How to change default SSL Certificate?

Discussion in 'ISPConfig 3 Priority Support' started by Igor Almeida, Sep 18, 2015.

  1. Igor Almeida

    Igor Almeida Member

    I'm having an issue that I can't solve. Here it is:
    I have my main domain in the ISPConfig3, maindomain.com. I installed SSL on it as on ftp, postfix, ISPConfig.
    I also have a few other domains with SSL and they are working fine.
    Yesterday, I installed a new domain and an SSL for it the same way I have done before, but now this last SSL I installed became my main SSL certificate. Let me try to explain:

    Before, I could go to https://owncloud.maindomain.com or https://webmail.maindomain.com or (and this is the most annoying one) https://anydomain.com and it would show the SSL certificate of my maindomain.com, and now it shows the SSL certificate of the last domain I just added. (Remember, I have installed SSLs for many other domains and this was never a problem.)

    I had to change the vhost of the owncloud and webmail to specifically tell where the SSL of my maindomain.com is located, but it will be a pain to change all the vhosts I have.
    The big problem is that I don't want my clients seeing someone else's SSL if they try https://theirdomain.com; showing the SSL of maindomain.com is OK as they know and trust our company.

    Is there a way to solve this!?

    Thank you so much,
    Igor
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    There is no main domain, all domains are equal. I guess what you mean is the fallback domain that Apache uses when there is no matching vhost. Apache tries to find a vhost where domain and IP match; if none is found, then Apache tries to find one where domain and * match, and if none is found, then Apache will show the content of the first domain in alphabetical order that exists on this server. So when the first domain in the alphabet is a different one now, then Apache will fall back to this new domain. Therefore, all sites and subdomains that you use on your server should be defined, as relying on the default fallback mechanism in Apache is not a good idea as this can always change.
     
  3. Igor Almeida

    Igor Almeida Member

    gotcha!
    I said main just because of the lack of a word to direct to that domain!

    Till, is there a way to stop Apache from showing "the wrong SSL" when someone that doesn't have the SSL enabled tries to access https://itswebsite.com?

    Igor
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    One way would be to have one IP for sites with ssl and another one for all sites without ssl. As far as I know rewriting with a rule would not work as this takes place after the ssl connect.
     
  5. Igor Almeida

    Igor Almeida Member

    I see!
    I kinda found a way... creating self-signed SSL for all the domains that don't have a signed SSL! At least it doesn't show up someone else's domain. ;)

    Thank you Till, always helping!
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    One thing that you could try is this:

    1) Disable the "main" website in ISPConfig by unticking the "active" checkbox. This will remove the symlinks in the Apache sites-enabled directory.
    2) Now create a symlink manually in sites-enabled that starts with "000-" so that it is first in the alphabet; this symlink has to point to the vhost file of the site in the Apache sites-available folder.
    3) Reload Apache and remember not to activate the site again in ISPConfig, as this would create the old symlink again.
     
    Igor Almeida likes this.
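
The fallback order till describes, and the effect of the "000-" symlink from steps 1) to 3), checked against a throwaway directory. This is an added example, not part of the original thread or of ISPConfig: the function names, the example domains, the "100-" prefix and the certificate paths are constructed, and it assumes one SSL vhost per file and byte-wise ordering of file names.

```shell
#!/bin/sh
# Added illustration; all names, domains and paths below are constructed.

# default_ssl_vhost DIR
# Print "<file> <certificate>" for the first file in DIR, in byte-wise name
# order (assumed to match Apache's wildcard Include order), that holds a
# <VirtualHost ...:443> block. That vhost answers HTTPS requests whose host
# name matches no vhost. Exit status 1 if no file qualifies.
default_ssl_vhost() (
    LC_ALL=C; export LC_ALL            # make the glob sort byte-wise
    for f in "$1"/*; do
        [ -f "$f" ] || continue        # skips dangling symlinks too
        grep -Eqi '^[[:space:]]*<VirtualHost[[:space:]][^>]*:443' "$f" || continue
        cert=$(awk 'tolower($1) == "sslcertificatefile" { print $2; exit }' "$f")
        echo "$(basename "$f") ${cert:-none}"
        exit 0
    done
    exit 1
)

# make_vhost DIR NAME: write a minimal SSL vhost file for NAME into DIR.
make_vhost() {
    printf '<VirtualHost *:443>\n  ServerName %s\n  SSLEngine on\n  SSLCertificateFile /etc/ssl/demo/%s.crt\n</VirtualHost>\n' \
        "$2" "$2" > "$1/$2.vhost"
}

# Constructed layout: two SSL sites, symlinked into sites-enabled.
demo=$(mktemp -d)
mkdir "$demo/sites-available" "$demo/sites-enabled"
make_vhost "$demo/sites-available" maindomain.example
make_vhost "$demo/sites-available" aaa-newclient.example
for site in maindomain.example aaa-newclient.example; do
    ln -s "$demo/sites-available/$site.vhost" "$demo/sites-enabled/100-$site.vhost"
done
before=$(default_ssl_vhost "$demo/sites-enabled")

# Steps 1) and 2): the panel's symlink goes away, a manual 000- link is added.
rm "$demo/sites-enabled/100-maindomain.example.vhost"
ln -s "$demo/sites-available/maindomain.example.vhost" \
      "$demo/sites-enabled/000-maindomain.example.vhost"
after=$(default_ssl_vhost "$demo/sites-enabled")

echo "before: $before"
echo "after:  $after"
rm -rf "$demo"
```

On a live server, `apache2ctl -S` (or `apachectl -S`) prints the default server Apache has actually selected for each address and port, which is the authoritative check after the reload in step 3).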
  7. Igor Almeida

    Igor Almeida Member

    BOOM!
    It worked Till. Thank you so much! At least I don't have to go through all my domains creating Self signed SSLs. It wouldn't be a bad idea though so I could keep all of them with at least their own SSL.
    Thank you again Sir.

    Igor
     
