SSL related problems

I did follow the Suse 10 howto to the letter to the best of my ability when I installed ISPConfig. I then set-up a virtual site once I felt it was running correctly, I used openssl to create my crt and key files using the directions provided by the supplier of my CA certificate. I then went into ISPConfig and configured the SSL using the certificates I got from the CA I am using.Then I made sure the Vhosts_ispconfig.conf file was pointing to the corrrect certificate files. I was trying to follow a solution posted on this forum.
I had trouble using an upload fuction after I created the original site and I did add the PHP configuration setting in the Vhosts_ispconfig.conf file manually. Now I know how to do it using ISPConfig so I will not have to do that in the future.
If the Vhosts_ispconfig.conf file is correct what else does apache use to provide SSL service for a web site? I am using one IP address and apparently apache can see the http side of the site (www.amg01.info) because my remote testers are using that address now. I have another Fedora site set up and SSL is working there, so I have compared things and they seem to be the same. The Fedora site was setup prior to Suse 10 release and my knowing about ISPConfig. I would like to replace the Fedora server with anothe Suse/ISPConfig setup as soon as I can figure out this problem.

 

Thanks guys for th insight inside this thread. It answeredmost all of my questions on how to use ISPConfig to work with the sertificates.

One further question. FYI, I used the perfect setup for Debian Sarge. I have heard that you can create your own CA functionality on this system. What are the pros and cons in setting up your own CA? I am completely new to CA and SSL, so bare with me.

Furthermore, can someone recommend a low $ CA that is reputible?

Thanks!

 

I don't see any advantage in being your own CA, because whenever someone visits a site with an SSL cert from your own CA, a warning will pop up in the user's browser...

I've always used InstantSSL ( www.instantssl.com ), never had problems with them. They used to be very cheap, but they've increased their prices now , but they are still among the cheapest.
Other CAs are Verisign, Thawte, Geotrust, Entrust, and RapidSSL.

 

Till, Thanks again for your help.

Well I am feeling pretty stupid because, I may have painted myself into a corner. I was trying to add the PHP specific code to the site I had, prior to looking at redoing the SSL Certificate as you indicated. Thus avoiding any manual intervention as preferred, to make a long story short I must have made a mistake, the site disappeared and now I cannot create it again because I get this error message. “The name www.amg01.info is already in use by another site or domain.” There is no other site on this system.

How can I recover from this error?
Is there any graceful way?
Should I uninstall ISPConfig and reinstall?
If uninstalling ISPConfig is recommended would the partial deinstallation be preferred if I am going to recreate this site?

Also, according to the directions from my CA, I must install an intermediate certificate prior to installing the Web Server SSL Certificate. Thus creating a chain from a trusted root CA, through an intermediate certificate and ending with a Web Server SSL Certificate issued to me. This seems to add another step which your solution did not seem to address. Since I already have the certificate, I was trying to use the solution presented to theduke on the forum “REAL SSL Cert install problems thread.” Would this have been appropriate?

 

Thanks falko!

 

Have you tried ISPConfig's search function to find a site with this name? Did you have a look into the recycle bins?

I also had to install an intermediate certificate from InstantSSL.com. This is how I did it:

I added this to my Apache configuration:

Code:

<IfModule mod_ssl.c>
SSLCACertificateFile /etc/apache/ssl.crt/ca-bundle.crt
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/var/run/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/var/run/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

and copied the intrermadiate certificate to /etc/apache/ssl.crt/ca-bundle.crt and restarted Apache.

 

Thanks again for all the help.

Apparently I did not look in all the recycle bins. I was able to recover the site from one of them. In fact the good news is I now have everything going through ISPConfig, including the PHP directives. The only manual changes I have made are those Falko recommended when using an intermediate certificate. I am using apache2 so I had to make the appropriate change to the path. The bad news is it is still not working; I cannot get to the https side of this site. Despite this problem I think I am making some headway. For sure I am beginning to see the light and think I understand things a bit more.

After I made all the suggested changes, when I restart apache I am no longer asked for my passphrase even though I am using all the same certificates. In particular the one I created with a passphrase for this site. I am not sure if ISPConfig has changed anything or not. When I was applying for the certificate I did not get the option to say no to the passphrase unlike when I was installing ISPConfig.

The following are the directions from Starfield Technologies the company I purchase the SSL certificates from.
=================
INSTALLATION INSTRUCTIONS - APACHE 2.X
Installing Your Web Server Certificate and the Intermediate Certificate:
- Copy your issued certificate, intermediate certificate and key file (generated when you created the Certificate Signing Request (CSR)) into the directory that you will be using to hold your certificates.
- Open the Apache ssl.conf file and add the following directives:

SSLCertificateFile /path to certificate file/your issued certificate
SSLCertificateKeyFile /path to key file/your key file
SSLCertificateChainFile/path to intermediate certificate/sf_issuing.crt

- Save your ssl.conf file and restart Apache.
========================
I am assuming the ssl.conf directory is my httpd.conf directory.

