SSL for website isn't working

Discussion in 'Installation/Configuration' started by czdavid, May 13, 2012.

  1. czdavid

    czdavid Member

    Hello,

    On my ISPConfig 3 server SSL isn't working for a (hosted) website.
    Every time I get this browser error - net::ERR_SSL_PROTOCOL_ERROR

    I tried to just create a self-signed certificate...

    It looks like ISPConfig hasn't created the directives in the Apache vhost, or I don't know...
    Can anyone help me?
     
  2. falko

    falko Super Moderator Howtoforge Staff

    What's the output of
    Code:
    ls -la
    in the web site's ssl/ directory?

    What values did you fill in on the web site's SSL tab in ISPConfig?
     
  3. czdavid

    czdavid Member

    Output of ls -la in the website's SSL folder:
    Code:
    root@myserver:/var/www/intranet.domain.cz/ssl# dir
    intranet.domain.cz.crt intranet.domain.cz.key
    intranet.domain.cz.csr intranet.domain.cz.key.org

    [screenshot omitted]

    VHOST
    [screenshot omitted]

    I can't find Apache directives for port 443. Is that OK?

    And I haven't added any IP address in ISPConfig - I used the "*" option for websites.
    But my server has one public IP address set, and websites are working fine on port 80 (HTTP).
     
    Last edited: May 14, 2012
  4. FutileFreedom

    FutileFreedom New Member

    @above:
    Make sure that in the first tab you have SSL checked. Also, the port 443 directives are down below the port 80 virtual host in the file.

    [screenshot omitted]

    Then, when I used cat *d3d* | grep VirtualHost, it returned this, which shows the port 80 vhost above the port 443 one.
    [screenshot omitted]

    Not sure if I'm understanding this right, so correct me if I'm wrong.
     
    Last edited: May 14, 2012
  5. czdavid

    czdavid Member

    Thank you very much.
    I hadn't checked SSL in the website settings (like on your screenshot).

    Now SSL is working.

    Is there some way to migrate an SSL cert with CSR from another server (not ISPConfig)?
    What happens if some customer activates SSL for his website on the same server (same public IP)?
     
    Last edited: May 14, 2012
  6. falko

    falko Super Moderator Howtoforge Staff

    Yes, make backups of the SSL files generated by ISPConfig in the ssl folder, and then place your cert, csr and key in the ssl folder and rename them to the file names of the original SSL files generated by ISPConfig. Restart Apache afterwards.
    You can enable SNI under System > Server Config on the Web tab. If you use SNI, you can run multiple SSL web sites on one IP (but be aware that not all browsers support this, for example, IE on WinXP has no SNI support; all other browsers are fine).

    If you don't use SNI, you must have one IP per SSL web site.
     
  7. czdavid

    czdavid Member

    Thank you ... you are a saver.

    I have enabled SNI, but the SSL cert is set for domain1.tld, and if I try https://domain2.tld, that domain uses the SSL cert from domain1.tld.

    I tried Chrome and Opera.

    On the server only one SSL cert is set. Is that OK, or is SNI not working?
     
  8. falko

    falko Super Moderator Howtoforge Staff

    You must enable SSL for both domains (and both domains must have an SSL cert).
     
  9. czdavid

    czdavid Member

    I tried it like you described - SSL is enabled for both domains and both have an SSL cert.

    The problem is the second domain, which uses the SSL cert from the first domain - it isn't working like you described. Is it possible to check if SNI is working?
    Is it necessary to select an IP address for the domains from the drop-down menu, or can I use the "*" option (I'm using the "*" option for all of my websites)? I mean for SNI and SSL to work right.
     
    Last edited: May 16, 2012
  10. falko

    falko Super Moderator Howtoforge Staff

    Can you check in the ssl folder of both websites that they use their own certificates, and that both Apache vhost files reference these certs?
     
  11. czdavid

    czdavid Member

    Already checked - both sites have their own certificates in the ssl directory and both have these certificates set in the vhost. Do you want screenshots of the vhosts and folders?
     
  12. falko

    falko Super Moderator Howtoforge Staff

    Yes, that would be great (BTW: you don't have to create screenshots - you can simply copy&paste from PuTTY).
     
  13. czdavid

    czdavid Member

    Domain 1 SSL folder:
    Code:
    root@server:/var/www/domain1.cz/ssl# dir
    domain1.crt  domain1.cz.key      domain1.key.org
    domain1.csr  domain1.cz.key.bak  domain1.cz.key.org.bak
    
    Domain 2 SSL folder:
    Code:
    root@server:/var/www/domain2.cz/ssl# dir
    domain2.crt  domain2.csr  domain2.key  domain2.key.org
    
    If I try https://domain2 -> I get the SSL cert from domain1.
    For domain1 the SSL cert from domain1 works (right).
     
  14. falko

    falko Super Moderator Howtoforge Staff

    Can you post both vhost configurations?
     
  15. czdavid

    czdavid Member

    Domain 1

    Code:
    <Directory /var/www/domain1.cz>
        AllowOverride None
        Order Deny,Allow
        Deny from all
    </Directory>
    
    <VirtualHost *:80>
          DocumentRoot /var/www/domain1.cz/web
    
        ServerName domain1.cz
        ServerAlias www.domain1.cz
        ServerAdmin [email protected]
    
        ErrorLog /var/log/ispconfig/httpd/domain1.cz/error.log
    
        Alias /error/ "/var/www/domain1.cz/web/error/"
        ErrorDocument 400 /error/400.html
        ErrorDocument 401 /error/401.html
        ErrorDocument 403 /error/403.html
        ErrorDocument 404 /error/404.html
        ErrorDocument 405 /error/405.html
        ErrorDocument 500 /error/500.html
        ErrorDocument 502 /error/502.html
        ErrorDocument 503 /error/503.html
    
        <IfModule mod_ssl.c>
        </IfModule>
    
        <Directory /var/www/domain1.cz/web>
            Options FollowSymLinks
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
        <Directory /var/www/clients/client3/web82/web>
            Options FollowSymLinks
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
    
    
    
        # Clear PHP settings of this website
        <FilesMatch "\.ph(p3?|tml)$">
            SetHandler None
        </FilesMatch>
        # mod_php enabled
        AddType application/x-httpd-php .php .php3 .php4 .php5
        php_admin_value sendmail_path "/usr/sbin/sendmail -t -i [email protected]"
        php_admin_value upload_tmp_dir /var/www/clients/client3/web82/tmp
        php_admin_value session.save_path /var/www/clients/client3/web82/tmp
            # PHPIniDir /var/www/conf/web82
        php_admin_value open_basedir /var/www/clients/client3/web82/web:/var/www/clients/client3/web82/tmp:/var/www/domain1.cz/web:/srv/www/domain1.cz/web:/usr/share/php5:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyad$
    
    
        # add support for apache mpm_itk
        <IfModule mpm_itk_module>
          AssignUserId web82 client3
        </IfModule>
    
        <IfModule mod_dav_fs.c>
              # Do not execute PHP files in webdav directory
          <Directory /var/www/clients/client3/web82/webdav>
                <FilesMatch "\.ph(p3?|tml)$">
              SetHandler None
            </FilesMatch>
          </Directory>
          DavLockDB /var/www/clients/client3/web82/tmp/DavLock
          # DO NOT REMOVE THE COMMENTS!
          # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
          # WEBDAV BEGIN
          # WEBDAV END
        </IfModule>
    
    
    </VirtualHost>
    <VirtualHost *:443>
          DocumentRoot /var/www/domain1.cz/web
    
        ServerName domain1.cz
        ServerAlias www.domain1.cz
        ServerAdmin [email protected]
    
        ErrorLog /var/log/ispconfig/httpd/domain1.cz/error.log
    
        Alias /error/ "/var/www/domain1.cz/web/error/"
        ErrorDocument 400 /error/400.html
        ErrorDocument 401 /error/401.html
        ErrorDocument 403 /error/403.html
        ErrorDocument 404 /error/404.html
        ErrorDocument 405 /error/405.html
        ErrorDocument 500 /error/500.html
        ErrorDocument 502 /error/502.html
        ErrorDocument 503 /error/503.html
    
        <IfModule mod_ssl.c>
            SSLEngine on
        SSLCertificateFile /var/www/clients/client3/web82/ssl/domain1.cz.crt
        SSLCertificateKeyFile /var/www/clients/client3/web82/ssl/domain1.cz.key
        </IfModule>
    
        <Directory /var/www/domain1.cz/web>
            Options FollowSymLinks
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
        <Directory /var/www/clients/client3/web82/web>
            Options FollowSymLinks
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
    
    
    
        # Clear PHP settings of this website
        <FilesMatch "\.ph(p3?|tml)$">
          SetHandler None
        </FilesMatch>
        # mod_php enabled
        AddType application/x-httpd-php .php .php3 .php4 .php5
        php_admin_value sendmail_path "/usr/sbin/sendmail -t -i [email protected]"
        php_admin_value upload_tmp_dir /var/www/clients/client3/web82/tmp
        php_admin_value session.save_path /var/www/clients/client3/web82/tmp
            # PHPIniDir /var/www/conf/web82
        php_admin_value open_basedir /var/www/clients/client3/web82/web:/var/www/clients/client3/web82/tmp:/var/www/domain1.cz/web:/srv/www/domain1.cz/web:/usr/share/php5:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyad$
    
    
        # add support for apache mpm_itk
        <IfModule mpm_itk_module>
          AssignUserId web82 client3
        </IfModule>
    
        <IfModule mod_dav_fs.c>
              # Do not execute PHP files in webdav directory
          <Directory /var/www/clients/client3/web82/webdav>
                <FilesMatch "\.ph(p3?|tml)$">
              SetHandler None
            </FilesMatch>
          </Directory>
          DavLockDB /var/www/clients/client3/web82/tmp/DavLock
          # DO NOT REMOVE THE COMMENTS!
          # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
          # WEBDAV BEGIN
          # WEBDAV END
        </IfModule>
    
    
    
    </VirtualHost>
    
    
    
    Domain 2

    Code:
    <Directory /var/www/domain2.cz>
        AllowOverride None
        Order Deny,Allow
        Deny from all
    </Directory>
    
    <VirtualHost *:80>
          DocumentRoot /var/www/domain2.cz/web
    
        ServerName domain2.cz
        ServerAlias www.domain2.cz
        ServerAlias webmail.domain2.cz
        ServerAlias www.aliasfordomain.cz aliasfordomain.cz
        ServerAlias posta.domain2.cz
        ServerAlias phpmyadmin.domain2.cz
        ServerAlias mysql.domain2.cz
        ServerAlias admin.domain2.cz
        ServerAdmin [email protected]
    
        ErrorLog /var/log/ispconfig/httpd/domain2.cz/error.log
    
        Alias /error/ "/var/www/domain2.cz/web/error/"
        ErrorDocument 400 /error/400.html
        ErrorDocument 401 /error/401.html
        ErrorDocument 403 /error/403.html
        ErrorDocument 404 /error/404.html
        ErrorDocument 405 /error/405.html
        ErrorDocument 500 /error/500.html
        ErrorDocument 502 /error/502.html
        ErrorDocument 503 /error/503.html
    
        <IfModule mod_ssl.c>
        </IfModule>
    
        <Directory /var/www/domain2.cz/web>
            Options FollowSymLinks
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
        <Directory /var/www/clients/client2/web2/web>
            Options FollowSymLinks
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
    
    
    
        # Clear PHP settings of this website
        <FilesMatch "\.ph(p3?|tml)$">
            SetHandler None
        </FilesMatch>
        # mod_php enabled
        AddType application/x-httpd-php .php .php3 .php4 .php5
        php_admin_value sendmail_path "/usr/sbin/sendmail -t -i [email protected]"
        php_admin_value upload_tmp_dir /var/www/clients/client2/web2/tmp
        php_admin_value session.save_path /var/www/clients/client2/web2/tmp
            # PHPIniDir /var/www/conf/web2
          # PHPIniDir /var/www/conf/web2
        php_admin_value open_basedir /var/www/clients/client2/web2/web:/var/www/clients/client2/web2/tmp:/var/www/domain2.cz/web:/srv/www/domain2.cz/web:/usr/share/php5:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin
    
        RewriteEngine on
        RewriteCond %{HTTP_HOST}   ^aliasfordomain.cz$ [NC]
        RewriteRule   ^/(.*)$ http://domain2.cz/$1  [R=301,L]
        RewriteCond %{HTTP_HOST}   ^www.aliasfordomain.cz$ [NC]
        RewriteRule   ^/(.*)$ http://domain2.cz/$1  [R=301,L]
        RewriteCond %{HTTP_HOST}   ^posta.domain2.cz$ [NC]
        RewriteRule   ^/(.*)$ http://mail.domain2.cz/$1  [R=301,L]
        RewriteCond %{HTTP_HOST}   ^phpmyadmin.domain2.cz$ [NC]
        RewriteRule   ^/(.*)$ http://einstein.domain2.cz:8080/phpmyadmin/$1  [R=301,L]
        RewriteCond %{HTTP_HOST}   ^mysql.domain2.cz$ [NC]
        RewriteRule   ^/(.*)$ http://einstein.domain2.cz:8080/phpmyadmin/$1  [R=301,L]
        RewriteCond %{HTTP_HOST}   ^admin.domain2.cz$ [NC]
        RewriteRule   ^/(.*)$ http://emc2.domain2.cz:8080/$1  [R=301,L]
    
        # add support for apache mpm_itk
        <IfModule mpm_itk_module>
          AssignUserId web2 client2
        </IfModule>
    
        <IfModule mod_dav_fs.c>
              # Do not execute PHP files in webdav directory
          <Directory /var/www/clients/client2/web2/webdav>
                <FilesMatch "\.ph(p3?|tml)$">
              SetHandler None
            </FilesMatch>
          </Directory>
          DavLockDB /var/www/clients/client2/web2/tmp/DavLock
          # DO NOT REMOVE THE COMMENTS!
          # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
          # WEBDAV BEGIN
          # WEBDAV END
        </IfModule>
    
    
    </VirtualHost>
    <VirtualHost *:443>
          DocumentRoot /var/www/domain2.cz/web
    
        ServerName domain2.cz
        ServerAlias www.domain2.cz
        ServerAlias webmail.domain2.cz
        ServerAlias www.aliasfordomain.cz aliasfordomain.cz
        ServerAlias posta.domain2.cz
        ServerAlias phpmyadmin.domain2.cz
        ServerAlias mysql.domain2.cz
        ServerAlias admin.domain2.cz
        ServerAdmin [email protected]
    
        ErrorLog /var/log/ispconfig/httpd/domain2.cz/error.log
    
        Alias /error/ "/var/www/domain2.cz/web/error/"
        ErrorDocument 400 /error/400.html
        ErrorDocument 401 /error/401.html
        ErrorDocument 403 /error/403.html
        ErrorDocument 404 /error/404.html
        ErrorDocument 405 /error/405.html
        ErrorDocument 500 /error/500.html
        ErrorDocument 502 /error/502.html
        ErrorDocument 503 /error/503.html
    
        <IfModule mod_ssl.c>
            SSLEngine on
        SSLCertificateFile /var/www/clients/client2/web2/ssl/domain2.cz.crt
        SSLCertificateKeyFile /var/www/clients/client2/web2/ssl/domain2.cz.key
        </IfModule>
    
        <Directory /var/www/domain2.cz/web>
            Options FollowSymLinks
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
        <Directory /var/www/clients/client2/web2/web>
            Options FollowSymLinks
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
    
    
    
        # Clear PHP settings of this website
        <FilesMatch "\.ph(p3?|tml)$">
            SetHandler None
        </FilesMatch>
        # mod_php enabled
        AddType application/x-httpd-php .php .php3 .php4 .php5
        php_admin_value sendmail_path "/usr/sbin/sendmail -t -i [email protected]"
        php_admin_value upload_tmp_dir /var/www/clients/client2/web2/tmp
        php_admin_value session.save_path /var/www/clients/client2/web2/tmp
            # PHPIniDir /var/www/conf/web2
        php_admin_value open_basedir /var/www/clients/client2/web2/web:/var/www/clients/client2/web2/tmp:/var/www/domain2.cz/web:/srv/www/domain2.cz/web:/usr/share/php5:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin
    
        RewriteEngine on
        RewriteCond %{HTTP_HOST}   ^aliasfordomain.cz$ [NC]
        RewriteRule   ^/(.*)$ http://domain2.cz/$1  [R=301,L]
        RewriteCond %{HTTP_HOST}   ^www.aliasfordomain.cz$ [NC]
        RewriteRule   ^/(.*)$ http://domain2.cz/$1  [R=301,L]
        RewriteCond %{HTTP_HOST}   ^posta.domain2.cz$ [NC]
        RewriteRule   ^/(.*)$ http://mail.domain2.cz/$1  [R=301,L]
        RewriteCond %{HTTP_HOST}   ^phpmyadmin.domain2.cz$ [NC]
        RewriteRule   ^/(.*)$ http://einstein.domain2.cz:8080/phpmyadmin/$1  [R=301,L]
        RewriteCond %{HTTP_HOST}   ^mysql.domain2.cz$ [NC]
        RewriteRule   ^/(.*)$ http://einstein.domain2.cz:8080/phpmyadmin/$1  [R=301,L]
        RewriteCond %{HTTP_HOST}   ^admin.domain2.cz$ [NC]
        RewriteRule   ^/(.*)$ http://emc2.domain2.cz:8080/$1  [R=301,L]
    
        # add support for apache mpm_itk
        <IfModule mpm_itk_module>
          AssignUserId web2 client2
        </IfModule>
    
        <IfModule mod_dav_fs.c>
              # Do not execute PHP files in webdav directory
          <Directory /var/www/clients/client2/web2/webdav>
                <FilesMatch "\.ph(p3?|tml)$">
              SetHandler None
            </FilesMatch>
          </Directory>
          DavLockDB /var/www/clients/client2/web2/tmp/DavLock
          # DO NOT REMOVE THE COMMENTS!
          # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
          # WEBDAV BEGIN
          # WEBDAV END
        </IfModule>
    
    
    </VirtualHost>
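
    The question raised earlier in the thread, whether SNI is actually in use, can be answered from the client side. The script below is an added example, not code from the thread or from ISPConfig: for each site name it performs a TLS handshake with that name in SNI, takes the certificate the server returns and compares its bytes with the .crt file named in that site's vhost above (the SSLCertificateFile paths are the ones from the posted configs; host 127.0.0.1 and port 443 are assumed). If domain2.cz is answered with domain1.cz's bytes, Apache is not selecting the vhost by SNI.

```python
import hashlib
import socket
import ssl


def fetch_served_cert(host, port, sni_name, timeout=5.0):
    """TLS handshake with SNI=sni_name; return the leaf certificate as DER.

    Verification is switched off on purpose: the thread uses self-signed
    certificates, which would abort a verifying handshake before we could
    look at what was served. No application data is sent.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni_name) as tls:
            return tls.getpeercert(binary_form=True)


def file_cert_der(pem_text):
    """DER of a PEM certificate as stored in the site's ssl/ folder."""
    return ssl.PEM_cert_to_DER_cert(pem_text)


def fingerprint(der):
    """SHA-256 of the DER bytes, like 'openssl x509 -fingerprint -sha256'."""
    return hashlib.sha256(der).hexdigest()


def sni_report(served, expected):
    """served and expected map site name -> DER bytes. Returns name -> verdict:
    'ok'        the served certificate is the one on disk for that site
    'sni-miss'  the server answered with another site's certificate
    'unknown'   the served certificate matches none of the known files
    """
    owner_of = {fingerprint(der): name for name, der in expected.items()}
    report = {}
    for name, der in served.items():
        owner = owner_of.get(fingerprint(der))
        if owner == name:
            report[name] = "ok"
        elif owner is None:
            report[name] = "unknown"
        else:
            report[name] = "sni-miss (served certificate of %s)" % owner
    return report


if __name__ == "__main__":
    # Assumed: run on the server itself; the paths are the SSLCertificateFile
    # values from the two vhosts posted in the thread.
    SITES = {
        "domain1.cz": "/var/www/clients/client3/web82/ssl/domain1.cz.crt",
        "domain2.cz": "/var/www/clients/client2/web2/ssl/domain2.cz.crt",
    }
    expected = {n: file_cert_der(open(p).read()) for n, p in SITES.items()}
    served = {n: fetch_served_cert("127.0.0.1", 443, n) for n in SITES}
    for name, verdict in sni_report(served, expected).items():
        print("%-12s %s" % (name, verdict))
```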
    
    
     
  16. falko

    falko Super Moderator Howtoforge Staff

    Can you assign a fixed IP to both vhosts instead of *?
     
  17. czdavid

    czdavid Member

    Could it be the same IP address?
    In ISPConfig - do I have to check the "HTTP NameVirtualHost" option when adding the IP address?

    Will it still work if I add the IP to ISPConfig and assign it to these two vhosts, while the other vhosts keep the "*" option (using the same IP address)?
     
  18. falko

    falko Super Moderator Howtoforge Staff

    If you want to use SNI, then yes.
    That's correct.

    Yes.
     
  19. czdavid

    czdavid Member

    Thank you very much.

    I discovered this in log:
    Code:
    [Mon May 21 23:07:02 2012] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
    [Mon May 21 23:14:01 2012] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
    [Mon May 21 23:14:02 2012] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
    [Mon May 21 23:46:01 2012] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
    [Mon May 21 23:46:02 2012] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
    [Mon May 21 23:47:01 2012] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
    [Mon May 21 23:47:02 2012] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
    [Tue May 22 11:54:01 2012] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
    [Tue May 22 11:54:02 2012] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
    [Tue May 22 11:54:05 2012] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
    [Tue May 22 11:54:06 2012] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
    [Tue May 22 11:54:08 2012] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
    [Tue May 22 11:54:09 2012] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
    [Tue May 22 11:55:02 2012] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
    [Tue May 22 11:55:03 2012] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
    [Tue May 22 11:55:05 2012] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
    [Tue May 22 11:55:06 2012] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
    [Tue May 22 12:13:01 2012] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
    [Tue May 22 12:13:02 2012] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
    [Tue May 22 12:15:01 2012] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
    [Tue May 22 12:15:03 2012] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
    Do you think that adding the IP address will help?

    And three more easy questions for you (hopefully the last):

    1) In log:
    Code:
    May 24 04:31:44 server postfix/smtpd[20857]: warning: 127.0.0.1: address not listed for hostname localhost.localdomain
    May 24 04:32:02 server postfix/smtpd[20857]: warning: 127.0.0.1: address not listed for hostname localhost.localdomain
    I have this in /etc/hosts (the IP is changed, and the real one is working :))
    Code:
    ::1 localhost.localdomain localhost
    127.0.0.1 localhost.localdomain localhost
    # Auto-generated hostname. Please do not remove this comment.
    256.256.256.256 server.mydomain.cz server
    
    
    2) This is the date which the server shows after the date command:
    Thu May 24 10:00:33 CEST 2012

    - that is OK, but ISPConfig is showing a time TWO hours less than the server time - is it possible to set the timezone in ISPConfig?

    3) CRON error report:
    Code:
    /etc/cron.daily/pve:
    parse error in '/etc/pve/datacenter.cfg' - 'keyboard': value 'en' does not have a value in the enumeration 'pt, tr, ja, es, no, is, fr-ca, fr, pt-br, da, fr-ch, sl, de-ch, en-gb, it, en-us, fr-be, hu, pl, nl, mk, fi, lt, sv, de'
    I can't find the file /etc/pve/datacenter.cfg to edit the keyboard value - where can I find it?

    Thank you!!!
     
    Last edited: May 24, 2012
  20. falko

    falko Super Moderator Howtoforge Staff

    Yes, please try it.
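
    The repeated warning quoted in the previous post is the mechanism behind the symptom: Apache 2.2 (the [warn] log format above) logs it when several <VirtualHost> blocks share an address:port for which no NameVirtualHost directive exists; it then treats them as IP-based vhosts, so the first *:443 block answers every request with its own certificate whatever name the client sent in SNI (the "HTTP NameVirtualHost" option mentioned above takes its name from this directive, and Apache 2.4 dropped the directive and does name-based matching automatically). The checker below is an added example, not code from the thread or from ISPConfig, that finds such sockets in a config text; its sample config is constructed to mirror the thread, and the single NameVirtualHost *:443 line that clears the warning is the Debian-era fix (on that layout it belongs in /etc/apache2/ports.conf).

```python
import re
from collections import defaultdict

VHOST_RE = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
NVH_RE = re.compile(r"^\s*NameVirtualHost\s+(\S+)", re.I)


def normalise(addr):
    """Apache matches NameVirtualHost and <VirtualHost> arguments literally,
    so keep addr:port as written; a bare address gets ':*' for all ports."""
    return addr if ":" in addr else addr + ":*"


def scan(config_text):
    """Return (vhosts, nvh): vhosts maps addr:port -> number of blocks,
    nvh is the set of addr:port that a NameVirtualHost line declares."""
    vhosts = defaultdict(int)
    nvh = set()
    for line in config_text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        m = VHOST_RE.match(line)
        if m:
            for addr in m.group(1).split():   # <VirtualHost a:443 b:443>
                vhosts[normalise(addr)] += 1
            continue
        m = NVH_RE.match(line)
        if m:
            nvh.add(normalise(m.group(1)))
    return dict(vhosts), nvh


def overlaps(config_text):
    """addr:port pairs with more than one vhost and no NameVirtualHost, i.e.
    the sockets on which Apache 2.2 prints the overlap warning and serves
    only the first vhost (and its certificate) to every client."""
    vhosts, nvh = scan(config_text)
    return sorted(ap for ap, n in vhosts.items() if n > 1 and ap not in nvh)


# Constructed sample mirroring the thread: two sites on *:80 and *:443, with
# the NameVirtualHost *:80 line Debian ships but none for *:443.
SAMPLE = """\
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName domain1.cz
</VirtualHost>
<VirtualHost *:443>
    ServerName domain1.cz
</VirtualHost>
<VirtualHost *:80>
    ServerName domain2.cz
</VirtualHost>
<VirtualHost *:443>
    ServerName domain2.cz
</VirtualHost>
"""
FIXED = "NameVirtualHost *:443\n" + SAMPLE   # the one line that clears it

if __name__ == "__main__":
    print("overlapping sockets:", overlaps(SAMPLE))   # ['*:443']
    print("after NameVirtualHost *:443:", overlaps(FIXED))   # []
```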
     
