Creating a SSL certificate - Quick guide

Discussion in 'Tips/Tricks/Mods' started by SamTzu, Jan 1, 2010.

  1. SamTzu

    SamTzu Member HowtoForge Supporter

    If you want to get Commercial SSL Certificate for 2048bit or stronger encryption (Godaddy etc.) you need to change ISPConfig3 core settings.

    Follow this Quick guide to do it. If you just want to get your own non-commercial Certificate to work skip this ISPConfig3 hack and proceed to the Normal SSL configuration.

    ISPConfig3 hack SSL guide.

    1. If you have already created a cert, delete it from the SSL tab for your site.
    2. Disable SSL for your website from the Website tab.
    3. Open /usr/local/ispconfig/server/plugins-available/ and change 1024 (second instance, not the default setting - although it may still work changing both) to 2048 or 4096.
    4. Save the file and restart apache2 (i.e. /etc/init.d/apache2 restart) for good measure.
    5. Note: If you experience an error restarting apache2 (e.g. "(98)Address already in use: make_sock: could not bind to address") then do the following:
      • sudo lsof -i :80
      • Determine the pid of the running service and...
      • kill <pid from step 2>
      • /etc/init.d/apache2 restart
        It should start this time. I'm not sure what may cause this, but I had experienced it many times. It may have something to do with Subversion if you have it enabled under apache.
    6. Go back to ISPConfig and create a new certificate as you would normally.
    7. Go back to the SSL tab (may have to restart apache again if you do not see the keys in the first two fields (not sure why, but I experienced this a few times).
    8. Copy the code from the SSL request fields and provide that to GoDaddy as the request key.
    9. Once you download your certificate from GoDaddy, paste the contents of the file into the SSL Certificate field (replacing what is there), select Save Certificate form the pulldown and click Save. The SSL Bundle was left empty (not sure if I needed anything here or not...can anyone confirm).
    10. Restart apache2 for good measure and test it out.

    Normal SSL configuration.

    1. Make sure that your (Linux) server has 1 IP address for each site that needs a Cert (and one for the server.)
    2. Make sure that those IP addresses are configured in 'ISPConfig3 | System | Edit Server IP' list.
    3. Make sure that the 'new' Certificate site does not have * as it's address in 'Sites | Website | IP-Address' field.
    4. Make sure that SSL is enabled in that same page
    5. Make sure that the DNS address points to that IP-Address that was defined for the website and not the old address (*) that you probably had to change when starting this process.
    6. On 'Sites | Website | SSL' enter your Certificate settings. (Your locale and Company info.)
    7. On the same page in 'SSL Action' 'Create Certificate' and Save.
    8. Wait a moment.
    9. Refresh SSL settings page. You should see the new Certificate code now.
    You can now use the
  2. jon

    jon Member HowtoForge Supporter

    I've tried three times but get the following error ...

    [Thu Feb 04 08:25:44 2010] [error] Unable to configure RSA server private key
    [Thu Feb 04 08:25:44 2010] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Looks as if you uploaded a ssl certificate that is not based on the csr created by ispconfig.
  4. jon

    jon Member HowtoForge Supporter

    I agree it looks like that, but I used what was in the csr box. I also wonder if the key was right.

    With Step 6 - Go back to ISPConfig and create a new certificate as you would normally. - Would that be normally as in the normal way you documented it below?

    Also, I assume we should re-activate SSL for the site once the cert is in.

    I did notice some strangeness with boxes being populated (as you mentioned). I wonder is it possible / better (for now) to create a certificate the old fashioned way and then save it in place of the .csr .key and .crt that ISPConfig spits out?
  5. weezul

    weezul New Member

    heres what i did:

    goto ispconfig uncheck ssl and delete the certificates... click save..
    now wait a few minutes or just run the cron urself.

    now edit ispconfig settings:

    # vi /usr/local/ispconfig/server/plugins-available/
    goto line 140 and change 1024 to 2048 or 4096.

    run the cron again, u should see ispconfig generate new keys.

    at this step i reloaded apache..

    go back into ispconfig, click create certificate and enable ssl.

    run the cron, u should see ispconfig creating the keys now...

    reload apache, relogin in ispconfig.. your certs should be there now.

    now u can use your ssl request file and let it sign from whereever u get your certificate.. replace the certificate created by ispconfig with your signed one.

    at this step it worked for me.. also i followed another tutorial so i added 2 more files and pasted the following lines into the options / apache directives form.
    SSLCertificateChainFile /var/www/domain.tld/ssl/
    SSLCACertificateFile /var/www/domain.tld/ssl/ca.pem
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    The SSL encryption has been set to 2048 in SVN, so this part will be fixed with the next ispconfig release (3.0.2).
  7. bswinnerton

    bswinnerton New Member

    As far as I know, yes it's required. It can be found here: as gd_bundle.crt
  8. Fantu

    Fantu New Member

    the more simple procedure (example base on certificate class 1 in is:
    - create certificate in ispconfig
    - take the field SSL Request content and do the certificate with this in startssl site
    - take the content of certificate create and copy in "SSL Certificate" and take content of and ca.pem and copy in "SSL Bundle" on ispconfig and select save option
    Finish and work, sorry if i not explain good^^''
  9. rylangrant

    rylangrant New Member

    I tried following your instructions it didn't work for me. I originally generated a 1024 bit one until I realized godaddy required 2048 or 4096. I followed your instructions but it never generates the key for me. Even after gong back to the 1024 setting, it still won't generate a key. Any ideas on where to look or what to do? I've looked for errors and I can't find any, and I can restart apache without problems.

  10. Fantu

    Fantu New Member

    the my instruction is tested only on 3.0.2 from svn (but near to stable)
  11. rylangrant

    rylangrant New Member

    I'm running

    Any suggestions on how to get this going? I would assume there has to be some way of doing it.
  12. Fantu

    Fantu New Member

    vi /usr/local/ispconfig/server/plugins-available/

    goto line 140 and change 1024 to 2048 or 4096...on command for certificare create (take from this post, i'm not sure is correct number line for your version)

    delete certificate create in ispc before and create another
  13. rylangrant

    rylangrant New Member

    That's what I did.

    When you say to delete the certificate in ISPC, do you mean in the web interface, ie the action is to delete, or do you mean manually delete it somewhere via command line? In the web interface there isnt anything to delete, the action always goes back to none after a minute or two.
  14. Fantu

    Fantu New Member

    you have select delete in "SSL Action" and click to sava button? (after wait the cron execution for effective delete)
  15. rylangrant

    rylangrant New Member

    ok yes that is exactly what I was doing.

    I couldn't find the cron job to run, how/where do i run that cron job manually? I was waiting a few minutes which I assume would do the same thing.
  16. falko

    falko Super Moderator ISPConfig Developer

    You can find the command in the output of
    crontab -l
  17. abubin

    abubin New Member

    if commercial ssl cert is using 2048, why not just change 2048 for everyone? Why still need to use 1024? Can't self generated script work for 2048?

    Also, is it possible to add an option during the ssl generation for user to choose 1024, 2048 or 4096 bit type of SSL? If I remember correctly most control panels have this option.
  18. onestone

    onestone New Member

    on my ispconfig3 (last version) 2048 is the default...
  19. jeeva

    jeeva New Member

    I'm running latest ISPconfig so it is already 2048 bits. But how do I display the 'csr' output when I first installed the server?

  20. onestone

    onestone New Member

Share This Page