SSL, problems with certificate creation and usage

Discussion in 'General' started by Bonzo, Feb 20, 2013.

  1. Bonzo

    Bonzo New Member

    Hi,

    I've installed 2 Systems according to this HowTo

    http://www.howtoforge.com/installin...tabase-cluster-on-debian-6.0-with-ispconfig-3

    Now I have problems creating SSL certificates. For now I use self-signed, but in the future I will use an officially signed certificate.
    I have a domain example.com.
    If I create a domain example.com with Auto-subdomain No, or www, or a domain www.example.com with Auto-Subdomain No, I can't use https (after I checked and created the SSL cert in ispconfig). I get this error.

    Code:
    Secure Connection Failed
    
    An error occurred during a connection to example.com.
    
    SSL received a record that exceeded the maximum permissible length.
    
    (Error code: ssl_error_rx_record_too_long) 
    If I create a domain test.example.com, with Auto-Subdomain No, and create SSL, it works like a charm. Why is it possible to create test.* but not *. or www.?

    Is it possible to create 2 certificates, one for one server, one for the other?
    One (sub)domain pointing to 2 different IPs?
     
  2. till

    till Super Moderator

    SSL cert for www subdomain works fine on my server. An SSL cert is only for one domain, so don't use wildcards. Did you delete the SSL cert before you created a new one?

    Sure, you can use as many SSL certs on your server as you want. Just create a new website for each domain or subdomain that you want to have its own SSL cert and create a new cert. Please note that you have to use SNI if you don't have a dedicated IP for each SSL-enabled site.

    One domain or subdomain can only point to one IP at a time. But that's not SSL related.
     
  3. Bonzo

    Bonzo New Member

    Yes, deleted. I create the subdomain www.example.com in Website-Websites, not Subdomains for Website, is this OK?
    I didn't use wildcards.


    Is this maybe the problem, I don't know what SNI is. Is there a howto for enabling this?


    Ok, I think I have to tell you what this server is intended for, for clarification.
    It should be a semi-HA solution for the poor. That's why I used your clustered setup.
    Now, I have the domain example.com and A records for www (some DNS provider), something like

    www A 1.2.3.4
    www A 5.6.7.8

    With this configuration (one subdomain points to different IPs) I get some round-robin load balancing.
    That's working OK. But I think I'll have a problem with SSL.
    www on both IPs should be certificated. Is this possible? Certificate domain www.example.com for 1.2.3.4 and for 5.6.7.8

    Actually, I don't need this load balancing. All I need is a solution that, if the first server is not reachable, switches to the second server and switches back to the first server when it is reachable again. I read your clustered solution and built everything around this. And it worked OK till I needed to use certificates.
    Maybe you have an idea how to do this better?
     
  4. till

    till Super Moderator

    Yes, that's ok. But you won't create www.example.com as website, the correct settings are:

    domain: example.com
    auto subdomain: www

    to get a website for www.example.com

    This does not matter for SSL as SSL does not depend on the IP. Just the domain name the SSL cert is issued for matters.
     
  5. Bonzo

    Bonzo New Member

    Ok, I tried some other configuration and it is probably because of the only one dedicated IP I have.
    It's possible to create and use only one subdomain with one IP? Correct?

    What is the SNI you mentioned, is this a server extension? Any HowTo at Howtoforge?
     
  6. till

    till Super Moderator

    You can have only one SSL certificate per IP address with traditional SSL.

    See wikipedia and various posts here in the forum.

    http://en.wikipedia.org/wiki/Server_Name_Indication

    You don't need a special configuration for SNI. SNI is supported by default in ispconfig. What matters are the browsers of your users and the openssl and apache version on your server as described at wikipedia.
     
