Importing existing ssl key/cert into ISPConfig site

Discussion in 'Installation/Configuration' started by zetnsh, Jan 17, 2008.

Thread Status:
Not open for further replies.
  1. zetnsh

    zetnsh New Member

    Hi there,

    I have created an SSL Site within ISPConfig, but I don't want to create an SSL Certificate - I am migrating a site in from another ISP, and I already have the X509 Key/Cert pair. Whilst I can paste in a CSR (for what it's worth!), and the key, I can't immediately see a way to input the existing private key.

    Can anyone give me a clue as to how I might do this with ISPConfig? I can't imagine I'm the first to ask!

    Thanks in advance,

    Neil
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    1) Create a new "dummy" SSL cert in ISPConfig.
    2) Replace the key, cert and csr files in the ssl directory of the website with the existing ones from the old server.
    3) Replace the ssl cert and csr in the ispconfig interface with your existing csr and cert.
     
  3. zetnsh

    zetnsh New Member

    That worked great. I think it would be good to build that into ISPConfig though - it should be easy enough to do, I've actually done it myself with a server admin system I wrote a few years ago (which now belongs to my former employer!).

    Thanks for the help!
     
  4. ahsamuel

    ahsamuel New Member

    Hi,

    i've done that, but i'm not getting it to work.

    i filled the fields about the ssl (Country etc), and chose "create certificate" and then pressed save.
    then i went back into it and clicked save certificate and save.
    then i replaced the .key, .csr and .crt files in the ssl directory
    then i copy&pasted the contents of the .csr into the first, and of the .crt into the second field and clicked save certificate.

    when i now open my site with https://, i get a wrong cert. , based on the fields i filled with "dummy" stuff.

    what i have:
    - a .key, a .cert and a self-made .csr (made with the .key)
    - got the certificate with my hosting at ovh (they gave me the .key and a dedicated IP, i have a root server there)

    i run ispconfig, everything else works fine.

    any ideas or more details on how to do this?
     
  5. zetnsh

    zetnsh New Member

    Difficult to say on this one. I'm not an ISPConfig expert (I've only been using it since August last year), but I wonder if it's the lack of a CSR that could be causing the problem.

    Now you don't actually need the CSR in order for the web server to start - that just reads the key and the cert (from separate files such as /var/www/web1/ssl/www.mysite.com.key etc), but I just wonder if perhaps this is causing problems with ISPConfig rather than apache.

    What you could do is put the correct .key and .cert files in the relevant directory manually again, don't touch ISPConfig, and restart apache (eg. apachectl restart or /etc/init.d/httpd restart etc).

    In fact, if you do apachectl configtest first, that should tell you if the key/cert is valid. You can then test the site again in a browser (close it and re-open just to be sure) to see if it's the right cert. If it is, then you can test again putting the CSR and the Cert into the site's SSL tab in ISPConfig. I've done this successfully, but then again I did have the original CSR used to generate the certificate. I would have thought you might struggle without that.

    With this sort of problem, you usually find the solution by careful step-by-step analysis of what's actually going on, and careful reasoning. (aka trial and error!)

    Hope you get it sorted. Feel free to post back - not sure I could be any more help though...

    Thanks,

    Neil
     
  6. ahsamuel

    ahsamuel New Member

    Thank you for your answer, i don't know why, but it somehow fixed itself overnight.

    It still brings an error, but i cannot read what the problem is.

    maybe someone could check: https://www.hotelvaladon.fr

    Thankyou!
     
  7. zetnsh

    zetnsh New Member

    Last edited: Feb 5, 2008
  8. ahsamuel

    ahsamuel New Member

    it works with my IE7, but not with FF.

    :p
     
  9. zetnsh

    zetnsh New Member

    I have tried it with Firefox, and I see your point.

    It's definately nothing to do with ISPConfig though. It's to do with the Certification Authority who provided the SSL Certificate. I think it's basically because Firefox doesn't have the root certificates for OVH Secure Certification Authority, whoever they are.

