If you want to get Commercial SSL Certificate for 2048bit or stronger encryption (Godaddy etc.) you need to change ISPConfig3 core settings. Follow this Quick guide to do it. If you just want to get your own non-commercial Certificate to work skip this ISPConfig3 hack and proceed to the Normal SSL configuration. ISPConfig3 hack SSL guide. If you have already created a cert, delete it from the SSL tab for your site. Disable SSL for your website from the Website tab. Open /usr/local/ispconfig/server/plugins-available/apache2_plugin.inc.php and change 1024 (second instance, not the default setting - although it may still work changing both) to 2048 or 4096. Save the file and restart apache2 (i.e. /etc/init.d/apache2 restart) for good measure. Note: If you experience an error restarting apache2 (e.g. "(98)Address already in use: make_sock: could not bind to address 0.0.0.0:80") then do the following: sudo lsof -i :80 Determine the pid of the running service and... kill <pid from step 2> /etc/init.d/apache2 restart It should start this time. I'm not sure what may cause this, but I had experienced it many times. It may have something to do with Subversion if you have it enabled under apache. Go back to ISPConfig and create a new certificate as you would normally. Go back to the SSL tab (may have to restart apache again if you do not see the keys in the first two fields (not sure why, but I experienced this a few times). Copy the code from the SSL request fields and provide that to GoDaddy as the request key. Once you download your certificate from GoDaddy, paste the contents of the yourdomain.com.crt file into the SSL Certificate field (replacing what is there), select Save Certificate form the pulldown and click Save. The SSL Bundle was left empty (not sure if I needed anything here or not...can anyone confirm). Restart apache2 for good measure and test it out. Normal SSL configuration. Make sure that your (Linux) server has 1 IP address for each site that needs a Cert (and one for the server.) Make sure that those IP addresses are configured in 'ISPConfig3 | System | Edit Server IP' list. Make sure that the 'new' Certificate site does not have * as it's address in 'Sites | Website | IP-Address' field. Make sure that SSL is enabled in that same page Make sure that the DNS address points to that IP-Address that was defined for the website and not the old address (*) that you probably had to change when starting this process. On 'Sites | Website | SSL' enter your Certificate settings. (Your locale and Company info.) On the same page in 'SSL Action' 'Create Certificate' and Save. Wait a moment. Refresh SSL settings page. You should see the new Certificate code now. You can now use the https://yourdomain.com
I've tried three times but get the following error ... [Thu Feb 04 08:25:44 2010] [error] Unable to configure RSA server private key [Thu Feb 04 08:25:44 2010] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
I agree it looks like that, but I used what was in the csr box. I also wonder if the key was right. With Step 6 - Go back to ISPConfig and create a new certificate as you would normally. - Would that be normally as in the normal way you documented it below? Also, I assume we should re-activate SSL for the site once the cert is in. I did notice some strangeness with boxes being populated (as you mentioned). I wonder is it possible / better (for now) to create a certificate the old fashioned way and then save it in place of the .csr .key and .crt that ISPConfig spits out?
heres what i did: goto ispconfig uncheck ssl and delete the certificates... click save.. now wait a few minutes or just run the cron urself. now edit ispconfig settings: Code: # vi /usr/local/ispconfig/server/plugins-available/apache2_plugin.inc.php goto line 140 and change 1024 to 2048 or 4096. run the cron again, u should see ispconfig generate new keys. at this step i reloaded apache.. go back into ispconfig, click create certificate and enable ssl. run the cron, u should see ispconfig creating the keys now... reload apache, relogin in ispconfig.. your certs should be there now. now u can use your ssl request file and let it sign from whereever u get your certificate.. replace the certificate created by ispconfig with your signed one. at this step it worked for me.. also i followed another tutorial so i added 2 more files and pasted the following lines into the options / apache directives form. Code: SSLCertificateChainFile /var/www/domain.tld/ssl/sub.class1.server.ca.pem SSLCACertificateFile /var/www/domain.tld/ssl/ca.pem
The SSL encryption has been set to 2048 in SVN, so this part will be fixed with the next ispconfig release (3.0.2).
As far as I know, yes it's required. It can be found here: https://certs.godaddy.com/anonymous/repository.seam as gd_bundle.crt
the more simple procedure (example base on certificate class 1 in startssl.com) is: - create certificate in ispconfig - take the field SSL Request content and do the certificate with this in startssl site - take the content of certificate create and copy in "SSL Certificate" and take content of sub.class1.server.ca.pem and ca.pem and copy in "SSL Bundle" on ispconfig and select save option Finish and work, sorry if i not explain good^^''
I tried following your instructions it didn't work for me. I originally generated a 1024 bit one until I realized godaddy required 2048 or 4096. I followed your instructions but it never generates the key for me. Even after gong back to the 1024 setting, it still won't generate a key. Any ideas on where to look or what to do? I've looked for errors and I can't find any, and I can restart apache without problems. Thanks
I'm running 3.0.1.6 Any suggestions on how to get this going? I would assume there has to be some way of doing it.
vi /usr/local/ispconfig/server/plugins-available/apache2_plugin.inc.php goto line 140 and change 1024 to 2048 or 4096...on command for certificare create (take from this post, i'm not sure is correct number line for your version) delete certificate create in ispc before and create another
That's what I did. When you say to delete the certificate in ISPC, do you mean in the web interface, ie the action is to delete, or do you mean manually delete it somewhere via command line? In the web interface there isnt anything to delete, the action always goes back to none after a minute or two.
you have select delete in "SSL Action" and click to sava button? (after wait the cron execution for effective delete)
ok yes that is exactly what I was doing. I couldn't find the cron job to run, how/where do i run that cron job manually? I was waiting a few minutes which I assume would do the same thing.
if commercial ssl cert is using 2048, why not just change 2048 for everyone? Why still need to use 1024? Can't self generated script work for 2048? Also, is it possible to add an option during the ssl generation for user to choose 1024, 2048 or 4096 bit type of SSL? If I remember correctly most control panels have this option.
I'm running latest ISPconfig so it is already 2048 bits. But how do I display the 'csr' output when I first installed the server? Thanks
try http://www.google.com/search?q=apac...&rls=org.mozilla:de:official&client=firefox-a first link: openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr have fun!
