SSL Certificate install trouble

Discussion in 'Installation/Configuration' started by BitSprocket, Nov 4, 2012.

  1. BitSprocket

    BitSprocket New Member

    All,

    I have install per your Perfect Ubuntu 12.10 server howto and am having an issue with getting my certificate to work properly.

    I've entered the ip address and am not using a wildcard and I have verifed that the certs are in-fact in the /var/www/sitename/ssl directory. SSL is checked on the proper page but when browsing to https://mysite.com I get a 701 error and the apache2 error log reads :

    Code:
    client denied by server configuration: /var/www/
    I can get to the non https site just fine but can't get the server configured to pull files from the proper location.

    I've tried deleting the domain and re-creating it with no luck. It also seems that the virtual host file in /var/www/apache2/sites-enabled makes no mention of port 443 or ssl.

    Thanks for your help!
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Please remove the ssl cert that you copied to the ssl folder manually and then create a nwe ssl cert in ispconfig on the ssl tab of the website, wait a few minutes and test again. If the site works with the self signed ssl cert, replace the ssl cert and key file in the ssl folder with the cert and key of your other ssl cert and restart apache.
     
  3. BitSprocket

    BitSprocket New Member

    Thanks till. Late last night (before your post) I found a solution that works but I wanted to get your opinion. It's very different than the one you mentioned. I added a clause to the mysite.com.vhost file in /etc/apache2/sites-available and it looks like this:

    Code:
    <Directory /var/www/mysite.com>
        AllowOverride None
        Order Deny,Allow
        Deny from all
    </Directory>
    
    <VirtualHost *:80>
          DocumentRoot /var/www/mysite/web
      
        ServerName mysite.com
        ServerAlias www.mysite.com
        ServerAdmin [email protected]
    
        ErrorLog /var/log/ispconfig/httpd/mysite.com/error.log
    
        Alias /error/ "/var/www/mysite.com/web/error/"
        ErrorDocument 400 /error/400.html
        ErrorDocument 401 /error/401.html
        ErrorDocument 403 /error/403.html
        ErrorDocument 404 /error/404.html
        ErrorDocument 405 /error/405.html
        ErrorDocument 500 /error/500.html
        ErrorDocument 502 /error/502.html
        ErrorDocument 503 /error/503.html
    
        <IfModule mod_ssl.c>
        </IfModule>
    
        <Directory /var/www/mysite.com/web>
            Options FollowSymLinks
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
        <Directory /var/www/clients/client0/web1/web>
            Options FollowSymLinks
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
    
    
    
        # suexec enabled
        <IfModule mod_suexec.c>
          SuexecUserGroup web1 client0
        </IfModule>
        # Clear PHP settings of this website
        <FilesMatch "\.ph(p3?|tml)$">
            SetHandler None
        </FilesMatch>
        # php as fast-cgi enabled
    	# For config options see: http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html
        <IfModule mod_fcgid.c>
            IdleTimeout 300
            ProcessLifeTime 3600
            # MaxProcessCount 1000
            DefaultMinClassProcessCount 0
            DefaultMaxClassProcessCount 100
            IPCConnectTimeout 3
            IPCCommTimeout 360
            BusyTimeout 300
        </IfModule>
        <Directory /var/www/mysite.com/web>
            AddHandler fcgid-script .php .php3 .php4 .php5
            FCGIWrapper /var/www/php-fcgi-scripts/web1/.php-fcgi-starter .php
            Options +ExecCGI
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
        <Directory /var/www/clients/client0/web1/web>
            AddHandler fcgid-script .php .php3 .php4 .php5
            FCGIWrapper /var/www/php-fcgi-scripts/web1/.php-fcgi-starter .php
            Options +ExecCGI
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
    
    
        # add support for apache mpm_itk
        <IfModule mpm_itk_module>
          AssignUserId web1 client0
        </IfModule>
    
        <IfModule mod_dav_fs.c>
    	  # Do not execute PHP files in webdav directory
          <Directory /var/www/clients/client0/web1/webdav>
    	    <FilesMatch "\.ph(p3?|tml)$">
              SetHandler None
            </FilesMatch>
          </Directory>
          DavLockDB /var/www/clients/client0/web1/tmp/DavLock
          # DO NOT REMOVE THE COMMENTS!
          # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
          # WEBDAV BEGIN
          # WEBDAV END
        </IfModule>
    
