Importing existing ssl key/cert into ISPConfig site

Discussion in 'Installation/Configuration' started by zetnsh, Jan 17, 2008.

  1. zetnsh

    zetnsh New Member

    Hi there,

    I have created an SSL Site within ISPConfig, but I don't want to create an SSL Certificate - I am migrating a site in from another ISP, and I already have the X509 Key/Cert pair. Whilst I can paste in a CSR (for what it's worth!), and the key, I can't immediately see a way to input the existing private key.

    Can anyone give me a clue as to how I might do this with ISPConfig? I can't imagine I'm the first to ask!

    Thanks in advance,

    Neil
     
  2. till

    till Super Moderator

    1) Create a new "dummy" SSL cert in ISPConfig.
    2) Replace the key, cert and csr files in the ssl directory of the website with the existing ones from the old server.
    3) Replace the ssl cert and csr in the ispconfig interface with your existing csr and cert.
     
  3. zetnsh

    zetnsh New Member

    That worked great. I think it would be good to build that into ISPConfig though - it should be easy enough to do, I've actually done it myself with a server admin system I wrote a few years ago (which now belongs to my former employer!).

    Thanks for the help!
     
  4. ahsamuel

    ahsamuel New Member

    Hi,

    I've done that, but I'm not getting it to work.

    I filled the fields about the ssl (Country etc.), and chose "create certificate" and then pressed save.
    Then I went back into it and clicked save certificate and save.
    Then I replaced the .key, .csr and .crt files in the ssl directory.
    Then I copy&pasted the contents of the .csr into the first, and of the .crt into the second field and clicked save certificate.

    When I now open my site with https://, I get a wrong cert, based on the fields I filled with "dummy" stuff.

    What I have:
    - a .key, a .cert and a self-made .csr (made with the .key)
    - got the certificate with my hosting at OVH (they gave me the .key and a dedicated IP, I have a root server there)

    I run ISPConfig, everything else works fine.

    Any ideas or more details on how to do this?
     
  5. zetnsh

    zetnsh New Member

    Difficult to say on this one. I'm not an ISPConfig expert (I've only been using it since August last year), but I wonder if it's the lack of a CSR that could be causing the problem.

    Now you don't actually need the CSR in order for the web server to start - that just reads the key and the cert (from separate files such as /var/www/web1/ssl/www.mysite.com.key etc), but I just wonder if perhaps this is causing problems with ISPConfig rather than apache.

    What you could do is put the correct .key and .cert files in the relevant directory manually again, don't touch ISPConfig, and restart apache (eg. apachectl restart or /etc/init.d/httpd restart etc).

    In fact, if you do apachectl configtest first, that should tell you if the key/cert is valid. You can then test the site again in a browser (close it and re-open just to be sure) to see if it's the right cert. If it is, then you can test again putting the CSR and the Cert into the site's SSL tab in ISPConfig. I've done this successfully, but then again I did have the original CSR used to generate the certificate. I would have thought you might struggle without that.

    With this sort of problem, you usually find the solution by careful step-by-step analysis of what's actually going on, and careful reasoning. (aka trial and error!)

    Hope you get it sorted. Feel free to post back - not sure I could be any more help though...

    Thanks,

    Neil
     
  6. ahsamuel

    ahsamuel New Member

    Thank you for your answer. I don't know why, but it somehow fixed itself overnight.

    It still brings an error, but I cannot read what the problem is.

    Maybe someone could check: https://www.hotelvaladon.fr

    Thank you!
     
  7. zetnsh

    zetnsh New Member

    Last edited: Feb 5, 2008
  8. ahsamuel

    ahsamuel New Member

    It works with my IE7, but not with FF.

    :p
     
  9. zetnsh

    zetnsh New Member

    I have tried it with Firefox, and I see your point.

    It's definitely nothing to do with ISPConfig though. It's to do with the Certification Authority who provided the SSL Certificate. I think it's basically because Firefox doesn't have the root certificates for OVH Secure Certification Authority, whoever they are.

    Unless I've missed something here, I think the only resolution is to obtain an SSL Certificate from a reputable provider such as Thawte or Verisign (yes, I know Verisign own Thawte now! ;-) Thawte do a reasonably priced budget certificate called SSL-123. But that's still paying twice, unless you can get a refund.

    If you go for a less well known SSL provider, unfortunately you run the risk of the CA not being recognised by some of the browsers. In this case, it seems to work with IE7 and Safari, but not in Firefox or Opera.

    Thanks,

    Neil
     
  10. ahsamuel

    ahsamuel New Member

    Thank you a lot, I'll try and contact them. Will keep you (all) updated.
     
  11. zetnsh

    zetnsh New Member

  12. till

    till Super Moderator

    It might be that your SSL authority requires a chained root certificate. If they provided you with such a master certificate, save it to a file in the ssl directory of your site and then add a line like this in the apache directives field of the site:

    SSLCACertificateFile /var/www/www.yourdomain.com/ssl/ca.txt
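
The checks this thread circles around (the key and cert files Apache reads, a self-made CSR, and the CA chain file), as an added example that is not part of any post and is not ISPConfig code: a POSIX shell function using the `openssl` CLI that confirms the key, certificate and optional CSR carry the same public key and that the certificate verifies against a chain file. The function names and return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not ISPConfig code. Function names and return codes are
# assumptions made for this illustration; file paths come from the caller.

# Print the SHA-256 of the PEM public key held in a key, cert or CSR file.
pub_fp() {  # $1 = key|crt|csr   $2 = file
    case "$1" in
        # "-passin pass:" makes an encrypted key fail instead of prompting
        key) pem=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        csr) pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   return 1 ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# check_ssl_set KEY CRT [CSR] [CHAIN]
# returns 0 = consistent, 1 = unreadable file, 2 = cert is for another key,
#         3 = CSR is for another key, 4 = cert does not verify against CHAIN
check_ssl_set() {
    key_fp=$(pub_fp key "$1") || return 1
    crt_fp=$(pub_fp crt "$2") || return 1
    [ "$key_fp" = "$crt_fp" ] || return 2
    if [ -n "${3:-}" ]; then
        csr_fp=$(pub_fp csr "$3") || return 1
        [ "$key_fp" = "$csr_fp" ] || return 3
    fi
    if [ -n "${4:-}" ]; then
        # CHAIN is the CA file the site's Apache directive points at
        openssl verify -CAfile "$4" "$2" >/dev/null 2>&1 || return 4
    fi
    return 0
}

# Run as a script: sh check_ssl_set.sh KEY CRT [CSR] [CHAIN]
if [ "$#" -ge 2 ]; then
    rc=0
    check_ssl_set "$@" || rc=$?
    echo "check_ssl_set result: $rc"
fi
```

Run it against the files in the site's ssl directory before restarting Apache; a result of 2 means the web server would be handed a certificate that was not issued for that private key.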
     
  13. ahsamuel

    ahsamuel New Member

    Thank you Till, I tried this, since they gave me a .chain file too.

    I added the Line in my ispconfig:
    SSLCACertificateFile /var/www/web55/ssl/www.hotelvaladon.fr.chain

    But there is one file I didn't put there:
    ls -lah /var/www/web55/ssl/
    -rw-r--r-- 1 root root 5.0K 2008-02-05 11:30 www.hotelvaladon.fr.chain
    -rw-r--r-- 1 root root 2.0K 2008-02-04 18:17 www.hotelvaladon.fr.crt
    -rw-r--r-- 1 root root 997 2008-02-04 18:10 www.hotelvaladon.fr.csr
    -r-------- 1 root root 1.7K 2008-02-04 18:15 www.hotelvaladon.fr.key
    -rw-r--r-- 1 root root 951 2008-02-04 18:10 www.hotelvaladon.fr.key.org

    The .key.org is not from me, must be from ISPConfig!?

    Any suggestion?
     
  14. falko

    falko Super Moderator

    Yes, that's right.
     
  15. ahsamuel

    ahsamuel New Member

    I don't know how (I didn't change anything since my trouble ticket @ovh), but it works now with IE & FF.

    Thanks all for your support!

    Samuel

    (loving ispconfig btw)
     
