Times in 9 Posts
Default

I see. In my case this doesn't function, so I created one cert.
  #10  
Old 15th January 2010, 16:30
johnboy4809 johnboy4809 is offline
Junior Member
 
Join Date: Jan 2006
Posts: 13
Thanks: 0
Thanked 0 Times in 0 Posts
 
Default

Thanks for your help tio289, but I still seem to be doing something wrong. I decided to start with a fresh server, so I rebuilt my server using the Debian Lenny Perfect Setup for ISPConfig 3 from this site. Then, as soon as everything was installed, I followed oprago's setup of GnuTLS and also made the changes that tio289 outlined, but still to no avail. My sites all still use the same cert. I am at a loss now as to why it will not work.
Reply With Quote
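
An added example, not part of any post in this thread: a shell/awk check over rendered Apache vhost files for the conditions discussed above (a "*" address on a port-443 vhost, leftover mod_ssl directives, a GnuTLS vhost with no certificate file, two vhosts pointing at the same certificate file). The function names, finding labels and the sample vhosts are constructed for illustration.

```shell
# Added example. Finding labels (WILDCARD, MODSSL, NOCERT, SHARED) are made up here.
audit_vhosts() {
    awk '
    function report() {
        if (!invh || port != "443") return
        if (addr == "*") print "WILDCARD " name      # oprago: GnuTLS vhosts need an IP
        if (modssl) print "MODSSL " name             # template still has SSL* directives
        if (on && cert == "") print "NOCERT " name   # GnuTLS on, no certificate file
        if (cert == "") return
        if (cert in owner) print "SHARED " cert " " owner[cert] " " name
        else owner[cert] = name
    }
    { d = tolower($1) }                              # Apache directives are case-insensitive
    d == "<virtualhost" {
        spec = $2; sub(/>$/, "", spec)
        n = split(spec, p, ":"); port = p[n]         # last ":" field is the port
        addr = substr(spec, 1, length(spec) - length(port) - 1)
        invh = 1; name = "(unnamed)"; cert = ""; on = 0; modssl = 0; next
    }
    d == "</virtualhost>" { report(); invh = 0; next }
    !invh { next }
    d == "servername" { name = $2 }
    d == "gnutlsenable" && tolower($2) == "on" { on = 1 }
    d == "gnutlscertificatefile" { cert = $2 }
    d == "sslengine" || d == "sslcertificatefile" { modssl = 1 }
    ' "$@"
}

# Constructed sample input: three port-443 vhosts with made-up names and paths.
sample_vhosts() {
    cat <<'EOF'
<VirtualHost *:443>
    ServerName a.example
    GnuTLSEnable on
    GnuTLSCertificateFile /var/www/a.example/ssl/a.example.crt
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName b.example
    GnuTLSEnable on
    GnuTLSCertificateFile /var/www/a.example/ssl/a.example.crt
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName c.example
    SSLEngine on
</VirtualHost>
EOF
}
sample_vhosts | audit_vhosts
```

Run it against real files with `audit_vhosts /etc/apache2/sites-enabled/*`; no output means none of the four conditions were found.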

All times are GMT +2.