ISPConfig 3 - GNUTLS

Hi,

i created a small work-a-round to use ISPConfig with gnutls.

Install gnutls and disable SSL:

Code:

aptitude install libapache2-mod-gnutls
a2enmod gnutls
a2dismod ssl

The next step is to modify the ISPConfig Apache template /usr/local/ispconfig/server/conf/vhost.conf.master to use gnuTLS:

Change:

Code:

[...]
<tmpl_if name='ssl_enabled'>
<IfModule mod_ssl.c>
[...]

Code:

[...]
    SSLEngine on
    SSLCertificateFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='domain'>.crt
    SSLCertificateKeyFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='domain'>.key
<tmpl_if name='has_bundle_cert'>
    SSLCACertificateFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='domain'>.bundle
</tmpl_if>
[...]

to:

Code:

[...]
<tmpl_if name='ssl_enabled'>
<IfModule mod_gnutls.c>
[...]

Code:

[...]
    GnuTLSEnable on
    GnuTLSPriorities NORMAL
    GnuTLSCertificateFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='domain'>.crt
    GnuTLSKeyFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='domain'>.key
[...]

I don't use the ssl bundles, so i hide the form field. Edit /usr/local/ispconfig/interface/web/sites/form/web_domain.tform.php and change it to an hidden field:

Code:

'ssl_bundle' => array (
			'datatype'	=> 'TEXT',
			'formtype'	=> 'HIDDEN',
			'default'	=> '',
			'value'		=> '',
			'cols'		=> '30',
			'rows'		=> '10'
		),

and modify the template /usr/local/ispconfig/interface/web/sites/templates/web_domain_ssl.htm:

Code:

<div class="ctrlHolder" style="display:none;">
        <label for="ssl_bundle">{tmpl_var name='ssl_bundle_txt'}</label>
        <textarea name="ssl_bundle" id="ssl_bundle" rows='10' cols='30'>{tmpl_var name='ssl_bundle'}</textarea>
</div>

GnuTLS requires an ip address in the virtual host definition. So i had to disable the "*". First add the IP of the server into the isp config admin interface. Now disable the "*" in the file /usr/local/ispconfig/interface/web/sites/web_domain_edit.php by removing all $ip_select = "<option value='*'>*</option>"; entries.

 

Amazing code, very useful, thanks

 

I must edit file /etc/apache2/ports.conf yet to following:

Code:

NameVirtualHost your server ip:80
Listen your server ip:80

<IfModule mod_gnutls.c>
    NameVirtualHost your server ip:443
    Listen your server ip:443
</IfModule>

But I have ever problem with certificates, like with SSL..I turn on SLL on domain.sk and on domain.cz If I go to https://domain.sk server use certificate for domain.cz......I hoped that gnuTLS is solution, but.......Can everybody help me?? Thanks

 

help with setting up

i have tried implementing this into my debian Lenny system and cant seem to get it to work, all my sites use the same certificate instead of there own any got any pointers as to where to start fixing this

 

hello johnboy4809

with gnutls you can have more virtual hosts on ONE IP with ssl but you must have one cert for all domains.

with default ssl mod you can have only one virtualhost with ssl on one IP.

and How create cert for all domains??

you must edit this file /etc/ssl/openssl.cnf

and look on this lines

Code:

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Internet Widgits Pty Ltd

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

you easyli add more common names

0.commonName = domain.com
1.commonName = domain2.com
2.commonName = domain3.com



then you must recreate certificate, you can sign this certificate for example with cacert.org

 

hi tio289

thanks for getting back to me i think i miss understood gnutls, i thought it would allow me to have multiple SSL secure sites on a single IP or is this openssl cert separate to the virtual hosts cert, sorry if i sound dumb but learning as i go. the reason i was wanting this is i have my own server at home running lenny and ISPConfig 3, it hosts 3 sites 2 of which id now like to have SSL, My domains are all sent to my server via dyndns as i dont have a static ip. I dont know whether i am trying to achieve the impossible with this

thanks

 

SSLMOD - ONE IP = ONE SSL based host

GNUTLS - ONE IP (static or dynamic) = MANY SSL based hosts with ONE jointed certificate.

In certificate doesnt any information abou IP. Important in certificate is CommonName, which is for example *.domain.com. Cert them will valid for anything.domain.com. When you want use gnuTLS and MANY SSL based host on one IP you must create certificate with MANY commonNames.

For this must edit /etc/ssl/openssl.cnf file and add to it commonNames.
For example. If you have 3 domains domainA.com, domainB.com and domainC.com. You must add all domains to openssl.cnf file.

Code:

[ req_distinguished_name ]
0.commonName = Common Name (eg, YOUR name)
0.commonName_default = *.domainA.com
0.commonName_max = 64
1.commonName = Common Name (eg, YOUR name)
1.commonName_default = *.domainB.com
1.commonName_max =64
2.commonName = Common Name (eg, YOUR name)
2.commonName_default = shop.domainC.com (only an example of subdomain added to ssl cert)
2.commonName_max = 64
3.commonName = Common Name (eg, YOUR name)
3.commonName_default = My Secure Internet Services (example)
3.commonName_max = 64 

how?? look this http://www.sambarserver.info/viewtopic.php?t=740


And when you want thank me use buttom for it

 

I have to correct you, it is possible to use multiple cert files with gnutls. I just followed the instructions on this page and I created the ssl file in the webinterface. Works all!

