https://domain does not work

Discussion in 'Installation/Configuration' started by jsmo, Jun 12, 2015.

  1. jsmo

    jsmo New Member

    Greetings!

    Well... Domain.com is ok in http!

    In https://domain.com, an error message shows up (see photo). Completely nothing is sent from the server, I think there is no connection at all (I use a Firefox extension to look at the headers, there is nothing at all).

    Strangely, https://domain.com:12435 (port where ISPconfig is running) IS working!

    I have set up an SSL certificate for domain.com, with the Authority certificate, etc.

    Port 443 seems to be opened normally...

    Any suggestion?
     


  2. VANKO

    VANKO New Member

    You need to "trust" self signed certificate in your OS.
     
  3. jsmo

    jsmo New Member

    It is not self-issued, but issued by StartTLS.
     
  4. Teils

    Teils New Member

    You need to combine the StartTLS certificate with the Certificate Authority certificates into a single file. If there are multiple CA certificates, you need to put them in the order of authentication, from your StartTLS cert, up to the Root.
     
  5. jsmo

    jsmo New Member

    Well sorry I do not understand anything :(
    On another box using Plesk things are very simple: I have ONE certificate for the domain, and all works!!
     
  6. Teils

    Teils New Member

    Ok, I understand what's going on here a little better now. Sorry for confusing things.
    There is no such thing as a "StartTLS" certificate. The certificate you are using in ISPConfig is a self-signed certificate. StartTLS refers to the mode of initiating an SSL connection. It is not a type of certificate.

    Plex will work with a self-signed certificate without complaint. A web browser will not. In order to avoid the error you are seeing, you have to purchase a commercial certificate, and install that certificate in ISPConfig's Apache virtualhost setup.

    Google for PositiveSSL. You can get a certificate for as little as $9.95 a year.
     
  7. jsmo

    jsmo New Member

    http://startssl.com/ (and not startTLS, my error) supplies *commercial* certificates that are signed by them, and THEIR certificate is installed in all browsers. The only difference with "positiveSSL" etc is that their commercial certificate is free.

    Once more: When DOMAINS are installed on a server running Plesk as config panel, BROWSERS (of course!!) work fine and display the website correctly. If the DOMAIN certificate is self-signed, the browser simply displays a warning BUT we can load the website. In this case with ISPconfig the connection is simply DROPPED by the server (as I can see that NO http-headers are sent from the server)!
     
  8. Teils

    Teils New Member

    Yes, that makes more sense.

    The screenshot of the error you posted is a certificate authenticity verification error. I don't know what browser you are using there, but it does not look familiar.

    In any case, you MUST install the certificate chain that corresponds to your certificate. Without it, your certificate will not verify. The StartSSL certificate chain is NOT stored in all browsers. Only the root certificate is. The intermediate certificates are not. You can verify this yourself by looking at their example Apache config. Notice the SSLCertificateChainFile directive? You HAVE to have that.

    It is likely that StartSSL sent you a Certificate Authority bundle, or a series of certificates. If not, you will have to download the right CA certificates from their web site for the certificate product you ordered.

    I don't know what the standard way of installing certificates for ISPConfig is. However, I did it the way one does it for any Apache virtual host (in Debian). I edited the /etc/apache2/sites-available/000-ispconfig.vhost file and added the correct directives, which, in your case, would look like the examples found on the StartSSL site.
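
The chain point made in posts 4 and 8 (only the root is in the client's trust store, so the server must send the intermediate, leaf first), shown as an added example that is not part of the original thread. It builds a constructed throwaway PKI with the openssl CLI; every name and file in it is hypothetical.

```shell
#!/usr/bin/env bash
# Added example: constructed throwaway PKI (root -> intermediate -> leaf).
# All names and files are hypothetical; nothing here is a StartSSL certificate.
make_chain() (   # $1 = empty working directory
  cd "$1" || exit 1
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  for n in root inter leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example $n" \
      -keyout "$n.key" -out "$n.csr" 2>/dev/null || exit 1
  done
  openssl x509 -req -in root.csr -signkey root.key -days 2 \
    -extfile ca.ext -out root.pem 2>/dev/null &&
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out inter.pem 2>/dev/null &&
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 2 -out leaf.pem 2>/dev/null &&
  cat leaf.pem inter.pem > fullchain.pem   # leaf first, then its issuer
)

# Client view when the server sends only the leaf: just the root is trusted.
verify_leaf_only() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1 | grep -q ': OK$'
}

# Client view when the server also sends the intermediate
# (what Apache's SSLCertificateChainFile provides).
verify_with_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" \
    "$1/leaf.pem" 2>&1 | grep -q ': OK$'
}

# Bundle order check: each certificate's issuer must equal the next subject.
chain_in_order() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout |
    awk '/^subject=/ { s = substr($0, 9); if (n++ && s != prev) bad = 1 }
         /^issuer=/  { prev = substr($0, 8) }
         END { exit (bad || n == 0) }'
}

demo=$(mktemp -d) && make_chain "$demo" || exit 1
verify_leaf_only "$demo" && echo "leaf only: OK" || echo "leaf only: FAILED"
verify_with_chain "$demo" && echo "leaf + intermediate: OK"
chain_in_order "$demo/fullchain.pem" && echo "fullchain.pem is in order"
rm -rf "$demo"
```

Against a live site, `openssl s_client -connect HOST:443 -servername HOST -showcerts` lists the certificates the server actually sends, which can be saved and run through the same checks.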
     
  9. jsmo

    jsmo New Member

    Browser is firefox.
    And startSSL chain IS included in the firefox config.
    Anyway IF it would be a certificate problem, the server would return some messages. Here the server simply returns nothing and drops the connection.

    Moreover, I talked with StartSSL support team and they confirmed that the problem does not come from the certificate or certificate chain, but from the server config itself.
    And once more, doing *exactly* the same operations on a Plesk box running also with Centos 7, I have no problem at all.

    Oh... and using Internet Explorer, it takes about one minute to get a message " This page can’t be displayed,
    Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings"
    Settings are of course already turned ON.
     
  10. florian030

    florian030 Well-Known Member HowtoForge Supporter

    It makes no sense to hide the data if you need help.
     
  11. jsmo

    jsmo New Member

    ????? Which data? The domain name? LOL whatever the domain is XXX.COM or YYY.COM, where is the difference???
    Maybe I should write the IP, root login and password, right?
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    See chapter about installing SSL Certificates in a website in the ISPConfig manual.

    The file 000-ispconfig.vhost has nothing to do with a website on port 443. The file 000-ispconfig.vhost is the ispconfig vhost (port 8080), it should never be edited manually as your changes will get removed anyway. If you want to replace the self signed cert for the interface with a different one, then replace the cert file in the ispconfig ssl folder and don't edit the config file. If you want to add ssl for domain.com on port 443, then add a website domain.com in ispconfig, enable ssl for that site in the website settings and add the ssl cert and key on the ssl tab, choose save certificate as action and press save.
     
  13. Teils

    Teils New Member

    Yes, I see I misread the original post. I didn't realize he was talking about a created website.

    Thank you for the correction. This was not covered in the installation instructions, or in the ISPConfig 3 manual, so I went with what I knew.

    I set up ISPConfig mostly for my email users. Myself, I prefer bash to the browser. ;)
     
