ISPConfig & RapidSSL

Discussion in 'Tips/Tricks/Mods' started by kextra1, Mar 28, 2009.

  1. kextra1

    kextra1 ISPConfig Developer

    I just bought a new RapidSSL Certificate,

    I have to enter the CSR....which i'm assuming comes from /root/ispconfig/httpd/conf/ssl.crt/ssl.crt

    please correct me if I'm wrong,

    Then I enter the name and all that.

    Last time I tried to submit it gave me the error CSR parse failure.

    Possibly I have the wrong contact information entered on the SSL providers site....any suggestions? Should I regenerate the certificate?

    I want this to be my main ispconfig cert...the one that's used to access https://www.domain.com:81 ispconfig panel.

    Also, there is a field where it asks u what type of cert....

    It gives u the options Apache + OpenSSL

    however it also gives the option for Apache2......i figured im using apache2...but im also using openssl with the ispconfig install right?...so i chose apache + openssl for the crt type....is that right?....also...should i put the server.crt or the ca.crt in there?

    Thanks...im not to educated on ssl.....

    So i want this ssl cert to be the one for https://www.domain.com:81 and https://www.domain.com:81/roundcubemail etc... everything https....does the /etc/postfix/ssl cert have nothing to do with this?


    Thanks,

    kextra1
     
    Last edited: Mar 28, 2009
  2. falko

    falko Super Moderator

    Did you specify the correct details when you created the certificate?

    If this is for the ISPconfig control panel on port 81, it's Apache + SSL.

    No, the Postfix certificate has nothing to do with it.
     
  3. kextra1

    kextra1 ISPConfig Developer

    Help on the extra fields please

    Okay,

    Well I bought it as Apache + apacheSSL...but they give directions for that...and apache mod ssl to....i have 7 days to cancel and rechange it....

    Also when i bought the ssl cert they sent me confirmation saying i bought a cert for:

    https://myssldomain.com

    That's right isnt it? ...that should cover the port 81 too? hehe, im an ssl dummie

    Only thing I do with SSL is clear the slate everyday in every browser.... heh..

    Also, I installed ispconfig under the .org site, and want the cert for a .net, i only have ssl checked on the dot net

    On the SSL tab do i include BEGIN SSL CERT, and -----BEGIN SSL CERT REQUEST--- stuff before hand on the ISPConfig SSL tab?

    Thanks
     
  4. falko

    falko Super Moderator

    Yes.

    Yes, you must include that line.
     
  5. kextra1

    kextra1 ISPConfig Developer

    SSL handshake errors in error_log

    I was just doing some ISPConfig modifications with my cousin earlier and happened to look at the error_log for ispconfig and noticed some SSL errors.

    Like for example one was from googlebot [client 66.249.73.52] is googlebot btw..

    [Sat Apr 4 05:40:28 2009] [error] [client 66.249.73.52] File does not exist: /home/admispconfig/ispconfig/web/robots.txt [Mon Apr 6 03:00:07 2009] [error] mod_ssl: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)

    Then later I keep getting handshake errors like:

    [Mon Apr 6 16:15:42 2009] [error] mod_ssl: SSL handshake failed (server www.kextra1domain.org:81, client 192.168.1.1) (OpenSSL library error follows) [Mon Apr 6 16:15:42 2009] [error] OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in certificate not server name or identical to CA!?] [Mon Apr 6 16:19:57 2009] [notice] caught SIGTERM, shutting down [Mon Apr 6 16:21:29 2009] [notice] Apache configured -- resuming normal operations [Mon Apr 6 16:21:29 2009] [notice] Accept mutex: sysvsem (Default: sysvsem) [Mon Apr 6 18:00:55 2009] [error] mod_ssl: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows) [Mon Apr 6 18:00:55 2009] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?] [Mon Apr 6 20:21:16 2009] [error] [client 66.249.73.52] File does not exist: /home/admispconfig/ispconfig/web/robots.txt [Mon Apr 6 23:12:47 2009] [error] [client 66.249.73.52] File does not exist: /home/admispconfig/ispconfig/web/robots.txt [Wed Apr 8 19:50:09 2009] [error] mod_ssl: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows) [Wed Apr 8 19:50:09 2009] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS

    I only have one IP address so I made sure SSL was disabled or not checked in any of the ISPConfig webs.

    The only SSL Cert I want to be valid is the port 81 stuff like the admin panel.

    Also, i have a router in front of the machine which is 192.168.1.1 ....maybe i have to confrigure the router because it shows that address as the client?

    And where it says CN does not match CA, I'm guessing that means when i installed ispconfig server1.domain.com doesnt match the cert www.domain.com right? Can I adjust those settings without hurting ISPConfig?


    Thanks guys,

    kextra1
     
    Last edited: Apr 11, 2009
  6. falko

    falko Super Moderator

    It seems as if you used http instrad of https to access ISPConfig.
     
  7. khayjake

    khayjake New Member

    Log Dates

    Hey k,

    Those logs are from the days when your server was messed up from the upgrade downgrade thing. I did the same thing and have similar logs.

    Probably still getting handshake errors?

    I bought a 2nd new cert but am waiting for a new ip im getting here soon...
     
  8. kextra1

    kextra1 ISPConfig Developer

    RapidSSL with ISPConfig Panel

    I've got the new IP khayjake, and i got the other old one refunded and am configuring this new one.

    Falko,

    Here are my choices.

    Apache2
    Apache+ApacheSSL
    Apache+OpenSSL
    Apache+MOD SSL
    Apache+Raven
    Apache+SSLeay

    Which should I choose? I cant change it once it's submitted.

    I thought if I was using it for the admin panel at https://myispconfigserver.com:81 i would use "Apache2" for ispconfig. If I am incorrect please let me know as soon as possible.

    From what I've read the Apache+MOD SSL would be used if I was to want the certificate on a site that has the "SSL" box checked through the ISPConfig panel...but I want it for the https://www.myispconfigserver.com:81 panel and mail and whatnot.

    I simply dont know if i should choose Apache2, Apache+OpenSSL or Apache+ApacheSSL for it to work properly once issued.

    Thanks for your help
     
  9. falko

    falko Super Moderator

    If you need the certificate for the ISPConfig control panel, you must choose Apache+MOD SSL (because ISPConfig 2 comes with its own Apache, version 1.3.x + mod_ssl).

    If you need the certificate for one of your web sites, it's probably Apache2 (because all modern distros come with Apache2).
     
  10. kextra1

    kextra1 ISPConfig Developer

    yeah

    yeah that had me confused, they had apache2+mod_ssl, apache2+openssl, hehe...but it was really just needing "apache2"

    Plus they require the intermediate.crt and all sorts of stuff that was pretty easy to find on google thanks to you guys.

    I posted a detailed tut of my notes all consolidated here:

    http://howtoforge.com/forums/showthread.php?p=258943#post258943

    Hope it helps somebody

    Thanks for your help
     
  11. Umair

    Umair New Member

    It seems as if you used http instrad of https to access ISPConfig.:p:cool::)
     

Share This Page