Since I cannot make this work with the certificate and key files I have. Maybe I should start all over again. I can reissue the certificates, but I am not sure how to do this using ISPConfig. Since this is a reissue, will the steps outlined on page 62-63 of the manual work. And where or when do I make use of the intermediate certificate and change the httpd.conf file as indicated by Falko. I am also assuming that Falko meant to cp the sf_config.crt file (intermediate file returned by Starfield) to the file ca-bundle.crt.

I guess the other option is to continue trying to make the existing certificates work, anymore suggestions?

 

I just went through the process of adding SSL support to my site, using a cert I bought from godaddy. Everything works fine with ISPConfig in this respect, but I ran into trouble using the SSLChainFile supplied by godaddy. ISPConfig does not support ChainFiles directly, but you can easily add support on a site by site basis by adding a reference to it in the Apache Directives textarea within the ISPConfig control panel.

First, upload the Chain file to the ssl folder of your website. Next, add a reference to it in the Apache Directives field. In my case, this was:

SSLCertificateChainFile /home/www/web1/ssl/sf_issuing.crt

 

After following all the directions, I believe I have the SSL certificate installed properly. I cannot access the site via https://www.amg01.info/, but I can access the site via https://192.168.6.179/ which is the internal IP address. It goes into secure mode and the security alert window indicates it is a good certificate and the date is good, but the name is not correct which is what you would expect. I think this means I have the certificate loaded OK through ISPConfig. Unfortunately since I still cannot access the site via the name, I am at a lost as to how to proceed. Any advice?

Also somehow in trying to "fix" the SSL problem I now have ISPConfig displaying four additional security alert screens. I can still get in OK and it seems to work, except all the pop help icons pop up a new log in screen for ISPConfig and it is a bit of a pain clicking on four additional security alert screens. How can I fix this problem?

 

Is there anything about this in ISPConfig Apache's logs in /root/ispconfig/httpd/logs?

Also, any warnings/errors in the normal Apache logs?

 

I am not sure I am interpreting the logs properly. In some cases it looks like it is seeing a problem, but provides no more information than I already know, namely it cannot find the site.
I am thinking that maybe my configuration problems is not in the SSL set-up, but I am not sure?

 

Can you post related log entries here?

 

