*:443 not reachable?

[SparkyRih]

I've read a lot of threads o nthis forum, but non of them have a clear answer for my issue...

So I have a SSL certificate, installed it for one of my websites in the ISPConfig 3 contorlpanel... I also enabled SSL on the main config screen of the website...

But whenever I go to https://domain.nl(:443) IE gives me the error:


Internet Explorer cannot display the webpage.

/etc/apache2/apache2.conf is listening to port 443... but why is it still not working?

[ChrisZ]

This is the only thing I can think of off the top of my head. Did you specify "443" when ISPConfig asked which port to make the interface available on?

Chris

[SparkyRih]

Quote:

Originally Posted by ChrisZ

This is the only thing I can think of off the top of my head. Did you specify "443" when ISPConfig asked which port to make the interface available on?

Chris

Good question...
Where can I check this?

[ChrisZ]

http://www.howtoforge.com/forums/showthread.php?t=42519

Quote:

Originally Posted by gkot

edit

etc/apache2/sites-available/ispconfig.vhost

change line 7-10 to

Code:

 Listen 8080
NameVirtualHost *:8080

<VirtualHost _default_:8080>

login SSH to reboot apache

Code:

/etc/init.d/apache2 restart

I hope this helps!

[SparkyRih]

I guess you misunderstand my issue...
I'm able to login to the ISPConfig control panel (over port 8080, with an unsigned certificate, I'm fine with that)...

I'm trying to add an SSL certificate to one of the websites which is hosted on that server via ISPConfig...
The settings in ISPConfig seem right, I pasted the SSL cert into the second large field on the SSL tab of the website (including the ---begin, end--- delimiters), I enabled SSL on the main tab of that website, and if I go to my FTP server I can see that it did save the *.crt file correctly in the /ssl folder (if I open the file, it is the certificate signed by GeoTrust)...

I also tried to add this directive via ISPConfig

SSLCertificateChainFile /var/www/domain.ext/ssl/domain.ext.crt

After saving, when I go to the /etc/apache2/sites-availabledomain.ext.vhost I can see that that directive is presont on the last line (within the vhost tags)
I still end up with IE not being able to open any page (if I use https, http is fine)...

Edit: also tried editing the vhost tag from *:80 to *:443 or ext.ip.address:443 orr just *)...but nothing...

[till]

Please do not edit any of the apache config files manually, if you did any changes already, undo them as tehy will prevent the ssl website to work later. The procedure to install a ssl certificate in a website is:

1) Select the IP address in the site settings instead of *. If the IP does not show up, add it under System > Server IP.
2) Enable the ssl checkbox in the site settings.
3) Create a ssl certificate on the ssl certificate tab. If you have already created a cert that does not work, then delete this cert by selecting delete as action and press on save before you create a new ssl cert. Now test that the ssl site works with the self signed ssl cert.
4) If you want to use a signed ssl cert, then use the csr that ispconfig shows in the first field. Dont use any other csr as the crt and key will not match later and the sl site will fail.

[SparkyRih]

Config is back to defaults...

Do I really need to set that fixed IP? if I do, all my other sites redirect to that one site... if so I need to get a separate IP for every SSL site? (not really a problem, but just confirming before I get a second IP)...

But I can't get a new cert, I already generated the csr via openssl and purchased the ssl cert with GeoTrust...

Apache gives this error though: [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

But that's probably pretty much the same thign as you're telling me, but I thought maybe it's still usefull for anyone...

Edit: I did do what you told me, I added the fixed IP instead of the *, enabled SSL, createda a self signed certificate via the SSL tab, saved it, still nothing...

[till]

Quote:

Do I really need to set that fixed IP? if I do, all my other sites redirect to that one site... if so I need to get a separate IP for every SSL site? (not really a problem, but just confirming before I get a second IP)...

Just dont mix * and IP. If you switch all sites to use the IP, it will work again.

Quote:

But I can't get a new cert, I already generated the csr via openssl and purchased the ssl cert with GeoTrust...

Then you will have to replace cert and key manually in the ssl folder. But the ssl authority should also resign your cert for free based on the csr created in ispconfig. Thats nemed rekeying.

Quote:

Edit: I did do what you told me, I added the fixed IP instead of the *, enabled SSL, createda a self signed certificate via the SSL tab, saved it, still nothing...

Did you delete the cert before you created a new one?

[SparkyRih]

I got it to work for a minute with a self signed cert, but when I try te add my own cert (replacing the key manually) it does not work anymore...

The virtualhost with ip:443 was added (by ISPConfig) in the vhosts file of the website, but now the virtual host is not created anymore...

1. Created self signed cert: working

After this
1. Deleted the self signed certificate
2. Inserted the real certificate data in the certificate field, saved (gave the system some time, and waited for the *.crt file to appear in the ssl folder)...
3. added the www.domain.ext.key file manually to the ssl dir...

Edit: So it works now, agian with a self signed cert, now I replaced the files in the ssl dir, but it keeps using the self signed cert...

Edit 2: Got it... I removed al the certs from the ssl dir, and uploaded my own stuff, now it takes the signed certificate... and it just works perfect

Thanks for the help!

[ChrisZ]

Quote:

Originally Posted by SparkyRih

I guess you misunderstand my issue...

Yes, I sure did. I'm sorry. I actually thought, at first, that's what you meant and then read it again.