Received SSL crt's

Discussion in 'Server Operation' started by Alex Hulshof, May 26, 2015.

  1. Alex Hulshof

    Alex Hulshof Member

    Received following files for my ssl setup from register.com
    1. AddTrustExternalCARoot.crt
    2. USERTrustRSACertificationAuthority.crt
    3. USERTrustRSADomainValidationSecureServerCA.crt
    4. SERVER1.example.EU.crt
    where should I put what and how?

    thanks for the support!
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    1-3: ssl bundle
    4: ssl certificate
     
  3. Alex Hulshof

    Alex Hulshof Member

    in what order to create the bundle?
     
  4. Alex Hulshof

    Alex Hulshof Member

    This did not work ==> server crashed.

    according to the ssl provider:
    SERVER1.domain.crt - end user certificate. put this into: SSL certificate?

    USERTrustRSACertificationAuthority.crt - 1st intermediate
    and
    USERTrustRSADomainValidationSecureServerCA.crt - 2nd intermediate
    should I put these two into: SSL Bundle

    AddTrustExternalCARoot.crt - root certificate. Where should this go into?
     
    Last edited: May 29, 2015
  5. Alex Hulshof

    Alex Hulshof Member

     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    yes.
    yes
    It is possible that this is not required. Just test it. If it's required, then this goes into the bundle field as well.

    The server hangs when your ssl key and cert do not match. This happens e.g. when you created the ssl csr and key outside of ispconfig and then forgot to exchange the key in ispconfig or when you recreate the ssl csr and key so that a different csr was used by the ssl authority than the one that is now in your ispconfig system.

    The steps to install a ssl cert are described in the manual in details incl. screenshots btw.
     
  7. Alex Hulshof

    Alex Hulshof Member

    Till, when I had my csr generated by ispconfig and checked it on symantec csr checker, the csr was rejected because of a pass-phrase in it. My ssl provider (register.com) told me to use the tool since the by ispconfig generated csr was not accepted by them.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    The csr generated by ispconfig has no password. The checker you used must be faulty or you copied a wrong csr or some other kind of data to it. The csr generated by ispconfig are working with all authorities, I just installed 2 certs last week for a client and used one csr at comodo and one at thawte.

    When you create a csr outside of ispconfig, then you have to insert the new key on the ispconfig ssl tab.
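
Added example, not part of the original posts: a shell check for the key/certificate mismatch described in posts 6 and 8, comparing the public key inside the private key, the CSR and the certificate. The function names and the file names in the usage comment are assumptions for illustration; save the contents of the panel fields to files of your choosing first.

```shell
#!/bin/sh
# Added example: confirm that a private key, a CSR and a certificate all
# carry the same public key before pasting them into the panel fields.

# Print the SHA-256 of the public key found in a PEM file.
# $1 = type (key|csr|crt), $2 = file
pubkey_hash() {
    case "$1" in
        # "-passin pass:" stops openssl from prompting when the key is
        # pass-phrase protected; such a key then fails this check.
        key) pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1 ;;
        csr) pub=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        crt) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)   return 2 ;;
    esac
    [ -n "$pub" ] || return 1
    # Normalise to DER so formatting differences cannot affect the hash.
    printf '%s\n' "$pub" |
        openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeed only if every "type:file" argument holds the same public key.
# Unreadable, missing or encrypted files count as a mismatch.
same_keypair() {
    ref=""
    for pair in "$@"; do
        h=$(pubkey_hash "${pair%%:*}" "${pair#*:}") || return 1
        if [ -z "$ref" ]; then ref=$h; fi
        [ "$h" = "$ref" ] || return 1
    done
    [ -n "$ref" ]
}

# Usage (placeholder file names):
#   same_keypair key:myserver.key csr:server.csr crt:server.crt \
#       && echo "key, CSR and certificate belong together" \
#       || echo "MISMATCH: do not install this combination"
```

A mismatch here means the certificate was issued for a different CSR than the one belonging to the key at hand, which is the situation post 6 describes.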
     
  9. Alex Hulshof

    Alex Hulshof Member

    Ok, you know I am still a noob on this so please stay with me.
    I created in directory /etc/ssl per direction of my ssl provider www.register.com a new key and CSR by running:
    openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr
    I put these in a new directory being: /etc/ssl/2015-06-01_new_ssl
    Next step for me will be to submit this csr which I hope to be able to do today.
    Should I already now put myserver.key in the server ssl field: SSL Key
    and server.csr in the SSL server field: SSL Request?
     
  10. Alex Hulshof

    Alex Hulshof Member

    I received all new package.


    The only field empty in ispconfig is the SSL request field. Should that remain empty? Or should I put the CSR in this field?

    How can I check whether the SSL package is properly installed?
     
    Last edited: Jun 1, 2015
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    That's ok, it can remain empty. The csr is only needed to get a new ssl cert.

    Open the website with https in the browser. If you don't get a ssl cert error, then the certificate is properly installed.
     
  12. Alex Hulshof

    Alex Hulshof Member

    This is the message I received:
    Secure Connection Failed

    An error occurred during a connection to www.example.eu. SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

    Any idea how to resolve it?

    BTW the provider of the ssl package says following with regards to installation:
    How to Install a Certificate Using Apache With Mod_ssl and OpenSSL:
    1. Copy the certificate and CA bundle file to your server, into a directory where you plan to keep your certificates. This is commonly /etc/ssl/.
    2. You will now need to edit the Apache configuration file. The location of this file can vary depending on your distribution (Windows, Debian/CentOS/Fedora/etc. Linux) and the version of Apache you are using. Locate the file and open it in your preferred editor.
    3. Locate the VirtualHost section for the ssl-enabled site you are installing the certificate for. This will commonly begin <VirtualHost 127.0.0.1:443>.
    4. Add the following lines into the VirtualHost section, making sure to change the paths of the files to correspond to the locations of the files on your server.
    Apache 2.x:
    SSLEngine on
    SSLCertificateKeyFile /etc/ssl/ssl.key/server.key
    SSLCertificateFile /etc/ssl/ssl.crt/yourDomainName.crt
    SSLCertificateChainFile /etc/ssl/ssl.crt/yourDomainName.ca-bundle

    Save the changes to the file. Now you will need to restart Apache. It is sometimes required to stop then start Apache, instead of issuing the restart command for the changes to take effect.
    until the password is entered.
    The configuration file is often called httpd.conf or apache.conf, although sometimes the SSL-specific section is placed in a separate file called ssl.conf and linked from the main configuration by an Include command. Sometimes, the VirtualHost section will be in a specific file for that site, in a sub-directory often labelled sites-enabled/.

    What should I do now to get https working?
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    1) Don't use the instructions from your ssl provider. They are not compatible with servers that use a hosting control panel like ispconfig, cpanel, directadmin or any other one.
    2) The installation of a ssl cert is really easy, see ispconfig manual that explains the steps incl. screenshots. All you have to do is to enable the ssl checkbox in the website settings, then copy the key into the key field, the cert into the cert field, the chain certificates into the ssl bundle field, select "save certificate" as action and press save.
     
  14. Alex Hulshof

    Alex Hulshof Member

    Ok I did it exactly as you said. However where should I put AddTrustExternalCARoot.crt - root certificate?
    I put it at the top of the ssl bundle, in the middle and in the end, and I also did not put in the bundle at all.
    I think the AddTrustExternalCARoot.crt - root certificate should be placed somewhere but where?
    by the way the bundle has no empty lines in it. Is that correct?
    It is build as follows:
    -----begin----
    shsjsjkslsssshj
    ssdgggdhhdh
    ----end----
    ----begin-----
    ddhjfjfkkff
    ddjjdkdkld
    ----end----
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    Like I explained in the other posts, this cert is most likely not needed at all. In any case, it has nothing to do with your current ssl error.

    Yes, that's correct.
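
Added example, not part of the original posts: a shell check of bundle order for the question raised in posts 3 and 14. It assumes the order Apache documents for SSLCertificateChainFile (the directive named in the provider instructions quoted above): the CA that issued the server certificate first, then each issuer in turn, with the root optional at the end. The function name and file names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: check that each certificate in a bundle is issued by the
# certificate that follows it, starting from the server certificate.

# $1 = server certificate (PEM), $2 = bundle (concatenated PEM certificates)
# Prints one line per bundle entry. Returns 0 if the order is correct,
# 1 if an entry is out of order, 2 if the input could not be read.
bundle_order_ok() {
    dir=$(mktemp -d) || return 2
    # Split the bundle into 1.pem, 2.pem, ... keeping the file order.
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/" n ".pem") }' "$2"
    # Hash of the issuer name the first bundle entry must carry as subject.
    want=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || want=""
    rc=0
    i=1
    if [ -z "$want" ] || [ ! -f "$dir/1.pem" ]; then rc=2; fi
    while [ "$rc" -eq 0 ] && [ -f "$dir/$i.pem" ]; do
        subj=$(openssl x509 -in "$dir/$i.pem" -noout -subject_hash 2>/dev/null) || subj=""
        if [ -n "$subj" ] && [ "$subj" = "$want" ]; then
            echo "entry $i: ok"
        else
            echo "entry $i: out of order (its subject is not the issuer of the previous certificate)"
            rc=1
        fi
        # The next entry must be the issuer of this one.
        want=$(openssl x509 -in "$dir/$i.pem" -noout -issuer_hash 2>/dev/null) || want=""
        i=$((i + 1))
    done
    rm -rf "$dir"
    return "$rc"
}

# Usage (placeholder file names):
#   bundle_order_ok server.crt bundle.crt
```

The check compares names only, so it confirms ordering but does not validate signatures or expiry.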
     
  16. Alex Hulshof

    Alex Hulshof Member

    Well, I cannot get it to work. What can you recommend me to get SSL working?
     
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    Ask someone with server admin experience to install the certs for you. I use the steps from the ispconfig manual that I explained above several times a month and they always work, so not sure what's wrong with your system or the ssl cert that your ssl provider sent you.
     
  18. Alex Hulshof

    Alex Hulshof Member

    Thanks.
    And I thought that you got all needed server admin experience to install the certs :).
    I will try it once more by first deleting all ssl fields in ispconfig manually and then save it.
    Next I will have ispconfig create the
    SSL key, SSL request, SSL certificate and SSL bundle.
    Could this work?
     
  19. till

    till Super Moderator Staff Member ISPConfig Developer

    Of course I know how to install ssl certs. If I shall install the certs, contact the ISPConfig business support.

    That should work. Before you sign the ssl csr you should check if the self signed cert actually works.
     
  20. Alex Hulshof

    Alex Hulshof Member

    How to check if the self signed cert actually works? After using https://www.example.eu and accepting for the self signed certs I was able to connect
    All ssl fields are filled in except the SSL bundle. Is this correct?
    How to continue now?
     
    Last edited: Jun 3, 2015