Are there any log files I missed, that you would like to see?
amgsrv1:~/ispconfig/httpd/logs # tail error_log
[Sun Jan 29 10:28:40 2006] [error] [client 192.168.3.102] File does not exist: / home/admispconfig/ispconfig/web/help/bilder/globus-0.gif
[Sun Jan 29 10:28:40 2006] [error] [client 192.168.3.102] File does not exist: / home/admispconfig/ispconfig/web/help/bilder/vzzu-1.gif
[Sun Jan 29 10:28:40 2006] [error] [client 192.168.3.102] File does not exist: / home/admispconfig/ispconfig/web/help/bilder/globus.gif
[Sun Jan 29 10:28:40 2006] [error] [client 192.168.3.102] File does not exist: / home/admispconfig/ispconfig/web/help/bilder/vzauf-1.gif
[Sun Jan 29 10:28:40 2006] [error] [client 192.168.3.102] File does not exist: / home/admispconfig/ispconfig/web/help/bilder/vzzu-0.gif
[Sun Jan 29 10:28:40 2006] [error] [client 192.168.3.102] File does not exist: / home/admispconfig/ispconfig/web/help/bilder/vzauf-0.gif
[Sun Jan 29 10:28:40 2006] [error] [client 192.168.3.102] File does not exist: / home/admispconfig/ispconfig/web/help/bilder/ini.gif
[Sun Jan 29 10:28:40 2006] [error] [client 192.168.3.102] File does not exist: / home/admispconfig/ispconfig/web/help/bilder/adresse.gif
[Sun Jan 29 10:29:19 2006] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
[Sun Jan 29 10:29:19 2006] [error] System: Connection reset by peer (errno: 104)
========================================================
amgsrv1:~/ispconfig/httpd/logs # tail access_log
192.168.3.102 - - [29/Jan/2006:10:29:19 -0600] "GET /design/default/tab/tab_active_l.gif HTTP/1.1" 304 -
192.168.3.102 - - [29/Jan/2006:10:29:19 -0600] "GET /design/default/tab/tab_active_r.gif HTTP/1.1" 304 -
192.168.3.102 - - [29/Jan/2006:10:29:19 -0600] "GET /design/default/tab/x.gif HTTP/1.1" 304 -
192.168.3.102 - - [29/Jan/2006:10:29:41 -0600] "GET /admin/datenbank/backup.php? HTTP/1.1" 200 3351
192.168.3.102 - - [29/Jan/2006:10:29:41 -0600] "GET /design/default/nav_hg.gif HTTP/1.1" 304 -
192.168.3.102 - - [29/Jan/2006:10:30:11 -0600] "POST /admin/datenbank/backup_send.php HTTP/1.1" 200 36894
192.168.3.102 - - [29/Jan/2006:10:30:27 -0600] "GET /logoff.php? HTTP/1.1" 302 5
192.168.3.102 - - [29/Jan/2006:10:30:27 -0600] "GET /login.php?err=999 HTTP/1.1" 200 2032
192.168.3.102 - - [29/Jan/2006:10:30:27 -0600] "GET /design/default/style.css HTTP/1.1" 304 -
192.168.3.102 - - [29/Jan/2006:10:30:27 -0600] "GET /design/default/images/login_logo.png HTTP/1.1" 304 –
amgsrv1:~/ispconfig/httpd/logs # tail ssl_engine_log
[29/Jan/2006 10:30:27 18914] [info] Connection to child 1 established (server 192.168.3.170:81, client 192.168.3.102)
[29/Jan/2006 10:30:27 18914] [info] Seeding PRNG with 1160 bytes of entropy
[29/Jan/2006 10:30:27 18914] [info] Connection: Client IP: 192.168.3.102, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[29/Jan/2006 10:30:27 18914] [info] Initial (No.1) HTTPS request received for child 1 (server 192.168.3.170:81)
[29/Jan/2006 10:30:27 18914] [info] Connection to child 1 closed with unclean shutdown (server 192.168.3.170:81, client 192.168.3.102)
[29/Jan/2006 10:30:27 02858] [info] Connection to child 0 established (server 192.168.3.170:81, client 192.168.3.102)
[29/Jan/2006 10:30:27 02858] [info] Seeding PRNG with 1160 bytes of entropy
[29/Jan/2006 10:30:27 02858] [info] Connection: Client IP: 192.168.3.102, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[29/Jan/2006 10:30:27 02858] [info] Initial (No.1) HTTPS request received for child 0 (server 192.168.3.170:81)
[29/Jan/2006 10:30:27 02858] [info] Connection to child 0 closed with unclean shutdown (server 192.168.3.170:81, client 192.168.3.102)
amgsrv1:~/ispconfig/httpd/logs # tail ssl_request_log
