SSL Certificates...

Discussion in 'Installation/Configuration' started by ctroyp, Jul 2, 2006.

  1. ctroyp

    ctroyp New Member HowtoForge Supporter

    I am not sure that I fully understand SSL on ISPConfig, but I understand that only one web can support SSL per server IP. If I am hosting 100 webs with ISPConfig, there are many that will want SSL--or at least more than 1. Someone also mentioned that this is an Apache restriction and not an ISPConfig restriction.

    I guess my question is, what options are available for redirecting https requests to more than one web? Is this really not possible with ISPConfig and Apache? Any insight or suggestions are appreciated. ...thanks!
  2. falko

    falko Super Moderator ISPConfig Developer

    No, it is not possible, but it has nothing to do with ISPConfig. You can have only one SSL web site per IP address and port.
    Either get more IP addresses, or create a catchAll SSL web site, something like https://mysecurewebsite.tld that all you customers can use for their shopping carts, checkout processes, etc...
  3. ctroyp

    ctroyp New Member HowtoForge Supporter

    Thanks falko!
  4. ctroyp

    ctroyp New Member HowtoForge Supporter

    In all the Perfect Setup... series (Fedora Core 4 in my case), there is discussion about configuring additional IP addresses for a single NIC:

    Configure Additional IP Addresses
    Let's assume our network interface is eth0. Then there is a file /etc/sysconfig/network-scripts/ifcfg-eth0 which looks like this:
    Now we want to create the virtual interface eth0:0 with the IP address All we have to do is to create the file /etc/sysconfig/network-scripts/ifcfg-eth0:0 which looks like this:
    Afterwards we have to restart the network:
    /etc/init.d/network restart
    Would this be what I need to do to support additional SSL sites on the same server? If so, how would I forward the https requests to the multiple IP addresses (on the same server)?
  5. falko

    falko Super Moderator ISPConfig Developer

    Yes, if these are public IP addresses. If they are private and there's only one public IP address on your router, then all SSL requests would go over this one public address again, and wouldn't work anymore.
  6. ctroyp

    ctroyp New Member HowtoForge Supporter

    If I make these IPs public, then I would need a router for each public IP, correct? For example...

    If I have 10 SSL sites hosted on one server using 1 NIC I would need 10 public IPs configured in that NIC, and 10 routers for each IP. And the connection would be as follows:
    ISP DSL line -> hub -> (10) routers -> hub -> NIC (with 10 virtual public IPs)

    Am I on the right track?

    Thanks for the info...
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, or a professional grade router that supports multiple IP addresses.

    To have multiple IP addresses, you first need a provider that offers you multiple IP addresses. I'am not sure if any DSL (normal) provider does this, normally you need something like a T1 line. But in most cases, a webhsoting server is located in a datacenter and you will get the IP addresses assigned by your datacenter provider without a router between your server and the internet. This is the secenario that is assumed by the perfect setup guides.
  8. ctroyp

    ctroyp New Member HowtoForge Supporter

    Thanks guys for the great info! Not sure what I will decide to do at this point, as I am still on the learning trail...
  9. airstrip

    airstrip New Member

    Installing RapidSSL

    Firstly thanks for a great package. I've setup a few debian sarge machines now, and they're all running perfectly.

    I have a question about installing a RapidSSL certificate.
    I used ispconfig to generate a certificate request, sent that to the CA, got my signed certificate back, and pasted it back into ispconfig and saved it. It's great! The certificate works in a web browser.

    The issue is with email clients, I installed courier-imap. When collecting mail it still gives me a default non-trusted certificate that's generated by courier.

    How do I install my certificate for courier IMAP and POP? I tried following the instructions on this CA's page:

    I created the certificate as said in the url above, and edited:


    and restarted imap, imap-ssl, pop, pop-ssl

    But the certificate remains the same default one. It feels like I'm missing a vital piece of information here, can anyone offer some advice please.

    Many thanks, Matt
    Last edited: May 13, 2007
  10. airstrip

    airstrip New Member

    rapidssl installation for imap-courier solved!

    well I've finally found the answer to my question.

    with courier-imap-ssl changing the TLS_CERTFILE value in imapd-ssl seemed to have no effect whatsoever. only by modifying the imapd.pem or pop3d.pem files was I able to install my rapidssl certificate.

    but how to create a pem file from a crt and key file?

    cat servername.key servername.crt > servername.pem
    openssl gendh >> servername.pem

    then you can replace imapd.pem, and pop3d.pem with your CA signed certificate!

    thanks to this url for tips on creating the pem file.
  11. ctroyp

    ctroyp New Member HowtoForge Supporter

    Okay, making a little progress now. I have a router that will allow me to setup the IP tables/routing as desired. My ISP supports multiple static IPs. Now, for the next part...

    Since I have multiple static WAN IPs for each SSL site, I need to direct them to my server which hosts the many sites via ISPConfig. For example:

    ISP DSL line -> router -> hub -> NIC for Server1 (with 10 virtual private IPs) -> ...

    When the https request comes in to the eth0:10 (for example) with a unique local IP how does it know to request web10?

    Will the virtual interface eth0:10 be transparent and will it just go ahead and serve up web10? Or, do I even need to setup virtual local IPs for each SSL site on the server's NIC since I already will be routing the separate public IPs to that server?
    Last edited: Jun 28, 2007
  12. falko

    falko Super Moderator ISPConfig Developer

    All your SSL web sites must run on separate IP addresses, which means there's only one SSL web site per IP address. So if you forward requests for web10 to web10's IP address, Apache will automatically show web10 as it's the only SSL web site on that IP address.
  13. ctroyp

    ctroyp New Member HowtoForge Supporter

    In the "Perfect Setup" it mentions setting up a virtual IP for the single server/NIC. So would this allow me to host more than one SSL site since it will have separate IPs?

    Within the constraints of SSL, I will need a static public IP for each SSL site from which all SSL sites will be routed from their respective public IP to their respective private IP (which is hosted on a single server/NIC via the virtual interfaces/IPs that I have created for that NIC such a eth0:10). Then, the respective SSL web will be served.

    I UNDESTAND TAT ISPConig will present a warning if I try to set more than 1 SSL site, but while not considering that for now, as far as meeting the SSL requirements, does it require only a separate public IP or will it also require a separate private IP for each SSL site as well?

    Hopefully this makes sense. I am just trying to find a way to serve more than one SSL per server. I know that larger hosting companies are doing it...
  14. falko

    falko Super Moderator ISPConfig Developer


    Both - separate public and private IP addresses.
  15. ctroyp

    ctroyp New Member HowtoForge Supporter

    Great, I will have to start working on this then. I am sure that there will a bit of work in ISPConfig to allow more than 1 SSL site, but I have not looked into it yet. Do you know of any prior progress that may have been done in this venture?
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    There is no feature missing. What falko means that you need the same number of public and peivate IP addresses as you have SSL sites and this works perfectly in ISPConfig.
  17. ctroyp

    ctroyp New Member HowtoForge Supporter

    Ok, I thought there was a restriction in ISPConfig that would warn you if you tried to set more than one SSL site. I must have mistaken.

    Thanks guys!
  18. ctroyp

    ctroyp New Member HowtoForge Supporter

    Ok, the error only states that I can only have 1 SSL site per IP. As far as having additional IPs/virtual interfaces for this one server and single ISPConfig installation, will there be anything else to do as far as trying to relate the SSL webs in ISPConfig and the respective dedicated IP for that web or will they serve up without additional configuration?
  19. till

    till Super Moderator Staff Member ISPConfig Developer

    All you have to do is select a unique IP for every ssl enabled website.

Share This Page