Godaddy SSL certificate and ISPConfig 3 Debian

Discussion in 'Installation/Configuration' started by sjswarts, Dec 24, 2011.

  1. sjswarts

    sjswarts New Member

    Hi guys,

    Some time late last night I decided it would be a great thing for my website mail to be certified by a trusted third party. Being a true skimp I purchased a certificate from GoDaddy that would cover

    My issue is this:

    No matter what I do and which ever help forum I try the result is the same, it just doesn't work.

    Keeps using my original certificate when I followed this tutorial

    Can someone please make this easy for me??

    I have my servers hostname as, but I want people to access their webmail via (as per tutorial). I also have the webmail listening and redirecting on port 50443 so when people go a redirect takes them to

    Is my understanding of certificates wrong in that if you have a certificate for it certifies anything

    Please explain it to me

    thanks in advance

  2. sjswarts

    sjswarts New Member

    Nobody has any helping ideas??
  3. cbj4074

    cbj4074 Member

    And why should we do that?

    My guess is that nobody has responded because you're asking for "everything under the sun" in a single post.

    Unless your Web-server (presumably Apache) is configured to listen for SSL requests on port 50433, this will not work. While it is certainly possible to run make Webmail available on any port desired, you should have a good reason for wanting to do so, as it is a non-standard configuration.

    You have this correct. The port number is the problem.

    What happens when you remove port 50443 from the equation altogether?
    Last edited: Jan 3, 2012
  4. sjswarts

    sjswarts New Member

    Thanks for the reply - cbj4074

    Good point, teach me then please

    Well I apologize for the "difficulty" of this question(s) but seeing that it all relates to my issue which I thought is quite simple in itself - Configuring a GoDaddy certificate for a ISPConfig setup. Seems funny if I don't post enough information on forums those who help complain about not enough information, if I post too much they complain as well.

    Well I followed this tutorial -

    - to extend the debian security installation and it told me to configure for webmail to be received on port 50443.

    Ok first bit of helpful information... I will remove the part of the tutorial that requires the port changes from standard to unknown. But I don't see why I can't have ISPConfig running on port 50443 along with Roundcube.

    If you could explain that to me that would be great.
  5. cbj4074

    cbj4074 Member

    I apologize for being a bit brash, but please understand that none of us are paid for the time we spend here. As such, nobody owes anybody anything.

    Those who understand ISPConfig inside and out have spent countless hours troubleshooting (and have endured considerable hair-loss in many cases) in order to come to that level of understanding. Fortunately, they're willing to share at least some of that knowledge.

    We're dealing with some very complex issues here (most of which have nothing to do with ISPConfig, directly), and your question is less simple than you may think. SSL, by its complex nature, carries with it many moving parts.

    I'll never complain about too much information unless it's clear that no effort has been made to troubleshoot on one's own. (You've shown at least some effort, hence my reply.)

    Now, all of that said...

    Thank you for posting the second tutorial that you followed. That's the most helpful thing you've posted yet (and I say that without sarcasm); it helps us determine the origin of your actions.

    While I understand the logic behind running Apache virtual hosts on non-standard ports, doing so qualifies as "security by obscurity" as far as I'm concerned. Any sophisticated piece of software is going to find ISPConfig whether it's running on port 80 or some random port much higher in the available range.

    Given that you've already followed the tutorial, there's no reason to undo those changes. It wasn't clear from your initial post that Webmail does function as expected (aside from the certificate issue). When you make statements such as

    it is difficult for us to know what, exactly doesn't work. We need screenshots, precise error messages, etc.

    To be clear, the only issue is that the wrong certificate (presumably ISPConfig's default certificate) is being used instead of the one you purchased from GoDaddy whenever you attempt to access Webmail?

    I haven't read the entire tutorial that you followed, but I don't see anything in there about installing your own SSL certificate. While that in itself is fine, it would be helpful if you told us what steps you took to install the GoDaddy certificate. We'll assume that you already have the actual certificate (.csr, .key, and .crt files), or, alternatively, a .pem file, as well as the CA's (GoDaddy's) .bundle file. If this is not the case, please do say so.
    Last edited: Jan 3, 2012
  6. sjswarts

    sjswarts New Member

    thank you cbj4074

    I also would like to mention that I really do appreciate the help I receive from this forum, I know that you guys all do this for free and using up your valuable time. So thanks to all who do contribute and help.