[29/Jan/2006:10:29:19 -0600] 192.168.3.102 SSLv3 RC4-MD5 "GET /design/default/tab/tab_active_l.gif HTTP/1.1" -
[29/Jan/2006:10:29:19 -0600] 192.168.3.102 SSLv3 RC4-MD5 "GET /design/default/tab/tab_active_r.gif HTTP/1.1" -
[29/Jan/2006:10:29:19 -0600] 192.168.3.102 SSLv3 RC4-MD5 "GET /design/default/tab/x.gif HTTP/1.1" -
[29/Jan/2006:10:29:41 -0600] 192.168.3.102 SSLv3 RC4-MD5 "GET /admin/datenbank/backup.php? HTTP/1.1" 3351
[29/Jan/2006:10:29:41 -0600] 192.168.3.102 SSLv3 RC4-MD5 "GET /design/default/nav_hg.gif HTTP/1.1" -
[29/Jan/2006:10:30:11 -0600] 192.168.3.102 SSLv3 RC4-MD5 "POST /admin/datenbank/backup_send.php HTTP/1.1" 36894
[29/Jan/2006:10:30:27 -0600] 192.168.3.102 SSLv3 RC4-MD5 "GET /logoff.php? HTTP/1.1" 5
[29/Jan/2006:10:30:27 -0600] 192.168.3.102 SSLv3 RC4-MD5 "GET /login.php?err=999 HTTP/1.1" 2032
[29/Jan/2006:10:30:27 -0600] 192.168.3.102 SSLv3 RC4-MD5 "GET /design/default/style.css HTTP/1.1" -
[29/Jan/2006:10:30:27 -0600] 192.168.3.102 SSLv3 RC4-MD5 "GET /design/default/images/login_logo.png HTTP/1.1" –
amgsrv1:/var/log/apache2 # tail access_log
192.168.3.1 - - [30/Jan/2006:07:45:42 -0600] "GET /stylesheets/anthmgrp.css HTTP/1.0" 304 - "http://www.amg01.info/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET C LR 1.0.3705; .NET CLR 1.1.4322)"
192.168.3.1 - - [30/Jan/2006:07:45:42 -0600] "GET /stylesheets/book-test.css HTTP/1.0" 304 - "http://www.amg01.info/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
192.168.3.1 - - [30/Jan/2006:07:45:42 -0600] "GET /images/systemimages/wine01-1.gif HTTP/1 .0" 304 - "http://www.amg01.info/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1 ; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
192.168.3.1 - - [30/Jan/2006:07:51:02 -0600] "GET / HTTP/1.0" 200 4113 "-" "Mozilla/4.0 (c ompatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
192.168.3.1 - - [30/Jan/2006:07:51:02 -0600] "GET /main/javascript/amg_js_fns-1.js HTTP/1. 0" 304 - "http://www.amg01.info/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
192.168.3.1 - - [30/Jan/2006:07:51:02 -0600] "GET /stylesheets/book-test.css HTTP/1.0" 304 - "http://www.amg01.info/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
192.168.3.1 - - [30/Jan/2006:07:51:02 -0600] "GET /stylesheets/anthmgrp.css HTTP/1.0" 304 - "http://www.amg01.info/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET C LR 1.0.3705; .NET CLR 1.1.4322)"
192.168.3.1 - - [30/Jan/2006:07:51:02 -0600] "GET /images/systemimages/wine01-1.gif HTTP/1 .0" 304 - "http://www.amg01.info/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1 ; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
192.168.3.1 - - [30/Jan/2006:07:51:02 -0600] "GET /stylesheets/scroll-4.css HTTP/1.0" 304 - "http://www.amg01.info/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET C LR 1.0.3705; .NET CLR 1.1.4322)"
192.168.3.1 - - [30/Jan/2006:07:51:02 -0600] "GET /images/systemimages/b&blogo.gif HTTP/1. 0" 304 - "http://www.amg01.info/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
amgsrv1:/var/log/apache2 # tail error_log
[Mon Jan 30 07:45:28 2006] [error] an unknown filter was not added: PHP
[Mon Jan 30 07:45:28 2006] [error] an unknown filter was not added: PHP
[Mon Jan 30 07:45:31 2006] [error] an unknown filter was not added: PHP
[Mon Jan 30 07:45:31 2006] [error] an unknown filter was not added: PHP
[Mon Jan 30 07:45:39 2006] [error] an unknown filter was not added: PHP
[Mon Jan 30 07:45:39 2006] [error] an unknown filter was not added: PHP
[Mon Jan 30 07:45:42 2006] [error] an unknown filter was not added: PHP
[Mon Jan 30 07:45:42 2006] [error] an unknown filter was not added: PHP
[Mon Jan 30 07:51:02 2006] [error] an unknown filter was not added: PHP
[Mon Jan 30 07:51:02 2006] [error] an unknown filter was not added: PHP

