debian 8 ISPConfig 3 single IP how to enable multisites SSL ecrypted

Discussion in 'Installation/Configuration' started by Niubbo75, Nov 28, 2016.

  1. Niubbo75

    Niubbo75 Member

    Hello to all, I've a webserver where I give shared hosting, I will give the opportunity to install SSL Cert for all websites but I have a single public IP, how can I enable this service? Server was made following the Howto's the perfect server debian 8 apache dovecot...
    Is there a way to have it work w/out need to manually add every single vhost?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    This is called SNI and is active automatically, so no need for any additional configuration.simply create ssl certs for your sites.
     
  3. NdK

    NdK Member

    Currently all major browsers support SNI, that allows the server to know the destination vhost w/o having to try all the secret keys.
    So you should have no problems, unless someone tries to use a very old SO / browser (for example, IIRC on XP SNI was not supported).
     
  4. Niubbo75

    Niubbo75 Member

    Hello to all, maybe I've explain it in a worst way, I'm not talking about SNI, I'm talking about ssl cert for websites, but every websites will have they own ssl cert. I've try in ISPConfig adding my public IP to configuration and then add SSL to websites using startssl cert per domain name, I have done this:
    1. Add my public static IP to ISPConfig
    2. Assign that IP to websites
    3. Create ssl cert (I'm not write every steps for startssl)
    4. Save SSL configuration per website
    But browser can't recognize correct SSL cert. ATM I've got only one website that works with SSL but if I add other websites in the same way all gone down with the classi warning from browser of bad certificate.
    Am I doing something wrong? I do not assign public IP and use wildcard (*) on every websites?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    You are talking about SNI. SNI is the technology that is used when several websites share the same IP address under SSL.

    You can use your private IP in apache or *. The public IP in routed networks is only used in dns, never in apache as the router translates between public and private IP, not the web server.
     
  6. Niubbo75

    Niubbo75 Member

    Ok so I use * for every websites and I create for every websites ssl cert from startssl and I'm done?
     
  7. NdK

    NdK Member

    Yep. As long as the client supports SNI.
    If the client doesn't support it, it gets the first site and probably a "certificate mismatch".
     
  8. Niubbo75

    Niubbo75 Member

    No, it doesn't work :(
    I got the correct website but with cert of the first one and so users get warning and it's not a client issue because I've check it with https://www.sslshopper.com and all is ok exept for the cert that is the one of the first website.
    [EDIT] if I use EDGE on WIN10 I got also the first website. [/EDIT]
     
  9. NdK

    NdK Member

    Are you sure you pasted the correct PEM data under 'SSL' tab for that site?
    What if you try LetsEncrypt?
     
  10. Niubbo75

    Niubbo75 Member

    I have done this steps
    1. Go to Websites, choose the one I need to add SSL Cert, open SSL Tab in ISPConfig
    2. Fill info with the same I have use on startssl's website, choose SSL Domain, generate SSL Key
    3. Copy SSL Key and paste it on startssl's website, generated Certificate Request
    4. getting website SSL Cert and root cert (to use into SSL Bundle)
    5. copy and paste SSL Certificate into SSL Certicate box
    6. copy and paste SSL root cert (SSL Bundle) into SSL Bundle box
    those are the same steps I had done with the other website that work like a charm (checked also it with sslshopper and I get no issue).

    Let'sencrypt. I have think about it and in my new infrastructure I'll integrate it with ISPConfig 3.1.1 (or whatever release it will have the day I'll do that) but ATM I'm not in the mood to install & configure it, if there are no *easy* way to have this working, I'll wait till next month when I'll build up the new ones.
     
  11. NdK

    NdK Member

    Maybe a silly question but... did you enable SSL from the first tab after saving the cert?
    Another possible issue is the order of the certs in the chain: I've always had to wreste with it a bit... I never remember if the first must be the first or the second intermediate (IIRC root must not be included). That's one of the reasons that made me migrate to LE :)
    For other possible problems it's better to check all error.log files (at least the one in /var/log/apache2 and the one for the vhost).
    For my checks I usually use ssllabs.com that gives many hints.
    BTW, no need to reinstall, just upgrade ispc with ispconfig_update.sh : 3.1 is stable. No need for the SSL tab completely, just select "Let's Encrypt SSL" from the "Domain" tab. Couldn't be easier than that :)

    PS: IIRC, startssl always included the 2nd level domain in the cert, so you can have troubles if you have both c.b.a and e.b.a domains because both certs would be valid for *.b.a .
     
  12. Niubbo75

    Niubbo75 Member

    Sure I did!
    I've check that twice and after that I've re-check it twice again, I can be quiet sure to have out them in the right place.
    Check but I've not see anythings wrong (I mean under warnings and/or errors).
    I've try it now and he have find the cert files of the first website (the one that works great).
    I'm scared on what could be happen if something went wrong! :eek::eek::eek:
    It's not my case, I have differents domain name and 2nd levels, I'm not trying to add SSL cert i.e. to domain.com and mail.domain.com I'm trying to have :
    domain.com - www.domain.com for the first one
    and
    seconddomain.com www.seconddomain.com
     
  13. NdK

    NdK Member

    The only other thing I can think of (even if ISPC usually takes care of keeping 'em updated!) is looking at the content of the files under /var/www/seconddomain.com/ssl/ and check they match what you entered in ISPC and then check that /etc/apache2/sites-available/seconddomain.com.vhost references the correct files.
    If all this is OK, I don't know what else to check...
     
  14. Niubbo75

    Niubbo75 Member

    Nothing, I've check all the things and all are correct. The last thing I want to try is to change the chain cert, I'm thinking the problem is there because is the only thing that seems to be "in common" with the other website, but ATM I can't do that because I do not have access to startssl with this PC on that credentials, Tomorrow I'll get the PC that have that cert file and I'll try to change chain cert.
     
  15. NdK

    NdK Member

    You can save the certificates as single files (brom BEGIN CERTIFICATE to END CERTIFICATE) and verify their content with openssl:
    openssl x509 -noout -text -in file.pem​
    Start dumping the server's one and look at the issuer data. Then dump the first cert of the chain and check that the subject matches the issuer data in the server's cert, then verify its issuer matches the subject of the next cert in the chain & so on.
    You can speed up the process a bit if you change the files directly and manually restart Apache, w/o having to wait for ISPC's cron. Then, once the chain is verified, you copy it in ISPC to keep the db in sync with the files.
     
  16. Niubbo75

    Niubbo75 Member

    No way :( Still having certificate name mismatch. I've checked both path in vhost and cert in /ssl folder and are both ok but I still have not trusted certificate because it load the one of the first website.
     
  17. Jesse Norell

    Jesse Norell Active Member

    Sure sounds like you've mixed '*' and the ip address in one of your website settings, you might double-check that (again). Maybe check `apachectl -S` output to see what apache is using for all your vhosts.
     
  18. Niubbo75

    Niubbo75 Member

    Done again right now and I have no website using IP, all of them are using '*' plus ATM I have only 1 website on https and 1 that I'm trying to be https so I have with apachectl -S *:443 defualt server myfirstwebsite.com and mysecondwebsite.com other websites are all on *80
     

Share This Page