SNI (Server Name Indication) and ISPConfig

Discussion in 'Installation/Configuration' started by zenny, Jun 14, 2013.

  1. zenny

    zenny Member


    Trying to avail https connections to several domains with a single IP in ISPConfig in Debian Wheezy.

    The motivation is to allow users to access webmail, phpmyadmin, and ISPConfig panel using SSL.

    Enabling SSL in ISPConfig panel always lands at error message: (Error code: ssl_error_rx_record_too_long) when accessed using https, and even http gives blank page.

    Appreciate if someone could share experience how you achieved SNI. Thanks!
  2. zenny

    zenny Member

    Some additional info

    Hi with bump!

    1. According to, it simply states that:

    2. And /etc/apache2/ports.conf categorically states that:
    3. Thus, in the /etc/apache2/sites-available/default-ssl, it has been changed from:

    <VirtualHost _default_:443>

    <VirtualHost *:443>
    4. Now, how does ISPConfig3 handle SNI? Does one need to enable the SSL option in the domain to enable SNI in the ISPConfig3 server?

    Expecting an ISPConfig3 way of SNI for multiple domains from Falko. Thanks in advance!
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Using SNI with ispconfig does not require any additional configuration on Debian, just create the website in ispconfig, go to ssl tab and create a ssl cert for that website. In some cases it is required that you select the IP address in the website field instead of *, so you might want to try that as well.

    The message you posted above just indicates that the ssl is not active at the moment on this site e.g. because the ssl cert is broken or you did not create a ssl cert.
  4. zenny

    zenny Member

    Thanks Till.

    But I did create a ssl certificate by getting into SSL tab of domain and also with 'create certificate' option.

    It did create everything and it didn't work, so I just made changes to the ports.conf and default-ssl.

    Earlier, I didn't make any changes to the conf files above and yet getting the same error "ssl_error_rx_record_too_long".

    Any hints?
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    The message you posted above just indicates that the ssl is not active at the moment on this site e.g. because the ssl cert is broken or you did not create a ssl cert.
  6. zenny

    zenny Member

    But the IPv4 address in the website is a dropdown list which has no IP address specified. However I added one for the specific client in server config, but with the server IP selected, even http is not rendering with default 403 forbidden error message.

    But when I selected * for the IP address, http works at least, but https still outputs "ssl_error_rx_record_too_long" error.

    Tried even after recreating the entire domain besides ssl cert, but no go. :(
    Last edited: Jun 15, 2013
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    If you run multiple sites on that same IP, then ensure that all sites use the IP and don't mix * and IP.

    This means that there is no ssl vhost or a broken ssl cert. You can e.g. try to recreate the ssl cert through ispconfig, ensure that you don't use any special chars in the ssl cert detail fields as this might cause openssl to fail to create the cert.
  8. zenny

    zenny Member

    This is a completely new installation and only with two domains created to check whether SNI works by default. So all sites use the IP. Still no go.

    Recreated the cert with ISPConfig3 panel, yet no go.

    When tried to access the ssl site, Apache2 error.log shows as of below:

    And the browser reports "(Error code: ssl_error_rx_record_too_long)"

    Where did I go wrong?
  9. zenny

    zenny Member

    An update!

    This is an update of very undesired results after executing:

    #a2ensite default-ssl
    The following happened:

    1) http://<domain.tld> got "403 Forbidden" message showing in error.log:

    2) https://<domain.tld> works, but defaults to the default apache "It Works" instead of ISPConfig3 default "Welcome" index page.

    3) but both http://<domain.tld>/webmail and https://<domain.tld>/webmail also got rendered.

    How to overcome above situations as of 1) and 2)? Thanks in advance!
  10. zenny

    zenny Member

    Is it a bug? Else share success stories of SNI!


    From what I experienced, it could be a bug.

    Else, can someone share their experience setting up multiple ssl sites with a single public ip, using SNI feature of apache2 and nginx in ISPConfig? Appreciate it! Thanks!
    Last edited: Jun 17, 2013
  11. zenny

    zenny Member

    Bump! Bump!! Bump!!! [3 bumps because the forum does not allow less than 10 chars ;-)]
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    SNI is compiled into the webserver, it does not require any additional configuration so it works by default.

    Works fine here on all servers. Just perfect server setup with no additional configuration.

    You enabled the default ssl vhost which will cause the webserver to redirect requests to a directory that should not be accessed and the correct reply is a forbidden error. The default-ssl vhost should not be enabled if you want to use sni for websites in ispconfig, that's why the perfect setup does not instruct you to enable it.

    If you want to use ssl in a website and get the website when you enter https in front of the domain, then you have to enable ssl for that website in ispconfig and create a ssl cert for it in ispconfig.
  13. zenny

    zenny Member

    Only varnish is setup in front of apache listening to port 80 which I guess have nothing to do with the port 443 to which apache listens to for ssl.

    I discovered that and disabled the default-ssl, but in that case the server is back to square one as OP.

    Done exactly, but no go. And here I am to seek your help. On normal apache2 setup, it works fine, but not with ISPconfig3, that is where I am stuck.

    Have a nice Midsummer!
  14. JohnyGoerend

    JohnyGoerend New Member

    I hope I won't insult you with this proposition, but I had the same error this evening and found this thread while googling it, only that I found the "solution" on my side: I configured the certificates and IP addresses all correctly, I just forgot to enable SSL in the site's settings (in the "Domain" tab)! Nothing less.

    It's a bit confusing that it has to be enabled separately from the SSL tab, but also makes sense somehow :)
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    The reason for separating the settings is that ispconfig is made for hosting companies. There you have administrators and client. The ssl checkbox exists so that an administrator can enable / disable the ability for the client to have a ssl cert and all these website limits are on the first tab. So when it's active, the client can create and manage its ssl cert on the ssl tab.
  16. JohnyGoerend

    JohnyGoerend New Member

    I understand and I know, that's why I said that it also makes sense :) Only if you're new to ispconfig and want to setup SSL, you might easily forget this option :)
  17. zenny

    zenny Member

    In my case, I enabled SSL to all domains and created SSL certificates to each of them using the webgui, yet no go. :(
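
Added example, not part of the thread and not ISPConfig's own code: a small Python audit for the two conditions till names above, a port-443 vhost with no SSL enabled and `*` mixed with IP addresses on the same port. The configuration text is constructed sample input (names and IPs are placeholders), and the parser assumes every `<VirtualHost>` address carries an explicit port.

```python
import re
from collections import defaultdict

# Constructed sample configuration, not taken from the thread.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName example.test
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName example.test
    SSLEngine on
</VirtualHost>
<VirtualHost *:443>
    ServerName shop.example.test
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    """Return one dict per vhost address: addr, port, ServerName, SSL flag."""
    vhosts = []
    for addrs, body in VHOST_RE.findall(conf):
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        ssl = re.search(r"^\s*SSLEngine\s+on\b", body, re.M | re.I)
        for addr in addrs.split():
            host, _, port = addr.rpartition(":")  # also handles [v6]:port
            vhosts.append({"addr": host, "port": port, "ssl": bool(ssl),
                           "name": name.group(1) if name else "(unnamed)"})
    return vhosts

def audit(conf, tls_port="443"):
    """List findings that match the failure causes discussed in the thread."""
    findings, by_port = [], defaultdict(set)
    for v in parse_vhosts(conf):
        by_port[v["port"]].add(v["addr"])
        if v["port"] == tls_port and not v["ssl"]:
            findings.append(f"{v['name']}: vhost on :{tls_port} without "
                            "'SSLEngine on' (may answer in plain HTTP)")
    for port, addrs in sorted(by_port.items()):
        wild = addrs & {"*", "_default_"}
        if wild and addrs - wild:
            findings.append(f"port {port}: mixes wildcard and IP vhosts {sorted(addrs)}")
    if tls_port not in by_port:
        findings.append(f"no vhost defined on :{tls_port}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```

To audit a live server, pass the concatenated text of the enabled vhost files to `audit()` instead of `SAMPLE_CONF`.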
