Replacing SSL Cert

Discussion in 'General' started by jonwatson, Feb 20, 2008.

  1. jonwatson

    jonwatson New Member

    Hi All,

    Been messing around with this for a while this morning and have given up. I am attempting to install a chained SSL cert from GoDaddy into an ISPConfig installation but am failing. The ISPConfig apache fails to launch, yet try as I might I cannot find a single log entry anywhere telling me why. I know it's SSL related, but without logs I'm pretty much in the dark.

    I have:

    A CSR file in /root/ispconfig/httpd/conf/ssl.csr
    A CRT file in /root/ispconfig/httpd/conf/ssl.crt
    A ca-bundle.crt file in /root/ispconfig/httpd/conf/ssl.crt

    I have entries in /root/ispconfig/httpd/httpd.conf that point to all of these files, but no go. When I run /etc/init.d/ispconfig restart it happily tells me that it wasn't started, then tells me it is started, but it is not (at least port 81 apache is not up).

    I see that this has been discussed before on the forums, but I'm obviously missing something. Can someone please, for the love of god, point me to the logs that the port 81 apache is supposed to be writing so I can see what's wrong?

    Or, alternatively, is there some definitive guide somewhere on how to install a chained cert into ISPConfig? Seems to me that this is fairly poorly understood by a lot of people.


  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The log files are in /root/ispconfig/httpd/logs/

    As far as I know, you will have to put the ca bundle in a separate file and not in the ssl.crt file together with the certificate. The bundle file is loded into the apache configuration with:

    SSLCACertificateFile /path/to/the/bundle/cert/file/ca.txt
  3. jonwatson

    jonwatson New Member

    HI Till,

    I seem to have everything in the right place, but the ISPConfig apache just won't start. It doesn't log anything either. Very frustrating.

    I'm going to play around a little more and maybe just move to a better cert that doesn't have a bundle.


  4. tensor

    tensor New Member

    Check these config directives:
    SSLCertificateFile - should point to bare certificate
    SSLCertificateKeyFile - should point to bare key (possibly protected with a password)
    SSLCertificateChainFile - should point to bundle (contatenation) of certificates of all intermediate and root CAs, the Root CA cert should be at the bottom of the file, the closest intermediate CA to you cert at the top of the file.

    That way it works for me for self generated certs. And yes, we do have inhouse intermediate CAs.
  5. jonwatson

    jonwatson New Member


    Yes, all that was set up correctly, yet ISPConfig would not start it's own port 81 apache and would not log the problem.

    I've since moved to a direct cert from RapidSSL and all is good.


Share This Page