    Ok so I will try to outline exactly what I did and where it fails.

    1. I purchased a SSL certificate from GoDaddy to certify my single domain which for the sake of anonymity i will say
    2. I opened ISPConfig and went to my website listed for default user (only have 1 currently)
    3. Under SSL I copied the SSL request and logged into GoDaddy and submitted that to them.
    4. Selected Apache as the download option and received 2 files - and gd_bundle.crt
    5. Under ISPConfig I pasted the contents of to the box under SSL request.

    Now my apache fails to restart.

    Under /var/log/ispconfig/httpd/ it lists these errors:

    [warn] RSA server certificate CommonName (CN) `' does NOT match server name!?
    [Tue Jan 03 13:01:08 2012] [error] Unable to configure RSA server private key
    [Tue Jan 03 13:01:08 2012] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

    The only way I can get Apache to start again is to comment out the SSL section in: /etc/apache/sites-available/

    Then Apache restarts
    Last edited: Jan 3, 2012
  7. sjswarts

    sjswarts New Member

    Ok so an update

    I did what I said before but instead of choosing save I also added into the bundle section the contents of the gd_bundle.crt

    Now apache restarts but the log /var/log/ispconfig/httpd/ outputs a warning only that the Common Name doesn't match the server name.

    However when I try to access the website it still keeps a record of the old certificate that was self signed and certified. I don't know where it keeps this though.
  8. cbj4074

    cbj4074 Member

    Excellent, thanks for the detailed post. That makes it easy to help you.

    It sounds like you're simply using the wrong certificate components in the wrong places.

    The basic anatomy of a SSL certificate is:

    - .csr (Certificate Signing Request, which you created in ISPConfig interface) (belongs in "SSL Request" field within ISPC interface)
    - .crt (public certificate) (belongs in "SSL Certificate" field within ISPC interface)
    - .key (private key file; must remain protected) (is generated by ISPC when the CSR is created)
    - .bundle (CA chain; required to prevent authenticity warnings) (belongs in "SSL Bundle" field within ISPC interface)

    Note: The key and the certificate are sometimes combined into a single .pem file.

    All of the files are important, but based on your previous post, you seem to be missing the most important file of the bunch (the .key file). Or, you just didn't know where it was created or why it was important.

    Once the certificate has been issued, the .csr file serves no urgent purpose and can be ignored.

    The .key file and .crt files, however, are required. ISPConfig stores these files in a couple different locations:

    a.) ISPConfig's own "default" certificate components are stored in the following locations:

    Note: These are probably the certificates that Apache is continuing to use.

    b.) Each site's own certificate files, when managed with the ISPConfig interface, are stored in

    The first thing you need to do is copy the GoDaddy-issued .crt and .bundle files to this location, and be sure the names follow the convention that ISPConfig expects, e.g.:

    You also need to ensure that the .key file is present (ISCP should have created it when you made the CSR via the ISPC interface):

    When you restart Apache, your certificate should be used.

    service apache2 restart
    At this point, there's really no need to paste the certificate parts into the ISPConfig interface. You will, however, have to ensure that the SSL box is checked for the website in question (it sounds as though that's already the case).

    Of course, you could paste the certificate contents into the ISPConfig interface and choose "Save certificate" for the SSL Action before clicking the Save button, which will copy the certificate contents into the database (and perhaps overwrite the files that you just copied to /var/www/, which should be fine), but this step really isn't necessary unless you're OCD and want everything to be just-so in the ISPConfig interface (and there's nothing wrong with that). My point is simply that the risk is unnecessary in any sort of production environment.

    Any luck?
    Last edited: Jan 3, 2012
  9. sjswarts

    sjswarts New Member

    Quick thing I've noticed while i'm busy trying out your response (Thank you by the way) is that I don't get sent a .key from GoDaddy all I get is:

    On their explanation of how to install a certificate into a apache environment is to find the .csr and .key on the server.

