digital certificate woes

Discussion in 'Installation/Configuration' started by max, Dec 14, 2005.

  1. max

    max New Member

    Hi again,

    SSL works great when i use the self signed certs genetrated by ISPconfg. Unfortunately, when i try to install a signed (by a CA) certificate apache refuses to start. There is NOTHING in the logs (var/log/httpd/error_log) to indicate what the problem might be.

    It did work briefly, until i tried to add another ssl cert for a different domain. The domains are on different IP addresses.

    I am using fedora core 4 x86_64, if anyone wants to see config files / logs, let me know which ones and i will post them.

    I am paying for advertising of my site and really need to get this working so i don't have to use a self signed cert.

    Thanks,

    Max
     
  2. falko

    falko Super Moderator Howtoforge Staff

    Is there anything in the SSL errror log? Normally that's another file than /var/log/httpd/error_log.

    Did you paste the certificates into the correct field in ISPConfig?
     
  3. max

    max New Member

    Hi Falko,

    The /var/log/ssl_error_log contains the following line:

    [Wed Dec 14 10:53:12 2005] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?

    and yes i am definitely pasting the certificate into the correct field. I am not pasting anything into the csr field, since this is automatically generated. Am i assuming correctly?

    Are there any other logs i should be looking at?

    Thanks for your help,

    Max
     
  4. max

    max New Member

    just a addition to my last post ....

    the time of the error mentioned in the error log does not coincide with the times httpd failed to restart.

    thanks,

    Max
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Have a look in the ssl direcory for this website, open the certificate files and check if ISPConfig has installed them correctly.

    If you use an Certificate Authority like instantssl (comdo), you will have to install some additional root certificates.
     
  6. max

    max New Member

    the certificate i pasted in the field in ispconfig matches the one in the site's ssl directory, so it seems ispconfig has created them properly.

    I have copied the appropriate CA-bundle.crt and added:

    SSLCACertificateFile /path to file/CA-bundle.crt

    to the Apache directives field.

    out of curiosity, at what stage does ispconfig create private keys?

    thanks,

    Max
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    The private keys where generated when you tell ISPConfig to create the csr together with the self signed certificate.
     
  8. falko

    falko Super Moderator Howtoforge Staff

    Does
    Code:
    httpd -t
    show any errors?
     
  9. max

    max New Member

    I get:

    [Wed Dec 14 22:49:55 2005] [warn] NameVirtualHost 202.164.207.171:80 has no VirtualHosts
    Syntax OK

    when i type httpd -t

    That error is a minor issue that always seems to have been there, i have been waiting until till i get my ssl problems fixed before i attempt to fix that one.

    Thanks
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Have a look in the directory /etc/apache/vhosts (or a similar directory where your apache config is stored). Are there copies of the Vhost_ispconfig.conf file with a date appended?
     
  11. max

    max New Member

    yes,

    there are a few of them, plus a couple of backups i have made.

    thanks,

    Max
     
  12. max

    max New Member

    OK ... finally sorted it out!!

    I must have chosen "create certificate" again (by mistake), instead of choosing save certificate, and a new private key was generated. I don't remember doing it but it's the only explanation.

    Creating a new cert and private key, then getting my CA to "re-key" my csr/cert fixed the problem, then installing the new cert using the ispconfig gui (choosing save certificate) worked like a charm.

    Vielen dank Till and Falko ... isp config is great.

    Regards,

    Max
     

Share This Page