Can't get SSL Cert to work

Discussion in 'Installation/Configuration' started by rbartz, Apr 22, 2006.

  1. rbartz

    rbartz Member HowtoForge Supporter

    Hello again!

    I recently installed ispConfig over a Perfect Setup Fedora Core3. After a few bumps we are pretty much running ok.

    I installed a site and obtained an SSL cert based on the generated request. It is an IPSCA cert, which needs a chain certificate. I copied the chain cert to the site root and then tried to add the SSLCertificateChainFile directive to the Apache Directives in the site setup as recommended in another thread, but it came back "NOT SUPPORTED"

    So I manually added the line "SSLCertificateChainFile /home/www/web6/IPS-IPSCABUNDLE.crt" to the /etc/httpd/conf/vhosts/Vhosts_ispconfig.conf file right above the SSL Certificate lines in the virtual server conf for
    <VirtualHost>. Then I restarted http, but still get no response to the request.

    SSL doesn't seem to be working at all, and when I tried listing the compiled in modules I got this:

    [root@wvis2 web6]# /usr/sbin/httpd -l
    Compiled in modules:

    When I looked at /etc/httpd/conf/httpd.conf in loaded modules I didn't see mod_ssl.c so I am at the end of what I know to do...

    Thanks ahead for any help.

  2. falko

    falko Super Moderator Howtoforge Staff

    Was SSL running before you tried to add the cert?
    Where did you buy your cert? Is it for Apache? Does your CA have instructions on how to add this cert to Apache?
  3. rbartz

    rbartz Member HowtoForge Supporter

    Hello Falko,

    There is no SSL installed that I can see. I am not sure how I can test to see if it is running other than to install a certificate and try it. The certificates created on installation were for saslauth as I recall, done when postfix was installed. That all is running and works fine.

    The Cert is from IPSCA in Spain for apache, and needs an intermediate chain certificate. They say to add it to the httpd.conf section for the host a line before the SSLCertificateFile line as follows:

    SSLCertificateChainFile /home/www/web6/IPS-IPSCABUNDLE.crt

    If I add it manually, it is deleted the next time ispConfig creates the Vhosts_ispconfig.conf file. Till, I think, suggested to someone with a similar problem that they put the chain file directive in the Apache Directives for the site in ispConfig, but after I save the change, it comes back: # SSLCertificateChainFile /home/www/web6/IPS-IPSCABUNDLE.crt # NOT SUPPORTED! and writes that line in the virtual server for the site.

    Apache restarts fine, no errors there that I could see, the error log shows nothing.

    IspConfig does create the Virtual Server with the Certificate ok: <VirtualHost>... but I noticed that the virtual host is inside a <IfModule mod_ssl.c> statement, and I cannot see where that module is installed.

    I followed the Perfect Setup - Fedora Core 3 and it all went well. I went back today and removed and reinstalled Apache and php and all of that again to make sure, and all went in without errors. (Thanks for the wonderful work you do...!)

    This is the only cert for this server so far, but it is on a sharedip. We have more IPs coming. I know you can only install one cert on an IP... perhaps it won't work if that IP us used for virtual hosts. Is there any way to make one site NOT virtual for an IP that you use for virtual hosts?

    Thanks for all your help, you are amazing.

  4. rbartz

    rbartz Member HowtoForge Supporter

    Hello again Falko,

    Two things I wonder about now: There is no "Listen 443" anywhere in the httpd.conf or vhosts file and there seems to be no reference to mod_ssl.c or ssl_module in the LoadModule directives in the httpd.conf file. Should there be?

    mod_ssl.c does not seem to be compiled in either:
    # /usr/sbin/httpd -l
    Compiled in modules:

  5. rbartz

    rbartz Member HowtoForge Supporter

    I will go ahead and finish this:

    I solved the problem of no https simply by installing mod_ssl. I will need to get another certificate for that site because the key file and csr were erased in my messing around, but it should work now that SSL is working... I just used

    # apt-get install mod_ssl

    That installed two packages, then

    # /etc/rc.d/init.d/httpd restart

    Which restarted no problem, and now SSL works!

    Thanks for trying guys.


Share This Page