installing ssl cert

Discussion in 'ISPConfig 3 Priority Support' started by kwickcut, Feb 7, 2018.

  1. kwickcut

    kwickcut Member

    hello i have created a CSR using the following
    Code:
    openssl req -new -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr
    then filled out the info requested i then ran
    Code:
    cat yourdomain.csr
    i then copied and pasted into a certificate authority. i then receive an email to confirm its me and shortly after i receive the email for the download of the certs.
    there are 4 in the downloaded zip file
    1)AddTrustExternalCARoot
    2)mysite_com
    3)ADDTrustCA
    4)DomainValidationSecureServiceCA

    i have read and tried 2 different ways to install these certs all ending in a loss of apache causing me to reload the server because i am doing something wrong. my question is do i need to install all 4 certs and how do i do this safely.

    thank you for any direction and help

    kwick
     
  2. kwickcut

    kwickcut Member

    UPDATE
    i just received another email with a new zip file and only 2 files inside
    1)mysite_com.ca-bundle
    2)mysite_com
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Where do you want to install that, an ispconfig website? In that case, you will have to put the SSL key (that you created outside of ispconfig as it seems) into the key field, the .crt file into the certificate field and the bundle file content into the SSL bundle field.
     
    kwickcut likes this.
  4. kwickcut

    kwickcut Member

    thank you for the reply. i have done as stated and saved the info. when i exit the ssl page and then log back in i see the info that i had entered but i am having an issue. the site is using what i am assuming is the self singed cert from ISPCONFIG? the ssl cert that i bought was for 3 years. what should i be looking to edit thanks in advance. below is the output on a website ssl checker

    DNS resolves my_site.com to xx.xxx.xxx.xx
    SSL certificate

    Common Name = localhost

    Issuer = localhost

    Serial Number = FDD85BA0069C1ECE

    SHA1 Thumbprint = ED7AF483584FF7A90F919EC2AD7D4A53FE7677E4

    Key Length = 2048

    Signature algorithm = SHA1 + RSA (deprecated)

    Secure Renegotiation: Supported

    SSL Certificate has not been revoked
    OCSP Staple: Not Enabled
    OCSP Origin: Not Enabled
    CRL Status: Not Enabled

    SSL Certificate expiration
    The certificate expires May 17, 2035 (6306 days from today)
    Certificate does not match name my_site.com
    [​IMG]
    Subject localhost
    Valid from 22/May/2015 to 17/May/2035
    Issuer localhost
    SSL Certificate is not trusted
    The certificate is not signed by a trusted authority (checking against Mozilla's root store). If you bought the certificate from a trusted authority, you probably just need to install one or more Intermediate certificates. Contact your certificate provider for assistance doing this for your server platform.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    just put the ssl key, cert and bubdle in the ssl field, select 'save certificate' in the action field and press save. And ensure that you have the ssl checkbox enabled in that website on the first tab. Beside that, your web browser can show you the details of the ssl cert that is currently used.
     
  6. kwickcut

    kwickcut Member

    ok i have done as stated and it has been over 10 days and i run a check and get the same outcome whats my next step?


    mysstore.com resolves to xx.xx.xxx.xx

    Server Type: Apache/2.4.18 (Ubuntu)

    The certificate will expire in 6294 days.


    The certificate is self-signed. Users will receive a warning when accessing this site unless the certificate is manually added as a trusted certificate to their web browser. You can fix this error by buying a trusted SSL certificate

    None of the common names in the certificate match the name that was entered (aquamedsstore.com). You may receive an error when accessing this site in a web browser. Learn more about name mismatch errors.
    [​IMG] Common name: localhost
    Organization: NETGEAR Org. Unit: NETGEAR
    Location: SanJose, California, US
    Valid from May 22, 2015 to May 17, 2035
    Serial Number: 18291470629429059278 (0xfdd85ba0069c1ece)
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: localhost
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    You seem to connect to a netgear device, not your ispconfig server.
     
  8. kwickcut

    kwickcut Member

    yes I seen that and changed the setting 443 was pointed at USB that was not connected. I forwarded 443 to server and rechecked ssl.

    IP Address (IPV4) xx.xxx.xxx.xx
    Server Type Apache/2.4.18(Ubuntu)
    Certificate Names
    [​IMG]Hostname matches

    Primary Domain:mystore.com

    Subject Alternative Domains:

    Certificate Signature Algorithm [​IMG]Sha256 With RSA Encryption
    Certificate Duration [​IMG]Certificate expires in 3638 days
    SCSV Fallback [​IMG]Enabled
    Heartbeat Extension [​IMG]Enabled
    Heartbleed Vulnerability [​IMG]Secure
    OCSP Stapling [​IMG]Disabled
    OCSP Status [​IMG]Unable to verify ocsp status with incomplete chain
    Strict-Transport-Security [​IMG]Disabled
    Encryption Methods
    [​IMG]TLS versions found available

    TLSv1

    TLSv1.1

    TLSv1.2

    Safe Ciphers
    [​IMG]Safe ciphers enabled

    AES256+EECDH

    AES256+EDH

    AES256-SHA

    AES128-SHA

    ECDHE-RSA-AES128-SHA

    ECDHE-RSA-AES256-SHA

    ECDHE-RSA-AES256-GCM-SHA384

    ECDHE-RSA-AES256-SHA384

    AES256-GCM-SHA384

    AES256-SHA256

    ECDHE-RSA-AES128-GCM-SHA256

    ECDHE-RSA-AES128-SHA256

    AES128-GCM-SHA256

    AES128-SHA256

    Unsafe Ciphers
    [​IMG]No unsafe ciphers enabled
    Certificate Chain
    [​IMG]Certificate chain is incomplete, missing intermediate(s)

    [​IMG]
    Serial Number: C2AD7DC81A8AAB9A
    Signature Algorithm: Sha256 With RSA Encryption
    Issuer Name: mystore
    Common Name: mystore.com
    Validity Period: February 8, 2018 toFebruary 6, 2028
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Ensure that you added the intermediate (bundle) ssl certs for the ssl cert into the ssl bundle field of the website. you get them from the ssl authority were you bought the ssl cert.
     
  10. kwickcut

    kwickcut Member

    all good thank you i had to move the bundle back into the field then saved it again. i had it like stated below.. i
    think the root to all this problem was i have port 443 assigned to the external usb. that was assigned on another tab not in the port forwarding tab.. thank you for all the help it now checks out.. just have to contact the ssl athuraty because it says i only have 89 days on the cert and i bought 3 years lol.


    kwick
     
    Last edited: Feb 22, 2018
    till likes this.

Share This Page