New SSL Cert

Discussion in 'Installation/Configuration' started by PoleCat, Jul 1, 2007.

  1. PoleCat

    PoleCat New Member

    I have a client that bought a new SSL CERT for his site. I have tried to install it for him, but for some weird reason its not accepting. I can paste the cert in under the SSL tab, I select SAVE cert and click SAVE. But then the old cert is still active for the site. I tried to delete the cert and then HTTPS wont work. Then just dumping in the new CERT, but still doesnt work.

    How the heck do i get rid of the self signed freekin cert and replace it with the real thing in ISPC?
     
  2. PoleCat

    PoleCat New Member

    OK, this is a bug then.

    I found the problem. It seems like ISPC _does_ save the file into the new www.sitename.com.crt file under /ssl/, though it does not restart apache.

    I manually had to HUP apache and it refreshed it's certificates and loaded the new cert, then it worked fine.

    I am running ISPC 2.2.12

    Or is this fixed in the new version?
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Creating a SSL cert works for me in 2.2.14 and the code has not changed since 2.2.12, so I guess its a problem on your server and not a bug. Please check your ispconfig.log file for errors.
     
  4. PoleCat

    PoleCat New Member

    Heya,

    Creating a self signed is no problem. That restarts apache and installs the cert. Though after you have a self signed certificate and you bought a proper ssl cert, then paste in your bought ssl certificate then hit the "save certificate" tab, and click save, then it does save the new cert in the file, though it does not restart apache.
     
  5. falko

    falko Super Moderator ISPConfig Developer

    Which distribution do you use?
    Any errors in Apache's error log?
     
  6. the_spy

    the_spy New Member

    I also confirm that when I installed a real ssl certificate for a website, I needed to reboot myself apache to have the right SSL certificate online
    It was on 2.2.12 or 2.2.13 when I installed it, on Debian etch + Apache 2
     
  7. PoleCat

    PoleCat New Member

    Debian 3.1 AMD64
    Nope, no errors.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    We will check this, I added this to the bugtracker.
     
  9. PoleCat

    PoleCat New Member

    Cool,

    Can I request a feature while we're on this topic.

    The certificate was from godaddy, and it worked fine with IE7 and Safari. It however gave CA errors on IE6 and all versions of Firefox.

    I ended up installing the intermediate CA certificate, which I had to manually upload and add a directive for apache under ISPC to load the CA.

    Is it possible to have another option under the SSL tab to insert a intermediate certificate for this purpose. I see quite a few people on the forum has had this problem before, enabling the option under the SSL tab for a intermediate certificate will simplify administrating other virtual sites as well.

    Cheers. ;)
     
  10. Ben

    Ben ISPConfig Developer ISPConfig Developer

    Well I use 2.2.14 and just got an ssl cerit.
    Unfortunately i did not create the csr with ispconfig but I think that should not be a problem?
    Anyway I went to the web to ssl, pastet the code of both, the csr and the cert to the page and hit save.
    The ispconfig.log show no error, but also nothing about restarting any serice,
    e.g. it's rehashing the postfix virtusertable but not restarting it, it's copying the apache conf but not restarting apache. or isn't this shown anymore in the logs?

    besides this neither apache2 ist listenning on port 443 nor the Vhosts_ispconfig.conf contains anything about ssl.
    Did I forget to enable anything else?
    In the ssl folder of the web's dir, there is only the file <hostname>.crt but I guess that's fine?

    Edit: After some tests I found, that there's sometime the warning of not beeing able to write the crt file, e.g. i deleted the crt, then pasted only the crt code and clicked on save cert... then the follwing warning appears:

    Even if it created the file...
     
    Last edited: Jul 3, 2007
  11. PoleCat

    PoleCat New Member

    Yeah thats a major problem.
    You have to use the vhost's server KEY to generate the proper cert request. Only the proper Certificate will talk properly to the KEY cert it was created with.

    You will have to ask your certificate provider to RE-KEY your cert with the correct Cert request.

    Unless, you have the key that you generated the certificate from, and you can replace it with the vhost's key.
     
  12. Ben

    Ben ISPConfig Developer ISPConfig Developer

    Ok then... just filled out the fields in the ispconfig's form and clicked to generate certificate....
    while the csr is going to my CA, I would expect the apache to listen to https anyway, cause there is already a selfsigned certificate. But it does not. Also if I click to save cert after creating it.
    Y?
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Rekeying is not nescessary. Just create a new self signed cert in ISPConfig and then replace the cert, csr and key in the files which are in the ssl directory of the website with your existing cert. Afterwards replace the cert and csr in the ISPConfig interface with your existing cert too.
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    It may take up to a few minutes until the self signed cert is generated. If the cert does not get generated, have a look at the ispconfig.log for errors.
     
  15. Ben

    Ben ISPConfig Developer ISPConfig Developer

    Hmm to early ;) Anyway thx. But what should I have done with the key.org?
    Cause if I compare the way ispconfig is generating the csr and I did is quite different, I did it with: openssl req -new -nodes -keyout dateiname.key -out dateiname.csr

    Regarding the not listening to 443, beside that I had mod-ssl not in the apache2's mods-enabled folder but even this did not help, fater a restart (without errors) there was no change.
    Here's the output of ispconfig.log
     
    Last edited: Jul 4, 2007
  16. Ben

    Ben ISPConfig Developer ISPConfig Developer

    Ok it works now....

    In the ports.conf the line
    "Listen 443" was msising in the ports.conf file.

    Replacing the keys etc. worked fine as well. Big thx.
     

Share This Page