Where does ISPConfig expect to see server and private kys

Hi, Folks,

This has probably been done before, but I can't do a search because the adverts are totally blocking the search function (FF on Deb Etch <edit>sorry, it's on Ubuntu current version, it's my server which is on Etch</edit>).

Would someone please tell me where ISPConfig would expect to find the server and private keys, respectively, on an SSL enabled domain on an Etch server? Then I can set up the VHosts configuration properly.

Many thanks, in anticipation.

 

If you want to enable SSL on a particular website, tick the SSL checkbox for the website and save. This enables an SSL config tab for the site.

I believe they are stored in the /webXX/ssl folder.

 

Thanks, chukl. Now, I've got a cert from CAcert - should I put that in /webxx/ssl first, or how do I tell ISPConfig where it is now (which is in the wrong place )

 

While I'm a Cacert assurer as well, it's a while since I've done this, as I use a homebrew multidomain on 1 IP setup.
The ISPConfig technique, is that you take the Certificate and paste it into the text box provided for the site under the SSL tab that appears when you enable SSL.
I just have a nasty suspicion that you should use a CSR generated in the same place (the SSL tab) for the certificate generation. i.e. generate the signing request there, and cut and paste that into the CaCert form.
ISPConfig then parks the certificate in the correct place for the site, and sets up the paths etc for the secure connection in the Vhosts file.
Thinking about that, that probably takes care of the key, as the ISPConfig key is used to generate the CSR.
You may need to grab the CaCert certificate chain file as well and put it in the ssl folder.

 

Thanks, once again chuckl. I've never done a ssl cert before. I'm trying to help a few people get into business online so would like to learn my way around alll this and become a CAcert assurer myself.

Perhaps I should go back into the CAcert site and cancel the one I generated, then redo the request via ISPConfig?

 

I would definitely suggest that, yes. Generate a CSR in ISPConfig for that site, and cut and paste into an editor. Head for Cacert, cancel the existing one and reissue with the ISPConfig generated CSR, then when the cert arrives, paste into the site SSL tab field.

 

chuckl, you're a star. Always here to help, too. Do you ever sleep?

 

I'm annoying myself now, chuckl, so if you're finding my questions tedious I don't blame you.

The ISPConfig SSL tab has three open text boxes which are SSL Request:, SSL Certificate: and Action: - Action is actually a three-choice select list.

Do I put the command openssl req -nodes -new -keyout private.key -out server.csr into the first option or select Create certificate from the third?

One thing I must do when this is all over is to contribute the lessons to the wiki.

 

Thanks, till, but I don't want a self-signed certificate. I want a CAcert signed certificate. What I need to generate at this time is the request.

Many thanks.

 

Excellent. Thanks for the help, till - and for your patience. Both very much appreciated.

 

So, SSL Cert added, all looks to be in the right place. However, now getting a strange error message when trying to bring up the site or the admin section (it's not called admin any more) with https:// on a site with Zen Cart as its only content. I need to know whether the peoblem is generated by ISPConfig, Zen Cart, the CAcert or some combination. The error message is:

www.celectronics.co.uk has sent an incorrect or unexpected error code: -12263

and an error not found when trying either with http://

 

Playing with Zen Cart as well ! thats definitely compounding the felony.

When you say 'bringing it up with https, do you mean simply using https in the url rather than http, or that you are going to the user login/signup page or admin login, where it should automatically switch to https?

It should work either way, but it can get tricky on some setups. The -12263 is a nasty as well. Means - I'm not happy with the data I'm getting.

Could I suggest copy and back up your caCert stuff, then use the ISPConfig ssl page to generate a self signed certificate from the CSR, as Till described earlier in the thread, and test with that?
It'll give the usual bloodthirsty warnings, but it's fine for testing to see if it gives a similar error.

 

Both, in the URL. Trying to go to the admin login or the site itself via the address bar gives the same result.

OK, I'll try that and report back. Thanks.

 

Same result. Also, ISPConfig is reluctant to generate anything. A couple of times now I've had to delete a private key only and go back in to get a certificate and a request.

What next? Do a full Zen Cart reinstall with the (CA)cert already in place? That's several hours of installation and reconfiguration, but if it gets the thing working? I could be just as long trying to work out what's wrong here and still end up with the same conclusion, I suppose.

Or is there something else I could try?

 

Reinstalling etc won't solve anything, just get you back to where you are.

If your ZCart installation is operational, leave it be. I'm assuming you have edited the admin and store configure.php files and changed ENABLE_SSL_ADMIN, ENABLE_SSL_CATALOG and ENABLE_SSL to true?

Another useful step is to head to the /www/webXX/ssl folder in a terminal window/command line, and type in

openssl x509 -noout -text -in nameofcert.crt

which will list out the certificate contents. (the actual cert name should obviously be inserted).

Similarly for the CSR

openssl req -noout -text -in nameofcertreq.csr

And the following 3 can be used to check that the key, the CSR and the cert match

openssl rsa -noout -modulus -in nameofprivkey.pem |openssl md5
openssl req -noout -modulus -in nameofcertreq.csr |openssl md5
openssl x509 -noout -modulus -in nameofcert.pem |openssl md5

Also, bear in mind that where certificates are concerned, www.mydomain.com is NOT the same as mydomain.com.

 

ENABLE_SSL_CATALOG - the other two, yes, but I thought this would hide the whole catalogue behind ssl? I'll try it now and see what happens.

 

I think the original idea was that the ENABLE_SSL would only enable it for the payment modules, ENABLE_SSL_CATALOG does it for login and any other 'sensitive' areas after login, as well as payment. I'd have to check the code to be sure.

The other gotcha area with SSL is if you have Suexec or SuPHP enabled, they can play havoc with things if all is not perfect.

 

Nothing happened. It's the same. So running the commands as suggested - no .pem in sight.

I've got .crt .csr .key and .key.org in the ssl directory. Could that be the root of the problem?