 

Can you try again with another browser than Internet Explorer, e.g. Firefox?
Internet Explorer has some difficulties with SSL, so you'd have to put special directives into your Apache configuration to get it to work with IE.

 

I am also testing with firefox on a Suse10 Linux platform. The error message from firefox indicates it is timing out. Since most of the potential users of the web site I am trying to host will be using IE. I guess I need to look into the changes you mentioned.

After trying to access it from both IE and firefox some of the log files had changed so I am pasting the last 20 lines of each.

amgsrv1:/var/log/apache2 # tail -n 20 error_log
[Mon Jan 30 18:11:08 2006] [error] an unknown filter was not added: PHP
[Mon Jan 30 22:55:33 2006] [error] [client 202.173.188.150] File does not exist: /var/www/sharedip/awstats
[Mon Jan 30 22:55:36 2006] [error] [client 202.173.188.150] script not found or unable to stat: /srv/www/cgi-bin/awstats.pl
[Mon Jan 30 22:55:39 2006] [error] [client 202.173.188.150] script not found or unable to stat: /srv/www/cgi-bin/awstats
[Mon Jan 30 22:55:43 2006] [error] [client 202.173.188.150] File does not exist: /var/www/sharedip/xmlrpc.php
[Mon Jan 30 22:55:46 2006] [error] [client 202.173.188.150] File does not exist: /var/www/sharedip/blog
[Mon Jan 30 22:55:47 2006] [error] [client 202.173.188.150] File does not exist: /var/www/sharedip/blog
[Mon Jan 30 22:55:49 2006] [error] [client 202.173.188.150] File does not exist: /var/www/sharedip/blogs
[Mon Jan 30 22:55:51 2006] [error] [client 202.173.188.150] File does not exist: /var/www/sharedip/drupal
[Mon Jan 30 22:55:52 2006] [error] [client 202.173.188.150] File does not exist: /var/www/sharedip/phpgroupware
[Mon Jan 30 22:55:54 2006] [error] [client 202.173.188.150] File does not exist: /var/www/sharedip/wordpress
[Mon Jan 30 22:55:56 2006] [error] [client 202.173.188.150] File does not exist: /var/www/sharedip/xmlrpc.php
[Mon Jan 30 22:55:57 2006] [error] [client 202.173.188.150] File does not exist: /var/www/sharedip/xmlrpc
[Mon Jan 30 22:55:59 2006] [error] [client 202.173.188.150] File does not exist: /var/www/sharedip/xmlsrv
[Tue Jan 31 07:14:08 2006] [error] an unknown filter was not added: PHP
[Tue Jan 31 07:14:08 2006] [error] an unknown filter was not added: PHP
[Tue Jan 31 07:19:32 2006] [error] an unknown filter was not added: PHP
[Tue Jan 31 07:19:32 2006] [error] an unknown filter was not added: PHP
[Tue Jan 31 07:19:38 2006] [error] an unknown filter was not added: PHP
[Tue Jan 31 07:19:38 2006] [error] an unknown filter was not added: PHP
amgsrv1:/var/log/apache2 # tail -n 20 access_log
202.173.188.150 - - [30/Jan/2006:22:55:58 -0600] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 400 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
193.109.122.16 - - [31/Jan/2006:05:54:19 -0600] "CONNECT 193.109.122.67:6668 HTTP/1.0" 405 953 "-" "pxyscand/2.1"
192.168.3.1 - - [31/Jan/2006:07:14:08 -0600] "GET / HTTP/1.0" 200 4113 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050920 Firefox/1.0.7 SUSE/1.0.7-0.1"
192.168.3.1 - - [31/Jan/2006:07:14:08 -0600] "GET /main/javascript/amg_js_fns-1.js HTTP/1.0" 200 4517 "http://amg01.info/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050920 Firefox/1.0.7 SUSE/1.0.7-0.1"
192.168.3.1 - - [31/Jan/2006:07:14:08 -0600] "GET /stylesheets/anthmgrp.css HTTP/1.0" 200 1279 "http://amg01.info/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050920 Firefox/1.0.7 SUSE/1.0.7-0.1"
192.168.3.1 - - [31/Jan/2006:07:14:08 -0600] "GET /stylesheets/book-test.css HTTP/1.0" 200 2059 "http://amg01.info/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050920 Firefox/1.0.7 SUSE/1.0.7-0.1"
192.168.3.1 - - [31/Jan/2006:07:14:08 -0600] "GET /stylesheets/scroll-4.css HTTP/1.0" 200 919 "http://amg01.info/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050920 Firefox/1.0.7 SUSE/1.0.7-0.1"
192.168.3.1 - - [31/Jan/2006:07:14:08 -0600] "GET /images/systemimages/b&blogo.gif HTTP/1.0" 200 19444 "http://amg01.info/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050920 Firefox/1.0.7 SUSE/1.0.7-0.1"
192.168.3.1 - - [31/Jan/2006:07:14:08 -0600] "GET /images/systemimages/wine01-1.gif HTTP/1.0" 200 57173 "http://amg01.info/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050920 Firefox/1.0.7 SUSE/1.0.7-0.1"
192.168.3.1 - - [31/Jan/2006:07:14:08 -0600] "GET /favicon.ico HTTP/1.0" 404 1181 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050920 Firefox/1.0.7 SUSE/1.0.7-0.1"
192.168.3.1 - - [31/Jan/2006:07:19:32 -0600] "GET / HTTP/1.0" 200 4113 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050920 Firefox/1.0.7 SUSE/1.0.7-0.1"
192.168.3.1 - - [31/Jan/2006:07:19:32 -0600] "GET /favicon.ico HTTP/1.0" 404 1181 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050920 Firefox/1.0.7 SUSE/1.0.7-0.1"
192.168.3.1 - - [31/Jan/2006:07:19:38 -0600] "GET / HTTP/1.0" 200 4113 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050920 Firefox/1.0.7 SUSE/1.0.7-0.1"
192.168.3.1 - - [31/Jan/2006:07:19:39 -0600] "GET /main/javascript/amg_js_fns-1.js HTTP/1.0" 200 4517 "http://www.amg01.info/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050920 Firefox/1.0.7 SUSE/1.0.7-0.1"
192.168.3.1 - - [31/Jan/2006:07:19:39 -0600] "GET /stylesheets/anthmgrp.css HTTP/1.0" 200 1279 "http://www.amg01.info/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050920 Firefox/1.0.7 SUSE/1.0.7-0.1"
192.168.3.1 - - [31/Jan/2006:07:19:39 -0600] "GET /stylesheets/book-test.css HTTP/1.0" 200 2059 "http://www.amg01.info/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050920 Firefox/1.0.7 SUSE/1.0.7-0.1"
192.168.3.1 - - [31/Jan/2006:07:19:39 -0600] "GET /stylesheets/scroll-4.css HTTP/1.0" 200 919 "http://www.amg01.info/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050920 Firefox/1.0.7 SUSE/1.0.7-0.1"
192.168.3.1 - - [31/Jan/2006:07:19:39 -0600] "GET /images/systemimages/b&blogo.gif HTTP/1.0" 200 19444 "http://www.amg01.info/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050920 Firefox/1.0.7 SUSE/1.0.7-0.1"
192.168.3.1 - - [31/Jan/2006:07:19:39 -0600] "GET /images/systemimages/wine01-1.gif HTTP/1.0" 200 57173 "http://www.amg01.info/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050920 Firefox/1.0.7 SUSE/1.0.7-0.1"
192.168.3.1 - - [31/Jan/2006:07:19:39 -0600] "GET /favicon.ico HTTP/1.0" 404 1181 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050920 Firefox/1.0.7 SUSE/1.0.7-0.1"

 

More log files:

