how to implement a startssl.com class2 multi domain certificate

Discussion in 'HOWTO-Related Questions' started by Ovidiu, Feb 2, 2012.

  1. Ovidiu

    Ovidiu Active Member

    I have a multidomain and wildcard certificate by startssl.com after following the tutorial from howtoforge and it is working properly for pureftp, postfix, courier, etc. but now I am wondering how to install it for some of the sites included in it.

    using apache2 on a debian installation.

    I am not sure how the ispcfg3 SSL tab is to be used with this certificate?
    I saw the checkbox for ssl when editing a site, what does ticking the box do?
    if I check the box, how do I get apache2 to use the certificate I have?

    any hints?
     
  2. Ovidiu

    Ovidiu Active Member

    checked the ispcfg3 manual I bought:
    so how do I implement my wildcard-multi-domain certificate for websites with apache2?
     
  3. falko

    falko Super Moderator

    Just create a self-signed certificate as you would normally do, and after the cert, key, etc. have been created, rename them (e.g.
    Code:
    mv yoursite.crt yoursite.crt_orig
    )
    and create symlinks to the appropriate files in the ISPConfig ssl folder:
    Code:
    ln -s /usr/local/ispconfig/interface/ssl/ispconfig.crt yoursite.crt
    Restart Apache afterwards.
     
  4. Ovidiu

    Ovidiu Active Member

    Thanks Falko that worked very well but how about the last step in the startssl howto namely where you are required to edit ispconfig.vhost and add this line:
    SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/startssl.sub.class1.server.ca.crt ?

    I had to add SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/startssl.sub.class2.server.ca.crt but I guess I need to add that for every domain I am securing, right? If so, manually editing each vhost or can I somehow add that via ISPCFG3?
     
  5. falko

    falko Super Moderator

    You can place the bundle certificate on the SSL tab of the website in ISPConfig.
     
  6. Ovidiu

    Ovidiu Active Member

    sorry this is a bit weird. with this settings I still get the "This certificate was signed by an unknown authority" warning.

    If I edit /etc/apache2/sites-enabled/100-premaman.co.za.vhost and add the line:

    instead the warning is gone!?
     
  7. falko

    falko Super Moderator

    Did you paste the contents of the startssl.sub.class2.server.ca.crt file into the bundle field in ISPConfig? If so and you still get warnings, can you post the vhost configuration file that ISPConfig wrote after you pasted the bundle cert into the bundle field?
     
  8. Ovidiu

    Ovidiu Active Member

    yes I did paste the contents of the right file, I just double-checked.
    since that didn't work, I even deleted the premaman.co.za.bundle file that ISPCFG3 generated and symlinked to the original file as you can see above but that doesn't work either.

    Only if I manually add this line to the vhost does it work: SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/startssl.sub.class2.server.ca.crt

    here is the generated vhost file including the line I added manually:

     
  9. falko

    falko Super Moderator

    And the SSLCertificateChainFile line isn't added by ISPConfig? What's your ISPConfig version?
     
  10. Ovidiu

    Ovidiu Active Member

    nope, I added that line manually.
    I have the latest ISPCFG version since to generate my request I performed an update to ISPCFG 3.0.4.2

    actually I just did an experiment:

    edited the vhost via ISPCFG3 interface, simply increased the site's quota by 1MB and saved.

    the following happend:
    in the part of the vhost where port http is define this was added:

    in the https part this section still looked like this:

    weird, I have done this several times already. Now it all seems to work just fine !?
    confused, but we can close this topic I guess :-(
     
  11. falko

    falko Super Moderator

    I've added this to our bugtracker, so we will check that.
     

Share This Page