Changing SSL box does not affect vhost file

Discussion in 'Installation/Configuration' started by Mike007, Oct 23, 2011.

  1. Mike007

    Mike007 New Member

    ISPconfig ver 3.0.3.3
    OS: CentOS 5.7 x86_64
    Problem: Sites-->Website --> Webdomain --> SSL checkbox
    No matter if it is checked or not - there are no changes saved to vhost file ;(

    Here is the log from ispconfig.log (debug loglevel) while
    ->first: unchecking SSL box
    Code:
    23.10.2011-18:21 - DEBUG - Found 1 changes, starting update process.
    23.10.2011-18:21 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    23.10.2011-18:21 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    23.10.2011-18:21 - DEBUG - exec: chmod 751 /var/www/clients/client23/web91/
    23.10.2011-18:21 - DEBUG - exec: chmod 751 /var/www/clients/client23/web91/*
    23.10.2011-18:21 - DEBUG - exec: chmod 710 /var/www/clients/client23/web91/web
    23.10.2011-18:21 - DEBUG - exec: chmod 777 /var/www/clients/client23/web91/tmp
    23.10.2011-18:21 - DEBUG - exec: chmod 755 /var/www/clients/client23/web91/log
    23.10.2011-18:21 - DEBUG - exec: usermod --groups sshusers web91
    23.10.2011-18:21 - DEBUG - exec: chown web91:client23 /var/www/clients/client23/web91
    23.10.2011-18:21 - DEBUG - exec: chown web91:client23 /var/www/clients/client23/web91/log/error.log
    23.10.2011-18:21 - DEBUG - Disable SSL for: my.domain
    23.10.2011-18:21 - DEBUG - Writing the vhost file: /etc/httpd/conf/sites-available/my.domain.vhost
    23.10.2011-18:21 - DEBUG - Apache status is: 1
    23.10.2011-18:21 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    23.10.2011-18:21 - DEBUG - Apache online status after restart is: 1
    
    and then (a little later)
    -> check this SSL box on again.

    Code:
    23.10.2011-18:23 - DEBUG - Found 1 changes, starting update process.
    23.10.2011-18:23 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    23.10.2011-18:23 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    23.10.2011-18:23 - DEBUG - exec: chmod 751 /var/www/clients/client23/web91/
    23.10.2011-18:23 - DEBUG - exec: chmod 751 /var/www/clients/client23/web91/*
    23.10.2011-18:23 - DEBUG - exec: chmod 710 /var/www/clients/client23/web91/web
    23.10.2011-18:23 - DEBUG - exec: chmod 777 /var/www/clients/client23/web91/tmp
    23.10.2011-18:23 - DEBUG - exec: chmod 755 /var/www/clients/client23/web91/log
    23.10.2011-18:23 - DEBUG - exec: usermod --groups sshusers web91
    23.10.2011-18:23 - DEBUG - exec: chown web91:client23 /var/www/clients/client23/web91
    23.10.2011-18:23 - DEBUG - exec: chown web91:client23 /var/www/clients/client23/web91/log/error.log
    23.10.2011-18:23 - DEBUG - Disable SSL for: my.domain
    23.10.2011-18:23 - DEBUG - Writing the vhost file: /etc/httpd/conf/sites-available/my.domain.vhost
    23.10.2011-18:23 - DEBUG - Apache status is: 1
    23.10.2011-18:23 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    23.10.2011-18:23 - DEBUG - Apache online status after restart is: 1
    
    Both cases give the same info:
    23.10.2011-18:21 - DEBUG - Disable SSL for: my.domain (this one is OK)
    23.10.2011-18:23 - DEBUG - Disable SSL for: my.domain

    The file my.domain.vhost only got a new timestamp.
    BTW, changing other attributes, e.g. IP address, works fine.
     
  2. falko

    falko Super Moderator

    After you have enabled the SSL checkbox, you must go to the SSL tab and create a certificate. This is also described in the ISPConfig 3 Manual.
     
  3. till

    till Super Moderator

    That's OK, it means that there is no valid SSL certificate created yet for that website. Go to the SSL tab and create an SSL cert.
     
  4. Mike007

    Mike007 New Member

    I have a Comodo CA cert already installed.
    I did it by copying and pasting into textboxes:
    1. SSL Request - content of filename: AddTrustExternalCARoot.crt
    2. SSL Certificate - content of filename: my.domain.crt
    3. SSL Bundle - content of filename: COMODOHigh-AssuranceSecureServerCA.crt

    Then I chose SSL Action: Save Certificate.
    Saving produces this debug info:
    Code:
    24.10.2011-10:33 - DEBUG - Calling function 'update' from plugin 'apps_vhost_plugin' raised by event 'server_update'.
    24.10.2011-10:33 - DEBUG - Calling function 'update' from plugin 'network_settings_plugin' raised by event 'server_update'.
    24.10.2011-10:33 - WARNING - Network configuration disabled in server settings.
    24.10.2011-10:33 - DEBUG - Calling function 'update' from plugin 'postfix_server_plugin' raised by event 'server_update'.
    
    WARNING - Network configuration disabled in server settings.
    I think this warning has nothing to do with this problem, am I right?

    Certificates are saved in this location:
    Code:
    # ls -l /var/www/clients/client3/web91/ssl
    total 12
    -rw-r--r-- 1 root root 1788 Oct 23 12:13 my.domain.bundle
    -rw-r--r-- 1 root root 2089 Oct 23 12:13 my.domain.crt
    -rw-r--r-- 1 root root 1520 Oct 23 12:13 my.domain.csr
    
    PS. my.domain is not real domain name of course.
     
  5. till

    till Super Moderator

    Have you created the csr for this certificate in this ispconfig website? If not, then the ssl cert is incomplete as the key file is missing. To fix this, you will have to install the key in the ssl folder manually in the file my.domain.crt and then enable the ssl cert in ispconfig again.
     
  6. Mike007

    Mike007 New Member

    Thank You,

    I removed certificate by choosing SSL action 'Delete Certificate'. Folder .../web/ssl/ is empty now. I also cleared all textboxes on 'Web Domain' and I checked vhost file (OK - it is without SSL directives).

    Now I started from the beginning.
    I filled all required fields (Now State, Locality, Organisation, Organisation Unit, Country, SSL Domain) and chose SSL Action 'Create Certificate'.
    And... It works! :)

    Folder .../web/ssl has now these files:
    Code:
    # ls -l /var/www/clients/client23/web91/ssl
    total 16
    -rw-r--r-- 1 root root 1322 Oct 24 12:14 my.domain.crt
    -rw-r--r-- 1 root root 1115 Oct 24 12:14 my.domain.csr
    -r-------- 1 root root 1675 Oct 24 12:14 my.domain.key
    -rw-r--r-- 1 root root 1743 Oct 24 12:14 my.domain.key.org
    
    SSL works but of course the certificate is untrusted.
    Now I have to figure out how to put in the COMODO certificate.

    The SSL Bundle textbox is empty, so should I fill this box with the intermediate cert (file: COMODOHigh-AssuranceSecureServerCA.crt)?
    What else should I do?
     
  7. till

    till Super Moderator

    You have to sign the csr now so that you get a new trusted certificate from comodo. Comodo should do the reissue of the certificate for free. So the steps are now:

    1) Login to your comodo account and request a reissue of the ssl cert based on the csr that is shown in the ispconfig interface.
    2) You will get a new ssl certificate from comodo then, copy the contents of this new certificate into the certificate field in ispconfig and the content of the ssl intermediate cert into the ssl bundle field. Then select save certificate as action and click on save.
     
  8. Mike007

    Mike007 New Member

    I did it my way and it works now - but it was a bit of a sneaky idea ;)
    While SSL is working now (I mean the vhost file contains SSL info), I copied into the Website Webdomain textboxes the content of files I owned before:
    1. SSL Request - content of filename: my.domain.csr
    2. SSL Certificate - content of filename: my.domain.crt
    3. SSL Bundle - content of filename: COMODOHigh-AssuranceSecureServerCA.crt

    Then simply apply SSL Action 'Save Certificate'

    my.domain.csr - the file that I previously generated myself for CA Authority (COMODO) for the certificate request process.
    my.domain.crt - domain certificate received from CA.

    Then I copied the my.domain.key file to the .../web/ssl folder. This file was also created during the certificate request process for signing the my.domain.csr file. That file replaced the one created by ISPconfig.

    But... there is a little problem while restarting the httpd service:
    Code:
    # service httpd restart
    Stopping httpd:                                            [  OK  ]
    Starting httpd: Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
    Some of your private key files are encrypted for security reasons.
    In order to read them you have to provide the pass phrases.
    
    Server my.domain:443 (RSA)
    Enter pass phrase:
    
    OK: Pass Phrase Dialog successful.
    
     
    Last edited: Oct 24, 2011
  9. till

    till Super Moderator

    You created an encrypted ssl key, so that it requires a password now. Make sure that you don't reboot the server now, it will not come up again until you fix your key. You will have to decrypt the key and store the decrypted key instead of the encrypted one.
     
  10. Mike007

    Mike007 New Member

    Yes, I decrypted the key
    Code:
    # openssl rsa -in my.domain.key -out new.my.domain.key
    Enter pass phrase for my.domain.key:
    writing RSA key
    # cp new.my.domain.key my.domain.key
    
    I rather thought the problem was that I should use ispserver.key to sign the *.csr file, but I see that ispserver.key is not encrypted either. ISPconfig has an encrypted key file, ispserver.key.secure, and encrypted files like *.domain.key.org created for the SSL websites.

    Anyway, thanks for the great help.

    [PROBLEM SOLVED]
     
    Last edited: Oct 24, 2011
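
Added example (not part of the thread and not ISPConfig code): a shell check for the problems this thread ran into in a website's ssl folder, namely a missing private key, a pass-phrase-protected key, and a certificate that does not belong to the key, plus a check that the key is not group- or world-readable. The function name `audit_ssl_dir` and the finding labels are made up for this example; the `<domain>.key` / `<domain>.crt` layout follows the directory listings above.

```sh
#!/bin/sh
# Added example: audit one ISPConfig website ssl folder before enabling SSL.
# Usage: audit_ssl_dir /var/www/clients/clientX/webY/ssl my.domain
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_ssl_dir() {
    dir=$1; dom=$2; rc=0
    key="$dir/$dom.key"; crt="$dir/$dom.crt"

    [ -f "$crt" ] || { echo "MISSING_CERT $crt"; rc=1; }
    if [ ! -f "$key" ]; then
        # The state in post 4: .crt, .csr and .bundle saved, no private key.
        echo "MISSING_KEY $key"
        return 1
    fi

    # Traditional PEM flags encryption in a Proc-Type header, PKCS#8 in its
    # BEGIN line. Either makes httpd stop at the pass phrase dialog.
    enc=0
    if grep -Eq 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$key"; then
        echo "ENCRYPTED_KEY $key"; enc=1; rc=1
    fi

    # Characters 5-10 of the ls mode string are the group and other bits;
    # a private key should grant none (0400 or 0600).
    if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "LOOSE_KEY_PERMS $key"; rc=1
    fi

    # Compare the public key in the certificate with the one derived from
    # the private key. Skipped for encrypted keys (openssl would prompt).
    if [ -f "$crt" ] && [ "$enc" -eq 0 ] && command -v openssl >/dev/null 2>&1; then
        cpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || :
        kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null </dev/null) || :
        if [ -z "$cpub" ] || [ "$cpub" != "$kpub" ]; then
            echo "KEY_CERT_MISMATCH $crt"; rc=1
        fi
    fi
    return $rc
}
```

A CA-issued certificate only passes the last check when it was issued for a CSR generated from the key in the same folder, which is why the reissue or the manual key copy was needed in this thread.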