 

I see, in my case this doesnt function so I created one cert

 

thanks for your help tio289 but still seen to be doing something wrong. I decided to start with a fresh server so I rebuilt my server using the Debian Lenny Perfect setup for ISPconfig 3 from this site then as soon as everything was installed i followed oprago's setup of gnutls and also made the changes that tio289 outlined but still to no avail. My sites all still use the same cert. am at a loss now as to why it will not work

 

I had the same problem and therefore I used one cert with multiple commonNames.

 

still cant get this to work

hi guys, im still not able to get this to work using either methods on this post, do you know if there is anywhere to start with checking my server setup to find the problem, just a wild idea but could this be anything to do with using the PowerPC build of debian below is my virtualhost config file for my site. can anyone see any errors in this

thanks for you time and help folks
<Directory /var/www/thecraftykitten.co.uk>
AllowOverride None
Order Deny,Allow
Deny from all
</Directory>

<VirtualHost 192.168.2.4:80>
DocumentRoot /var/www/thecraftykitten.co.uk/web

ServerName thecraftykitten.co.uk
ServerAlias www.thecraftykitten.co.uk
ServerAdmin [email protected]

ErrorLog /var/log/ispconfig/httpd/thecraftykitten.co.uk/error.log

ErrorDocument 400 /error/400.html
ErrorDocument 401 /error/401.html
ErrorDocument 403 /error/403.html
ErrorDocument 404 /error/404.html
ErrorDocument 405 /error/405.html
ErrorDocument 500 /error/500.html
ErrorDocument 503 /error/503.html

<Directory /var/www/thecraftykitten.co.uk/web>
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all

# ssi enabled
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
Options +Includes
</Directory>
<Directory /var/www/clients/client2/web2/web>
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all

# ssi enabled
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
Options +Includes
</Directory>

# cgi enabled
<Directory /var/www/clients/client2/web2/cgi-bin>
Order allow,deny
Allow from all
</Directory>
ScriptAlias /cgi-bin/ /var/www/clients/client2/web2/cgi-bin/
AddHandler cgi-script .cgi
AddHandler cgi-script .pl
# suexec enabled
SuexecUserGroup web2 client2
# mod_php enabled
AddType application/x-httpd-php .php .php3 .php4 .php5
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i [email protected]"
php_admin_value upload_tmp_dir /var/www/clients/client2/web2/tmp
php_admin_value session.save_path /var/www/clients/client2/web2/tmp
php_admin_value open_basedir /var/www/clients/client2/web2/web:/var/www/clients/client2/web2/tmp:/usr/share/php5


</VirtualHost>



#<IfModule mod_ssl.c>
###########################################################
# SSL Vhost
###########################################################

<IfModule mod_gnutls.c>
###########################################################
# GNUTLS SSL Vhost
###########################################################


<VirtualHost 192.168.2.4:443>
DocumentRoot /var/www/thecraftykitten.co.uk/web

ServerName thecraftykitten.co.uk
ServerAlias www.thecraftykitten.co.uk
ServerAdmin [email protected]

ErrorLog /var/log/ispconfig/httpd/thecraftykitten.co.uk/error.log

ErrorDocument 400 /error/400.html
ErrorDocument 401 /error/401.html
ErrorDocument 403 /error/403.html
ErrorDocument 404 /error/404.html
ErrorDocument 405 /error/405.html
ErrorDocument 500 /error/500.html
ErrorDocument 503 /error/503.html

# SSLEngine on
# SSLCertificateFile /var/www/clients/client2/web2/ssl/thecraftykitten.co.uk.crt
# SSLCertificateKeyFile /var/www/clients/client2/web2/ssl/thecraftykitten.co.uk.key
#
GnuTLSEnable on
GnuTLSPriorities NORMAL
GnuTLSCertificateFile /var/www/clients/client2/web2/ssl/thecraftykitten.co.uk.crt
GnuTLSKeyFile /var/www/clients/client2/web2/ssl/thecraftykitten.co.uk.key

<Directory /var/www/thecraftykitten.co.uk/web>
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all

# ssi enabled
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
Options +Includes
</Directory>
<Directory /var/www/clients/client2/web2/web>
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all

# ssi enabled
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
Options +Includes
</Directory>

# cgi enabled
<Directory /var/www/clients/client2/web2/cgi-bin>
Order allow,deny
Allow from all
</Directory>
ScriptAlias /cgi-bin/ /var/www/clients/client2/web2/cgi-bin/
AddHandler cgi-script .cgi
AddHandler cgi-script .pl
# ssi enabled
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
# suexec enabled
SuexecUserGroup web2 client2
# mod_php enabled
AddType application/x-httpd-php .php .php3 .php4 .php5
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i [email protected]"
php_admin_value upload_tmp_dir /var/www/clients/client2/web2/tmp
php_admin_value session.save_path /var/www/clients/client2/web2/tmp
php_admin_value open_basedir /var/www/clients/client2/web2/web:/var/www/clients/client2/web2/tmp:/usr/share/php5:/tmp


</VirtualHost>
</IfModule>

 

You must specify more closely the problem. Post error log etc...

 

the problem im having is that all hosted sites still try to use the same certificate, will have a look at the error logs, but not sure which one deals with the certificates

 

Yes, I had this problem too, I solved it by using one cert for all sites, I wrote about this in previevious posts.

 

i tried your method too about adding the domains to the openssl conf file but this did not work either

 

and after adding domains to openssl.conf you must recreate certificate.......(create new key and csr for signing)

 

yep i did tht and had the certificate signed by CaCert

 

did you disable gnutls and reactivate ssl in order to get this mehod to work?

 

if you deactivate gnutls and activate ssl, them you can use only one virtual ssl based host per IP.