SSL Problem

Discussion in 'Installation/Configuration' started by delgado2061, Sep 29, 2009.

  1. delgado2061

    delgado2061 New Member

    I went to update my SSL on GoDaddy and they tell me that my ISPConfig control panel needs to make SSL 2600 4696 or something like that. So my question is: is there an update that fixes this problem? I need to renew that SSL before Oct 4, so please, I need help. They say that this is new and everybody that sells SSL has to change too. They upgraded their SSL software, I guess. My ISPConfig version is 2.2.30.

    This is what their message says: The CSR key length must be greater then 2048 and less then 4096


    I just upgraded my ISPConfig to 2.2.33 today, 09-29-2009.
     
    Last edited: Sep 29, 2009
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig uses 1024 bit, which is the default for SSL certificates. I'm not sure if we can just change it, as SSL certs may then work with GoDaddy but not with other SSL authorities anymore. I've added this to the bugtracker.
     
  3. delgado2061

    delgado2061 New Member

    1024 bit doesn't work with GoDaddy anymore; they upgraded their system. I'm going to ask for a refund. There is no reason to pay for something that I can't use. They never gave me any notice or anything. I just found out because they are still sending me warning notices even after I paid. But they never notified me or told me that they were changing anything. I just found out out of the blue.
     
    Last edited: Sep 29, 2009
  4. Turbanator

    Turbanator Member HowtoForge Supporter

    I'm watching this thread as I too am affected. I wouldn't be too worried but I have prepaid certs at godaddy which are now useless with isp2 and I can't get a refund. Does ispconfig 3 handle 2048+?
     
  5. ctql

    ctql New Member HowtoForge Supporter

    Problem solved

    Guys,
    This is easy to fix. The file you need to edit is:
    /root/ispconfig/scripts/lib/config.lib.php

    Inside this file, search for this line (it was line 1910 on my version of ISPConfig):

    PHP:
    $mod->log->caselog("openssl genrsa -des3 -rand $rand_file -passout pass:$ssl_password -out $key_file 1024 && openssl req -new -passin pass:$ssl_password -passout pass:$ssl_password -key $key_file -out $csr_file -days $ssl_days -config $config_file && openssl req -x509 -passin pass:$ssl_password -passout pass:$ssl_password -key $key_file -in $csr_file -out $crt_file -days $ssl_days -config $config_file && openssl rsa -passin pass:$ssl_password -in $key_file -out $key_file2", $this->FILE, __LINE__);
    You need to change the 1024 on that line to 2048 or 4096.

    Afterwards, regenerate the CSR via the normal methods. I think I had to delete my old one before it would generate a new one, but YMMV. I was impatient; it may have just taken the cron job a bit to execute.

    Edit: one more thing: I don't think there is any problem adjusting this permanently. I deal with lots of SSL providers and many of them are requiring 2048 bit now. In fact, I think the Extended Validation SSL certificates (the green bar in IE 7/8) require 2048 bit or greater.
     
    Last edited: Oct 6, 2009
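
An added example, not part of the post above and not ISPConfig code: a pre-flight check that reads the key length out of a regenerated CSR before it is sent to the CA. The function names, the throwaway `www.example.test` subject and the inclusive 2048 to 4096 bounds are assumptions based on the CA message and the values suggested in this thread.

```bash
#!/usr/bin/env bash
# Added example: confirm a CSR's RSA key length before submitting it to a CA.
# Bounds are an assumption (inclusive), taken from the values discussed in the thread.
MIN_BITS=2048
MAX_BITS=4096

# Print the public-key size in bits found in a PEM CSR (empty if unreadable).
# The pattern matches both "Public-Key: (N bit)" and "RSA Public-Key: (N bit)".
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 only if the CSR parses and its key is within [MIN_BITS, MAX_BITS].
csr_acceptable() {
    local bits
    bits=$(csr_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "$MIN_BITS" ] && [ "$bits" -le "$MAX_BITS" ]
}

# Build a throwaway key and CSR of the requested size (constructed sample input).
# usage: make_sample_csr BITS OUTDIR  -> prints the CSR path
make_sample_csr() {
    local bits=$1 dir=$2
    openssl genrsa -out "$dir/k$bits.key" "$bits" 2>/dev/null
    openssl req -new -key "$dir/k$bits.key" -subj "/CN=www.example.test" \
        -out "$dir/k$bits.csr" 2>/dev/null
    echo "$dir/k$bits.csr"
}

# Demo: the old 1024-bit setting next to the corrected 2048-bit one.
workdir=$(mktemp -d)
for bits in 1024 2048; do
    csr=$(make_sample_csr "$bits" "$workdir")
    if csr_acceptable "$csr"; then
        echo "$bits-bit CSR: key length $(csr_key_bits "$csr") is within bounds"
    else
        echo "$bits-bit CSR: key length out of bounds, regenerate with a longer key"
    fi
done
rm -rf "$workdir"
```

Pointing `csr_acceptable` at the CSR file ISPConfig wrote for the site shows whether the edited key length actually took effect or the old CSR is still in place.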
  6. delgado2061

    delgado2061 New Member

    So if it's that easy it should be in the next update. I am waiting on them; I don't like to mess with my server, especially when it has run well all this time.
     
  7. Turbanator

    Turbanator Member HowtoForge Supporter

    I too would like to see a comment regarding this fix from Till or Falko. My concern is if this will affect/break anything else and I assume any upgrade will cause the code to revert until it's been made perm by development, correct?

    I need to do this very quickly so I may need to do it regardless.
     
  8. DrJohn

    DrJohn Member HowtoForge Supporter

    Changing the RSA length from 1024 to 2048 in /root/ispconfig/scripts/lib/config.lib.php worked for me using ISPConfig 2.2.33 under Ubuntu 8.04 LTS server for a hosted site (didn't try for the ISPConfig admin site on port 81).

    I regenerated the CSR, sent to GoDaddy, downloaded the zipped certificate package with gd_bundle.crt and my.domain.tld.crt files, backed up the folder then copied these into /var/www/web#/ssl, and added to the site's Apache directives:
    Code:
    SSLCertificateChainFile /var/www/web#/ssl/gd_bundle.crt
    (# stands for the web number of this site: it was 12 in this case)
    as also described in this thread: http://www.howtoforge.com/forums/showthread.php?t=27606

    Worked like a charm! No side effects as far as I can tell.
     
  9. delgado2061

    delgado2061 New Member

    Ssl

    Is the SSL problem fixed in the new update? The reason I ask is because it is not listed in the e-mail that I received about the new update, so I would like to know, please.
     
  10. falko

    falko Super Moderator ISPConfig Developer

    This is already fixed - the key length is now 4096.
     
  11. rockstar9840

    rockstar9840 New Member

    Hey ctql, congratulations, you solved the problem. :)

    Thanks for sharing with us.
     