    
    </VirtualHost>
    <VirtualHost *:443>
          DocumentRoot /var/www/mysite.com/web
      
        ServerName mysite.com
        ServerAlias www.mysite.com
        ServerAdmin [email protected]
    
        ErrorLog /var/log/ispconfig/httpd/mysite.com/error.log
    
        Alias /error/ "/var/www/mysite.com/web/error/"
        ErrorDocument 400 /error/400.html
        ErrorDocument 401 /error/401.html
        ErrorDocument 403 /error/403.html
        ErrorDocument 404 /error/404.html
        ErrorDocument 405 /error/405.html
        ErrorDocument 500 /error/500.html
        ErrorDocument 502 /error/502.html
        ErrorDocument 503 /error/503.html
    
        <IfModule mod_ssl.c>
        </IfModule>
    
        <Directory /var/www/mysite.com/web>
            Options FollowSymLinks
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
        <Directory /var/www/clients/client0/web1/web>
            Options FollowSymLinks
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
    
    
    
        # suexec enabled
        <IfModule mod_suexec.c>
          SuexecUserGroup web1 client0
        </IfModule>
        # Clear PHP settings of this website
        <FilesMatch "\.ph(p3?|tml)$">
            SetHandler None
        </FilesMatch>
        # php as fast-cgi enabled
    	# For config options see: http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html
        <IfModule mod_fcgid.c>
            IdleTimeout 300
            ProcessLifeTime 3600
            # MaxProcessCount 1000
            DefaultMinClassProcessCount 0
            DefaultMaxClassProcessCount 100
            IPCConnectTimeout 3
            IPCCommTimeout 360
            BusyTimeout 300
        </IfModule>
        <Directory /var/www/mysite.com/web>
            AddHandler fcgid-script .php .php3 .php4 .php5
            FCGIWrapper /var/www/php-fcgi-scripts/web1/.php-fcgi-starter .php
            Options +ExecCGI
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
        <Directory /var/www/clients/client0/web1/web>
            AddHandler fcgid-script .php .php3 .php4 .php5
            FCGIWrapper /var/www/php-fcgi-scripts/web1/.php-fcgi-starter .php
            Options +ExecCGI
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
    
    
        # add support for apache mpm_itk
        <IfModule mpm_itk_module>
          AssignUserId web1 client0
        </IfModule>
    
        <IfModule mod_dav_fs.c>
    	  # Do not execute PHP files in webdav directory
          <Directory /var/www/clients/client0/web1/webdav>
    	    <FilesMatch "\.ph(p3?|tml)$">
              SetHandler None
            </FilesMatch>
          </Directory>
          DavLockDB /var/www/clients/client0/web1/tmp/DavLock
          # DO NOT REMOVE THE COMMENTS!
          # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
          # WEBDAV BEGIN
          # WEBDAV END
        </IfModule>
    SSLEngine on
    SSLCertificateFile /var/www/clients/client0/web1/ssl/mysite.com.crt
    SSLCertificateKeyFile /var/www/clients/client0/web1/ssl/mysite.com.key
    SSLCACertificateFile /var/www/clients/client0/web1/ssl/mysite.com.bundle
    
    </VirtualHost>
    Paying particular attention to the section starting <VirtualHost *:443> I know wildcards are less than ideal as it seems to apply to all my sites now (producing the browser warning of course) but it works properly for the site I need. The other sites don't use ssl anyway so I'm not concerned.

    Thoughts?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Never edit a vhost file manually as all manual settings that you do in that file will get removed automatically anyway.

    If you use * or the Ip depends on your apache version, the IP works always, * works only on latest apache versions and enables ssl for sni only which is not understood by older internet explorer versions.

    Please do what I described above, ispconfig will then create the ssl vhost automatically, it has not created it before because either one of your manually copied ssl certs were wrong or had a wrong name, so apache was not able to strat with the ssl certs you provided and ispconfig had to do a rollback and remove the ssl vhost again.
     
  5. BitSprocket

    BitSprocket New Member

    Thanks for the advice till. And for the quick reply!
     
: 701, ssl

Share This Page