need some help with SNI and startssl

Discussion in 'Installation/Configuration' started by Ovidiu, Feb 24, 2013.

  1. Ovidiu

    Ovidiu Active Member

    Hi there,

    I'm running ISPCFG 3.0.5RC2 and am having some trouble understanding SNI:

    Under System => Server Config => server => Web => SSL Settings I have checked the boy next to "Enable SNI" but what exactly goes into: "CA Path" and "CA passphrase"?

    Now if I am going to configure a vhost with SSL via Sites => select vhost => check "SSL" then go to the SSL tab and fill in the fields I am struggling finding out what to put into "SSL Bundle"

    I have signed up with startssl.com and can generate certificates there so I have all the info but not sure where/what to fill in. Yes I have found the howto that deals with startssl.com but it doesn't help so please don't just point me there.

    Is this scenario I have in mind doable:
    - check SNI, then create a class2 certificate via startssl for each vhost that needs it, class2 because I'll generate a certificate that is valid for *.domain.tld

    Yes, I know SNI is not fully supported everywhere but where I rent my root server from I can only get 2 IPs.

    ###additional question###
    Lets assume the above scenario works, what/which SSL certificate do I then use for securing emails and FTP? Can I additionally create a wildcard/multi-domain certificate from startssl that covers all hosted domains so it can be shared for this purpose?
     
  2. falko

    falko Super Moderator ISPConfig Developer

    The fields are all described in the manual.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    These fields are not related to sni. They are for companys that run their own ssl CA.
     
  4. Ovidiu

    Ovidiu Active Member

    Awesome guys, I only bought the manual for ISPCFG 3.0.3 and was experimenting with 3.0.5RC1/RC2 but now that the final version is out I saw the manual is available too so I'll go buy that.

    So apart from those fields, would you mind having a look at the other questions in this thread please?
     
  5. falko

    falko Super Moderator ISPConfig Developer

    The CA (StartSSL, Comodo, GeoTrust, etc.) doesn't matter.
    If you want to use a multi-domain (SAN) certificate, make sure to use the same key for all those websites.
     
  6. midcarolina

    midcarolina New Member

    SNI Disabled

    The best method to avoid this SSL error is to disable the SNI feature completely. Prior to the SNI option set in ISPConfig, I ran my servers as such:

    WAN IP for main DNS (Public static), then

    LAN IP I only use one: e.g 192.168.11.XX

    I have 5 shared boxes running this set-up (no extra LAN ips) and all browsers resolve them just fine without this feature.

    Some may or may not know - Android OS, iOS, Blackberry, etc. smartphones, tablets and such tend to give SSL's a harder time.

    I haven't had a single issue as long as I validated them with a CA Authority.

    Best solution as of today - $5.99 Godaddy cert. Works fine running:

    Static WAN IP >> LAN IP (in ISPConfig) without SNI. One box has perhaps 15 or so SSLs on the exact same LAN IP (192.168.11.XX) with no issues in browsers or tablets, smartphones, mobile web, mobile apps, etc....

    Best...

    P.S. This is using Apache 2.2, not nginx (have no knowledge of nginx), so please restart apache server after reconfiguration.
     
    Last edited: Mar 31, 2013
  7. mbsouth

    mbsouth New Member

    @midcarolina

    Hi, it sounds interesting!
    I doesn´t use ISPConfig, therfore I don´t exactly know how your vhost config (e.g. shared box) file looks like.
    Is it possible to post a vhost config?


    mbsouth
     

Share This Page