Chained / intermediate SSL certificates

Discussion in 'Installation/Configuration' started by max, Dec 7, 2005.

  1. max

    max New Member

    Hi,

    ISPConfig is great, well done to all those involved. Though I did have a bit of trouble with the "perfect" install, mainly due to the fact I have an x86_64 processor, all the answers I need were in this forum, and I ended up using sendmail and vsftp with no difficulties.

    I am trying to install a CA-signed SSL certificate. However, as part of the process I need to install an intermediate certificate.
    Instructions are as follows:

    ---------------

    INSTALLATION INSTRUCTIONS - APACHE 2.X
    Installing Your Web Server Certificate and the Intermediate Certificate:
    - Copy your issued certificate, intermediate certificate and key file (generated when you created the Certificate Signing Request (CSR)) into the directory that you will be using to hold your certificates.
    - Open the Apache ssl.conf file and add the following directives:

    SSLCertificateFile /path to certificate file/your issued certificate
    SSLCertificateKeyFile /path to key file/your key file
    SSLCertificateChainFile /path to intermediate certificate/sf_issuing.crt

    - Save your ssl.conf file and restart Apache.

    ----------------

    Now, ISPConfig seems to store SSL info in /etc/httpd/conf/vhosts/Vhosts_ispconfig.conf
    so the changes I make in /etc/httpd/conf.d/ssl.conf do not seem to do anything.

    If I copy the certificate issued by GoDaddy using the ISPConfig web interface, it stops the server and Apache refuses to start until I re-create the self-signed certificate using ISPConfig.

    I am not sure what files I need to update. If someone knows what I need to do, or even where I should start looking, your help would be appreciated.

    Thanks,

    Max
     
  2. max

    max New Member

    If I use a self-signed certificate SSL works fine, but if I use the cert sent to me Apache refuses to start and I get the following messages in the logs:

    [Wed Dec 07 16:18:08 2005] [error] Init: Unable to read server certificate from file /home/www/web7/ssl/www.renewablestore.com.au.crt
    [Wed Dec 07 16:18:08 2005] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    [Wed Dec 07 16:18:08 2005] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

    the file /home/www/web7/ssl/www.renewablestore.com.au.crt exists and is readable, and seems to contain the right info.

    Thanks,

    Max
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Maybe you installed an SSL Certificate that was not created for apache mod_ssl?
     
  4. max

    max New Member

    OK ... finally got it sorted. Turns out the CA sent me the wrong instructions AND newlines were not cutting and pasting properly (I think they were mangled by the email client) when pasting the cert into the ISPConfig field. Using vi to add the newlines in the cert manually allowed Apache to start.

    How do I get changes I make to the /etc/httpd/conf/vhosts/Vhosts_ispconfig.conf file to be permanent? This file seems to be recreated every time a new site is added.

    I would like to add the following line to Vhosts_ispconfig.conf when SSL is used for a site:

    SSLCACertificateFile /etc/pki/tls/certs/CA-bundle.crt

    anyone know how to do this?

    thanks,

    Max
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Put the line in the apache directives field of this website.
     
  6. max

    max New Member

    thanks till
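
Added example, not part of the thread: a check for the failure described above, where a pasted certificate loses its line breaks and Apache then reports `ASN1_CHECK_TLEN:wrong tag`. It rebuilds the PEM wrapping and verifies only the outer DER tag and length, not certificate validity. The function names and the sample data are constructed for illustration.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def der_outer_ok(der: bytes) -> bool:
    """True if der is exactly one ASN.1 SEQUENCE (tag 0x30) with a matching length."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        header, length = 2, der[1]
    else:                                   # long form: low 7 bits count the length bytes
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def repair_pem(pasted: str) -> str:
    """Rebuild a PEM certificate whose line breaks were lost or altered by a paste."""
    m = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), pasted, re.S)
    if not m:
        raise ValueError("no BEGIN/END CERTIFICATE markers found")
    body = re.sub(r"\s+", "", m.group(1))   # drop CR, LF, tabs and spaces
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:               # binascii.Error is a ValueError
        raise ValueError(f"body is not valid base64: {exc}") from exc
    if not der_outer_ok(der):
        raise ValueError("decoded body is not a single DER SEQUENCE")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"


# Constructed sample: a 300-byte dummy payload in a SEQUENCE header, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x2c" + bytes(range(256)) + bytes(44)
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
# The same data as a mail client might deliver it: one line, spaces where newlines were.
MANGLED = f"{BEGIN} {SAMPLE_B64[:200]} {SAMPLE_B64[200:]} {END}"

if __name__ == "__main__":
    print(repair_pem(MANGLED))
```

A body that was truncated or corrupted, rather than only re-wrapped, raises `ValueError` instead of producing a file that Apache would reject at startup.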
     