amgsrv1:~/ispconfig/httpd/logs # tail -n 20 access_log
192.168.3.105 - - [31/Jan/2006:07:17:40 -0600] "GET /design/default/nav_hg.gif HTTP/1.1" 200 241
192.168.3.105 - - [31/Jan/2006:07:17:40 -0600] "GET /favicon.ico HTTP/1.1" 404 287
192.168.3.105 - - [31/Jan/2006:07:17:40 -0600] "GET /design/default/icons/zwzu-0.gif HTTP/1.1" 200 76
192.168.3.105 - - [31/Jan/2006:07:17:40 -0600] "GET /design/default/icons/stamm-0.gif HTTP/1.1" 200 64
192.168.3.105 - - [31/Jan/2006:07:17:40 -0600] "GET /design/default/icons/vzzu-0.gif HTTP/1.1" 200 625
192.168.3.105 - - [31/Jan/2006:07:17:40 -0600] "GET /design/default/icons/zwe0.gif HTTP/1.1" 200 64
192.168.3.105 - - [31/Jan/2006:07:17:40 -0600] "GET /design/default/icons/papierkorb.gif HTTP/1.1" 200 663
192.168.3.105 - - [31/Jan/2006:07:17:41 -0600] "GET /favicon.ico HTTP/1.1" 404 287
192.168.3.105 - - [31/Jan/2006:07:17:44 -0600] "GET /design/default/icons/zwzu-e0.gif HTTP/1.1" 200 75
192.168.3.105 - - [31/Jan/2006:07:17:44 -0600] "GET /design/default/icons/leer.gif HTTP/1.1" 200 56
192.168.3.105 - - [31/Jan/2006:07:17:44 -0600] "GET /favicon.ico HTTP/1.1" 404 287
192.168.3.105 - - [31/Jan/2006:07:17:54 -0600] "GET /design/default/icons/vzauf-0.gif HTTP/1.1" 200 633
192.168.3.105 - - [31/Jan/2006:07:17:54 -0600] "GET /design/default/icons/globus.gif HTTP/1.1" 200 664
192.168.3.105 - - [31/Jan/2006:07:17:54 -0600] "GET /favicon.ico HTTP/1.1" 404 287
192.168.3.105 - - [31/Jan/2006:07:17:59 -0600] "GET /multidoc/edit/edit.php?tree_id=10& HTTP/1.1" 200 29648
192.168.3.105 - - [31/Jan/2006:07:17:59 -0600] "GET /design/default/icons/help14.gif HTTP/1.1" 200 357
192.168.3.105 - - [31/Jan/2006:07:18:00 -0600] "GET /favicon.ico HTTP/1.1" 404 287
192.168.3.105 - - [31/Jan/2006:07:19:11 -0600] "GET /logoff.php? HTTP/1.1" 302 5
192.168.3.105 - - [31/Jan/2006:07:19:11 -0600] "GET /login.php?err=999 HTTP/1.1" 200


amgsrv1:~/ispconfig/httpd/logs # tail -n 20 error_log
[Sun Jan 29 10:28:40 2006] [error] [client 192.168.3.102] File does not exist: /home/admispconfig/ispconfig/web/help/bilder/globus-0.gif
[Sun Jan 29 10:28:40 2006] [error] [client 192.168.3.102] File does not exist: /home/admispconfig/ispconfig/web/help/bilder/vzzu-1.gif
[Sun Jan 29 10:28:40 2006] [error] [client 192.168.3.102] File does not exist: /home/admispconfig/ispconfig/web/help/bilder/globus.gif
[Sun Jan 29 10:28:40 2006] [error] [client 192.168.3.102] File does not exist: /home/admispconfig/ispconfig/web/help/bilder/vzauf-1.gif
[Sun Jan 29 10:28:40 2006] [error] [client 192.168.3.102] File does not exist: /home/admispconfig/ispconfig/web/help/bilder/vzzu-0.gif
[Sun Jan 29 10:28:40 2006] [error] [client 192.168.3.102] File does not exist: /home/admispconfig/ispconfig/web/help/bilder/vzauf-0.gif
[Sun Jan 29 10:28:40 2006] [error] [client 192.168.3.102] File does not exist: /home/admispconfig/ispconfig/web/help/bilder/ini.gif
[Sun Jan 29 10:28:40 2006] [error] [client 192.168.3.102] File does not exist: /home/admispconfig/ispconfig/web/help/bilder/adresse.gif
[Sun Jan 29 10:29:19 2006] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
[Sun Jan 29 10:29:19 2006] [error] System: Connection reset by peer (errno: 104)
[Tue Jan 31 07:17:25 2006] [error] [client 192.168.3.105] File does not exist: /home/admispconfig/ispconfig/web/favicon.ico
[Tue Jan 31 07:17:26 2006] [error] [client 192.168.3.105] File does not exist: /home/admispconfig/ispconfig/web/favicon.ico
[Tue Jan 31 07:17:39 2006] [error] [client 192.168.3.105] File does not exist: /home/admispconfig/ispconfig/web/favicon.ico
[Tue Jan 31 07:17:40 2006] [error] [client 192.168.3.105] File does not exist: /home/admispconfig/ispconfig/web/favicon.ico
[Tue Jan 31 07:17:40 2006] [error] [client 192.168.3.105] File does not exist: /home/admispconfig/ispconfig/web/favicon.ico
[Tue Jan 31 07:17:41 2006] [error] [client 192.168.3.105] File does not exist: /home/admispconfig/ispconfig/web/favicon.ico
[Tue Jan 31 07:17:44 2006] [error] [client 192.168.3.105] File does not exist: /home/admispconfig/ispconfig/web/favicon.ico
[Tue Jan 31 07:17:54 2006] [error] [client 192.168.3.105] File does not exist: /home/admispconfig/ispconfig/web/favicon.ico
[Tue Jan 31 07:18:00 2006] [error] [client 192.168.3.105] File does not exist: /home/admispconfig/ispconfig/web/favicon.ico
[Tue Jan 31 07:19:11 2006] [error] [client 192.168.3.105] File does not exist: /home/admispconfig/ispconfig/web/favicon.ico

