
3rd March 2007, 14:44
|
|
Senior Member
|
|
Join Date: Feb 2007
Posts: 100
Thanks: 0
Thanked 9 Times in 9 Posts
|
|
SSL On Dedicated IP
I'm not sure what's happening here. I have 4 IP addresses on my system. 1 Shared IP and 3 dedicated IPs.
I have a site set on a dedicated IP with no other sites committed to that IP. I've placed that site's SSL Certificate (pasted into ISPConfig), the key file and the CA certificate in /var/www/www.website.com/ssl directory.
I put these apache mods in the site's ISPConfig...
SSLCACertificateFile /var/www/www.website.com/ssl/rapidssl_01.cer
SSLCertificateKeyFile /var/www/www.website.com/ssl/www.website.com.key
SSLCertificateFile /var/www/www.website.com/ssl/www.website.com.crt
Any attempts to access the https address result in the Fedora test page coming up with the ssl cert for localhost.
Any ideas?
|

3rd March 2007, 19:02
|
|
Senior Member
|
|
Join Date: Feb 2007
Posts: 100
Thanks: 0
Thanked 9 Times in 9 Posts
|
|
OK, here's what I've done/found so far...
I removed these apache mods in the site's ISPConfig; they aren't needed...
SSLCACertificateFile /var/www/www.website.com/ssl/rapidssl_01.cer
SSLCertificateKeyFile /var/www/www.website.com/ssl/www.website.com.key
SSLCertificateFile /var/www/www.website.com/ssl/www.website.com.crt
Now, I do have the SSL working properly but it took a while to get it to work.
I generated a CSR. Which in turn generated a KEY.
When I restarted HTTPD, it would not come back up. So, I rebooted the system. During boot at HTTPD Start the system asked me for a Private Key password. Well, this is unusual since when I installed ISPConfig I did NOT encrypt the key files. However when installing FC3 per the perfect setup instructions I DID encrypt those keys. Is this the problem? And if so, can I regenerate those keys?
Now, I did however get the SSL to work since this is a simple transfer of web sites and I had an existing SSL/Key set. I simply pasted the SSL Cert into ISPConfig and saved it. Then deleted the key generated by ISPConfig and replaced it with the existing key for the SSL cert.
It still bothers me that I'd be asked for a password on boot. Especially since I'll need to generate a new CSR for that site in about 2 weeks.
|

4th March 2007, 14:41
|
|
Super Moderator
|
|
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,665
Thanks: 1,896
Thanked 2,591 Times in 2,443 Posts
|
|
Quote:
|
Originally Posted by Hawker
It still bothers me that I'd be asked for a password on boot.
|
Are you referring to your main Apache or ISPConfig's Apache?
If it's ISPConfig's Apache, take a look here: http://www.ispconfig.org/manual_installation.htm
Quote:
|
In step 7 ("Encrypting RSA private key of CA with a pass phrase for security [ca.key]") and step 8 ("Encrypting RSA private key of SERVER with a pass phrase for security [server.key]") of the certificate creation process you are asked if you want to encrypt the respective key now. Choose n there because otherwise you will always be asked for a password whenever you want to restart the ISPConfig system which means it cannot be restarted without human interaction!
|
|

4th March 2007, 16:26
|
|
Senior Member
|
|
Join Date: Feb 2007
Posts: 100
Thanks: 0
Thanked 9 Times in 9 Posts
|
|
Quote:
|
Originally Posted by falko
|
The ISPConfig Apache. I did NOT encrypt the key. I can reboot all day long and not be asked for a key password.
What happened is when I created a certificate request in ISPConfig a key was generated. When HTTPD tried to restart it failed. So, I rebooted and when HTTPD tried to start it asked for a key password. The first HTTPD start not the ISPConfig start.
The only SSL key that is encrypted is the Postfix SSL. But it never asks for a password on boot.
Last edited by Hawker; 4th March 2007 at 16:32.
|

4th March 2007, 18:16
|
|
Super Moderator
|
|
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 31,872
Thanks: 689
Thanked 4,182 Times in 3,201 Posts
|
|
Please don't mix up the ISPConfig apache and your main apache webserver. You can not create an SSL key or certificate for the ISPConfig apache webserver that is running on port 81.
To create a new unencrypted SSL cert for the ISPConfig apache webserver, please follow the steps described here:
http://www.howtoforge.com/forums/showthread.php?t=121
|

4th March 2007, 18:46
|
|
Senior Member
|
|
Join Date: Feb 2007
Posts: 100
Thanks: 0
Thanked 9 Times in 9 Posts
|
|
I think we're getting a little mixed up here. It might be my fault with the way I worded things.
I can currently re-boot without ever being asked for a key password. ISPconfig was compiled with a NON-encrypted key.
Here's where the problem came in...
I created a new website on a free IP address.
In ISPconfig I created a CSR for the new website which also created a key for that CSR
HTTPD would not restart from within ISPConfig <---
I rebooted the machine <---
At HTTPD start I was asked for a key password?? <---
To get past this....
I had to do a manual start and not start httpd or ispconfig.
I removed the new key that was created in /var/web/webXX/ssl <---
I rebooted the machine without a problem. <---
|
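Added example, not part of any post in this thread: a pre-restart check that reports which per-site private keys are passphrase-protected, since an encrypted key is what makes httpd stop and ask for a password at start. It reads only the PEM headers; the `<root>/<site>/ssl/*.key` layout follows the paths quoted above and is an assumption, as are the function names and the constructed sample keys.

```shell
#!/bin/sh
# key_state FILE -> prints "encrypted", "plain" or "not-a-key"
key_state() {
    f=$1
    # PKCS#8 encrypted keys carry their own PEM label.
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo encrypted
    # Traditional PEM keys flag encryption in a header under the BEGIN line.
    elif grep -q -e '^Proc-Type: 4,ENCRYPTED' "$f"; then
        echo encrypted
    elif grep -E -q -e '-----BEGIN ((RSA|EC|DSA) )?PRIVATE KEY-----' "$f"; then
        echo plain
    else
        echo not-a-key
    fi
}

# scan_keys ROOT -> lists "state<TAB>path" for ROOT/*/ssl/*.key;
# returns 1 if any key would need a passphrase at httpd start.
scan_keys() {
    root=$1
    rc=0
    for k in "$root"/*/ssl/*.key; do
        [ -f "$k" ] || continue
        s=$(key_state "$k")
        printf '%s\t%s\n' "$s" "$k"
        if [ "$s" = encrypted ]; then rc=1; fi
    done
    return $rc
}

# Constructed sample tree: placeholder bodies, not real key material.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/web1/ssl" "$t/web2/ssl"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'Q09OU1RSVUNURUQ=' \
        '-----END RSA PRIVATE KEY-----' > "$t/web1/ssl/site.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END RSA PRIVATE KEY-----' > "$t/web2/ssl/site.key"
    echo "$t"
}

sample=$(make_sample_tree)
scan_keys "$sample" || echo "encrypted key present: httpd would prompt at start"
rm -rf "$sample"
```

Run `scan_keys` against the real web root before restarting httpd; a non-zero exit means at least one key needs a passphrase.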

5th March 2007, 18:25
|
|
Super Moderator
|
|
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,665
Thanks: 1,896
Thanked 2,591 Times in 2,443 Posts
|
|
Which distribution do you use?
Did you install your main Apache from your distribution's packages, or did you compile it manually?
|

5th March 2007, 19:56
|
|
Senior Member
|
|
Join Date: Feb 2007
Posts: 100
Thanks: 0
Thanked 9 Times in 9 Posts
|
|
ISPConfig version: 2.2.10 - Setup per instructions
On a Fedora Core 3 perfect setup.
Somehow, this problem seems to have vanished on its own. I'm not sure what caused it but I generated the SSL CSR again today for that web site and it didn't happen. I even re-booted after doing it to be sure. It might have been gremlins.
By the way, on the CSR topic is it possible to keep the CRT and KEY files that already exist intact? That is until the new CRT is received. Fortunately I had backup copies so the site can still operate under SSL until the new CRT is received.
|

6th March 2007, 08:26
|
|
Super Moderator
|
|
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 31,872
Thanks: 689
Thanked 4,182 Times in 3,201 Posts
|
|
Quote:
|
By the way, on the CSR topic is it possible to keep the CRT and KEY files that already exist intact? That is until the new CRT is received. Fortunately I had backup copies so the site can still operate under SSL until the new CRT is received.
|
They stay intact as long as you don't choose to create a new certificate. Don't choose create as the option if you only want to update / save an existing certificate.