Install Free SSL Certificate from startssl.com on the website

Discussion in 'ISPConfig 3 Priority Support' started by JohnnyBeGood, Oct 16, 2016.

  1. JohnnyBeGood

    JohnnyBeGood Member

    Hi,

    So I've spent hours trying to install in on my website (dedicated Ubuntu server with ISPConfig v3.1).
    I've followed this tutorial and although StartSSL.com interface has changed I was able to follow and paste ca.pem from StartSSL.com into “SSL Bundle” also since it didn't work with I've tried to paste both 1_root_bundle.crt and 2_www.mydomain.com.crt from Apache zip file downloaded from FreeSSL.com
    When I open https://www.mydomain.com it still tells me that connection is not private instead of green lock just like on this site. I'm using Google browser.
    Can someone please help me with this?
     
    Last edited: Oct 16, 2016
  2. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    paste the data from startssl into the ssl-tab of the website and choose save cert.
     
  3. JohnnyBeGood

    JohnnyBeGood Member

    Thanks for taking time to reply!
    In which box under SSL do 1_root_bundle.crt and 2_www.mydomain.com.crt go?
     
  4. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    bundle into bundle, key into key and crt into cert
     
  5. JohnnyBeGood

    JohnnyBeGood Member

    That helps a lot but I just need to reference files from StartSSL. Bellow are cert files downloaded after cert is being generated on StartSSL:

    main_zip_file.JPG apache_zip_file.JPG otherserver_zip_file.JPG

    Sorry I had to use screenshots to explain what I'm talking about.
    Do I need to use OtherServer.zip ?
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Use the apache server zip. The content of the .com.crt file goes into the certificate field, the content of the bundle.crt file into the bundle field.
     
  7. rob_morin

    rob_morin Member HowtoForge Supporter

    Not sure if i should add to this post, but I am having an issue also...
    I pasted key/cert and bundle in the appropriate boxes. I made sure the the SSL checkbox was checked before hand and then clicked on save certificate.
    Now when i go here to check it...

    https://www.sslshopper.com/ssl-checker.html#hostname=webmail.dido.ca

    I get an error "
    The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate."

    I tested the key/cert and bundle on the same website by pasting here...
    https://www.sslshopper.com/certificate-key-matcher.html

    And all was good....
    Any ideas?

    my default-ssl.conf file located in /etc/apache2/sites-enabled/ has these lines in it
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/star_dido_ca.crt
    SSLCertificateKeyFile /etc/ssl/certs/star_dido_ca.key
    SSLCertificateChainFile /etc/ssl/certs/star_dido_ca_bundle.crt

    I simply pasted same files into ispconfig for the aforementioned domain
     
  8. rob_morin

    rob_morin Member HowtoForge Supporter

    Just a note i noticed that a file named webmail.dido.ca.vhost.err and webmail.dido.ca.vhost exists in sites-available but is not in sites-enabled and bot files are the same as I checked with teh diff command.

    Thanks
     
  9. rob_morin

    rob_morin Member HowtoForge Supporter

    I also noted this in apache log file

    [Tue Oct 18 15:04:03.550158 2016] [ssl:error] [pid 18206] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=*.dido.ca / issuer: CN=RapidSSL SHA256 CA,O=GeoTrust Inc.,C=US / serial: 16CEB303942AA4911183A2780BC191DE / notbefore: Aug 24 00:00:00 2016 GMT / notafter: Aug 24 23:59:59 2019 GMT]

    [Tue Oct 18 15:04:03.550304 2016] [ssl:warn] [pid 18206] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
     
  10. JohnnyBeGood

    JohnnyBeGood Member

    Thank you! After multiple tries and clearing browser cache I finally got it to work and now I have green lock icon!
    When testing its important to clear browser cache.

    I'm also getting this odd error when testing it:
    None of the common names in the certificate match the name that was entered (mydomain.com). You may receive an error when accessing this site in a web browser. It looks like you just need to add the "www." when accessing the site with SSL.
    Testing this forum domain does not give that warning?
    https://www.sslshopper.com/ssl-checker.html#hostname=howtoforge.com
    also another random domain https://www.sslshopper.com/ssl-checker.html#hostname=mixrack.com
    How can that be fixed?
     
    Last edited: Oct 19, 2016
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    The error means that the SSL certificate was issued for a different domain or subdomain than the domain that you use for this website.
     
  12. rob_morin

    rob_morin Member HowtoForge Supporter

    Thats what I thought, but it's a * cert good for anything that is *.dido.ca
    So let me ask you this.... where should the ssl statements be? in /etc/apache2/sites-enabled i have ...

    000-ispconfig.vhost: SSLEngine On
    000-ispconfig.vhost: SSLProtocol All -SSLv3
    000-ispconfig.vhost: SSLCertificateFile /etc/ssl/certs/star_dido_ca.crt
    000-ispconfig.vhost: SSLCertificateKeyFile /etc/ssl/certs/star_dido_ca.key
    000-ispconfig.vhost: SSLCACertificateFile /etc/ssl/certs/star_dido_ca_bundle.crt
    and...

    default-ssl.conf: SSLCertificateFile /etc/ssl/certs/star_dido_ca.crt
    default-ssl.conf: SSLCertificateKeyFile /etc/ssl/certs/star_dido_ca.key
    default-ssl.conf: # Point SSLCertificateChainFile at a file containing the
    default-ssl.conf: # the referenced file can be the same as SSLCertificateFile
    default-ssl.conf: SSLCertificateChainFile /etc/ssl/certs/star_dido_ca_bundle.crt

    SHould i have only in one then?
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    The ssl stamement is in the vhost file of the website where you added the ssl cert to. The files that you listed above are not related to the ssl settings of a website.
     
  14. rob_morin

    rob_morin Member HowtoForge Supporter

    Dam, had the wrong intermediate cert! Sorry for the stupid post! :)
     
  15. JohnnyBeGood

    JohnnyBeGood Member

    Ok, that makes sense because when I was creating the certificate I entered www.mydomain.com and www part would be subdomain. Can I generate another one for just mydomain.com ? Where would I enter it on ISPconfig? Would I use again same SSL Request key from ISPconfig SSL tab?
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    Change the domain name in the website, then change the SSL domain on the SSL tab before you create a new SSL cert.
     
  17. JohnnyBeGood

    JohnnyBeGood Member

    Ok, so my domain is using a Wordpress and there I have both set to https://www.mydomain.com
    In ISPconfig under SSL tab for SSL Domain: I have selected www.mydomain.com
    My question is under SSL tab do I set it to mydomain.com in ISPconfig or do I change it to *.mydomain.com ?
     
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    Why do you want to set it to * when you don't use it? Never enable something that you don't use. If you want an ssl cert for mydomain.com, theh select mydomain.com. If you want an ssl cert for www.mydomain.com, then select www.mydomain.com.
     
  19. JohnnyBeGood

    JohnnyBeGood Member

  20. till

    till Super Moderator Staff Member ISPConfig Developer

    Then you enter "domain.tld" in the domain field of the website and select "auto subdomain = www" in the auto subdomain field. Additionally, you need dns records for the domain and www domain off course.
     

Share This Page