Where does ISPConfig expect to see server and private kys

Discussion in 'Installation/Configuration' started by chancer, Oct 13, 2007.

  1. chancer

    chancer New Member

    Hi, Folks,

    This has probably been done before, but I can't do a search because the adverts are totally blocking the search function (FF on Deb Etch <edit>sorry, it's on Ubuntu current version, it's my server which is on Etch</edit>).

    Would someone please tell me where ISPConfig would expect to find the server and private keys, respectively, on an SSL enabled domain on an Etch server? Then I can set up the VHosts configuration properly.

    Many thanks, in anticipation.
    Last edited: Oct 13, 2007
  2. chuckl

    chuckl New Member

    If you want to enable SSL on a particular website, tick the SSL checkbox for the website and save. This enables an SSL config tab for the site.

    I believe they are stored in the /webXX/ssl folder.
  3. chancer

    chancer New Member

    Thanks, chukl. Now, I've got a cert from CAcert - should I put that in /webxx/ssl first, or how do I tell ISPConfig where it is now (which is in the wrong place ;) )
  4. chuckl

    chuckl New Member

    While I'm a Cacert assurer as well, it's a while since I've done this, as I use a homebrew multidomain on 1 IP setup.
    The ISPConfig technique, is that you take the Certificate and paste it into the text box provided for the site under the SSL tab that appears when you enable SSL.
    I just have a nasty suspicion that you should use a CSR generated in the same place (the SSL tab) for the certificate generation. i.e. generate the signing request there, and cut and paste that into the CaCert form.
    ISPConfig then parks the certificate in the correct place for the site, and sets up the paths etc for the secure connection in the Vhosts file.
    Thinking about that, that probably takes care of the key, as the ISPConfig key is used to generate the CSR.
    You may need to grab the CaCert certificate chain file as well and put it in the ssl folder.
  5. chancer

    chancer New Member

    Thanks, once again chuckl. I've never done a ssl cert before. I'm trying to help a few people get into business online so would like to learn my way around alll this and become a CAcert assurer myself.

    Perhaps I should go back into the CAcert site and cancel the one I generated, then redo the request via ISPConfig?
  6. chuckl

    chuckl New Member

    I would definitely suggest that, yes. Generate a CSR in ISPConfig for that site, and cut and paste into an editor. Head for Cacert, cancel the existing one and reissue with the ISPConfig generated CSR, then when the cert arrives, paste into the site SSL tab field.
  7. chancer

    chancer New Member

    chuckl, you're a star. Always here to help, too. Do you ever sleep? :)
  8. chancer

    chancer New Member

    I'm annoying myself now, chuckl, so if you're finding my questions tedious I don't blame you.

    The ISPConfig SSL tab has three open text boxes which are SSL Request:, SSL Certificate: and Action: - Action is actually a three-choice select list.

    Do I put the command openssl req -nodes -new -keyout private.key -out server.csr into the first option or select Create certificate from the third?

    One thing I must do when this is all over is to contribute the lessons to the wiki. :rolleyes:
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    To create a SSL cert in ISPConfig, enter the details for the SSL cert in the fields on the ssl tab and leave the fields ssl-request and ssl-cert empty. Then select "Create" as acrion in the action box and click on the save button. Now wait abaout a minute and you have a working SSL setup with fresh self signed certificates created by ISPconfig.
  10. chancer

    chancer New Member

    Thanks, till, but I don't want a self-signed certificate. I want a CAcert signed certificate. What I need to generate at this time is the request.

    Many thanks.
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    What I described above is the procedure to create the request ;)

    You take the request that has been created by ISPConfig, sign it at cacert and put the certificate that you got from cacert into the certificate field. Then select "save" as action and click on the save button.
  12. chancer

    chancer New Member

    Excellent. Thanks for the help, till - and for your patience. Both very much appreciated. :)
  13. chancer

    chancer New Member

    So, SSL Cert added, all looks to be in the right place. However, now getting a strange error message when trying to bring up the site or the admin section (it's not called admin any more) with https:// on a site with Zen Cart as its only content. I need to know whether the peoblem is generated by ISPConfig, Zen Cart, the CAcert or some combination. The error message is:

    www.celectronics.co.uk has sent an incorrect or unexpected error code: -12263

    and an error not found when trying either with http://
  14. chuckl

    chuckl New Member

    Playing with Zen Cart as well ! thats definitely compounding the felony.

    When you say 'bringing it up with https, do you mean simply using https in the url rather than http, or that you are going to the user login/signup page or admin login, where it should automatically switch to https?

    It should work either way, but it can get tricky on some setups. The -12263 is a nasty as well. Means - I'm not happy with the data I'm getting.

    Could I suggest copy and back up your caCert stuff, then use the ISPConfig ssl page to generate a self signed certificate from the CSR, as Till described earlier in the thread, and test with that?
    It'll give the usual bloodthirsty warnings, but it's fine for testing to see if it gives a similar error.
  15. chancer

    chancer New Member

    Both, in the URL. Trying to go to the admin login or the site itself via the address bar gives the same result.

    OK, I'll try that and report back. Thanks.
  16. chancer

    chancer New Member

    Same result. Also, ISPConfig is reluctant to generate anything. A couple of times now I've had to delete a private key only and go back in to get a certificate and a request.

    What next? Do a full Zen Cart reinstall with the (CA)cert already in place? That's several hours of installation and reconfiguration, but if it gets the thing working? I could be just as long trying to work out what's wrong here and still end up with the same conclusion, I suppose.

    Or is there something else I could try?
  17. chuckl

    chuckl New Member

    Reinstalling etc won't solve anything, just get you back to where you are.

    If your ZCart installation is operational, leave it be. I'm assuming you have edited the admin and store configure.php files and changed ENABLE_SSL_ADMIN, ENABLE_SSL_CATALOG and ENABLE_SSL to true?

    Another useful step is to head to the /www/webXX/ssl folder in a terminal window/command line, and type in

    openssl x509 -noout -text -in nameofcert.crt

    which will list out the certificate contents. (the actual cert name should obviously be inserted).

    Similarly for the CSR

    openssl req -noout -text -in nameofcertreq.csr

    And the following 3 can be used to check that the key, the CSR and the cert match

    openssl rsa -noout -modulus -in nameofprivkey.pem |openssl md5
    openssl req -noout -modulus -in nameofcertreq.csr |openssl md5
    openssl x509 -noout -modulus -in nameofcert.pem |openssl md5

    Also, bear in mind that where certificates are concerned, www.mydomain.com is NOT the same as mydomain.com.
  18. chancer

    chancer New Member

    ENABLE_SSL_CATALOG - the other two, yes, but I thought this would hide the whole catalogue behind ssl? I'll try it now and see what happens.
  19. chuckl

    chuckl New Member

    I think the original idea was that the ENABLE_SSL would only enable it for the payment modules, ENABLE_SSL_CATALOG does it for login and any other 'sensitive' areas after login, as well as payment. I'd have to check the code to be sure.

    The other gotcha area with SSL is if you have Suexec or SuPHP enabled, they can play havoc with things if all is not perfect.
  20. chancer

    chancer New Member

    Nothing happened. It's the same. So running the commands as suggested - no .pem in sight.

    I've got .crt .csr .key and .key.org in the ssl directory. Could that be the root of the problem?

Share This Page