Hello to all, I have a web server where I provide shared hosting. I want to give all websites the opportunity to install an SSL cert, but I have a single public IP; how can I enable this service? The server was built following the howto "The Perfect Server - Debian 8 (Apache, Dovecot, ...)". Is there a way to have it work without needing to manually add every single vhost?
This is called SNI and it is active automatically, so there is no need for any additional configuration. Simply create SSL certs for your sites.
Currently all major browsers support SNI, which allows the server to know the destination vhost without having to try all the secret keys. So you should have no problems, unless someone uses a very old OS / browser (for example, IIRC SNI was not supported on XP).
Hello to all, maybe I explained it badly. I'm not talking about SNI, I'm talking about SSL certs for websites, where every website will have its own SSL cert. I tried in ISPConfig adding my public IP to the configuration and then adding SSL to the websites using a StartSSL cert per domain name. I did this:
- Add my public static IP to ISPConfig
- Assign that IP to the websites
- Create the SSL cert (I'm not writing every step for StartSSL)
- Save the SSL configuration per website
But the browser doesn't recognize the correct SSL cert. ATM I have only one website that works with SSL, but if I add other websites in the same way they all go down with the classic browser warning about a bad certificate. Am I doing something wrong? Should I not assign the public IP and use the wildcard (*) on every website instead?
You are talking about SNI. SNI is the technology that is used when several websites share the same IP address under SSL. You can use your private IP in Apache or *. The public IP in routed networks is only used in DNS, never in Apache, as the router translates between public and private IP, not the web server.
OK, so I use * for every website, I create an SSL cert from StartSSL for every website, and I'm done?
Yep, as long as the client supports SNI. If the client doesn't support it, it gets the first site and probably a "certificate mismatch".
No, it doesn't work. I get the correct website but with the cert of the first one, so users get a warning, and it's not a client issue because I checked it with https://www.sslshopper.com and all is OK except for the cert, which is the one of the first website. [EDIT] If I use Edge on Win10 I also get the first website. [/EDIT]
Are you sure you pasted the correct PEM data under the 'SSL' tab for that site? What if you try Let's Encrypt?
I have done these steps:
- Go to Websites, choose the one I need to add the SSL cert to, open the SSL tab in ISPConfig
- Fill in the info with the same data I used on StartSSL's website, choose the SSL domain, generate the SSL key
- Copy the SSL key and paste it on StartSSL's website, generate the certificate request
- Get the website's SSL cert and the root cert (to use in the SSL Bundle)
- Copy and paste the SSL certificate into the SSL Certificate box
- Copy and paste the SSL root cert (SSL Bundle) into the SSL Bundle box
Those are the same steps I had done with the other website, which works like a charm (I checked it with sslshopper too and I get no issue). Let's Encrypt: I have thought about it, and in my new infrastructure I'll integrate it with ISPConfig 3.1.1 (or whatever release it will have the day I do that), but ATM I'm not in the mood to install & configure it. If there is no *easy* way to have this working, I'll wait till next month when I build up the new ones.
Maybe a silly question but... did you enable SSL from the first tab after saving the cert? Another possible issue is the order of the certs in the chain: I've always had to wrestle with it a bit... I never remember if the first must be the first or the second intermediate (IIRC the root must not be included). That's one of the reasons that made me migrate to LE. For other possible problems it's better to check all error.log files (at least the one in /var/log/apache2 and the one for the vhost). For my checks I usually use ssllabs.com, which gives many hints. BTW, no need to reinstall, just upgrade ispc with ispconfig_update.sh: 3.1 is stable. No need for the SSL tab at all, just select "Let's Encrypt SSL" from the "Domain" tab. Couldn't be easier than that. PS: IIRC, StartSSL always included the 2nd level domain in the cert, so you can have trouble if you have both c.b.a and e.b.a domains, because both certs would be valid for *.b.a.
Sure I did! I checked that twice and after that I re-checked it twice again; I can be quite sure I put them in the right place. I checked but I didn't see anything wrong (I mean under warnings and/or errors). I tried it now and it found the cert files of the first website (the one that works great). I'm scared of what could happen if something goes wrong! It's not my case, I have different domain names and 2nd levels; I'm not trying to add an SSL cert to e.g. domain.com and mail.domain.com, I'm trying to have: domain.com - www.domain.com for the first one, and seconddomain.com - www.seconddomain.com for the other.
The only other thing I can think of (even if ISPC usually takes care of keeping 'em updated!) is looking at the content of the files under /var/www/seconddomain.com/ssl/ and checking that they match what you entered in ISPC, and then checking that /etc/apache2/sites-available/seconddomain.com.vhost references the correct files. If all this is OK, I don't know what else to check...
Nothing, I checked all the things and all are correct. The last thing I want to try is to change the chain cert. I'm thinking the problem is there, because it is the only thing that seems to be "in common" with the other website, but ATM I can't do that because I don't have access to StartSSL with those credentials on this PC. Tomorrow I'll get the PC that has that cert file and I'll try to change the chain cert.
You can save the certificates as single files (from BEGIN CERTIFICATE to END CERTIFICATE) and verify their content with openssl:
openssl x509 -noout -text -in file.pem
Start by dumping the server's one and look at the issuer data. Then dump the first cert of the chain and check that its subject matches the issuer data in the server's cert, then verify that its issuer matches the subject of the next cert in the chain, & so on. You can speed up the process a bit if you change the files directly and manually restart Apache, without having to wait for ISPC's cron. Then, once the chain is verified, you copy it into ISPC to keep the DB in sync with the files.
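The issuer/subject walk described in the post above, as an added shell example (not code from the thread or from ISPConfig). It splits a PEM bundle into single certificates, checks that each certificate's issuer is the subject of the one that follows it, and first checks that the leaf certificate actually covers the site's hostname, which is what a "certificate name mismatch" warning means. It assumes `openssl` and `awk` are on PATH and that the bundle is ordered leaf first, then intermediates, optionally ending with the root; the file path and hostname in the usage line are placeholders.

```shell
#!/bin/sh
# Added example: verify a PEM chain the way the post above describes.
# Assumes: openssl and awk on PATH; bundle ordered leaf, intermediate(s), [root].

# Print the subject or issuer of one PEM cert in a stable (RFC 2253) form,
# with the leading "subject=" / "issuer=" label stripped.
name_of() {  # name_of <subject|issuer> <file>
    openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed 's/^[^=]*=//'
}

# check_chain <bundle.pem> <hostname>
# Returns 0 if the chain links up and the leaf covers the hostname,
# 1 otherwise, printing the first problem found.
check_chain() {
    bundle="$1"; host="$2"
    work=$(mktemp -d) || return 1
    # Split the bundle into cert1.pem, cert2.pem, ... (one certificate each);
    # anything before the first BEGIN line is dropped.
    awk -v dir="$work" '/-----BEGIN CERTIFICATE-----/ {n++} n>0 {print > (dir "/cert" n ".pem")}' "$bundle"
    count=$(grep -c 'BEGIN CERTIFICATE' "$bundle" || true)
    if [ "$count" -lt 1 ]; then
        echo "no certificates found in $bundle"; rm -rf "$work"; return 1
    fi
    # 1) The leaf (first cert) must be valid for the site's hostname.
    #    openssl prints "does match" / "does NOT match" here.
    if ! openssl x509 -noout -checkhost "$host" -in "$work/cert1.pem" | grep -q 'does match'; then
        echo "leaf certificate $(name_of subject "$work/cert1.pem") does not cover $host"
        rm -rf "$work"; return 1
    fi
    # 2) Each cert's issuer must equal the subject of the cert after it.
    i=1
    while [ "$i" -lt "$count" ]; do
        next=$((i + 1))
        issuer=$(name_of issuer "$work/cert$i.pem")
        subject=$(name_of subject "$work/cert$next.pem")
        if [ "$issuer" != "$subject" ]; then
            echo "chain breaks at cert $i: issuer '$issuer' != next subject '$subject'"
            rm -rf "$work"; return 1
        fi
        i=$next
    done
    echo "chain of $count certificate(s) links up and leaf covers $host"
    rm -rf "$work"
    return 0
}

# Usage (placeholder path and hostname):
#   sh check_chain.sh /var/www/seconddomain.com/ssl/bundle.pem www.seconddomain.com
if [ "$#" -ge 2 ]; then
    check_chain "$1" "$2"
fi
```

Run it against the concatenation of the site's certificate and its bundle file; a non-zero exit with the printed "chain breaks at cert N" line tells you exactly which two certificates are in the wrong order, which is quicker than eyeballing `-text` dumps.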
No way, still having a certificate name mismatch. I've checked both the paths in the vhost and the certs in the /ssl folder and both are OK, but I still have an untrusted certificate because it loads the one of the first website.
Sure sounds like you've mixed '*' and the IP address in one of your website settings; you might double-check that (again). Maybe check the `apachectl -S` output to see what Apache is using for all your vhosts.
Done again right now, and I have no website using the IP, all of them are using '*'. Plus ATM I have only 1 website on https and 1 that I'm trying to make https, so with apachectl -S I have *:443 default server myfirstwebsite.com and mysecondwebsite.com; the other websites are all on *:80.