SSL and multiple websites

Discussion in 'ISPConfig 3 Priority Support' started by dgeho1, Apr 13, 2014.

Thread Status:
Not open for further replies.
  1. dgeho1

    dgeho1 Member

    running Debian 2.6.32-48squeeze4 and Ispconfig 3.0.5.3 two server master/slave

    I have one for sure, maybe more websites that I want to use ssl certs for.

    According to the ISPConfig documentation, I can only have one website on this server using ssl?

    Or could I do multiple sites on this server if I could get multiple public addresses from my ISP and then somehow have multiple private IP addresses (on the same subnet)? I currently have one public IP and use the DSL modem/router to forward to the server's Private IP Address.

    Can this be done with one Network card, or would I need to add a network card for each Private IP address I want?

    or is this a possible solution http://www.howtoforge.com/hosting-m...dress-with-apache-2.2-and-gnutls-debian-lenny
     
    Last edited: Apr 13, 2014
  2. srijan

    srijan New Member HowtoForge Supporter

    Hi

    Yes, you can use the above guide for Multiple SSL Web Sites.

    Br//
    Srijan
     
  3. dgeho1

    dgeho1 Member

    I tried using Till's procedure located in http://www.howtoforge.com/forums/showthread.php?t=16183&page=2

    and now not only do I get the following in a browser:

    This Connection is Untrusted

    You have asked Firefox to connect securely to poplessmusic.com, but we can't confirm that your connection is secure.

    Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.
    What Should I Do?

    If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.

    poplessmusic.com uses an invalid security certificate. The certificate is not trusted because it is self-signed. (Error code: sec_error_untrusted_issuer)

    but I also am getting emails;

    WARNING - Action aborted, file is a symlink: /var/www/clients/client1/web13/ssl/poplessm.com.key~
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Just a guess, did you symlink /var/www to another location? Symlinks are not supported in paths to websites / ssl certificates. The system sees this as an attack and stops processing for the site. Use a bind mount instead of a symlink, if you want to relocate the site directory.
     
  5. dgeho1

    dgeho1 Member

    I don't remember doing anything that could cause a symlink..
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Check each segment of the path with ls -la, to see if it contains a symlink.
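
The per-segment check described in the post above, as an added example that is not part of the original thread: a POSIX shell function that walks a path from the root and reports every segment that is a symbolic link. The function name `symlink_segments` is hypothetical; the path in the usage comment is the one from the warning e-mail quoted earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: report which segments of a path
# are symlinks. The function name is hypothetical.
#
# Usage:
#   symlink_segments '/var/www/clients/client1/web13/ssl/poplessm.com.key~'
#
# Prints one line per symlinked segment ("<segment> -> <target>").
# Returns 0 if the whole path is free of symlinks, 1 if any segment is one.
symlink_segments() {
    path=$1
    # Make relative paths absolute so every segment is checked from /.
    case $path in
        /*) ;;
        *)  path=$(pwd)/$path ;;
    esac

    current=
    found=0
    old_ifs=$IFS
    IFS=/          # split the path on slashes
    set -f         # no glob expansion while splitting
    for seg in $path; do
        if [ -n "$seg" ]; then
            current=$current/$seg
            # -L is true for a symlink even when its target is missing.
            if [ -L "$current" ]; then
                printf '%s -> %s\n' "$current" "$(readlink "$current")"
                found=1
            fi
        fi
    done
    set +f
    IFS=$old_ifs
    return $found
}
```

Unlike `ls -la` on the final directory alone, this also catches a symlink higher up the path, such as a relocated `/var/www`.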
     
  7. dgeho1

    dgeho1 Member

    there do not appear to be any symlinks
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, then the warning can be ignored, it affects only the backup copy of the key and not the key itself.

    I checked the ssl cert, it is a self-signed cert, and not one that was bought from an ssl authority. So the ssl cert is ok and it shows the correct site. If you want to browse the site without that error, then you will have to buy a valid ssl cert for the site or get a free one from startssl. Copy the csr from the ispconfig ssl tab, let it be signed by an official ssl authority, copy the key that you get from them to the ssl cert field, select save as action and click on the save button.
     
  9. dgeho1

    dgeho1 Member

    I've gone thru the csr generation process and using it to generate a key from comodo,

    Do I maybe need to delete the keys via the ispconfig interface and manually delete the files from the ssl dir?
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    It is better to create the new ssl key and csr in ispconfig. If you do it manually, then you will have to replace the ssl key manually in ispconfig and in the files.

    And your csr and key were already fine and working, so there was no reason to recreate it manually. All you had to do was: login to ispconfig, copy the csr that is shown on the ssl page, let it be signed by instantssl, copy the ssl cert that you get into the ssl cert field, select save as action and click on the save button. What you did now is much more complicated and error prone, as you will have to take care to manage the ssl cert and key manually now.
     
  11. dgeho1

    dgeho1 Member

    So could I merely copy the CSR info out of ISPConfig, go to my SSL provider, get a new key.

    Use the action menu to delete the existing key in ISPConfig, and then copy the newly issued key back into ISPConfig and save?
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, that's the way an ssl cert is ordered when you use ispconfig.

    This will work as well when you created the ssl cert and key outside of ispconfig.
     
  13. dgeho1

    dgeho1 Member

    Still having issues

    I deleted the old key, generated a new CSR, placed that with my cert provider, and pasted the new cert into ISP Config.

    I've gone thru the cert generation process, using a CSR generated by ISPconfig.


    I still get a symlink warning, and the cert shows as invalid when trying to access the site.
     

  14. till

    till Super Moderator Staff Member ISPConfig Developer

    That's ok.

    Check that the cert and key in the files in the ssl folder are the same that you entered in ispconfig. And it might be necessary that you add some intermediate ssl certs; check the mail that you got from instantssl and insert the necessary certs in the ssl bundle field.
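
Two OpenSSL checks that fit the files discussed in the post above, as an added example that is not part of the original thread and not ISPConfig's own code: whether a certificate file and a private key file belong to the same key pair, and how many certificates OpenSSL can read from a bundle file. The function names are hypothetical; pass the certificate, key and bundle files from the site's ssl folder as arguments.

```shell
#!/bin/sh
# Added example, not from the thread and not ISPConfig code.
# Function names are hypothetical; file paths are passed as arguments.

# cert_matches_key CERT KEY
#   returns 0: certificate and private key carry the same public key
#   returns 1: both files parse but belong to different key pairs
#   returns 2: OpenSSL could not read one of the files
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    # "-passin pass:" supplies an empty passphrase, so an encrypted key
    # makes the command fail instead of prompting on the terminal.
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 2
    if [ "$cert_pub" = "$key_pub" ]; then
        return 0
    fi
    return 1
}

# bundle_cert_count BUNDLE
#   prints how many certificates OpenSSL can read from a PEM bundle;
#   0 means the file holds no certificate or could not be parsed.
bundle_cert_count() {
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
        openssl pkcs7 -print_certs -noout 2>/dev/null |
        grep -c '^subject' || true
}
```

A result of 1 from `cert_matches_key` means the certificate was issued for a CSR generated from a different key than the one on disk; running both checks before saving shows whether the files are a usable set.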
     
  15. dgeho1

    dgeho1 Member

    Still not working

    I got a bundle from my provider, inserted into isp and then apache gave me a warning saying it could not restart with that config, and restarted with the last known working config, and renamed the offending files .err

    can I delete the keys via the ISP portal, then delete all of the files in the SSL dirs manually, and go thru the entire CSR and key issuing process from a fresh start?
     
    Last edited: Apr 18, 2014