SSL On Dedicated IP

Discussion in 'Installation/Configuration' started by Hawker, Mar 3, 2007.

  1. Hawker

    Hawker New Member

    I'm not sure what's happening here. I have 4 IP addresses on my system. 1 Shared IP and 3 dedicated IPs.

    I have a site set on a dedicated IP with no other sites committed to that IP. I've placed that site's SSL Certificate (pasted into ISPConfig), the key file and the CA certificate in /var/www/ directory.

    I put these apache mods in the site's ISPConfig...
    SSLCACertificateFile /var/www/
    SSLCertificateKeyFile /var/www/
    SSLCertificateFile /var/www/

    Any attempts to access the https address result in the Fedora test page coming up with the ssl cert for localhost.

    Any ideas?
  2. Hawker

    Hawker New Member

    OK, here's what I've done/found so far...

    I removed these apache mods in the site's ISPConfig; they aren't needed...
    SSLCACertificateFile /var/www/
    SSLCertificateKeyFile /var/www/
    SSLCertificateFile /var/www/

    Now, I do have the SSL working properly but it took a while to get it to work.

    I generated a CSR. Which in turn generated a KEY.

    When I restarted HTTPD, it would not come back up. So, I rebooted the system. During boot at HTTPD Start the system asked me for a Private Key password. Well, this is unusual since when I installed ISPConfig I did NOT encrypt the key files. However when installing FC3 per the perfect setup instructions I DID encrypt those keys. Is this the problem? And if so, can I regenerate those keys?

    Now, I did however get the SSL to work since this is a simple transfer of web sites and I had an existing SSL/Key set. I simply pasted the SSL Cert into ISPConfig and saved it. Then deleted the key generated by ISPConfig and replaced it with the existing key for the SSL cert.

    It still bothers me that I'd be asked for a password on boot. Especially since I'll need to generate a new CSR for that site in about 2 weeks.
  3. falko

    falko Super Moderator ISPConfig Developer

    Are you referring to your main Apache or ISPConfig's Apache?
    If it's ISPConfig's Apache, take a look here:

  4. Hawker

    Hawker New Member

    The ISPConfig Apache. I did NOT encrypt the key. I can reboot all day long and not be asked for a key password.

    What happened is when I created a certificate request in ISPConfig a key was generated. When HTTPD tried to restart it failed. So, I rebooted and when HTTPD tried to start it asked for a key password. The first HTTPD start not the ISPConfig start.

    The only SSL key that is encrypted is the Postfix SSL. But it never asks for a password on boot.
    Last edited: Mar 4, 2007
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Please don't mix up the ISPConfig apache and your main apache webserver. You can not create an SSL key or certificate for the ISPConfig apache webserver that is running on port 81.

    To create a new unencrypted SSL cert for the ISPConfig apache webserver, please follow the steps described here:
  6. Hawker

    Hawker New Member

    I think we're getting a little mixed up here. It might be my fault with the way I worded things.

    I can currently re-boot without ever being asked for a key password. ISPconfig was compiled with a NON-encrypted key.

    Here's where the problem came in...
    I created a new website on a free IP address.
    In ISPconfig I created a CSR for the new website which also created a key for that CSR
    HTTPD would not restart from within ISPConfig <---
    I rebooted the machine <---
    At HTTPD start I was asked for a key password?? <---

    To get past this....
    I had to do a manual start and not start httpd or ispconfig.
    I removed the new key that was created in /var/web/webXX/ssl <---
    I rebooted the machine without a problem. <---
  7. falko

    falko Super Moderator ISPConfig Developer

    Which distribution do you use?
    Did you install your main Apache from your distribution's packages, or did you compile it manually?
  8. Hawker

    Hawker New Member

    ISPConfig version: 2.2.10 - Setup per instructions

    On a Fedora Core 3 perfect setup.

    Somehow, this problem seems to have vanished on its own. I'm not sure what caused it but I generated the SSL CSR again today for that web site and it didn't happen. I even re-booted after doing it to be sure. It might have been gremlins. :)

    By the way, on the CSR topic is it possible to keep the CRT and KEY files that already exist intact? That is until the new CRT is received. Fortunately I had backup copies so the site can still operate under SSL until the new CRT is received.
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    They stay intact as long as you don't choose to create a new certificate. Don't choose "create" as the option if you only want to update / save an existing certificate.
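
Apache asks for a passphrase at start when a private key file it loads is passphrase-protected. The script below is an added example, not part of the thread and not ISPConfig code: it reports which `*.key` files in a directory (such as the site's `ssl` directory mentioned above) are encrypted, so that can be checked before httpd is restarted. The function names and the sample file names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: find PEM private keys that are passphrase-protected.
# Only the PEM armor is inspected; the key material is never decoded.

# key_state FILE -> prints "encrypted", "plain" or "not-a-key"
key_state() {
    if ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null; then
        echo "not-a-key"
    elif grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
                 -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo "encrypted"      # PKCS#8 encrypted, or traditional OpenSSL format
    else
        echo "plain"
    fi
}

# scan_keys DIR -> "state<TAB>path" per *.key file; status 1 if any is encrypted
scan_keys() {
    rc=0
    for k in "$1"/*.key; do
        [ -e "$k" ] || continue
        state=$(key_state "$k")
        printf '%s\t%s\n' "$state" "$k"
        if [ "$state" = "encrypted" ]; then rc=1; fi
    done
    return "$rc"
}

# make_samples DIR -> writes constructed header-only stubs (no real key data)
make_samples() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'CONSTRUCTED' \
        '-----END RSA PRIVATE KEY-----' > "$1/legacy-enc.key"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'CONSTRUCTED' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$1/pkcs8-enc.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED' \
        '-----END RSA PRIVATE KEY-----' > "$1/plain.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED' \
        '-----END CERTIFICATE-----' > "$1/cert.key"
}

# Usage: sh check_keys.sh DIR   (DIR is supplied by the operator)
if [ "$#" -gt 0 ]; then
    scan_keys "$1"
fi
```

A non-zero exit status means at least one key in the directory would trigger the passphrase prompt.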
