Issues securing Webmail with SSL Certificate

Discussion in 'Installation/Configuration' started by Robeast, Jan 25, 2008.

  1. Robeast

    Robeast New Member

    My webmail client (SquirrelMail) is working perfectly, but I would like to run it over https. The URL for the webmail client is webmail.domain.com. I had an SSL certificate built by a Certificate Authority (GoDaddy) for this URL. In ISPConfig, I enabled SSL for this site. I also copied the certificate into the SSL Certificate box and saved the certificate. I opened port 443 on my firewall. But when I go to the website httpS://webmail.domain.com, the browser hits me with a pop-up saying, "webmail.domain.com has sent an incorrect or unexpected message."

    I did a little research and I found I have to copy the certificate, intermediate certificate and key file onto the server and edit the ssl.conf file to point the SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile variables to the correct path. I looked in the /root/ispconfig/httpd/conf directory and didn't find an ssl.conf file. I did a search for ssl.conf and found two (/etc/apache2/mods-available/ssl.conf, /etc/apache2/mods-enabled/ssl.conf). In both of these files there are no sections for any of these variables. Should I create an ssl.conf and put it in /root/ispconfig/httpd/conf, or edit one or both of the existing ssl.conf files? Or is there a way this can be handled through the ISPConfig control panel? Thanks in advance for any help.
     
  2. Hans

    Hans Moderator Moderator HowtoForge Supporter ISPConfig Developer

  3. Robeast

    Robeast New Member

    Thanks but I did that as described. That is how it is currently set up. I took a look at this post.

    http://www.howtoforge.com/forums/showthread.php?t=16183&page=3

    I took a look at my vhosts_ispconfig.conf file and noticed I don't have a NameVirtualHost XXX.XXX.XXX.XXX:443 or VirtualHost XXX.XXX.XXX.XXX:443 even though I have the SSL box checked in the ISP Site Control Panel. I have restarted the web-server service since I checked this box. I tried to edit this file and add the appropriate information, but when I restart the service the changes are erased.

    Thanks again for any help.
     
  4. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Is mod_ssl enabled? Please run
    Code:
    a2enmod ssl
    and restart Apache.
    Are there any errors in Apache's error log? What's the output of
    Code:
    ls -la /etc/apache2/vhosts
    ?
     
  5. Robeast

    Robeast New Member

    Thanks for the reply. When I ran the "a2enmod ssl" it replied back with "This module is already enable!". Here is what the "ls -la /etc/apache2/vhosts" output looks like:

    user@server:~$ sudo ls -la /etc/apache2/vhosts
    total 20
    drwxr-xr-x 2 root root 4096 2008-01-28 09:13 .
    drwxr-xr-x 8 root root 4096 2008-01-08 11:02 ..
    -rw-r--r-- 1 root root 2559 2008-01-29 15:22 Vhosts_ispconfig.conf
    -rw-r--r-- 1 root root 2559 2008-01-29 15:22 Vhosts_ispconfig.conf~
    -rw-r--r-- 1 root root 2559 2008-01-28 09:13 Vhosts_ispconfig.conf.backup

    Thanks again for the help.
     
  6. daveb

    daveb Member

    You could just upload the SSLCertificateChainFile gd_intermediate_bundle.cer from godaddy to your ssl folder.


    Then add this to your apache directives within ispconfig control panel for site.
    Code:
    SSLCertificateChainFile /var/www/web?/ssl/gd_intermediate_bundle.cer
    You might have to restart apache afterwards.
     
  7. Robeast

    Robeast New Member

    Thanks for the reply. I copied the gd_intermediate_bundle.crt file into the /var/www/webXX/ssl directory. I then copied the other cert into the SSL Certificate textbox and selected the save certificate. I then added the "SSLCertificateChainFile /var/www/webXX/ssl/gd_intermediate_bundle.crt" line to the Apache Directives (Optional) textbox. I saved these settings and restarted the web-server and I still get the same error when I go to the https site.

    Thanks again.
     
  8. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    What are the outputs of
    Code:
    netstat -tap
    and
    Code:
    httpd -t
    ? What's in your Vhosts_ispconfig.conf?
     
  9. Robeast

    Robeast New Member

    Thanks for the reply. When I enter in the command "netstat -tap" here is the output I get:

    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 *:mysql *:* LISTEN 4807/mysqld
    tcp 0 0 *:www *:* LISTEN 5263/apache2
    tcp 0 0 *:81 *:* LISTEN 5219/ispconfig_http
    tcp 0 0 *:ftp *:* LISTEN 9161/proftpd: (acce
    tcp 0 0 server.domain.:domain *:* LISTEN 5408/named
    tcp 0 0 localhost.locald:domain *:* LISTEN 5408/named
    tcp 0 0 *:smtp *:* LISTEN 9213/master
    tcp 0 0 localhost.localdoma:953 *:* LISTEN 5408/named
    tcp 0 0 *:https *:* LISTEN 5263/apache2
    tcp6 0 0 *:imaps *:* LISTEN 4920/couriertcpd
    tcp6 0 0 *:pop3s *:* LISTEN 4956/couriertcpd
    tcp6 0 0 *:pop3 *:* LISTEN 4933/couriertcpd
    tcp6 0 0 *:imap2 *:* LISTEN 4900/couriertcpd
    tcp6 0 0 *:domain *:* LISTEN 5408/named
    tcp6 0 0 *:ssh *:* LISTEN 4713/sshd
    tcp6 0 0 *:smtp *:* LISTEN 9213/master
    tcp6 0 0 ip6-localhost:953 *:* LISTEN 5408/named
    tcp6 0 2160 server.domain.com:ssh ::ffff:192.168.25:54729 ESTABLISHED21652/sshd: User

    Here is the output for the "httpd -t" command:

    Syntax OK

    Here is my Vhosts_ispconfig.conf file:

    ###################################
    #
    # ISPConfig vHost Configuration File
    # Version 1.0
    #
    ###################################
    #
    NameVirtualHost XXX.XXX.XXX.XXX:80
    <VirtualHost XXX.XXX.XXX.XXX:80>
    ServerName localhost
    ServerAdmin root@localhost
    DocumentRoot /var/www/sharedip
    </VirtualHost>

    #
    #
    #
    ######################################
    # Vhost: webmail.domain.com:80
    ######################################
    #
    #
    <VirtualHost XXX.XXX.XXX.XXX:80>
    SSLCertificateChainFile /var/www/web15/ssl/gd_intermediate_bundle.crt
    ServerName webmail.domain.com:80
    ServerAdmin webmaster@domain.com
    DocumentRoot /var/www/webXX/web
    DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3 index.shtml index.cgi index.pl index.jsp Defa$
    ErrorLog /var/www/webXX/log/error.log
    AddType application/x-httpd-php .php .php3 .php4 .php5
    <Files *.php>
    SetOutputFilter PHP
    SetInputFilter PHP
    </Files>
    <Files *.php3>
    SetOutputFilter PHP
    SetInputFilter PHP
    </Files>
    <Files *.php4>
    SetOutputFilter PHP
    SetInputFilter PHP
    </Files>
    <Files *.php5>
    SetOutputFilter PHP
    SetInputFilter PHP
    </Files>
    php_admin_flag safe_mode Off
    Alias /error/ "/var/www/webXX/web/error/"
    ErrorDocument 400 /error/invalidSyntax.html
    ErrorDocument 401 /error/authorizationRequired.html
    ErrorDocument 403 /error/forbidden.html
    ErrorDocument 404 /error/fileNotFound.html
    ErrorDocument 405 /error/methodNotAllowed.html
    ErrorDocument 500 /error/internalServerError.html
    ErrorDocument 503 /error/overloaded.html
    AliasMatch ^/~([^/]+)(/(.*))? /var/www/webXX/user/$1/web/$3
    AliasMatch ^/users/([^/]+)(/(.*))? /var/www/webXX/user/$1/web/$3
    </VirtualHost>
    #
    #
    #


    That's all that is in my Vhosts_ispconfig.conf file; there is nothing in there for 443. This is with adding the "SSLCertificateChainFile /var/www/webXX/ssl/gd_intermediate_bundle.crt" line to the Apache Directives (Optional) textbox in the ISPConfig control panel. Also, shouldn't there be commands "SSLEngine on
    SSLCertificateFile /var/www/webXX/ssl/www.yourdomain.com.crt
    SSLCertificateKeyFile /var/www/webXX/ssl/www.yourdomain.com.key" in there as well? Thanks again for all the help.
     
  10. daveb

    daveb Member

    just a thought,
    did you create the ssl csr or self signed crt for the site using the ispconfig control panel before you had godaddy sign the csr?
    if not, you might need to create the ssl crt using the control panel so that it adds the proper lines to the Vhosts_ispconfig.conf, then replace the crt and key within the ssl dir with what godaddy built for you.
     
  11. Robeast

    Robeast New Member

    Thanks, that worked like a charm! I created a self-signed cert and it did add the virtual host :443 and the appropriate lines. I then placed the godaddy signed cert in the SSL Certificate textbox and selected save certificate.

    Thanks to everyone who helped out.
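
An added check, not part of the original thread and not ISPConfig's own code, for the condition this thread turned on: Apache listens on 443, but the generated vhost file has no :443 VirtualHost with SSLEngine on, so the chain directive ends up in the :80 vhost and the port answers without TLS. The two sample configs, the 192.0.2.10 address and the certificate file names are constructed placeholders.

```bash
# Added example: audit an Apache vhost file on stdin; exit status 1 if any FAIL is found.
audit_vhosts() {
  awk '
    { d = tolower($1) }     # directive names are case-insensitive
    d == "<virtualhost" {   # e.g. <VirtualHost 192.0.2.10:443>
      port = match($0, /:[0-9]+[ \t]*>/) ? substr($0, RSTART + 1, RLENGTH - 1) + 0 : 0
      invh = 1; name = "(unnamed)"; engine = cert = ssl = 0; next
    }
    !invh { next }
    d == "servername" { name = $2 }
    d ~ /^ssl/ { ssl = 1 }
    d == "sslengine" && tolower($2) == "on" { engine = 1 }
    d == "sslcertificatefile" { cert = 1 }
    d == "</virtualhost>" {
      invh = 0; if (port == 443) seen = 1
      if (port != 443 && ssl && !engine) print "WARN " name ": SSL directive in a vhost without SSLEngine on"
      if (port == 443 && !engine) { print "FAIL " name ": :443 vhost without SSLEngine on"; bad = 1 }
      if (port == 443 && !cert) { print "FAIL " name ": :443 vhost without SSLCertificateFile"; bad = 1 }
    }
    END {
      if (!seen) { print "FAIL no <VirtualHost ...:443> block in this file"; bad = 1 }
      exit bad + 0
    }'
}

# Constructed sample modelled on the file posted above (placeholder address).
sample_broken() {
  cat <<'EOF'
<VirtualHost 192.0.2.10:80>
SSLCertificateChainFile /var/www/webXX/ssl/gd_intermediate_bundle.crt
ServerName webmail.domain.com:80
</VirtualHost>
EOF
}

# Constructed sample: the same site with a :443 vhost (file names are placeholders).
sample_fixed() {
  cat <<'EOF'
<VirtualHost 192.0.2.10:443>
ServerName webmail.domain.com:443
SSLEngine on
SSLCertificateFile /var/www/webXX/ssl/webmail.domain.com.crt
SSLCertificateKeyFile /var/www/webXX/ssl/webmail.domain.com.key
SSLCertificateChainFile /var/www/webXX/ssl/gd_intermediate_bundle.crt
</VirtualHost>
EOF
}
sample_broken | audit_vhosts || true
sample_fixed | audit_vhosts && echo "OK: :443 vhost has SSLEngine on and a certificate"
```

To check the real file, run `audit_vhosts < /etc/apache2/vhosts/Vhosts_ispconfig.conf`.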
     