    My question is where do I find this .key that seems to be elusive.

    Thank you again
  10. sjswarts

    sjswarts New Member

    I found a key for the site at


    Is that right??
  11. cbj4074

    cbj4074 Member

    Please see my updated post above. I clarified several points in a subsequent edit.

    It's worth noting that ISPConfig overwrites various configuration files (including those relevant to Apache) when certain changes are initiated via the interface. Further, such overwriting occurs when Apache will not start after an interface-initiated change (ISPConfig attempts to roll-back to a previous, working configuration), which is why the old certificate keeps being restored to use.

    Not until a proper, functioning certificate is in-place will ISPConfig cease to perform these overwrite operations.
  12. sjswarts

    sjswarts New Member

    Ok I followed your post (thanks for the edit) and it still uses the old certificate.

    Self signed and verified by myself.

    I've restarted apache and the error log still lists the only error as

    Common Name not the same as the server name
  13. cbj4074

    cbj4074 Member

    What value do these thee directives have in /etc/apache2/sites-available/

    Also, what domain are you using when you try to access your site,

    If you are testing this all by reloading the ISPConfig interface, then you will continue to see the default certificate.

    If you want to use this certificate for the ISPConfig interface, you need to copy the .key and .crt files to the location that ISPConfig uses for its own certificates (see two posts ago).
  14. sjswarts

    sjswarts New Member

    There is no mention of:


    in that file /etc/apache2/sites-available/

    I have seen it in there before but currently there is nothing in there, I have also made sure that SSL is ticked on the website.
  15. sjswarts

    sjswarts New Member

    I connect using which is the domain I registered with GoDaddy...

    In ISPConfig I have selected from the list instead of - I choose
  16. sjswarts

    sjswarts New Member

    Ok I might have fixed the problem...

    1. I changed to
    2. I ran /usr/local/ispconfig/server/
    3. I restarted apache [/etc/init.d/apache2 restart]
    This made a new example.vhost which had the right lines in it.
    4. I copied the and and (don't think this is needed) to /usr/local/ispconfig/interface/ssl
    5. Changed existing ispserver.(crt,key,csr) to back.ispserver.(crt,key,csr)
    6. Changed,key,csr) to ispserver.(crt,key,csr)
    7. Restarted apache again [/etc/init.d/apache2 restart]

    So its seems to working fantastically...
    I will update if anything else goes wrong...

    Thank you,
    cbj4074 - don't know your name but thanks :D
  17. cbj4074

    cbj4074 Member

    Nice! Glad to hear it.

    Not sure exactly what got disconnected there, but it's academic at this point.

    You're welcome, holler if anything else comes up. Oh, and my name's Ben ;).
  18. cbj4074

    cbj4074 Member

  19. sjswarts

    sjswarts New Member

    Apparently its not fixed...

    I didn't notice anything wrong.. but my mate and my iPhone both came up with a warning message saying its untrusted.

    However I added into /etc/apache2/sites-available/ispconfig.vhost a line that said:

    SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/gd_bundle.crt

    I have copied the gd_bundle.crt that I received to that location and restarted Aapache.

    however whenever I try to check with the GoDaddy installation tool it comes up with a error: "Results:SSL Connection Failed!"

    To summarize:

    1. I have changed the one site that I have in ISPConfig to incorporate the signed certificate and the gd_bundle.crt (copied and pasted into ISPConfig under sites > > Selected SSL > SSL Tab)
    2. I have copied and gd_bundle.crt to /usr/local/ispconfig/interfaces/ssl
    3. Backed up original certificate and changed the names of the GoDaddy certificates to the ISPConfig self generated ones.
    4. Edited /etc/apache2/sites-available/ispconfig.conf and inputted a line in the SSL enabled section:
    SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/gd_bundle.crt
    5. Restarted apache2 by doing a - "/etc/init.d/apache2 restart"
  20. cbj4074

    cbj4074 Member

    gd_bundle.crt should not be used for the SSLCertificateChainFile directive (it should be used for the SSLCACertificateFile).

    Please see:

Share This Page