amgsrv1:~/ispconfig/httpd/logs # tail -n 20 ssl_engine_log
[31/Jan/2006 07:17:40 18914] [info] Subsequent (No.24) HTTPS request received for child 1 (server 192.168.3.170:81)
[31/Jan/2006 07:17:41 02858] [info] Subsequent (No.23) HTTPS request received for child 0 (server 192.168.3.170:81)
[31/Jan/2006 07:17:44 18914] [info] Subsequent (No.25) HTTPS request received for child 1 (server 192.168.3.170:81)
[31/Jan/2006 07:17:44 02858] [info] Subsequent (No.24) HTTPS request received for child 0 (server 192.168.3.170:81)
[31/Jan/2006 07:17:44 18914] [info] Subsequent (No.26) HTTPS request received for child 1 (server 192.168.3.170:81)
[31/Jan/2006 07:17:54 18914] [info] Subsequent (No.27) HTTPS request received for child 1 (server 192.168.3.170:81)
[31/Jan/2006 07:17:54 02858] [info] Subsequent (No.25) HTTPS request received for child 0 (server 192.168.3.170:81)
[31/Jan/2006 07:17:54 02858] [info] Subsequent (No.26) HTTPS request received for child 0 (server 192.168.3.170:81)
[31/Jan/2006 07:17:59 18914] [info] Subsequent (No.28) HTTPS request received for child 1 (server 192.168.3.170:81)
[31/Jan/2006 07:17:59 02858] [info] Subsequent (No.27) HTTPS request received for child 0 (server 192.168.3.170:81)
[31/Jan/2006 07:18:00 18914] [info] Subsequent (No.29) HTTPS request received for child 1 (server 192.168.3.170:81)
[31/Jan/2006 07:18:16 02858] [info] Connection to child 0 closed with standard shutdown (server 192.168.3.170:81, client 192.168.3.105)
[31/Jan/2006 07:18:16 18914] [info] Connection to child 1 closed with standard shutdown (server 192.168.3.170:81, client 192.168.3.105)
[31/Jan/2006 07:19:11 02858] [info] Connection to child 0 established (server 192.168.3.170:81, client 192.168.3.105)
[31/Jan/2006 07:19:11 02858] [info] Seeding PRNG with 1160 bytes of entropy
[31/Jan/2006 07:19:11 02858] [info] Connection: Client IP: 192.168.3.105, Protocol: TLSv1, Cipher: DHE-RSA-AES256-SHA (256/256 bits)
[31/Jan/2006 07:19:11 02858] [info] Initial (No.1) HTTPS request received for child 0 (server 192.168.3.170:81)
[31/Jan/2006 07:19:11 02858] [info] Subsequent (No.2) HTTPS request received for child 0 (server 192.168.3.170:81)
[31/Jan/2006 07:19:11 02858] [info] Subsequent (No.3) HTTPS request received for child 0 (server 192.168.3.170:81)
[31/Jan/2006 07:19:15 02858] [info] Connection to child 0 closed with standard shutdown (server 192.168.3.170:81, client 192.168.3.105)



amgsrv1:~/ispconfig/httpd/logs # tail -n 20 ssl_request_log
[31/Jan/2006:07:17:40 -0600] 192.168.3.105 TLSv1 DHE-RSA-AES256-SHA "GET /design/default/nav_hg.gif HTTP/1.1" 241
[31/Jan/2006:07:17:40 -0600] 192.168.3.105 TLSv1 DHE-RSA-AES256-SHA "GET /favicon.ico HTTP/1.1" 287
[31/Jan/2006:07:17:40 -0600] 192.168.3.105 TLSv1 DHE-RSA-AES256-SHA "GET /design/default/icons/zwzu-0.gif HTTP/1.1" 76
[31/Jan/2006:07:17:40 -0600] 192.168.3.105 TLSv1 DHE-RSA-AES256-SHA "GET /design/default/icons/stamm-0.gif HTTP/1.1" 64
[31/Jan/2006:07:17:40 -0600] 192.168.3.105 TLSv1 DHE-RSA-AES256-SHA "GET /design/default/icons/vzzu-0.gif HTTP/1.1" 625
[31/Jan/2006:07:17:40 -0600] 192.168.3.105 TLSv1 DHE-RSA-AES256-SHA "GET /design/default/icons/zwe0.gif HTTP/1.1" 64
[31/Jan/2006:07:17:40 -0600] 192.168.3.105 TLSv1 DHE-RSA-AES256-SHA "GET /design/default/icons/papierkorb.gif HTTP/1.1" 663
[31/Jan/2006:07:17:41 -0600] 192.168.3.105 TLSv1 DHE-RSA-AES256-SHA "GET /favicon.ico HTTP/1.1" 287
[31/Jan/2006:07:17:44 -0600] 192.168.3.105 TLSv1 DHE-RSA-AES256-SHA "GET /design/default/icons/zwzu-e0.gif HTTP/1.1" 75
[31/Jan/2006:07:17:44 -0600] 192.168.3.105 TLSv1 DHE-RSA-AES256-SHA "GET /design/default/icons/leer.gif HTTP/1.1" 56
[31/Jan/2006:07:17:44 -0600] 192.168.3.105 TLSv1 DHE-RSA-AES256-SHA "GET /favicon.ico HTTP/1.1" 287
[31/Jan/2006:07:17:54 -0600] 192.168.3.105 TLSv1 DHE-RSA-AES256-SHA "GET /design/default/icons/vzauf-0.gif HTTP/1.1" 633
[31/Jan/2006:07:17:54 -0600] 192.168.3.105 TLSv1 DHE-RSA-AES256-SHA "GET /design/default/icons/globus.gif HTTP/1.1" 664
[31/Jan/2006:07:17:54 -0600] 192.168.3.105 TLSv1 DHE-RSA-AES256-SHA "GET /favicon.ico HTTP/1.1" 287
[31/Jan/2006:07:17:59 -0600] 192.168.3.105 TLSv1 DHE-RSA-AES256-SHA "GET /multidoc/edit/edit.php?tree_id=10& HTTP/1.1" 29648
[31/Jan/2006:07:17:59 -0600] 192.168.3.105 TLSv1 DHE-RSA-AES256-SHA "GET /design/default/icons/help14.gif HTTP/1.1" 357
[31/Jan/2006:07:18:00 -0600] 192.168.3.105 TLSv1 DHE-RSA-AES256-SHA "GET /favicon.ico HTTP/1.1" 287
[31/Jan/2006:07:19:11 -0600] 192.168.3.105 TLSv1 DHE-RSA-AES256-SHA "GET /logoff.php? HTTP/1.1" 5
[31/Jan/2006:07:19:11 -0600] 192.168.3.105 TLSv1 DHE-RSA-AES256-SHA "GET /login.php?err=999 HTTP/1.1" 2032
[31/Jan/2006:07:19:11 -0600] 192.168.3.105 TLSv1 DHE-RSA-AES256-SHA "GET /favicon.ico HTTP/1.1" 287

