Problem installing SSL for WebSite

Discussion in 'Installation/Configuration' started by jtheed, Aug 8, 2007.

  1. jtheed

    jtheed Member HowtoForge Supporter

    I needed to get an actual SSL Cert for one of the 3 websites I am running under ISPCONFIG. I put in the information and chose create certificate and saved. Then I copied the SSL Request and put it into my application for a key. Got the key and pasted it into the SSL Certificate box in ISPCONFIG for the website I need the key for, saved it and restarted ispconfig_server. All restarted but I can not get to the website. I am using Fedora Core 7 setup using the how to for FC7 and asked for a mod ssl type key. Does everything have to be the same as far as company information that was entered during the how to for openssl, even the department? I setup ISPCONFIG using my company name etc.. but the department I used was web. I am using www for the website. Just so I am clear, IPCONFIG is setup as web.mydomainname.com and my website is www.mydomainname.com. Also does the number of days play a factor as I plan to buy a 3 year cert?

    httpd does not start and the error I am getting in the error log of the website is:
    Unable to configure RSA server private key
    SSL Library error: 185073780 error:0B080074:x509 certificate routines:x509_check_private_key:key values mismatch

    Do I need to regen my keys on the server using the same code as in the how to for FC7 or just the x509 ones?

    Trying to figure it all out but don't want to do anything that is going to cause me to start over...


    John
     
    Last edited: Aug 8, 2007
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    No.

    You must copy the certificate that you received back to the certificate box and not the key of the SSL certificate and then select save and not create as action.
     
  3. jtheed

    jtheed Member HowtoForge Supporter

    I may be using the word KEY in the wrong context because that's what I did. I entered the information at the top of the SSL form in ISPCONFIG and chose create to make the SSL Request, then I chose save, after that I copied the request into the CA's form and when I got the files from the CA, I took the one that ended in .crt and pasted it into SSL Certificate and chose save as the option and then clicked on save. When I restarted ISPCONFIG, httpd failed to restart with the error.

    I also recieved a file called my_domain_name.ca-bundle. Was I supposed to do anything with this?

    Thanks

    John
     
  4. jtheed

    jtheed Member HowtoForge Supporter

    Could part of my problem be that I am calling the ISP Server web.mydomainname.com and then I have setup a website called www.mydomainname.com?

    Can I change the name of the ISP server or will I have to re-install ISPCONFIG in order to change the name, if it's causing me a problem.

    Hoping to get this resolved soon. I am trying to go live with this by this weekend. :eek:

    Thanks

    John
     
  5. falko

    falko Super Moderator ISPConfig Developer

  6. jtheed

    jtheed Member HowtoForge Supporter

    I think I have it worked out.

    While viewing the cert created by ISPCONFIG for the ISP Server, I realized that when I installed ISPCONFIG, I always used MY email address and setup the oranganization as web. SO, this time, I logged in as admin, deleted the existing cert that was created by ISPCONFIG, logged out, logged back in as myself, created a request using web as the organization and submitted it. Now, there are no errors bring ISPCONFIG and httpd back up and the cert shows my CA's name.

    I am running this at home this week while I am off (some vacation), so it still shows as can't be trusted, but that has to be because it's not sitting at the IP it is supposed to be at, yes?

    Thanks for the replies guys and the fantastic work you all do in helping everyone on this site.... it's really appreciated.

    John
     
  7. falko

    falko Super Moderator ISPConfig Developer

    The IP doesn't matter, but I guess you're also using a different hostname?
     
  8. jtheed

    jtheed Member HowtoForge Supporter

    The IP address that the domain is sitting at right now is the only thing that is different. The DNS points to the IP address at work and right now, I am just running it on my home DSL Non-Static IP. I just change my host files on my workstation to match the current IP to connect to the server for testing. I'll know more tomorrow as I am taking it back to work. Hopefully, the warning stops popping up then.

