Adding a WoSign SSL certificate to a website

Discussion in 'General' started by Been Told, Mar 16, 2015.

  1. Been Told

    Been Told Member

    Hello!
    I have signed up for an SSL certificate at Wogsign and after going through their setup process and generating a Certificate Request in ISP (and enabling SSL for the website) I received a zip archive with crt and spc files. The folder marked "for Apache" (which my vServer runs on) has two files in it:
    1_root_bundle.crt
    2_[domainname.tld].crt

    Do I just open the files with a text editor and paste them in the corresponding fields for the website in ispConfig?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    yes
     
    Been Told likes this.
  3. Been Told

    Been Told Member

    Thanks till!
    I did this. But I get an error im my browser when visiting the site via https.
    The error is:
    [domain.tld] uses an invalid security certificate.
    The certificate is not trusted because it is self-signed.
    (Error code: sec_error_unknown_issuer)
     
  4. S0ft

    S0ft Member HowtoForge Supporter

    I also had that confusion, I solved it as well.
    hopefully translate well since I speak Spanish.

    1.-ispconfig3 creates a certificate

    2.-textarea ispconfig3 SSL Request send wosign so generate you the certificate
    then you replaced certificate wosign that had already created ispconfig3
     
  5. Been Told

    Been Told Member

    Thanks loadingjkr!
    I did this too. What did you put in the field SSL Bundle?
     
  6. Been Told

    Been Told Member

    Ok, I am an idiot. I forgot to select "Save certificate" and click ok.
    Now there is no error message...

    However, there is a little warning sign icon next to the site's address. And when you hover over it, it says:
    "This website does not supply identity information."
    Is that how it should be?
     
  7. S0ft

    S0ft Member HowtoForge Supporter

  8. Been Told

    Been Told Member

    Thanks!
    The sslshopper check was all green. The SSLlabs one gave me these two errors/warnings:
    • This server accepts the RC4 cipher, which is weak. Grade capped to B.
    • The server does not support Forward Secrecy with the reference browsers.
    As for how to fix this, I am not quite sure yet. I am looking for information on how to disable acceptance of RC4 cipher and enable forward secrecy with ISPconfig.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    The ssl cipher settings are not ISPConfig specific.

    The default ssl ciphers of most linux distributons are not set that strictly to ensure that also older clients (browsers) can connect to them. If you wnat to have only strong ciphers, then you can find a good article here:

    https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

    The file where you add it depends on the Linux distribution that you use.
     
    Been Told likes this.
  10. Been Told

    Been Told Member

    Thanks very much till! I started following the tutorial, but when I enter these commands:
    Code:
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    I get the error message: command not found.

    Where as this works:
    Code:
    openssl ciphers -v 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS'
    I set up my vServer with the perfect server tutorial Debian 7 here on HowToForge. So I am running ISPConfig 3 on Debian 7.
    Is there something obvious I am missing?
     
  11. S0ft

    S0ft Member HowtoForge Supporter

    Attached Files:

    • bit.png
      bit.png
      File size:
      93 KB
      Views:
      53
  12. Been Told

    Been Told Member

  13. till

    till Super Moderator Staff Member ISPConfig Developer

    These are no commands, that are settings for the apache config file, so you have to set it in the apache ssl config file. On Debian it is the file /etc/apache2/mods-available/ssl.conf
     
    Been Told likes this.
  14. Been Told

    Been Told Member

    Thanks till!
    I've now added the lines to the above file and now the error is a different one. :D
    It says the website does not provide owner information. As far as I have been able to figure it out, that's because I'm using a free SSL certificate. That green symbol thing appears in the browser only if you purchase one of those more expensive certificates. Right?
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes. But be carefull when buying a cert, there are cheaper domain validated verts and expensive certs with extended validation. For example you can see a cheaper one here at howtoforge, the ssl cert is just domain validated, the expensive ones are the certs where you see the company name in the url bar in chrome, e.g. paypal.com
     
  16. Been Told

    Been Told Member

    Thanks till!
    I'm gonna check and compare. This has definitely been a learning experience for me! Never dealt with SSL before. Thanks guys for helping me!
     

Share This Page