
2nd February 2012, 10:02 (Senior Member; Join Date: Sep 2005; Posts: 1,186)
how to implement a startssl.com class2 multi domain certificate
I have a multi-domain and wildcard certificate from startssl.com, obtained after following the tutorial from howtoforge, and it is working properly for pureftp, postfix, courier, etc., but now I am wondering how to install it for some of the sites included in it.
I am using apache2 on a Debian installation.
I am not sure how the ispcfg3 SSL tab is to be used with this certificate.
I saw the checkbox for SSL when editing a site; what does ticking the box do?
If I check the box, how do I get apache2 to use the certificate I have?
Any hints?

3rd February 2012, 09:11 (Senior Member; Join Date: Sep 2005; Posts: 1,186)
I checked the ispcfg3 manual I bought:
Quote:
SSL: With this checkbox you can enable SSL for this web site. Please note that you can have only one SSL web site per IP address, and it is not possible to use a wildcard (*) in the IP-Address field.
So how do I implement my wildcard multi-domain certificate for websites with apache2?

3rd February 2012, 12:20 (Super Moderator; Join Date: Apr 2005; Location: Lüneburg, Germany; Posts: 41,665)
Just create a self-signed certificate as you would normally do, and after the cert, key, etc. have been created, rename them, e.g.:
Code:
mv yoursite.crt yoursite.crt_orig
and create symlinks to the appropriate files in the ISPConfig ssl folder:
Code:
ln -s /usr/local/ispconfig/interface/ssl/ispconfig.crt yoursite.crt
Restart Apache afterwards.
The Following User Says Thank You to falko For This Useful Post: Ovidiu (5th February 2012)

7th February 2012, 13:56 (Senior Member; Join Date: Sep 2005; Posts: 1,186)
Thanks Falko, that worked very well, but how about the last step in the startssl howto, namely where you are required to edit ispconfig.vhost and add this line:
SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/startssl.sub.class1.server.ca.crt ?
I had to add SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/startssl.sub.class2.server.ca.crt, but I guess I need to add that for every domain I am securing, right? If so, do I manually edit each vhost, or can I somehow add that via ISPCFG3?

8th February 2012, 19:48 (Super Moderator; Join Date: Apr 2005; Location: Lüneburg, Germany; Posts: 41,665)
You can place the bundle certificate on the SSL tab of the website in ISPConfig.
The Following User Says Thank You to falko For This Useful Post: Ovidiu (9th February 2012)

9th February 2012, 07:43 (Senior Member; Join Date: Sep 2005; Posts: 1,186)
Sorry, this is a bit weird. With these settings I still get the "This certificate was signed by an unknown authority" warning.
Quote:
h1870666:/var/www/premaman.co.za/ssl# ls -al
total 16
drwxr-x--x 2 web36 client20 4096 Feb 9 07:31 .
drwxr-x--x 6 web36 client20 4096 Dec 13 12:37 ..
lrwxrwxrwx 1 root root 68 Feb 9 07:31 premaman.co.za.bundle -> /usr/local/ispconfig/interface/ssl/startssl.sub.class2.server.ca.crt
lrwxrwxrwx 1 root root 48 Feb 9 07:31 premaman.co.za.crt -> /usr/local/ispconfig/interface/ssl/ispserver.crt
-rw-r--r-- 1 root root 1402 Feb 9 07:16 premaman.co.za.crt.bckp
lrwxrwxrwx 1 root root 48 Feb 5 11:21 premaman.co.za.csr -> /usr/local/ispconfig/interface/ssl/ispserver.csr
lrwxrwxrwx 1 root root 48 Feb 5 11:22 premaman.co.za.key -> /usr/local/ispconfig/interface/ssl/ispserver.key
If I edit /etc/apache2/sites-enabled/100-premaman.co.za.vhost and add the line:
Quote:
SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/startssl.sub.class2.server.ca.crt
instead, the warning is gone!?

10th February 2012, 16:17 (Super Moderator; Join Date: Apr 2005; Location: Lüneburg, Germany; Posts: 41,665)
Did you paste the contents of the startssl.sub.class2.server.ca.crt file into the bundle field in ISPConfig? If so and you still get warnings, can you post the vhost configuration file that ISPConfig wrote after you pasted the bundle cert into the bundle field?

10th February 2012, 18:12 (Senior Member; Join Date: Sep 2005; Posts: 1,186)
Yes, I did paste the contents of the right file; I just double-checked.
Since that didn't work, I even deleted the premaman.co.za.bundle file that ISPCFG3 generated and symlinked to the original file, as you can see above, but that doesn't work either.
Only if I manually add this line to the vhost does it work: SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/startssl.sub.class2.server.ca.crt
Here is the generated vhost file, including the line I added manually:
Quote:
<Directory /var/www/premaman.co.za>
AllowOverride None
Order Deny,Allow
Deny from all
</Directory>
<VirtualHost *:80>
DocumentRoot /var/www/premaman.co.za/web
ServerName premaman.co.za
ServerAlias www.premaman.co.za
ServerAlias webmail.premaman.co.za
ServerAdmin webmaster@premaman.co.za
ErrorLog /var/log/ispconfig/httpd/premaman.co.za/error.log
ErrorDocument 400 /error/400.html
ErrorDocument 401 /error/401.html
ErrorDocument 403 /error/403.html
ErrorDocument 404 /error/404.html
ErrorDocument 405 /error/405.html
ErrorDocument 500 /error/500.html
ErrorDocument 502 /error/502.html
ErrorDocument 503 /error/503.html
<IfModule mod_ssl.c>
</IfModule>
<Directory /var/www/premaman.co.za/web>
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
<Directory /var/www/clients/client20/web36/web>
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
<Directory /var/www/clients/client20/web36/web>
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
# suexec enabled
SuexecUserGroup web36 client20
# Clear PHP settings of this website
<FilesMatch "\.ph(p3?|tml)$">
SetHandler None
</FilesMatch>
# php as fast-cgi enabled
# For config options see: http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html
<IfModule mod_fcgid.c>
FcgidIdleTimeout 300
FcgidProcessLifeTime 3600
# FcgidMaxProcesses 1000
FcgidMinProcessesPerClass 0
FcgidMaxProcessesPerClass 100
FcgidConnectTimeout 3
FcgidIOTimeout 360
FcgidBusyTimeout 300
</IfModule>
<Directory /var/www/premaman.co.za/web>
AddHandler fcgid-script .php .php3 .php4 .php5
FCGIWrapper /var/www/php-fcgi-scripts/web36/.php-fcgi-starter .php
Options +ExecCGI
AllowOverride All
Order allow,deny
Allow from all
</Directory>
<Directory /var/www/clients/client20/web36/web>
AddHandler fcgid-script .php .php3 .php4 .php5
FCGIWrapper /var/www/php-fcgi-scripts/web36/.php-fcgi-starter .php
Options +ExecCGI
AllowOverride All
Order allow,deny
Allow from all
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} ^webmail.premaman.co.za$ [NC]
RewriteRule ^/(.*)$ /webmail/$1 [L]
# add support for apache mpm_itk
<IfModule mpm_itk_module>
AssignUserId web36 client20
</IfModule>
<IfModule mod_dav_fs.c>
# Do not execute PHP files in webdav directory
<Directory /var/www/clients/client20/web36/webdav>
<FilesMatch "\.ph(p3?|tml)$">
SetHandler None
</FilesMatch>
</Directory>
# DO NOT REMOVE THE COMMENTS!
# IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
# WEBDAV BEGIN
# WEBDAV END
</IfModule>
</VirtualHost>
<VirtualHost *:443>
DocumentRoot /var/www/premaman.co.za/web
ServerName premaman.co.za
ServerAlias www.premaman.co.za
ServerAlias webmail.premaman.co.za
ServerAdmin webmaster@premaman.co.za
ErrorLog /var/log/ispconfig/httpd/premaman.co.za/error.log
ErrorDocument 400 /error/400.html
ErrorDocument 401 /error/401.html
ErrorDocument 403 /error/403.html
ErrorDocument 404 /error/404.html
ErrorDocument 405 /error/405.html
ErrorDocument 500 /error/500.html
ErrorDocument 502 /error/502.html
ErrorDocument 503 /error/503.html
<IfModule mod_ssl.c>
SSLEngine on
SSLCertificateFile /var/www/clients/client20/web36/ssl/premaman.co.za.crt
SSLCertificateKeyFile /var/www/clients/client20/web36/ssl/premaman.co.za.key
SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/startssl.sub.class2.server.ca.crt
</IfModule>
<Directory /var/www/premaman.co.za/web>
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
<Directory /var/www/clients/client20/web36/web>
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
# suexec enabled
SuexecUserGroup web36 client20
# Clear PHP settings of this website
<FilesMatch "\.ph(p3?|tml)$">
SetHandler None
</FilesMatch>
# php as fast-cgi enabled
# For config options see: http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html
<IfModule mod_fcgid.c>
FcgidIdleTimeout 300
FcgidProcessLifeTime 3600
# FcgidMaxProcesses 1000
FcgidMinProcessesPerClass 0
FcgidMaxProcessesPerClass 100
FcgidConnectTimeout 3
FcgidIOTimeout 360
FcgidBusyTimeout 300
</IfModule>
<Directory /var/www/premaman.co.za/web>
AddHandler fcgid-script .php .php3 .php4 .php5
FCGIWrapper /var/www/php-fcgi-scripts/web36/.php-fcgi-starter .php
Options +ExecCGI
AllowOverride All
Order allow,deny
Allow from all
</Directory>
<Directory /var/www/clients/client20/web36/web>
AddHandler fcgid-script .php .php3 .php4 .php5
FCGIWrapper /var/www/php-fcgi-scripts/web36/.php-fcgi-starter .php
Options +ExecCGI
AllowOverride All
Order allow,deny
Allow from all
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} ^webmail.premaman.co.za$ [NC]
RewriteRule ^/(.*)$ /webmail/$1 [L]
# add support for apache mpm_itk
<IfModule mpm_itk_module>
AssignUserId web36 client20
</IfModule>
<IfModule mod_dav_fs.c>
# Do not execute PHP files in webdav directory
<Directory /var/www/clients/client20/web36/webdav>
<FilesMatch "\.ph(p3?|tml)$">
SetHandler None
</FilesMatch>
</Directory>
# DO NOT REMOVE THE COMMENTS!
# IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
# WEBDAV BEGIN
# WEBDAV END
</IfModule>
<IfModule mod_dav_fs.c>
# Do not execute PHP files in webdav directory
<Directory /var/www/clients/client20/web36/webdav>
<FilesMatch "\.ph(p3?|tml)$">
SetHandler None
</FilesMatch>
</Directory>
# DO NOT REMOVE THE COMMENTS!
# IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
# WEBDAV BEGIN
# WEBDAV END
</IfModule>
</VirtualHost>

11th February 2012, 12:39 (Super Moderator; Join Date: Apr 2005; Location: Lüneburg, Germany; Posts: 41,665)
And the SSLCertificateChainFile line isn't added by ISPConfig? What's your ISPConfig version?

11th February 2012, 17:03 (Senior Member; Join Date: Sep 2005; Posts: 1,186)
Nope, I added that line manually.
I have the latest ISPCFG version, since to generate my request I performed an update to ISPCFG 3.0.4.2.
Actually, I just did an experiment:
I edited the vhost via the ISPCFG3 interface, simply increased the site's quota by 1MB and saved.
The following happened:
In the part of the vhost where the http port is defined, this was added:
Quote:
<IfModule mod_ssl.c>
SSLCACertificateFile /var/www/clients/client20/web36/ssl/premaman.co.za.bundle
</IfModule>
In the https part this section still looked like this:
Quote:
<IfModule mod_ssl.c>
SSLEngine on
SSLCertificateFile /var/www/clients/client20/web36/ssl/premaman.co.za.crt
SSLCertificateKeyFile /var/www/clients/client20/web36/ssl/premaman.co.za.key
SSLCACertificateFile /var/www/clients/client20/web36/ssl/premaman.co.za.bundle
</IfModule>
Weird, I have done this several times already. Now it all seems to work just fine!?
Confused, but we can close this topic I guess :-(
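Added check, not part of the thread or of ISPConfig: a small POSIX shell script that reproduces the "unknown authority" symptom discussed above with a constructed root/intermediate/server chain, and shows the two checks worth running on a site's ssl folder: does the certificate verify only when the intermediate bundle is supplied, and does the key behind the symlink actually belong to the certificate. It assumes the openssl command-line tool is installed; the file names and the CN www.example.test are constructed for the demo.

```shell
# Constructed demo PKI (root -> intermediate "sub" -> server cert) written into $1.
make_demo_pki() {
  d="$1"; mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" \
    -subj "/CN=Demo Root CA" >/dev/null 2>&1
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" \
    -out "$d/root.crt" -days 2 >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/sub.key" -out "$d/sub.csr" \
    -subj "/CN=Demo Sub CA" >/dev/null 2>&1
  openssl x509 -req -in "$d/sub.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/ca.ext" -out "$d/sub.crt" -days 2 >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/server.key" -out "$d/server.csr" \
    -subj "/CN=www.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$d/server.csr" -CA "$d/sub.crt" -CAkey "$d/sub.key" -CAcreateserial \
    -out "$d/server.crt" -days 2 >/dev/null 2>&1
}

# chain_ok <trusted-root> <server-cert> [bundle]
# Succeeds only if the server cert chains up to the trusted root. Without the bundle of
# intermediates it fails the same way a browser does when the vhost sends no chain.
chain_ok() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# key_matches <cert> <key>: the public key inside the cert must equal the one derived
# from the private key; catches a symlink that points at the wrong .key or .crt.
key_matches() {
  c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)
  k=$(openssl pkey -pubout -in "$2" 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Demo run against the constructed PKI (temporary files only, nothing on the live system).
demo() {
  dir=$(mktemp -d)
  make_demo_pki "$dir"
  chain_ok "$dir/root.crt" "$dir/server.crt" && echo "without bundle: OK (unexpected)" \
    || echo "without bundle: FAIL (the 'unknown authority' symptom)"
  chain_ok "$dir/root.crt" "$dir/server.crt" "$dir/sub.crt" && echo "with bundle: OK"
  key_matches "$dir/server.crt" "$dir/server.key" && echo "key matches cert"
  rm -rf "$dir"
}
demo
```

Against a live ISPConfig site you would pass the system trust store as the root (on Debian, /etc/ssl/certs/ca-certificates.crt), the site's .crt, and the .bundle file that ISPConfig writes next to it.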