webdomain ssl problem

Discussion in 'Installation/Configuration' started by snowch, Dec 1, 2009.

  1. snowch

    snowch New Member

    What is the process for creating a web domain ssl?

    I have tried clicking on CREATE in the SSL page. This creates ssl files in the ssl folder, but the REQUEST and CERTIFICATE are empty.

    Also, I was expecting the site's .vhost file to have SSL directives, but there aren't any.

    Many thanks in advance,

    Chris
     
  2. salami

    salami New Member

    Do you have the "SSL" option checked? After that the update script should create a certificate and the proper vhost directives for you.
     
  3. snowch

    snowch New Member

    Yes, it is ticked.

    many thanks,

    chris
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Enter the details for the cert on the ssl tab and then select create as action and click on save. About 2 minutes later when you access the site details again, you will have the ssl cert and csr in the fields.
     
  5. snowch

    snowch New Member

    I tried again. This time the ssl was created, but still no SSL directives were put into the domain's vhost file.

    When I try to access https://mysite, I get the following error:

    SSL received a record that exceeded the maximum permissible length.

    (Error code: ssl_error_rx_record_too_long)

    Many thanks in advance,

    Chris
     
  6. snowch

    snowch New Member

    I did two different test cases, one worked, one failed:

    1) new site
    2) domain www.example.com
    3) tick ssl
    4) save
    5) select domain
    6) enter ssl
    7) select create
    8) save

    vhost with SSL was created

    1) new site
    2) domain example.com
    3) tick ssl
    4) save
    5) select
    6) enter ssl, domain www.example.com
    7) select create
    8) save

    vhost with SSL was not created

    There is also an error in /var/log/ispconfig/cron.log:
    ...
    chroot: cannot run command `userdel': No such file or directory
    128032 semi-random bytes loaded
    Generating RSA private key, 1024 bit long modulus
    ...
     
  7. snowch

    snowch New Member

    The problem occurred when the site domain was "mydomain.com", the auto-subdomain was "www.*" and the ssl was for "www.mydomain.com".

    When I changed the site domain to be www.mydomain.com, with auto-subdomain to be "None", the vhost was created with SSL.

    Should this be registered as a bug?

    Many thanks,

    Chris
     
  8. using ispconfig 3.0.6

    I might have the same issue.
    I too have a site domain "domain.com" with Auto-Subdomain www.

    In my case I already have the crt, key and ca files.

    Enabling SSL for this site domain and copying the content of these files in the SSL tab and saving does not result in any SSL directive in the site domain config of apache.

    PS: (not sure where to copy the content of the key file)

    In the ispconfig.log I also see,

    10.12.2009-22:50 - DEBUG - Disable SSL for: domain.com
     
  9. following the suggestion of snowch:

    "When I changed the site domain to be www.mydomain.com, with auto-subdomain to be "None", the vhost was created with SSL."

    does not result in a vhost with SSL for me.
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Make sure that you enable the ssl checkbox, enter the ssl certificate details and select create certificate. Pasting just an existing cert will not work, as the key file is missing then, and ispconfig will not create the ssl vhost for security reasons, as apache won't start without this key file anyway.
     
  11. Ok, I discovered that too.
    You need to 'create' to actually get the vhost changes done.

    But how am I supposed to get an officially signed certificate installed in to an ISPconfig controlled website?
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    1) Create the cert in ispconfig.
    2) Take the csr that is shown on the ssl tab afterwards and have it signed by your ssl cert company.
    3) Copy the signed cert that you get back from them into the ssl cert field and select save as action.
     
  13. ok, thanks, that looks great for future ssl requests.

    - But what to do with existing ssl certificates?
    - what about wildcard certificates (*.domain.com), don't see an option to overwrite the common name?
    - what about the original problem report, http://www.howtoforge.com/forums/showpost.php?p=212522&postcount=7 ?

    Thanks for your help so far.

    Justin
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    All authorities I know have an option to reissue a cert and all that I have seen so far do this for free.

    ISPConfig will offer an option for wildcard certs in the future.

    This has been changed already and will be part of ispconfig 3.0.2
     
  15. SamTzu

    SamTzu Member HowtoForge Supporter

    Godaddy and 2048bit CSR

    I was trying to create a webshop cert for our shop but failed.

    Looks like Godaddy demands a minimum of 2048bit Certification request.
    Any idea how to make one?

    If ISPConfig3 can not do this what other high performance system can you recommend for our webshop that might be good?

    I'm thinking of moving the shop to KVM from OpenVZ anyway so I have to redo the whole VM stuff anyway. (To get Joomla Cache optimised and to be able to mount directories over iscsi.)
     
  16. ctroyp

    ctroyp New Member HowtoForge Supporter

    I am in trouble on this one as well. And it looks like my current sites using a GoDaddy SSL will be revoked soon which means that all my SSL sites hosted with ISPConfig will need to be moved if I cannot figure out how to support 2048 within ISPConfig.

    Any help falko or till? ...please? ;)

    FYI, I tried changing 1024 to 2048 in /usr/local/ispconfig/server/plugins-available/apache2_plugin.inc.php when generating a new request and when I saved the cert with the bundle, apache will not start stating, "(98)Address already in use: make_sock: could not bind to address 0.0.0.0:80" which doesn't sound right anyways (i.e. port 80 and not complaining about 443)?
     
    Last edited: Dec 31, 2009
  17. ctroyp

    ctroyp New Member HowtoForge Supporter

    Figured out how to run with 2048.
    Some steps may be overkill, but it worked cleanly for me:

    1. If you have already created a cert, delete it from the SSL tab for your site.

    2. Disable SSL for your website from the Website tab.

    3. Open /usr/local/ispconfig/server/plugins-available/apache2_plugin.inc.php and change 1024 (second instance, not the default setting - although it may still work changing both) to 2048.

    4. Save the file and restart apache2 (i.e. /etc/init.d/apache2 restart) for good measure.
    Note: If you experience an error restarting apache2 (e.g. "(98)Address already in use: make_sock: could not bind to address 0.0.0.0:80") then do the following:
        1. sudo lsof -i :80
        2. Determine the pid of the running service and...
        3. kill <pid from step 2>
        4. /etc/init.d/apache2 restart (it should start this time).
    I'm not sure what may cause this, but I had experienced it many times. It may have something to do with Subversion if you have it enabled under apache.

    5. Go back to ISPConfig and create a new certificate as you would normally.

    6. Go back to the SSL tab (may have to restart apache again if you do not see the keys in the first two fields; not sure why, but I experienced this a few times).

    7. Copy the code from the SSL request fields and provide that to GoDaddy as the request key.

    8. Once you download your certificate from GoDaddy, paste the contents of the yourdomain.com.crt file into the SSL Certificate field (replacing what is there), select Save Certificate from the pulldown and click Save. The SSL Bundle was left empty (not sure if I needed anything here or not...can anyone confirm).

    9. Restart apache2 for good measure and test it out.


    As I see it now, ISPConfig3 will support 2048 encryption with GoDaddy with the above steps.

    I hope this helps someone else.
    Cheers!
     
    Last edited: Jan 2, 2010
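
A pre-flight check for the CSR workflow discussed in this thread, added here as an example; it is not part of any post and not ISPConfig code. It uses the standard openssl CLI to confirm the 2048-bit key size the CA asks for, the common name in the request, and that a CSR or signed certificate belongs to the private key the web server will load. The function names and file arguments are assumptions.

```sh
#!/bin/sh
# Added example (not ISPConfig code): inspect a CSR/key/certificate set with
# the openssl CLI before sending the CSR to a CA or installing a signed cert.

# csr_bits FILE -> public key size of the request in bits, e.g. 2048
csr_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's|.*Public-Key: (\([0-9][0-9]*\) bit).*|\1|p' | head -n 1
}

# csr_cn FILE -> subject common name (handles "/CN=x" and "CN = x" output styles)
csr_cn() {
    openssl req -in "$1" -noout -subject 2>/dev/null |
        sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# pubkey_digest KIND FILE -> SHA-256 of the public key; KIND is key, csr or crt
pubkey_digest() {
    case "$1" in
        key) _pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr) _pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) _pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac
    [ -n "$_pem" ] || return 1          # unreadable file: never report a match
    printf '%s\n' "$_pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# same_key KIND1 FILE1 KIND2 FILE2 -> exit 0 only if both hold the same public key
same_key() {
    _a=$(pubkey_digest "$1" "$2") || return 1
    _b=$(pubkey_digest "$3" "$4") || return 1
    [ "$_a" = "$_b" ]
}

# preflight CSR KEY EXPECTED_CN [MIN_BITS] -> prints "ok" or the first problem
preflight() {
    _bits=$(csr_bits "$1"); _cn=$(csr_cn "$1")
    [ -n "$_bits" ] || { echo "unreadable CSR"; return 1; }
    [ "$_bits" -ge "${4:-2048}" ] || { echo "key too small: $_bits bit"; return 1; }
    [ "$_cn" = "$3" ] || { echo "CN mismatch: $_cn"; return 1; }
    same_key csr "$1" key "$2" || { echo "CSR does not belong to this key"; return 1; }
    echo ok
}

# Stand-alone use: sh preflight.sh site.csr site.key www.example.com
if [ "$#" -ge 3 ]; then preflight "$@"; fi
```

After the CA returns the signed certificate, `same_key crt site.crt key site.key` makes the same comparison for the file that goes into the SSL Certificate field.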
  18. wxman

    wxman New Member

    Just to add my two cents worth. I just discovered this same problem for my sites as well. These instructions worked perfectly on my home made apache server and ISPConfig 3.x.
     
