Enable SSL in main domain

Discussion in 'ISPConfig 3 Priority Support' started by Davide, Nov 15, 2017.

  1. Davide

    Davide Member HowtoForge Supporter

    Hi
    I have "old configuration" for SSL on ispconfig panel:

    /etc/apache2/sites-available/ispconfig.vhost
    NameVirtualHost *:443
    <VirtualHost _default_:443>
    [..]
    SSLEngine On
    SSLProtocol All -SSLv3
    SSLCertificateFile /etc/apache2/ssl/mydomain_com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/myserver.key
    SSLCACertificateFile /etc/apache2/ssl/intermediate.crt

    It's answering on "https://hostname.mydomain.com"

    As I have a wildcard certificate, I'd like to serve all of "mydomain.com" (including the ispconfig login) with the same certificate, listening on 443.
    Is it possible?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, that's possible. But the ispconfig vhost file should not be edited, your changes in that file will get removed anyway. Instead of editing that file, put your SSL certificate, key and bundle into the ISPConfig ssl directory (/usr/local/ispconfig/interface/ssl/) and replace the files that exist there without changing the file names.

    Additionally, you will have to set your SSL cert in the default ssl vhost file of your Linux system.

    This thread might help you with that as well:

    https://www.howtoforge.com/communit...l-port-8080-with-lets-encrypt-free-ssl.75554/
     
  3. Davide

    Davide Member HowtoForge Supporter

    Hi

    Do you mean this one (Debian 8)?
    /etc/apache2/sites-available/default-ssl.conf

    There is a lot more configuration to change on that file...

    Or do you mean to put the certificate on the "mydomain.com" site in the ispconfig panel?

    If I follow the instructions on the link you sent me, I end up with domains like
    "mail.server.mydomain.com"
    But I own a wildcard domain (*.mydomain.com), and those are not legal domains for a wildcard domain.

    I want domains like "www.mydomain.com" or "mail.mydomain.com" (or "panel.mydomain.com" for ISPConfig Panel)

    Is that possible?
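
Added example (not part of the original thread): a check of which hostnames a wildcard certificate name covers, using the standard TLS rule that `*` stands for exactly one leftmost label. The hostname list is constructed from the names mentioned in this thread.

```python
def wildcard_covers(cert_name, hostname):
    """True if cert_name (exact name or '*.domain') covers hostname.
    '*' matches exactly one label, so label counts must be equal."""
    p = cert_name.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Wildcard replaces the leftmost label only; the rest must match exactly.
        return h[0] != "" and p[1:] == h[1:]
    return p == h


def uncovered(cert_names, hostnames):
    """Hostnames that none of the certificate names cover."""
    return [h for h in hostnames
            if not any(wildcard_covers(n, h) for n in cert_names)]


# Constructed sample: names discussed in the thread.
HOSTS = [
    "www.mydomain.com",
    "mail.mydomain.com",
    "panel.mydomain.com",
    "mail.server.mydomain.com",
    "mydomain.com",
]

if __name__ == "__main__":
    print("not covered by *.mydomain.com:", uncovered(["*.mydomain.com"], HOSTS))
```

The bare `mydomain.com` is also outside `*.mydomain.com` unless the certificate lists it as a separate name.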
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    You can create wildcard SSL certs with Let's Encrypt, but this requires the DNS auth method, which is not supported by ISPConfig, so you'll have to create that wildcard SSL cert manually with Let's Encrypt.
     
  5. Davide

    Davide Member HowtoForge Supporter

    I'm sorry I'm not explaining myself :(

    I already own a wildcard certificate for mydomain.com. I'm using it for panel.mydomain.com (where ISPConfig panel resides) and for pop/imap/smtp/ftp...

    I want to use it also for "*.mydomain.com" site (created through ISPConfig panel)

    I can't make it work. Is it possible at all?

    Thank you!
     
  6. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    If you have the cert, you need to activate SSL the old fashioned way = enable ssl and put the cert details from the LE-files into webfrontend manually - also update them.
    It can be automated though until wildcard LE feature arrives.
     
  7. Davide

    Davide Member HowtoForge Supporter

    Please take into account that I have the ispconfig panel listening on port 443, not 8080.

    I've taken these steps so far:

    1) I've put my existing certificate in the www.mydomain.com ssl tab and enabled ssl. www.mydomain.com is working now with ssl.
    2) I've put the certificates in /usr/local/ispconfig/interface/ssl/ as suggested by till.
    3) I've had to uncomment the commented-out line:
    # SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
    in ispconfig.vhost
    4) At this point, every time I try to reach the panel (panel.mydomain.com port 443), I end up at the www.mydomain.com homepage on port 443.

    At this point, if I change port from 443 to 8080 in ispconfig.vhost it works. But I need it listening on 443.

    I had to change the following in ispconfig.vhost to make it work:
    <VirtualHost _default_:443>
    to
    <VirtualHost w.x.y.z:443>
    (w.x.y.z is one of the two public IPs of my server)

    Doing so makes everything work as expected:
    https://www.mydomain.com serves contents in /var/www/mydomain.com/web
    and
    panel.mydomain.com serves the ISPConfig panel.

    I think this behaviour is due to having other domains listening on 443 on the same IP. This line in the other domains listening on 443:
    <VirtualHost w.x.y.z:443>
    makes our request for panel.mydomain.com:443 not match _default_:443, because it resolves to w.x.y.z:443, which is defined in another vhost.

    I suppose these changes made in ispconfig.vhost will be overwritten in the next update. Is there any way of avoiding it?
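
Added example (not part of Davide's post and not ISPConfig code): a small Python model of how Apache 2.4 chooses a virtual host, showing why an IP-specific `<VirtualHost w.x.y.z:443>` shadows `_default_:443` for that address. The address 203.0.113.10 stands in for w.x.y.z; the `ServerName` values and the second address 203.0.113.11 are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class VHost:
    addr: str                  # "<ip>:<port>", "*:<port>" or "_default_:<port>"
    server_name: str
    aliases: list = field(default_factory=list)   # ServerAlias, may hold wildcards


def _split(addr):
    ip, port = addr.rsplit(":", 1)
    return ip, int(port)


def select_vhost(vhosts, local_ip, port, host):
    """Model of Apache 2.4 vhost selection for a connection accepted on
    local_ip:port with the given Host/SNI name. None means the main server."""
    # Step 1: vhosts bound to the exact IP win; wildcard vhosts are only a fallback.
    exact = [v for v in vhosts if _split(v.addr) == (local_ip, port)]
    wild = [v for v in vhosts
            if _split(v.addr)[0] in ("*", "_default_") and _split(v.addr)[1] == port]
    candidates = exact or wild
    if not candidates:
        return None
    # Step 2: name-based match inside that set only; the first vhost is the default.
    host = host.lower().rstrip(".")
    for v in candidates:
        if host == v.server_name.lower() or any(fnmatch(host, a.lower()) for a in v.aliases):
            return v
    return candidates[0]


IP1, IP2 = "203.0.113.10", "203.0.113.11"   # constructed stand-ins for the two public IPs

# Constructed sample: ispconfig.vhost on _default_, plus a site created in the panel.
BEFORE = [VHost("_default_:443", "panel.mydomain.com"),
          VHost(f"{IP1}:443", "www.mydomain.com", ["mydomain.com"])]
# Same pair after changing ispconfig.vhost to the explicit address.
AFTER = [VHost(f"{IP1}:443", "panel.mydomain.com"),
         VHost(f"{IP1}:443", "www.mydomain.com", ["mydomain.com"])]


def served(vhosts, ip, host):
    v = select_vhost(vhosts, ip, 443, host)
    return v.server_name if v else None


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        for ip in (IP1, IP2):
            print(label, ip, "panel ->", served(cfg, ip, "panel.mydomain.com"))
```

In this model the panel vhost, once bound to a single address, no longer answers on the server's other IP; requests arriving there fall through to the main server configuration.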
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Sure, all templates are customizable in an update-safe way. Copy the file install/tpl/apache_ispconfig.vhost.master of the ispconfig tar.gz file to /usr/local/ispconfig/server/conf-custom/install/
     
    ztk.me likes this.
