ISPConfig 3 secured with StartSSL, what about main domain?

Discussion in 'Installation/Configuration' started by deltaxfx, May 29, 2012.

  1. deltaxfx

    deltaxfx New Member

    Hello,

    I have what is probably an easy question, but I have read through a bunch of tutorials and even purchased the manual and haven't seen an answer. I followed the Securing Your ISPConfig 3 Installation With A Free Class1 SSL Certificate From StartSSL and it worked awesome, just like the rest of your tutorials. But my question is, since that SSL certificate is for mydomain.com, I would be able to use that on my actual website as well, right?

    Here is what I think I would do, please let me know if this is correct,
    • in the panel, go to Sites
    • select mydomain.com (my ISPConfig server and all services are running on myserver.mydomain.com and the StartSSL cert is level 1 for mydomain.com and myserver.mydomain.com)
    • tick the SSL box
    • assign it the same IP as the server itself (1.1.1.1:8080 is ISPConfig, so 1.1.1.1 for this site?)
    • finally, copy/paste what I received from StartSSL into the appropriate boxes on the SSL tab

    Thanks for any help, and if there is a tutorial that describes doing this please just point me there!
     
  2. till

    till Super Moderator

    That's described in the manual, see chapter:

    5.4.1 How Do I Import An Existing SSL Certificate Into A Web Site
    That Was Created Later In ISPConfig?
     
  3. deltaxfx

    deltaxfx New Member

    Thank you. I did read that part, that's where I got the info for copying/pasting the cert into the panel. I suppose my question should have been more direct: is it correct to use the same IP for my ISPConfig panel and my website with the same name, mydomain.com (because SSL requires a unique IP)?
     
  4. till

    till Super Moderator

    As long as you did not use port 443 for the ispconfig login (the default port for the ispconfig login is port 8080), then you can use the same IP address for the website.
     
  5. deltaxfx

    deltaxfx New Member

    I messed something up.
    I followed the instructions in section 5.4.1. I set the IP for example.com to be the same as the ISPConfig IP (ISPConfig is using the default 8080), ticked the SSL box, and created a certificate as directed (5.4.1 directs you to 5.4 to make the self-signed certificate to get started).
    ls -l /var/www/example.com/ssl showed .crt, .csr, .key, and .key.org files, I went to the HTTPS version of the site and got the Firefox error as expected, and viewed the certificate and it had the current date on it so I knew it was the one I just made.
    I copied the crt, csr, and key from /usr/local/ispconfig/interface/ssl to /var/www/example.com/ssl and renamed them to match the files that were created earlier. Pasted the .csr and .crt contents into the appropriate boxes on the SSL tab of ISPConfig, and reloaded the webpage, but there was no change. So I restarted apache, and now I just get connection timed out errors when trying to access example.com either http or https. Also, I can't get to my ISPConfig panel anymore either, not even by accessing it via IP address.
    Apache appears to be running though:
    18664 pts/0 R+ 0:00 grep /usr/sbin/httpd

    Any ideas before I do a clean wipe and start over?

    Thanks again!
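
An added example, not part of the thread or of ISPConfig: a check that a certificate and private key copied between directories, as in the post above, actually belong together, which is worth running before Apache is restarted because mod_ssl will not start with a mismatched pair. It assumes the `openssl` command-line tool is installed; the script name and the file paths passed to it are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a certificate and a private
# key belong together before an Apache vhost is pointed at them.
# Return codes: 0 = match, 1 = mismatch, 2 = a file could not be parsed.

# Print the public key (PEM SubjectPublicKeyInfo) carried by a certificate.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Print the public half of a private key. "-passin pass:" supplies an empty
# passphrase, so a passphrase-protected key fails at once instead of prompting.
key_pubkey() { openssl pkey -in "$1" -pubout -passin pass: 2>/dev/null; }

check_pair() {
    crt=$1
    key=$2
    cert_pub=$(cert_pubkey "$crt") || { echo "unreadable certificate: $crt"; return 2; }
    key_pub=$(key_pubkey "$key") || { echo "unreadable or encrypted key: $key"; return 2; }
    if [ -z "$cert_pub" ] || [ -z "$key_pub" ]; then
        echo "no public key extracted from $crt or $key"
        return 2
    fi
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "MISMATCH: $crt was not issued for $key"
        return 1
    fi
    # A matching but expired certificate still loads; report it as a warning.
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo "warning: $crt has expired"
    fi
    echo "OK: $crt matches $key"
    return 0
}

# Usage (placeholder names): sh check_pair.sh site.crt site.key
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
    exit $?
fi
```

Run it against the files in the site's ssl directory after copying them and before restarting the web server; a return code of 2 on the key usually means the passphrase-protected copy was used.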
     
  6. till

    till Super Moderator

    There is no need to reinstall, just disable the vhost where you created the ssl cert by deleting the link with the domain name in /etc/apache2/sites-enabled/ and then restart apache.
     
  7. deltaxfx

    deltaxfx New Member

    Deleted the link the SSL cert was set up on, but no dice. Could it be an issue with setting the IP address for that site? Setting it the same as for ISPConfig?
     
  8. till

    till Super Moderator

    Then you must have changed something else in apache as deleting the link removes the whole site from the apache configuration.

    No, as ISPConfig runs on a different port.
     
  9. deltaxfx

    deltaxfx New Member

    Ok, well, I reloaded everything and got back to a base install of ISPConfig, and set up my first site on it. I am running my own nameserver as well, set up with the howto on this site.

    Right now I have self-signed certificates working just fine for the control panel (mydomain.com:8080) and mydomain.com.

    Back to the nameserver thing and one site per IP for SSL, in my DNS zone for mydomain.com I have A records for 'mail' and 'www' with the same IP as the record for 'mydomain.com.' (ns1 and ns2 are a different IP). Should I change mail and www to another IP?
     
  10. deltaxfx

    deltaxfx New Member

    Does anyone have an answer for this? What records in a zone should have the static IP that is being used for an SSL site?
     
  11. falko

    falko Super Moderator

    That's totally up to you. Normally these would be the domain itself and www. If you are unsure, create a wildcard DNS record:

    Code:
    * A 1.2.3.4
    (Replace 1.2.3.4 with your own IP.)
     