    Unless I've missed something here, I think the only resolution is to obtain an SSL Certificate from a reputable provider such as Thawte or Verisign (yes, I know Verisign own Thawte now! ;-) Thawte do a reasonably priced budget certificate called SSL-123. But that's still paying twice, unless you can get a refund.

    If you go for a less well known SSL provider, unfortunately you run the risk of the CA not being recognised by some of the browsers. In this case, it seems to work with IE7 and Safari, but not in Firefox or Opera.

    Thanks,

    Neil
     
  10. ahsamuel

    ahsamuel New Member

    Thank you a lot, I'll try and contact them. Will keep you (all) updated.
     
  11. zetnsh

    zetnsh New Member

  12. till

    till Super Moderator Staff Member ISPConfig Developer

    It might be that your SSL authority requires a chained root certificate. If they provided you with such a master certificate, save it to a file in the sll directory of your site and the add a line like this in the apache directives field of the site:

    SSLCACertificateFile /var/www/www.yourdomain.com/ssl/ca.txt
     
  13. ahsamuel

    ahsamuel New Member

    Thank you Till, I tried this, since they gave me a .chain file too.

    I added the Line in my ispconfig:
    SSLCACertificateFile /var/www/web55/ssl/www.hotelvaladon.fr.chain

    but there is one file i didn't put there:
    ls -lah /var/www/web55/ssl/
    -rw-r--r-- 1 root root 5.0K 2008-02-05 11:30 www.hotelvaladon.fr.chain
    -rw-r--r-- 1 root root 2.0K 2008-02-04 18:17 www.hotelvaladon.fr.crt
    -rw-r--r-- 1 root root 997 2008-02-04 18:10 www.hotelvaladon.fr.csr
    -r-------- 1 root root 1.7K 2008-02-04 18:15 www.hotelvaladon.fr.key
    -rw-r--r-- 1 root root 951 2008-02-04 18:10 www.hotelvaladon.fr.key.org

    the .key.org is not from me, must be from ispconfig!?

    any suggestion?
     
  14. falko

    falko Super Moderator Howtoforge Staff

    Yes, that's right.
     
  15. ahsamuel

    ahsamuel New Member

    i don't know how (i didn't change anything since my trouble ticket @ovh), but it works now with IE & FF.

    thanks all for your support!

    Samuel

    (loving ispconfig btw)
     
  16. Zador

    Zador New Member

    Hi.
    I can not get to install certificate on ispconfig from COMODO, payed SSL.
    I tryed copy paste crt, csr and key in text field on ispconfig web > ssl.
    I tryed like you wrote, create certificate, then replace files and input fields, but apache give error:
    AH00019: Configuration Failed
    SIGTERM handler "exitall"not defined.
    Please do you know how install Payed certificate *wildcard COMODO on ispconfig web SSL?
     
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    You posted here in a thread about ISPConfig 2 software. Are you really sure you use ISPConfig 2 which is not available for at least 8 years anymore andnnot ISPConfig 3?
     
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    In ISPConfig 3, you just copy the SSL key, cert and SSL bundle in the fields on the SSL tab of the website, select 'save certificate' as action in the action field and press save. I use several comodo certs on my servers, works perfectly. and you must have SSL enabled for the website in the website settings of course.
     
  19. Zador

    Zador New Member

    Thank you for your answer. I am use last version of ispconfig on ubuntu 18.04. I do like you wrote, but still error. Is clean recent instalation of ubuntu and ispconfig, withouts any errors after install. I use this post, becouse is only one about this problem. I cannot apply comodo ssl. nightmare.. :(
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    But ISPConfig 2 is not related to ISPConfig 3 except the name, it's a completely different software so nothing in this thread applies to the software that you use on your server. Double-check that you copied the ssl certs correctly incl the begin and end lines that surround the ssl cert.
     
Thread Status:
Not open for further replies.

Share This Page