 

Realizing that this is my problem and having no one to talk this over with locally. I would like to briefly describe how I think things are supposed to work and see if I understand the environment. It is my belief that you must have an understanding of how the environment works to formulate an approach to debugging the problem. I would appreciate your comments. The following is my understanding:

1.) ISPConfig uses a “special” version of the apache software enabling a GUI front end for administering an ISP hosting service. The GUI is used to dynamically change the apache hosted web server configuration, making it easier to implement, track and manage the web services using apache.

2.) I am assuming that as a hosting service I can have any number of virtual hosts (depending on the server size) an each can use its own SSL certificate.

3.) SSL is part of an encryption protocol used to secure data being transmitted between the browser and a web hosting system.

4.) Without getting into all the details of the handshaking etc. required and enforced by SSL, but just describing some key elements and concepts.

a. An SSL certificate is bound to a domain name. For example, I have a domain named xxyy.com pointing to an IP address 24.10.123.30. Access to this domain name, www.xxyy.com routes the messages to my firewall. The SSL has my domain name within the certificate to verify I am who I am supposed to be. My firewall is listening on port 24.10.123.30. Once the firewall recognizes the messages it route them across my local network to IP address 193.168.25.21. This is the web server used to process requests from the external IP address 24.1.123.30.
b. Apache services running on 193.168.25.21 receives the message and determines the web site document location using the virtual host configuration. The virtual hosts can be named by an IP number (this can be a virtual IP address like 193.168.25.25 using this example) or a named host using the same external domain name xxyy.com for the named virtual host.
c. If the virtual host is defined to be listening on port 443 and has within its’ virtual host configuration, paths to the proper certification files, then the SSL modules within apache, (normally mod_ssl) are used to encrypt and decrypt the data. Prior to these functions it verifies the domain name registered within the certificate among other things. I am thinking this domain name should match the named virtual host name. If not it displays an alert message on the browser indicating one of three reasons there may be a problem using this certificate. It could be a bad CA, bad date or the domain name in the certificate does not match the domain name for the virtual host. A match allows it to proceed to the https page address requested by the browser using the path described in the configuration file for the web site documents without an alert message, just an initial message indicating you are using secure mode.
d. The domain name on the hosting web server should not have to be the same as the requested domain by the browser client. Otherwise an ISP would need a separate machine for every external domain serviced. This does not seem reasonable to me.

5.) For some reason, probably a configuration problem, apache cannot find the site by name. It gives me a time out message to the affect that it cannot find the requested page.

6.) However on the local network I can access https pages using the local network IP address. It finds the certificate and allows me to accept it even though the name does not match the IP address. It displays the normal alert indicating a valid CA with a valid date, but the wrong domain. I believe this to be correct since the IP address is not the domain name on the certificate. It them proceeds to deliver the pages. Because the internal IP address enables apache to find the SSL files from the virtual host configuration, the problem does not appear to be the installation of the SSL

7.) When you define the virtual server by name and indicate the virtual domain in the configuration file. Even if the SSL had the incorrect domain name I believe it should still be accessed and the appropriate alert should be displayed, similar to the display presented when the local IP address is used to access the site. This does not happen, instead the browser indicates it has timed out because the page is not accessible.

Can you elaborate on where I may be in error with my assumptions? Surely ISPs are not using one physical machine per client. And most allow the client to add SSL capability. I am not sure where I am going wrong. Any feed back would be appreciated.


Thank you for any advice or help you may be able to provide.