    John
     
  9. jtheed

    jtheed Member HowtoForge Supporter

    Update: I contacted my SSL CA and they said I was getting the not trusted warning because of no intermediate file being installed., So I added the intermediate ca file, as per their instructions, to the .conf files, both the httpd.conf and the httpd.conf.https files where they are looking for the SSLCertificateChainFile. They were commented out originally. Not sure I needed it in both conf files, but now. IE 6 or IE7 do not complain, but Firefox 2.0.0.6 still complains even though the CA is listed as an Authority. Does anyone know why this might be happening only in Firefox? It may in others, but I only have FireFox and IE6 - IE7.

    50% of the way there.... :)
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    What is the exact error message that you get in firefox?
     
  11. jtheed

    jtheed Member HowtoForge Supporter

    What I think it is , is the misconfiguration on the server of the cert. CA is now telling me to try a different file for the bundle file. I'll have to wait until tomorrow to try it.

    This is the screen that pops up in Firefox.
     

    Attached Files:

  12. jtheed

    jtheed Member HowtoForge Supporter

    Installing the new file did not solve the problem.
    Ok.. still not fixed, but it seems that I should be working on the ssl.conf file, not the httpd.conf or httpd.conf.https files.

    By installing the paths for my .crt, .key and .ca.bundle files, I can now access Squirrelmail and ISPConfig using IE6 and 7 where before I did this, I couldn't access the pages using IE, but Firfox was able to.
    Firefox still doesn't trust my Cert from the CA but IE does.
    I have installed as they requested using the ssl.conf file located in etc/httpd/conf.d./

    This is what I have in ssl.conf now

    SSLCertificateFile /the path to cert file/www.tidesmarine.com.crt
    SSLCertificateKeyFile /the path to cert file/www.tidesmarine.com.key
    SSLCertificateChainFile /the path to cert file/www.tidesmarine.com.ca-bundle.crt
    SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt


    What else can I look at?
     
    Last edited: Aug 13, 2007
  13. jtheed

    jtheed Member HowtoForge Supporter

    Update:

    Problem, I thought was finally solved. What I had to do, was add the Chain File to the Vhosts_ispconfig.conf file under the 443 section of my web site. :D


    Update: See MY post on 3rd page about adding line to httpd.conf
     
    Last edited: Aug 16, 2007
  14. jtheed

    jtheed Member HowtoForge Supporter

    Well, I THOUGHT it was solved, BUT... something rewrites the Vhosts_ispconfig.conf file. :confused:

    What would be doing this?

    It omits the chain file from the new file that gets written. It rewrote the file at 8:54 am today. What file is it basing it's information on when it rewrites this file?

    Thanks

    John
     
  15. daveb

    daveb Member

    try adding the chain file in the apache directives of the site.
    SSLCertificateChainFile /the path to cert file/www.tidesmarine.com.ca-bundle.crt
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    NEVER edit the file Vhosts_ispconfig.conf manually. It is automatically changed by ISPConfig.

    Add the SSL chain files to your httpd / apache or apache2.conf file as daveb suggested.
     
  17. jtheed

    jtheed Member HowtoForge Supporter

    I don't have an apache.conf or apache2.conf file.

    I did the Fedora Core 7 install per how to's. I have several conf files, but none that start with apache. I already have the file paths in the ssl.conf foler and it puts my .key and .crt file in the Vhost_ispconfig.conf file, just not the chain file.

    I'll keep looking but if someone has a difinitive answer as to which file the VHosts file gets written from using FC7, please let me know.

    John
     
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    You can put it in the ssl.conf file as well, that does not matter.

    Do not touch the Vhosts_ispconfig.conf.
     
  19. jtheed

    jtheed Member HowtoForge Supporter

    I won't touch the Vhosts_ispconfg.conf file, but what file does ISPCONFIG get it's information from to write it? I have the chain file in ssl.conf and it does not get written to the Vhosts_ispconfig.conf file. The Key and crt file paths do, but not the Chain file.
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    a) The chain file does not have to be written to the Vhosts_ispconfg.conf file, it is enough if you put it in ss.conf.
    b) There is no file where ISPConfig get sthe content for Vhosts_ispconfig.conf from, the content is generated out of the database.
     

Share This Page