  #1  
Old 2nd February 2012, 11:02
Ovidiu Ovidiu is offline
Senior Member
 
Join Date: Sep 2005
Posts: 1,269
Thanks: 84
Thanked 25 Times in 21 Posts
how to implement a startssl.com class2 multi domain certificate

I have a multidomain and wildcard certificate by startssl.com after following the tutorial from howtoforge and it is working properly for pureftp, postfix, courier, etc. but now I am wondering how to install it for some of the sites included in it.

using apache2 on a debian installation.

I am not sure how the ispcfg3 SSL tab is to be used with this certificate?
I saw the checkbox for ssl when editing a site, what does ticking the box do?
if I check the box, how do I get apache2 to use the certificate I have?

any hints?
  #2  
Old 3rd February 2012, 10:11
Ovidiu Ovidiu is offline

checked the ispcfg3 manual I bought:
Quote:
SSL: With this checkbox you can enable SSL for this web site. Please note that you can have only one SSL web site per IP address, and it is not possible to use a wildcard (*) in the IP-Address field.
so how do I implement my wildcard-multi-domain certificate for websites with apache2?
  #3  
Old 3rd February 2012, 13:20
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,751 Times in 2,581 Posts

Just create a self-signed certificate as you would normally do, and after the cert, key, etc. have been created, rename them, e.g.
Code:
mv yoursite.crt yoursite.crt_orig
and create symlinks to the appropriate files in the ISPConfig ssl folder:
Code:
ln -s /usr/local/ispconfig/interface/ssl/ispconfig.crt yoursite.crt
Restart Apache afterwards.
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
  #4  
Old 7th February 2012, 14:56
Ovidiu Ovidiu is offline

Thanks Falko that worked very well but how about the last step in the startssl howto namely where you are required to edit ispconfig.vhost and add this line:
SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/startssl.sub.class1.server.ca.crt ?

I had to add SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/startssl.sub.class2.server.ca.crt but I guess I need to add that for every domain I am securing, right? If so, manually editing each vhost or can I somehow add that via ISPCFG3?
  #5  
Old 8th February 2012, 20:48
falko falko is offline

You can place the bundle certificate on the SSL tab of the website in ISPConfig.
  #6  
Old 9th February 2012, 08:43
Ovidiu Ovidiu is offline

sorry this is a bit weird. with these settings I still get the "This certificate was signed by an unknown authority" warning.

Quote:
h1870666:/var/www/premaman.co.za/ssl# ls -al
total 16
drwxr-x--x 2 web36 client20 4096 Feb 9 07:31 .
drwxr-x--x 6 web36 client20 4096 Dec 13 12:37 ..
lrwxrwxrwx 1 root root 68 Feb 9 07:31 premaman.co.za.bundle -> /usr/local/ispconfig/interface/ssl/startssl.sub.class2.server.ca.crt
lrwxrwxrwx 1 root root 48 Feb 9 07:31 premaman.co.za.crt -> /usr/local/ispconfig/interface/ssl/ispserver.crt
-rw-r--r-- 1 root root 1402 Feb 9 07:16 premaman.co.za.crt.bckp
lrwxrwxrwx 1 root root 48 Feb 5 11:21 premaman.co.za.csr -> /usr/local/ispconfig/interface/ssl/ispserver.csr
lrwxrwxrwx 1 root root 48 Feb 5 11:22 premaman.co.za.key -> /usr/local/ispconfig/interface/ssl/ispserver.key
If I edit /etc/apache2/sites-enabled/100-premaman.co.za.vhost and add the line:

Quote:
SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/startssl.sub.class2.server.ca.crt
instead the warning is gone!?
  #7  
Old 10th February 2012, 17:17
falko falko is offline

Did you paste the contents of the startssl.sub.class2.server.ca.crt file into the bundle field in ISPConfig? If so and you still get warnings, can you post the vhost configuration file that ISPConfig wrote after you pasted the bundle cert into the bundle field?
  #8  
Old 10th February 2012, 19:12
Ovidiu Ovidiu is offline

yes I did paste the contents of the right file, I just double-checked.
since that didn't work, I even deleted the premaman.co.za.bundle file that ISPCFG3 generated and symlinked to the original file as you can see above but that doesn't work either.

Only if I manually add this line to the vhost does it work: SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/startssl.sub.class2.server.ca.crt

here is the generated vhost file including the line I added manually:

Quote:
<Directory /var/www/premaman.co.za>
AllowOverride None
Order Deny,Allow
Deny from all
</Directory>

<VirtualHost *:80>
DocumentRoot /var/www/premaman.co.za/web

ServerName premaman.co.za
ServerAlias www.premaman.co.za
ServerAlias webmail.premaman.co.za
ServerAdmin webmaster@premaman.co.za

ErrorLog /var/log/ispconfig/httpd/premaman.co.za/error.log


ErrorDocument 400 /error/400.html
ErrorDocument 401 /error/401.html
ErrorDocument 403 /error/403.html
ErrorDocument 404 /error/404.html
ErrorDocument 405 /error/405.html
ErrorDocument 500 /error/500.html
ErrorDocument 502 /error/502.html
ErrorDocument 503 /error/503.html

<IfModule mod_ssl.c>
</IfModule>
<Directory /var/www/premaman.co.za/web>
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
<Directory /var/www/clients/client20/web36/web>
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
<Directory /var/www/clients/client20/web36/web>
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>



# suexec enabled
SuexecUserGroup web36 client20
# Clear PHP settings of this website
<FilesMatch "\.ph(p3?|tml)$">
SetHandler None
</FilesMatch>
# php as fast-cgi enabled
# For config options see: http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html
<IfModule mod_fcgid.c>
FcgidIdleTimeout 300
FcgidProcessLifeTime 3600
# FcgidMaxProcesses 1000
FcgidMinProcessesPerClass 0
FcgidMaxProcessesPerClass 100
FcgidConnectTimeout 3
FcgidIOTimeout 360
FcgidBusyTimeout 300
</IfModule>
<Directory /var/www/premaman.co.za/web>
AddHandler fcgid-script .php .php3 .php4 .php5
FCGIWrapper /var/www/php-fcgi-scripts/web36/.php-fcgi-starter .php
Options +ExecCGI
AllowOverride All
Order allow,deny
Allow from all
</Directory>
<Directory /var/www/clients/client20/web36/web>
AddHandler fcgid-script .php .php3 .php4 .php5
FCGIWrapper /var/www/php-fcgi-scripts/web36/.php-fcgi-starter .php
Options +ExecCGI
AllowOverride All
Order allow,deny
Allow from all
</Directory>

RewriteEngine on
RewriteCond %{HTTP_HOST} ^webmail.premaman.co.za$ [NC]
RewriteRule ^/(.*)$ /webmail/$1 [L]

# add support for apache mpm_itk
<IfModule mpm_itk_module>
AssignUserId web36 client20
</IfModule>

<IfModule mod_dav_fs.c>
# Do not execute PHP files in webdav directory
<Directory /var/www/clients/client20/web36/webdav>
<FilesMatch "\.ph(p3?|tml)$">
SetHandler None
</FilesMatch>
</Directory>
# DO NOT REMOVE THE COMMENTS!
# IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
# WEBDAV BEGIN
# WEBDAV END
</IfModule>
</VirtualHost>
<VirtualHost *:443>
DocumentRoot /var/www/premaman.co.za/web

ServerName premaman.co.za
ServerAlias www.premaman.co.za
ServerAlias webmail.premaman.co.za
ServerAdmin webmaster@premaman.co.za

ErrorLog /var/log/ispconfig/httpd/premaman.co.za/error.log


ErrorDocument 400 /error/400.html
ErrorDocument 401 /error/401.html
ErrorDocument 403 /error/403.html
ErrorDocument 404 /error/404.html
ErrorDocument 405 /error/405.html
ErrorDocument 500 /error/500.html
ErrorDocument 502 /error/502.html
ErrorDocument 503 /error/503.html

<IfModule mod_ssl.c>
SSLEngine on
SSLCertificateFile /var/www/clients/client20/web36/ssl/premaman.co.za.crt
SSLCertificateKeyFile /var/www/clients/client20/web36/ssl/premaman.co.za.key
SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/startssl.sub.class2.server.ca.crt
</IfModule>
<Directory /var/www/premaman.co.za/web>
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
<Directory /var/www/clients/client20/web36/web>
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>



# suexec enabled
SuexecUserGroup web36 client20
# Clear PHP settings of this website
<FilesMatch "\.ph(p3?|tml)$">
SetHandler None
</FilesMatch>
# php as fast-cgi enabled
# For config options see: http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html
<IfModule mod_fcgid.c>
FcgidIdleTimeout 300
FcgidProcessLifeTime 3600
# FcgidMaxProcesses 1000
FcgidMinProcessesPerClass 0
FcgidMaxProcessesPerClass 100
FcgidConnectTimeout 3
FcgidIOTimeout 360
FcgidBusyTimeout 300
</IfModule>
<Directory /var/www/premaman.co.za/web>
AddHandler fcgid-script .php .php3 .php4 .php5
FCGIWrapper /var/www/php-fcgi-scripts/web36/.php-fcgi-starter .php
Options +ExecCGI
AllowOverride All
Order allow,deny
Allow from all
</Directory>
<Directory /var/www/clients/client20/web36/web>
AddHandler fcgid-script .php .php3 .php4 .php5
FCGIWrapper /var/www/php-fcgi-scripts/web36/.php-fcgi-starter .php
Options +ExecCGI
AllowOverride All
Order allow,deny
Allow from all
</Directory>

RewriteEngine on
RewriteCond %{HTTP_HOST} ^webmail.premaman.co.za$ [NC]
RewriteRule ^/(.*)$ /webmail/$1 [L]

# add support for apache mpm_itk
<IfModule mpm_itk_module>
AssignUserId web36 client20
</IfModule>

<IfModule mod_dav_fs.c>
# Do not execute PHP files in webdav directory
<Directory /var/www/clients/client20/web36/webdav>
<FilesMatch "\.ph(p3?|tml)$">
SetHandler None
</FilesMatch>
</Directory>
# DO NOT REMOVE THE COMMENTS!
# IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
# WEBDAV BEGIN
# WEBDAV END
</IfModule>
<IfModule mod_dav_fs.c>
# Do not execute PHP files in webdav directory
<Directory /var/www/clients/client20/web36/webdav>
<FilesMatch "\.ph(p3?|tml)$">
SetHandler None
</FilesMatch>
</Directory>
# DO NOT REMOVE THE COMMENTS!
# IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
# WEBDAV BEGIN
# WEBDAV END
</IfModule>


</VirtualHost>
  #9  
Old 11th February 2012, 13:39
falko falko is offline

And the SSLCertificateChainFile line isn't added by ISPConfig? What's your ISPConfig version?
  #10  
Old 11th February 2012, 18:03
Ovidiu Ovidiu is offline

nope, I added that line manually.
I have the latest ISPCFG version since to generate my request I performed an update to ISPCFG 3.0.4.2

actually I just did an experiment:

edited the vhost via ISPCFG3 interface, simply increased the site's quota by 1MB and saved.

the following happened:
in the part of the vhost where port http is defined this was added:

Quote:
<IfModule mod_ssl.c>
SSLCACertificateFile /var/www/clients/client20/web36/ssl/premaman.co.za.bundle
</IfModule>
in the https part this section still looked like this:

Quote:
<IfModule mod_ssl.c>
SSLEngine on
SSLCertificateFile /var/www/clients/client20/web36/ssl/premaman.co.za.crt
SSLCertificateKeyFile /var/www/clients/client20/web36/ssl/premaman.co.za.key
SSLCACertificateFile /var/www/clients/client20/web36/ssl/premaman.co.za.bundle
</IfModule>
weird, I have done this several times already. Now it all seems to work just fine !?
confused, but we can close this topic I guess :-(
Reply With Quote
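
The symptom discussed in this thread is an HTTPS vhost that sets SSLCertificateFile but has no directive supplying the intermediate certificate. The shell function below is an added example, not code from any poster or from ISPConfig, that reports such vhosts; the name audit_vhost and the sample hostnames and paths are constructed, and it assumes that either SSLCertificateChainFile or SSLCACertificateFile counts as a chain source because both appear in the thread.

```shell
#!/bin/sh
# Added example: list HTTPS vhosts that configure a certificate but no
# intermediate-chain directive (the state that produced the warning above).

# audit_vhost FILE prints one line per <VirtualHost ...:443> block:
#   "<ServerName> OK <directive> <path>"  or  "<ServerName> MISSING_CHAIN"
audit_vhost() {
    awk '
        { d = tolower($1) }      # Apache directive names are case-insensitive
        d == "<virtualhost" {
            in_vh = 1; name = "(unnamed)"; cert = ""; chain = ""
            https = ($2 ~ /:443>?$/)
            next
        }
        !in_vh { next }
        d == "servername"         { name = $2 }
        d == "sslcertificatefile" { cert = $2 }
        # Assumption: either directive seen in the thread counts as a chain source.
        d == "sslcertificatechainfile" || d == "sslcacertificatefile" {
            if (chain == "") chain = $1 " " $2
        }
        d == "</virtualhost>" {
            if (https && cert != "")
                print name, ((chain != "") ? ("OK " chain) : "MISSING_CHAIN")
            in_vh = 0
        }
    ' "$1"
}

# Constructed sample, not the poster's file: one vhost without a chain line,
# one with the line that was added by hand in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<VirtualHost *:443>
  ServerName example.test
  SSLEngine on
  SSLCertificateFile /var/www/clients/client1/web1/ssl/example.test.crt
  SSLCertificateKeyFile /var/www/clients/client1/web1/ssl/example.test.key
</VirtualHost>
<VirtualHost *:443>
  ServerName fixed.example.test
  SSLEngine on
  SSLCertificateFile /var/www/clients/client1/web2/ssl/fixed.example.test.crt
  SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/startssl.sub.class2.server.ca.crt
</VirtualHost>
EOF
audit_vhost "$sample"
rm -f "$sample"
```

To check a live server, call audit_vhost on each file under /etc/apache2/sites-enabled/. A line marked OK only shows that a directive is present; openssl verify -untrusted <bundle> <cert> confirms that the referenced file actually completes the chain.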