ISPConfig 3 - GNUTLS

Discussion in 'Tips/Tricks/Mods' started by oprago, May 2, 2009.

  1. oprago

    oprago New Member

    Hi,

    I created a small workaround to use ISPConfig with GnuTLS.

    Install GnuTLS and disable SSL:

    Code:
    aptitude install libapache2-mod-gnutls
    a2enmod gnutls
    a2dismod ssl
    
    The next step is to modify the ISPConfig Apache template /usr/local/ispconfig/server/conf/vhost.conf.master to use GnuTLS:

    Change:

    Code:
    [...]
    <tmpl_if name='ssl_enabled'>
    <IfModule mod_ssl.c>
    [...]
    
    Code:
    [...]
        SSLEngine on
        SSLCertificateFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='domain'>.crt
        SSLCertificateKeyFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='domain'>.key
    <tmpl_if name='has_bundle_cert'>
        SSLCACertificateFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='domain'>.bundle
    </tmpl_if>
    [...]
    
    to:

    Code:
    [...]
    <tmpl_if name='ssl_enabled'>
    <IfModule mod_gnutls.c>
    [...]
    
    Code:
    [...]
        GnuTLSEnable on
        GnuTLSPriorities NORMAL
        GnuTLSCertificateFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='domain'>.crt
        GnuTLSKeyFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='domain'>.key
    [...]
    
    I don't use the SSL bundles, so I hide the form field. Edit /usr/local/ispconfig/interface/web/sites/form/web_domain.tform.php and change it to a hidden field:

    Code:
    'ssl_bundle' => array (
    			'datatype'	=> 'TEXT',
    			'formtype'	=> 'HIDDEN',
    			'default'	=> '',
    			'value'		=> '',
    			'cols'		=> '30',
    			'rows'		=> '10'
    		),
    
    and modify the template /usr/local/ispconfig/interface/web/sites/templates/web_domain_ssl.htm:

    Code:
    <div class="ctrlHolder" style="display:none;">
            <label for="ssl_bundle">{tmpl_var name='ssl_bundle_txt'}</label>
            <textarea name="ssl_bundle" id="ssl_bundle" rows='10' cols='30'>{tmpl_var name='ssl_bundle'}</textarea>
    </div>
    
    GnuTLS requires an IP address in the virtual host definition, so I had to disable the "*". First add the IP of the server in the ISPConfig admin interface. Now disable the "*" in the file /usr/local/ispconfig/interface/web/sites/web_domain_edit.php by removing all $ip_select = "<option value='*'>*</option>"; entries.
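    The template edit described above, automated as an added example (editor's code, not part of oprago's post or of ISPConfig): it swaps the mod_ssl directives for their mod_gnutls counterparts, inserts the GnuTLSPriorities line the post adds, and reports anything it has to drop, such as the bundle block, instead of silently losing a CA chain. SAMPLE_SSL_SECTION is a constructed excerpt assembled from the snippets in the post.

```python
import re

# mod_ssl directives and their mod_gnutls counterparts, as used in the post.
DIRECTIVE_MAP = {
    "SSLEngine": "GnuTLSEnable",
    "SSLCertificateFile": "GnuTLSCertificateFile",
    "SSLCertificateKeyFile": "GnuTLSKeyFile",
}

# Constructed excerpt of vhost.conf.master, assembled from the snippets in the post.
SAMPLE_SSL_SECTION = """\
<tmpl_if name='ssl_enabled'>
<IfModule mod_ssl.c>
    SSLEngine on
    SSLCertificateFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='domain'>.crt
    SSLCertificateKeyFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='domain'>.key
<tmpl_if name='has_bundle_cert'>
    SSLCACertificateFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='domain'>.bundle
</tmpl_if>
</IfModule>
</tmpl_if>
"""

def convert_template(text):
    """Rewrite the SSL section of vhost.conf.master for mod_gnutls.
    Returns (new_text, notes); notes lists what was dropped rather than mapped."""
    notes = []
    out = text.replace("<IfModule mod_ssl.c>", "<IfModule mod_gnutls.c>")
    bundle = re.compile(r"<tmpl_if name='has_bundle_cert'>.*?</tmpl_if>\n?", re.S)
    if bundle.search(out):
        notes.append("dropped has_bundle_cert block (SSLCACertificateFile has no mapping here)")
        out = bundle.sub("", out)
    lines = []
    for line in out.splitlines():
        stripped = line.lstrip()
        indent = line[: len(line) - len(stripped)]
        parts = stripped.split(None, 1)
        if parts and parts[0] in DIRECTIVE_MAP:
            new = DIRECTIVE_MAP[parts[0]]
            rest = parts[1] if len(parts) > 1 else ""
            line = f"{indent}{new} {rest}".rstrip()
            if new == "GnuTLSEnable":
                # mod_gnutls needs a priority string; the post uses NORMAL.
                lines.append(line)
                line = f"{indent}GnuTLSPriorities NORMAL"
        elif parts and parts[0].startswith("SSL"):
            notes.append(f"unmapped directive: {parts[0]}")
        lines.append(line)
    return "\n".join(lines) + ("\n" if out.endswith("\n") else ""), notes
```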
     
  2. hfmark

    hfmark New Member

    Amazing code, very useful, thanks :)
     
  3. tio289

    tio289 Member

    I also had to edit the file /etc/apache2/ports.conf to the following:

    Code:
    NameVirtualHost your server ip:80
    Listen your server ip:80
    
    <IfModule mod_gnutls.c>
        NameVirtualHost your server ip:443
        Listen your server ip:443
    </IfModule>
    
    But I still have the problem with certificates, like with SSL. I turned on SSL on domain.sk and on domain.cz. If I go to https://domain.sk, the server uses the certificate for domain.cz. I hoped that GnuTLS was the solution, but... Can anybody help me? Thanks
     
    Last edited: May 12, 2009
  4. johnboy4809

    johnboy4809 New Member

    help with setting up

    I have tried implementing this on my Debian Lenny system and can't seem to get it to work. All my sites use the same certificate instead of their own. Has anyone got any pointers as to where to start fixing this?
     
  5. tio289

    tio289 Member

    Hello johnboy4809,

    With GnuTLS you can have multiple virtual hosts with SSL on ONE IP, but you must have one cert for all domains.

    With the default SSL mod you can have only one virtual host with SSL on one IP.

    And how do you create a cert for all domains?

    You must edit the file /etc/ssl/openssl.cnf

    and look at these lines:

    Code:
    0.organizationName              = Organization Name (eg, company)
    0.organizationName_default      = Internet Widgits Pty Ltd
    
    # we can do this but it is not needed normally :-)
    #1.organizationName             = Second Organization Name (eg, company)
    #1.organizationName_default     = World Wide Web Pty Ltd
    
    You can easily add more common names:

    Code:
    0.commonName = domain.com
    1.commonName = domain2.com
    2.commonName = domain3.com
    
    Then you must recreate the certificate; you can sign this certificate for example with cacert.org.
     
  6. johnboy4809

    johnboy4809 New Member

    Hi tio289,

    Thanks for getting back to me. I think I misunderstood GnuTLS; I thought it would allow me to have multiple SSL secure sites on a single IP. Or is this OpenSSL cert separate to the virtual hosts' cert? Sorry if I sound dumb, but I'm learning as I go. The reason I was wanting this is I have my own server at home running Lenny and ISPConfig 3; it hosts 3 sites, 2 of which I'd now like to have SSL. My domains are all sent to my server via DynDNS as I don't have a static IP. I don't know whether I am trying to achieve the impossible with this.

    thanks
     
  7. tio289

    tio289 Member

    SSLMOD - ONE IP = ONE SSL based host

    GNUTLS - ONE IP (static or dynamic) = MANY SSL based hosts with ONE jointed certificate.

    The certificate doesn't contain any information about the IP. What is important in the certificate is the CommonName, which is for example *.domain.com. The cert will then be valid for anything.domain.com. When you want to use GnuTLS and MANY SSL based hosts on one IP, you must create a certificate with MANY commonNames.

    For this you must edit the /etc/ssl/openssl.cnf file and add the commonNames to it.
    For example, if you have 3 domains domainA.com, domainB.com and domainC.com, you must add all domains to the openssl.cnf file.

    Code:
    [ req_distinguished_name ]
    0.commonName = Common Name (eg, YOUR name)
    0.commonName_default = *.domainA.com
    0.commonName_max = 64
    1.commonName = Common Name (eg, YOUR name)
    1.commonName_default = *.domainB.com
    1.commonName_max = 64
    2.commonName = Common Name (eg, YOUR name)
    # only an example of a subdomain added to the SSL cert
    2.commonName_default = shop.domainC.com
    2.commonName_max = 64
    3.commonName = Common Name (eg, YOUR name)
    # example
    3.commonName_default = My Secure Internet Services
    3.commonName_max = 64
    
    How? Look at this: http://www.sambarserver.info/viewtopic.php?t=740


    And when you want to thank me, use the button for it :)
     
    Last edited: Jan 14, 2010
  8. Horfic

    Horfic Member

    I have to correct you, it is possible to use multiple cert files with GnuTLS. I just followed the instructions on this page and I created the SSL file in the web interface. It all works!
     
  9. tio289

    tio289 Member

    I see; in my case this doesn't work :( so I created one cert :)
     
  10. johnboy4809

    johnboy4809 New Member

    Thanks for your help tio289, but I still seem to be doing something wrong. I decided to start with a fresh server, so I rebuilt my server using the Debian Lenny Perfect Setup for ISPConfig 3 from this site. Then, as soon as everything was installed, I followed oprago's setup of GnuTLS and also made the changes that tio289 outlined, but still to no avail. My sites all still use the same cert. I am at a loss now as to why it will not work.
     
  11. tio289

    tio289 Member

    I had the same problem and therefore I used one cert with multiple commonNames.
     
  12. johnboy4809

    johnboy4809 New Member

    Still can't get this to work

    Hi guys, I'm still not able to get this to work using either method in this post. Do you know if there is anywhere to start with checking my server setup to find the problem? Just a wild idea, but could this be anything to do with using the PowerPC build of Debian? Below is my virtual host config file for my site. Can anyone see any errors in this?

    Thanks for your time and help folks.

    Code:
    <Directory /var/www/thecraftykitten.co.uk>
    AllowOverride None
    Order Deny,Allow
    Deny from all
    </Directory>

    <VirtualHost 192.168.2.4:80>
    DocumentRoot /var/www/thecraftykitten.co.uk/web

    ServerName thecraftykitten.co.uk
    ServerAlias www.thecraftykitten.co.uk
    ServerAdmin webmaster@thecraftykitten.co.uk

    ErrorLog /var/log/ispconfig/httpd/thecraftykitten.co.uk/error.log

    ErrorDocument 400 /error/400.html
    ErrorDocument 401 /error/401.html
    ErrorDocument 403 /error/403.html
    ErrorDocument 404 /error/404.html
    ErrorDocument 405 /error/405.html
    ErrorDocument 500 /error/500.html
    ErrorDocument 503 /error/503.html

    <Directory /var/www/thecraftykitten.co.uk/web>
    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all

    # ssi enabled
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
    Options +Includes
    </Directory>
    <Directory /var/www/clients/client2/web2/web>
    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all

    # ssi enabled
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
    Options +Includes
    </Directory>

    # cgi enabled
    <Directory /var/www/clients/client2/web2/cgi-bin>
    Order allow,deny
    Allow from all
    </Directory>
    ScriptAlias /cgi-bin/ /var/www/clients/client2/web2/cgi-bin/
    AddHandler cgi-script .cgi
    AddHandler cgi-script .pl
    # suexec enabled
    SuexecUserGroup web2 client2
    # mod_php enabled
    AddType application/x-httpd-php .php .php3 .php4 .php5
    php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -fwebmaster@thecraftykitten.co.uk"
    php_admin_value upload_tmp_dir /var/www/clients/client2/web2/tmp
    php_admin_value session.save_path /var/www/clients/client2/web2/tmp
    php_admin_value open_basedir /var/www/clients/client2/web2/web:/var/www/clients/client2/web2/tmp:/usr/share/php5


    </VirtualHost>



    #<IfModule mod_ssl.c>
    ###########################################################
    # SSL Vhost
    ###########################################################

    <IfModule mod_gnutls.c>
    ###########################################################
    # GNUTLS SSL Vhost
    ###########################################################


    <VirtualHost 192.168.2.4:443>
    DocumentRoot /var/www/thecraftykitten.co.uk/web

    ServerName thecraftykitten.co.uk
    ServerAlias www.thecraftykitten.co.uk
    ServerAdmin webmaster@thecraftykitten.co.uk

    ErrorLog /var/log/ispconfig/httpd/thecraftykitten.co.uk/error.log

    ErrorDocument 400 /error/400.html
    ErrorDocument 401 /error/401.html
    ErrorDocument 403 /error/403.html
    ErrorDocument 404 /error/404.html
    ErrorDocument 405 /error/405.html
    ErrorDocument 500 /error/500.html
    ErrorDocument 503 /error/503.html

    # SSLEngine on
    # SSLCertificateFile /var/www/clients/client2/web2/ssl/thecraftykitten.co.uk.crt
    # SSLCertificateKeyFile /var/www/clients/client2/web2/ssl/thecraftykitten.co.uk.key
    #
    GnuTLSEnable on
    GnuTLSPriorities NORMAL
    GnuTLSCertificateFile /var/www/clients/client2/web2/ssl/thecraftykitten.co.uk.crt
    GnuTLSKeyFile /var/www/clients/client2/web2/ssl/thecraftykitten.co.uk.key

    <Directory /var/www/thecraftykitten.co.uk/web>
    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all

    # ssi enabled
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
    Options +Includes
    </Directory>
    <Directory /var/www/clients/client2/web2/web>
    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all

    # ssi enabled
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
    Options +Includes
    </Directory>

    # cgi enabled
    <Directory /var/www/clients/client2/web2/cgi-bin>
    Order allow,deny
    Allow from all
    </Directory>
    ScriptAlias /cgi-bin/ /var/www/clients/client2/web2/cgi-bin/
    AddHandler cgi-script .cgi
    AddHandler cgi-script .pl
    # ssi enabled
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
    # suexec enabled
    SuexecUserGroup web2 client2
    # mod_php enabled
    AddType application/x-httpd-php .php .php3 .php4 .php5
    php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -fwebmaster@thecraftykitten.co.uk"
    php_admin_value upload_tmp_dir /var/www/clients/client2/web2/tmp
    php_admin_value session.save_path /var/www/clients/client2/web2/tmp
    php_admin_value open_basedir /var/www/clients/client2/web2/web:/var/www/clients/client2/web2/tmp:/usr/share/php5:/tmp


    </VirtualHost>
    </IfModule>
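    A check for the "all sites present the same certificate" problem in this post and for the multi-commonName certificate tio289 describes above, added here as an editor's example (not code from the thread or from ISPConfig): fetch_cert() connects with SNI set to a site name and returns the certificate Apache actually chose for it, and cert_covers() tells whether the names in that certificate (every subject commonName plus any subjectAltName DNS entry) cover the site. SAMPLE_CERT is constructed for the offline demonstration; the cafile argument is whatever signed your site certificates (the .crt itself for a self-signed one).

```python
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns, modelling
# the multi-commonName certificate built from the openssl.cnf entries above.
SAMPLE_CERT = {
    "subject": (
        (("commonName", "*.domainA.com"),),
        (("commonName", "*.domainB.com"),),
        (("commonName", "shop.domainC.com"),),
        (("commonName", "My Secure Internet Services"),),
    ),
    "subjectAltName": (("DNS", "domainA.com"),),
}

def cert_names(cert):
    """Every DNS name the cert claims: all subject commonNames plus SAN DNS entries."""
    names = [v.lower() for rdn in cert.get("subject", ())
             for k, v in rdn if k == "commonName"]
    names += [v.lower() for kind, v in cert.get("subjectAltName", ())
              if kind == "DNS"]
    return names

def name_matches(pattern, host):
    """RFC 6125-style comparison: '*' stands for exactly one leftmost label, so
    *.domainA.com covers www.domainA.com but not domainA.com or a.b.domainA.com."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        p, h = pattern.split("."), host.split(".")
        return len(p) == len(h) and p[1:] == h[1:]
    return pattern == host

def cert_covers(cert, host):
    """True if any name in the presented certificate covers this site name."""
    return any(name_matches(n, host) for n in cert_names(cert))

def fetch_cert(host, cafile, server_name=None, port=443):
    """Handshake with SNI set to server_name (default: host) and return the parsed
    certificate the server chose. The chain is verified against cafile (otherwise
    getpeercert() is empty); hostname checking is left to cert_covers()."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    # Live use: fetch_cert("192.168.2.4", "/path/to/ca.crt", "thecraftykitten.co.uk")
    for site in ("www.domainA.com", "domainB.com", "shop.domainC.com"):
        print(site, "covered" if cert_covers(SAMPLE_CERT, site) else "NOT covered")
```

    Run fetch_cert() once per vhost name against the server IP; if every call returns the same certificate and cert_covers() is false for most names, the server is not selecting a per-site certificate from SNI.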
     
  13. tio289

    tio289 Member

    You must specify more closely the problem. Post error log etc...
     
  14. johnboy4809

    johnboy4809 New Member

    The problem I'm having is that all hosted sites still try to use the same certificate. I will have a look at the error logs, but I'm not sure which one deals with the certificates.
     
  15. tio289

    tio289 Member

    Yes, I had this problem too. I solved it by using one cert for all sites; I wrote about this in previous posts.
     
  16. johnboy4809

    johnboy4809 New Member

    I tried your method too, about adding the domains to the openssl conf file, but this did not work either.
     
  17. tio289

    tio289 Member

    And after adding the domains to openssl.cnf you must recreate the certificate... (create a new key and CSR for signing).
     
  18. johnboy4809

    johnboy4809 New Member

    Yep, I did that and had the certificate signed by CAcert.
     
  19. johnboy4809

    johnboy4809 New Member

    Did you disable GnuTLS and reactivate SSL in order to get this method to work?
     
  20. tio289

    tio289 Member

    If you deactivate GnuTLS and activate SSL, then you can use only one virtual SSL based host per IP.
     
