Hello, I have 2 SSL's already set up correctly. I'm using 1 static IP. I have enabled SNI in System > Server Config > Web > SSL Settings. I have issues with setting up the 3rd SSL. I'm getting mismatch errors on name. All certificates are from Comodo and their customer support said everything is fine on their side. Would anyone be able to provide some info on how to troubleshoot this SSL issue?
Code:
ls -la /var/www/clients/client1/web2
total 3604
drwxr-xr-x 19 root root 4096 Dec 6 00:28 .
drwxr-xr-x 6 root root 4096 Dec 5 23:45 ..
drwxr-xr-x 2 web2 client1 4096 Sep 4 22:19 backup
-rwxr-xr-x 1 web2 client1 254 Dec 15 23:21 .bash_history
drwxr-xr-x 2 root root 4096 Dec 6 00:28 bin
drwxr-xr-x 2 web2 client1 4096 Mar 2 2013 cgi-bin
drwxr-xr-x 3 root root 4096 Apr 3 2014 clients
drwxr-xr-x 2 root root 4096 Dec 12 09:03 dev
drwxr-xr-x 6 root root 4096 Dec 6 00:28 etc
drwxr-xr-x 4 root root 4096 Dec 6 00:28 lib
drwxr-xr-x 2 root root 4096 Dec 6 00:28 lib64
drwxr-xr-x 9 root root 4096 Jan 5 23:22 log
drwx--x--- 2 web2 client1 4096 Dec 14 00:21 private
drwx------ 2 web2 client1 4096 Dec 5 23:49 .ssh
drwxr-xr-x 2 root root 4096 Jan 5 23:29 ssl
drwxrwxrwx 4 web2 client1 3608576 Jan 5 23:47 tmp
drwxr-xr-x 6 root root 4096 Dec 6 00:28 usr
drwxr-xr-x 3 root root 4096 Dec 6 00:28 var
drwx--x--- 27 web2 client1 4096 Dec 29 23:24 web
drwxrwx--- 3 web2 client1 4096 Jul 17 11:19 webdav
var/www/clients/client1/web2/ssl# ls -la /var/www/clients/client1/web2/ssl
total 92
drwxr-xr-x 2 root root 4096 Jan 5 23:29 .
drwxr-xr-x 19 root root 4096 Dec 6 00:28 ..
-rw-r--r-- 1 root root 4170 Jan 5 23:20 mydomain.com.bundle
-rw-r--r-- 1 root root 4170 Jan 5 23:20 mydomain.com.bundle.err
-rw-r--r-- 1 root root 1899 Jan 5 23:20 mydomain.com.crt
-rw-r--r-- 1 root root 1330 Jan 5 19:20 mydomain.com.crt.bak
-rw-r--r-- 1 root root 1959 Jan 5 23:20 mydomain.com.crt.err
-rw-r--r-- 1 root root 1119 Jan 5 23:20 mydomain.com.csr
-rw-r--r-- 1 root root 1119 Jan 5 19:20 mydomain.com.csr.bak
-rw-r--r-- 1 root root 1138 Jan 5 23:20 mydomain.com.csr.err
-r-------- 1 root root 1679 Jan 5 23:20 mydomain.com.key
-r-------- 1 root root 1679 Jan 5 23:20 mydomain.com.key~
-r-------- 1 root root 1679 Jan 5 19:20 mydomain.com.key.bak
-r-------- 1 root root 1706 Jan 5 23:20 mydomain.com.key.err
-r-------- 1 root root 1743 Jan 5 23:20 mydomain.com.key.org
-r-------- 1 root root 1751 Jan 5 19:20 mydomain.com.key.org.bak
-r-------- 1 root root 1743 Jan 5 23:20 mydomain.com.key.org.err
-rw-r--r-- 1 root root 1342 Dec 6 01:05 drive.mydomain.com.crt
-rw-r--r-- 1 root root 1123 Dec 6 01:05 drive.mydomain.com.csr
-r-------- 1 root root 1675 Dec 6 01:05 drive.mydomain.com.key
-r-------- 1 root root 1743 Dec 6 01:05 drive.mydomain.com.key.org
1) Did you use a browser that supports SNI to access the website? (There is a list of compatible browsers when you search for SNI at Wikipedia.) 2) Do you see the correct content (the one of the site that you expect) when you accept the SSL error, or do you see the content of a wrong website?
Till, Thanks for your reply! 1) Yes. I've used both browsers that support SNI: Chrome & Firefox 2) If I accept SSL error I see content of site 2 instead of site 1.
Ok. Then check that all sites of the server use either * or all sites use the IP. You may not mix * and IP on a server, as this will cause all traffic to be redirected to the website that has the IP assigned.
Yes SSL checkbox is active. I have SSL checked on other 2 sites where SSL is working as expected. Is there a way to manually wipe out any SSL related things (files, folders, etc) from the site with issues and try to add SSL certificate from scratch?
Thanks Till! After I selected delete certificate after 5 minutes when I go back to SSL tab I still see information in following fields: State, Locality, Org, Org Unit, Country, SSL Domain as well as SSL Key & SSL Bundle. SSL Request & SSL Certificate fields are blank, just want to make sure this is how it should be, I was expecting all the fields to be blank...please advise. Do I need to choose Create Certificate to get new SSL Request? Also, will I need get re-issued SSL certificate from Comodo since there is new SSL Request generated by ISPConfig?
That's ok, the option just deletes the SSL details on the hard disk, not the ones in the database. Yes. After you created a new self-signed cert, wait 1-2 minutes and test if it works, then before you let it sign. Yes.
Thank You Till! I followed all of the steps above, got the re-issued certificate. It did not work; if I ignore the SSL warning, under https for site 1 I see site 2. Any other suggestions how to troubleshoot?
Did you test it after you created the self-signed cert and before you reissued the cert like I suggested? The result of this test is important for debugging the issue.
Thank You! I have tested it before post #11, and I tested again just to be sure. Still the same issue: if I ignore the SSL warning, under https for site 1 I see site 2.
Ok, so you tested the self-signed cert, not the officially signed one? We have to find out if the issue is already there with the self-signed cert or if it appears later when you insert the officially signed one, as that makes a big difference. The problem on your server is most likely that SSL could not be enabled for the vhost; this happens when Apache refuses to start with the new SSL cert. You can e.g. use these debug instructions to find out more about the issue: http://www.faqforge.com/linux/debugging-ispconfig-3-server-actions-in-case-of-a-failure/ Enable debugging, disable the server.sh cronjob, disable SSL for the website and then enable it again, and run the server.sh cronjob manually on the shell to get the debug output.
Thank You Till! I see 2 warnings for Apache: it's not saving the configuration change. Any idea where else to look, what else to check? This is my debug output:
Code:
/usr/local/ispconfig/server/server.sh
08.01.2015-17:01 - DEBUG - Set Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
08.01.2015-17:01 - DEBUG - Found 4 changes, starting update process.
08.01.2015-17:01 - DEBUG - Calling function 'update' from plugin 'apps_vhost_plugin' raised by event 'server_update'.
08.01.2015-17:01 - DEBUG - Calling function 'update' from plugin 'network_settings_plugin' raised by event 'server_update'.
08.01.2015-17:01 - DEBUG - Network configuration disabled in server settings.
08.01.2015-17:01 - DEBUG - Calling function 'update' from plugin 'postfix_server_plugin' raised by event 'server_update'.
08.01.2015-17:01 - DEBUG - Processed datalog_id 3899
08.01.2015-17:01 - DEBUG - Calling function 'update' from plugin 'apps_vhost_plugin' raised by event 'server_update'.
08.01.2015-17:01 - DEBUG - Calling function 'update' from plugin 'network_settings_plugin' raised by event 'server_update'.
08.01.2015-17:01 - DEBUG - Network configuration disabled in server settings.
08.01.2015-17:01 - DEBUG - Calling function 'update' from plugin 'postfix_server_plugin' raised by event 'server_update'.
08.01.2015-17:01 - DEBUG - Processed datalog_id 3901
08.01.2015-17:01 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
08.01.2015-17:01 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
08.01.2015-17:01 - DEBUG - Creating fastcgi starter script: /var/www/php-fcgi-scripts/web2/.php-fcgi-starter
08.01.2015-17:01 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/mydomain.com.vhost
08.01.2015-17:01 - DEBUG - Apache status is: running
08.01.2015-17:01 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
08.01.2015-17:01 - DEBUG - Restarting httpd: /etc/init.d/apache2 restart
08.01.2015-17:01 - DEBUG - Apache restart return value is: 0
08.01.2015-17:01 - DEBUG - Apache online status after restart is: running
08.01.2015-17:01 - DEBUG - Processed datalog_id 3903
08.01.2015-17:01 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
08.01.2015-17:01 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
08.01.2015-17:01 - DEBUG - Creating fastcgi starter script: /var/www/php-fcgi-scripts/web2/.php-fcgi-starter
08.01.2015-17:01 - DEBUG - Enable SSL for: mydomain.com
08.01.2015-17:01 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/mydomain.com.vhost
08.01.2015-17:01 - DEBUG - Apache status is: running
08.01.2015-17:01 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
08.01.2015-17:01 - DEBUG - Restarting httpd: /etc/init.d/apache2 restart
08.01.2015-17:01 - DEBUG - Apache restart return value is: 1
08.01.2015-17:01 - DEBUG - Apache online status after restart is: down
08.01.2015-17:01 - WARNING - Apache did not restart after the configuration change for website mydomain.com. Reverting the configuration. Saved non-working config as /etc/apache2/sites-available/mydomain.com.vhost.err
08.01.2015-17:01 - WARNING - Reason for Apache restart failure: Restarting web server: apache2 ... waiting Action 'start' failed. The Apache error log may have more information. failed!
08.01.2015-17:01 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
08.01.2015-17:01 - DEBUG - Restarting httpd: /etc/init.d/apache2 restart
08.01.2015-17:01 - DEBUG - Processed datalog_id 3905
08.01.2015-17:01 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
08.01.2015-17:01 - DEBUG - Restarting httpd: /etc/init.d/apache2 restart
08.01.2015-17:01 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
finished.
Apache Error Log
Code:
[Thu Jan 08 17:01:31 2015] [notice] caught SIGTERM, shutting down
[Thu Jan 08 17:01:33 2015] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Thu Jan 08 17:01:33 2015] [error] SecServerSignature: original signature too short. Please set ServerTokens to Full.
[Thu Jan 08 17:01:33 2015] [notice] ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/) configured.
[Thu Jan 08 17:01:33 2015] [notice] ModSecurity: APR compiled version="1.4.6"; loaded version="1.4.6"
[Thu Jan 08 17:01:33 2015] [notice] ModSecurity: PCRE compiled version="8.30"; loaded version="8.30 2012-02-04"
[Thu Jan 08 17:01:33 2015] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Thu Jan 08 17:01:33 2015] [notice] ModSecurity: LIBXML compiled version="2.8.0"
[Thu Jan 08 17:01:33 2015] [notice] Original server signature: Apache/2.2.22
[Thu Jan 08 17:01:33 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Thu Jan 08 17:01:33 2015] [notice] Digest: generating secret for digest authentication ...
[Thu Jan 08 17:01:33 2015] [notice] Digest: done
[Thu Jan 08 17:01:34 2015] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Thu Jan 08 17:01:34 2015] [error] SecServerSignature: original signature too short. Please set ServerTokens to Full.
[Thu Jan 08 17:01:34 2015] [notice] Apache/2.2.22 (Debian) DAV/2 mod_ssl/2.2.22 OpenSSL/1.0.1e Apache/2.2.0 (Fedora) mod_fcgid/2.3.6 PHP/5.4.36-0+deb7u1 mod_ruby/1.2.6 Ruby/1.8.7(2012-02-08) mod_perl/2.0.7 Perl/v5.14.2 configured -- resuming normal operations
[Thu Jan 08 17:01:35 2015] [notice] caught SIGTERM, shutting down
[Thu Jan 08 17:01:45 2015] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Thu Jan 08 17:01:45 2015] [error] SecServerSignature: original signature too short. Please set ServerTokens to Full.
[Thu Jan 08 17:01:45 2015] [notice] ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/) configured.
[Thu Jan 08 17:01:45 2015] [notice] ModSecurity: APR compiled version="1.4.6"; loaded version="1.4.6"
[Thu Jan 08 17:01:45 2015] [notice] ModSecurity: PCRE compiled version="8.30"; loaded version="8.30 2012-02-04"
[Thu Jan 08 17:01:45 2015] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Thu Jan 08 17:01:45 2015] [notice] ModSecurity: LIBXML compiled version="2.8.0"
[Thu Jan 08 17:01:45 2015] [notice] Original server signature: Apache/2.2.22
[Thu Jan 08 17:01:45 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Thu Jan 08 17:01:45 2015] [notice] Digest: generating secret for digest authentication ...
[Thu Jan 08 17:01:45 2015] [notice] Digest: done
[Thu Jan 08 17:01:46 2015] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Thu Jan 08 17:01:46 2015] [error] SecServerSignature: original signature too short. Please set ServerTokens to Full.
[Thu Jan 08 17:01:46 2015] [notice] Apache/2.2.22 (Debian) DAV/2 mod_ssl/2.2.22 OpenSSL/1.0.1e Apache/2.2.0 (Fedora) mod_fcgid/2.3.6 PHP/5.4.36-0+deb7u1 mod_ruby/1.2.6 Ruby/1.8.7(2012-02-08) mod_perl/2.0.7 Perl/v5.14.2 configured -- resuming normal operations
For the server signature error, do you use mod_security? https://www.virtualmin.com/node/18675
To get the full error in the vhost on the screen, try this:
Code:
mv /etc/apache2/sites-available/mydomain.com.vhost /etc/apache2/sites-available/mydomain.com.vhost.bak
mv /etc/apache2/sites-available/mydomain.com.vhost.err /etc/apache2/sites-available/mydomain.com.vhost
/etc/init.d/apache2 restart
Apache will most likely not start, but you will see the error. To start it again, do the renaming in reverse order:
Code:
mv /etc/apache2/sites-available/mydomain.com.vhost /etc/apache2/sites-available/mydomain.com.vhost.err
mv /etc/apache2/sites-available/mydomain.com.vhost.bak /etc/apache2/sites-available/mydomain.com.vhost
/etc/init.d/apache2 restart
Yes. I have mod_security installed on my server. I prefer to leave the ServerTokens setting at Minimal. I'm seeing this in the site error log:
Code:
[Fri Jan 09 09:04:15 2015] [error] Unable to configure RSA server private key
[Fri Jan 09 09:04:15 2015] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Jan 09 09:05:31 2015] [error] Unable to configure RSA server private key
[Fri Jan 09 09:05:31 2015] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Jan 09 09:06:07 2015] [error] Unable to configure RSA server private key
[Fri Jan 09 09:06:07 2015] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
In this thread, under post #9 he: "Manually created the Key, CSR, and resubmitted CSR to trustico, generated new Cert, and copied files into /ssl directory of website". https://www.howtoforge.com/community/threads/ssl-certificate-error-apache-does-not-start.53543/
Do I have to do the same, or could we fix the issue within ISPConfig?
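The two facts this thread turns on can be checked offline before Apache is restarted: whether the .key in the site's ssl/ folder actually belongs to the .crt (the X509_check_private_key "key values mismatch" above, which is why mod_ssl refuses to start and ISPConfig reverts the vhost), and whether the certificate covers the hostname the browser sends via SNI (the name mismatch from the opening post). This is an added example, not code from the thread or from ISPConfig; it assumes only the openssl CLI (1.1.1 or newer) and builds its own throwaway key/cert material, so the hostnames and file names below are constructed test data.

```shell
#!/bin/sh
# Added example, not from the thread or ISPConfig. Offline checks for the two
# failure modes discussed: private key not matching the installed certificate
# (mod_ssl: "Unable to configure RSA server private key") and certificate not
# covering the SNI hostname. Assumes only the openssl CLI (>= 1.1.1).

# 0 if the private key's public half equals the public key inside the cert,
# which is what X509_check_private_key verifies; 1 otherwise.
key_matches_cert() {
    [ -r "$1" ] && [ -r "$2" ] || return 1
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# 0 if the certificate's CN/SAN matches hostname $1 (the name SNI will carry).
cert_covers_name() {
    openssl x509 -in "$2" -noout -checkhost "$1" 2>/dev/null | grep -q ' does match '
}

# Report for one ISPConfig-style ssl/ directory entry: hostname, .key, .crt.
check_site() {
    name="$1"; key="$2"; cert="$3"
    key_matches_cert "$key" "$cert" && echo "$name: key matches cert" \
        || echo "$name: KEY/CERT MISMATCH (Apache will refuse to start the vhost)"
    cert_covers_name "$name" "$cert" && echo "$name: cert covers hostname" \
        || echo "$name: cert does NOT cover hostname (browser shows a name mismatch)"
}

# Constructed fixtures: a key/cert pair for mydomain.com and an unrelated key,
# standing in for a stale .key left over from a different CSR than the .crt.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=mydomain.com" \
    -addext "subjectAltName=DNS:mydomain.com,DNS:www.mydomain.com" \
    -keyout "$WORK/mydomain.com.key" -out "$WORK/mydomain.com.crt" >/dev/null 2>&1
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/stale.key" >/dev/null 2>&1

check_site mydomain.com "$WORK/mydomain.com.key" "$WORK/mydomain.com.crt"
check_site mydomain.com "$WORK/stale.key" "$WORK/mydomain.com.crt"
check_site drive.mydomain.com "$WORK/mydomain.com.key" "$WORK/mydomain.com.crt"
```

On a real ISPConfig host, point check_site at the files in /var/www/clients/clientN/webN/ssl/ (including the .err and .bak copies) to see which key/cert combination is the one that actually pairs up.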
Please do these steps: 1) Go to the SSL tab of the website, select delete certificate as action, empty the SSL certificate fields and press save. Wait 2 minutes. 2) Delete all files in the /var/www/yourdomain.tld/ssl/ folder. 3) Create a new self-signed SSL cert for this website in ISPConfig. IMPORTANT: Do not let it sign it yet. Test if SSL works with the self-signed SSL cert.
Thank You Till. I did steps 1-2-3 and now I can see site 1 ok (it used to show site 2). This is with the self-signed cert under https (with SSL warning). Can I proceed with signing by providing them with the new SSL Request (CSR) to get a new re-issued cert?
Yes. Please make a backup of all files that are now in the ssl folder. Then take the new csr and let it sign.