Virtual Hosts SSL 443

Discussion in 'Installation/Configuration' started by DaddyFix, Jun 12, 2006.

  1. DaddyFix

    DaddyFix New Member

    First, I'm sorry for asking about Virtual Hosts SSL help. I see many people have been having similar issues setting this up, but I can't seem to find the information I need. Could you please direct me to, or offer, some advice on this issue?

    Originally I used to put my Client SSL information into the VHosts.conf file. All clients share the same Certificate Key. Here is a simplified example...
    Code:
    NameVirtualHost 192.168.1.100:80
    NameVirtualHost 192.168.1.100:443
    <VirtualHost 192.168.1.100:80>
            Servername somedomain.ca
            Redirect permanent / http://www.somedomain.ca
    </VirtualHost>
    <VirtualHost 192.168.1.100:443>
            Servername somedomain.ca
            Redirect permanent / http://www.somedomain.ca
            SSLEngine on
            SSLCertificateFile \
                /usr/local/ssl/install/openssl/certs/www.example.com.cert
            SSLCertificateKeyFile \
                /usr/local/ssl/install/openssl/certs/www.example.com.key
    </VirtualHost>
    But now I see that Vhosts_ispconfig.conf only uses 'NameVirtualHost 192.168.1.100:80'. Hmmm. How do I enable a client to use the same SSL certificate for all the sites I host?

    I tried to use the SSL option in the client setup of ISPConfig but I get the error 'Already a Certificate for this IP'. I understand why this happens.

    When I try to use https://mydomain.ca I get the request for the SSL and I get an answer from Apache v2.53 that tells me there is no virtual host entry on 443 for this client.
    Code:
    You don't have permission to access / on this server.
    Am I doing something wrong here?

    PS. I love ISPConfig..
     
  2. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    ISPConfig only supports one SSL website per IP; this is an Apache limit and not a limit of ISPConfig.

    To create an SSL website, check the SSL checkbox in the website settings of the site and then create an SSL certificate on the SSL TAB. ISPConfig rewrites the vhost configuration for you to enable SSL for this website.

    If you need another setup that does not use SSL virtual hosts, you cannot use ISPConfig to configure it.
     
  3. Sheridan

    Sheridan New Member

    Are you sure?
    I always thought that one certificate for multiple vhosts shouldn't be a problem.
    I know that it's not possible to have multiple SSL certificates for one IP, but the SSL part is just over when Apache has to get the right vhost.

    greets
    Sheridan
     
    Last edited: Jun 12, 2006
  4. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    A wildcard certificate is no problem, but you cannot use multiple certs on one IP address.
     
  5. Sheridan

    Sheridan New Member

    Yep. I know, but ISPConfig doesn't create a VirtualHost entry for the SSL part of the Vhost config file for the other domains on my server.
    If I try to enable SSL for the other domain it tells me that an SSL certificate still exists for this IP. That's ok, but I simply want to use the existing one for this domain too.

    greets & thanks
    Sheridan
     
  6. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    That's not possible with ISPConfig. You can try to tweak the main Apache configuration file as it's not overwritten by ISPConfig.
     
  7. erk

    erk New Member HowtoForge Supporter

    There can be only one SSL enabled site per ip, but that is already clear as I understand from your last post.
    The thing with SSL is that there is no hostname, just ip-number. The hostname is not visible to apache. Therefore if
    www.domainone.com and
    www.domaintwo point to the same ip number and you have enabled SSL on domainone.com a request to https://www.domainone.com and https://www.domaintwo.com should go to the same site whereas http requests will go to the two different sites.

    In SSL only ip number counts.

    //Erk
     
  8. Sheridan

    Sheridan New Member

    Yep. That's the behaviour because of the missing VirtualHost entry for the second domain in the vhosts conf for <ip-address>:443.

    Nope. Apache can resolve different domains when using ssl. I tried it manually on another machine without ispconfig to be sure.

    @falko:
    I think you can take this as a feature request from my side. ;-)

    Maybe the SSL option could change its behaviour (and name) when a certificate exists on this IP, and so when enabling it, it would be nice if ISPConfig could create the entry in the vhosts config file.

    greets
    Sheridan
     
  9. erk

    erk New Member HowtoForge Supporter

    If that is the case I would be very happy if you could post that configuration here. That would be real news for me and possibly for the apache crew as well.

    From http://httpd.apache.org/docs/2.0/vhosts/name-based.html :
    I don't mind being proven wrong in this case but I would be surprised. :D

    //Erk
     
  10. Sheridan

    Sheridan New Member


    Ok. To be sure I've checked the configs of our Plesk server at work. For each domain I've enabled SSL for, I have a <VirtualHost <ip>:443> with a different "ServerName <domain>:443" param. The IP is always the same and so is the path to the SSL cert file.

    So it seems that you should trust this board and not the Apache docs. :D :rolleyes:

    I would like to see support for this in ISPConfig anyway. ;-)


    greets
    Sheridan
     
  11. Sheridan

    Sheridan New Member

    Finally. I have created a file in /etc/apache2/conf.d/ with content similar to the SSL VirtualHost entry ISPConfig creates for the main domain of this IP.
    Now I'm able to use the same SSL certificate for the other domain managed by my Apache.

    I think that in that case it would be better not to save the SSL certificates in the webX directory of the main domain for the IP. It would be a much better idea to place them somewhere outside and handle them on a per-IP basis, as they are bound to an IP address.

    Maybe saving the certs under a directory structure like the following one would be a good idea.

    /var/www/certificates/<ip>/

    In the end I would say that this is really a recommended feature for a future ISPConfig version, as this is an everyday use case.

    Just my two cents. ;-)


    greets
    Sheridan
     
    Last edited: Jun 14, 2006
  12. erk

    erk New Member HowtoForge Supporter

    Right, adding multiple virtual hosts like:
    Code:
    <VirtualHost 192.168.1.10:443>
    DocumentRoot "/home/www/securesite/"
    ServerName www.mydomain.com:443
    </VirtualHost>
    
    <VirtualHost 192.168.1.10:443>
    DocumentRoot "/home/www/securesite/"
    ServerName www.yourdomain.com:443
    </VirtualHost>
    
    is quite possible. But if you try setting different document roots you will find that both https://www.mydomain.com and https://www.yourdomain.com will end up with the same document root. So the above, while possible, is quite pointless.

    If you want a secure site for multiple domains to use for a webmail install or something similar I would simply create a new website in ISPC and enable SSL. Then I just add a DNS record for webmail.mydomain.com and webmail.yourdomain.com that points to the ip number of the secure site.

    I think I still trust the apache team since my own experience with SSL and apache conforms with their view and that tells me I'm right ;-)
    Check your Plesk config again to see if the different virtual hosts have different document roots. If not, then they are not really different sites, are they? If they indeed have different document roots, have you checked that Apache really honors the different document roots for the same IP?

    However, what is possible is to make a secure site and install something like Drupal which supports multiple domains.
    The ServerName is not visible to Apache but it is visible to a PHP script.

    //Erk
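
Added example, not from any poster in this thread and not ISPConfig's or Apache's own code: a small Python model of how Apache picks the virtual host for an HTTPS connection on one IP:port, run over a constructed config that mirrors erk's two port-443 vhosts above but gives them different DocumentRoots, which is exactly the setup under dispute. Without SNI, the Apache 2.0/2.2 situation erk describes, no hostname is available when the TLS handshake happens, so the first vhost bound to the address wins and both names land in the same document root; with the TLS server-name extension that the later posts wait for, the name in the ClientHello lets Apache match ServerName/ServerAlias as it does for plain HTTP. The parser, the `select_vhost` decision function and the sample config are assumptions made here for illustration, not Apache internals.

```python
import re
from typing import Dict, List, Optional

# Constructed sample config (not from the thread): erk's two port-443 vhosts,
# but with different DocumentRoots, which is the setup the thread argues about.
SAMPLE_CONFIG = """
NameVirtualHost 192.168.1.10:443

<VirtualHost 192.168.1.10:443>
    DocumentRoot "/home/www/mydomain/"
    ServerName www.mydomain.com:443
</VirtualHost>

<VirtualHost 192.168.1.10:443>
    DocumentRoot "/home/www/yourdomain/"
    ServerName www.yourdomain.com:443
    ServerAlias yourdomain.com secure.yourdomain.com
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(text: str) -> List[Dict]:
    """Parse <VirtualHost ip:port> blocks in file order (simplified parser, an assumption here)."""
    vhosts = []
    for m in VHOST_RE.finditer(text):
        addr, body = m.group(1).strip(), m.group(2)
        ip, _, port = addr.partition(":")
        vhost = {"ip": ip, "port": int(port or 80), "names": [], "root": None}
        for line in body.splitlines():
            parts = line.strip().split(None, 1)
            if len(parts) != 2 or parts[0].startswith("#"):
                continue
            key, value = parts[0].lower(), parts[1].strip().strip('"')
            if key == "servername":
                # ServerName may carry a :port suffix, as in the thread; drop it
                vhost["names"].append(value.split(":")[0].lower())
            elif key == "serveralias":
                vhost["names"].extend(v.split(":")[0].lower() for v in value.split())
            elif key == "documentroot":
                vhost["root"] = value
        vhosts.append(vhost)
    return vhosts


def select_vhost(vhosts: List[Dict], ip: str, port: int,
                 sni_name: Optional[str] = None) -> Optional[Dict]:
    """Return the vhost that serves a TLS connection to ip:port.

    No SNI (pre-2.2.12 Apache, or an old client): the server must pick a
    vhost, and hence a certificate, before any hostname is known, so the
    first vhost for that ip:port is used and the later Host header cannot
    change it. With SNI the hostname travels in the ClientHello, so the
    ServerName/ServerAlias match works as for plain HTTP; an unknown name
    still falls back to the first (default) vhost.
    """
    candidates = [v for v in vhosts if v["ip"] == ip and v["port"] == port]
    if not candidates:
        return None
    if sni_name:
        wanted = sni_name.lower()
        for v in candidates:
            if wanted in v["names"]:
                return v
    return candidates[0]


def document_root_for(config: str, host: str, sni: bool,
                      ip: str = "192.168.1.10", port: int = 443) -> Optional[str]:
    """DocumentRoot a request for `host` lands in, with or without SNI."""
    chosen = select_vhost(parse_vhosts(config), ip, port, host if sni else None)
    return chosen["root"] if chosen else None


if __name__ == "__main__":
    for host in ("www.mydomain.com", "www.yourdomain.com", "secure.yourdomain.com"):
        print(f"{host:25} no-SNI -> {document_root_for(SAMPLE_CONFIG, host, False)}")
        print(f"{host:25} SNI    -> {document_root_for(SAMPLE_CONFIG, host, True)}")
```

On a real server the equivalent check is `openssl s_client -connect host:443 -servername name`, run once with and once without `-servername`, comparing the certificate subject each handshake returns; the model above is only the decision logic behind that behaviour, and it also shows why falko's wildcard certificate is the only way to avoid a name-mismatch warning when every name is forced onto the first vhost.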
     
  13. Sheridan

    Sheridan New Member

    Nope. I definitely do have different DocumentRoot settings. Otherwise my two different typo3 installations wouldn't work.

    Trust me. ;-)

    greets
    Sheridan
     
  14. erk

    erk New Member HowtoForge Supporter


    I wish I could ;)

    Typo3 supports multiple domains using a single database and, as I said previously, it is possible with a CMS such as Drupal or Typo3 to host multiple domains in one document root, and the CMS will be able to distinguish between the domains since the hostname is visible to PHP but not to Apache.
    If the two Typo3 installations use the same database it is likely that you cannot tell which document root your request ends up in since Typo3 will fix it.

    The Apache developers say it can't be done. I've tested to make sure and cannot make it work. I have seen this issue debated and never seen anyone else claim they can get Apache to do name-based virtual hosting with SSL and different document roots. The Plesk documentation even states that:
    If you are able to create two domains on the same IP with SSL in Plesk and access two different plain HTML files from the two document roots I will be impressed and very curious as to how Plesk does that. It is not possible with a plain Apache server serving HTML.
    So far you keep telling me "it can be done", but with little hard evidence. I would really like to know how to do it if it can be done, but so far the only thing I get is your word against the world, so to speak ;)


    //Erk
     
  15. russellsantos

    russellsantos New Member

    Interesting article

    An interesting article about this topic:

    http://www.onlamp.com/pub/a/apache/2005/02/17/apacheckbk.html

    One workaround it suggests is to use a different port for the SSL connections. Apparently, SSL binds to IP addresses AND ports. Of course, you would need a link on your site that points to that particular port for it to work, and it would look a little silly for the users of your site. But then, that is better than the warning the user gets when the SSL certificate does not match the host name.
     
  16. swan

    swan New Member

    Anyone got the ServerNameIndication TLS to work on Ubuntu (Gutsy)?

    http://www.how2forge.org/enable-multiple-https-sites-on-one-ip-using-tls-extensions-on-debian-etch

    I tried pbuilding from apt-get source on Ubuntu, stable and unstable Etch, and any version of Apache I could find a diff for the httpd SNI patch; I tried keeping to the version and other versions in the same batch of 2.2.x.

    But I think the problem (guessing by Apache logs: warn, init) was that OpenSSL was the cause - it just doesn't load even though I _might_ have actually compiled it in both (i.e. a patched Apache, but unable to hook onto the version of OpenSSL - that either had tlsext or not). It probably needed the svn version or something that had been properly set up in Configure (as I don't think enable-tlsext was enough, or ./config enable-tlsext, or even editing Configure manually adding -DOPENSSL_TLSEXT and removing -DOPENSSL_NO_TLSEXT), well, all in my case anyway: 0.9.8e-g Etch stable/unstable, Ubuntu.

    I guess everyone will still have to wait for it to become seamlessly stock standard and keep holding off using mod_gnutls, imho; wtf, not yet, I wonder. I know this isn't really an ISPC issue, but it relates to the thread above and it's something to watch out for, i.e. wait for seamlessness, or support mod_gnutls in ISPC? *shrug* I'm for waiting personally..

    Also for the above, it's up to you how you look at using the ip:port ratio, you can smear it all around, but for any n00b reading, yeah, trust the docs, and imho you can trust the ISPCrew ;)

    Question though, I've removed the SSL 1-per-host limit in ISPC (as in the link above), waiting for tlsext but also because you can abuse the ratio if you want. So, seeing the 1 host makes sense (until apache+openssl+tlsext becomes stock), I could see the main profile being sub.domain.xxx, but sadly you can't have domain.xxx; yeah, you can have blank/wildcards in other domains under the same profile, but the main profile can't? I know it's no problem in the big picture, but it's annoying for SSL even if you only kept to the 1 IP limit and wanted to be conventional using https://domain.xxx instead of https://sub.domain.xxx

    There's a placeholder in the GUI for other fields in the SSL cert gen; any chance of adding an option to override the auto default for the SSL CN? Otherwise I guess I'll have to keep manually doing it for now?
     
  17. keen

    keen New Member

    Yup. It worked for me. Thanks :)
     
