Wrong SSL certificate returning for FQDN.

Discussion in 'General' started by Wade John Beckett, May 5, 2022.

  1. Hi there,
    I trust you are well.

    I have ISPConfig 3 installed at https://subdomain.mydomain.com, which is accessed through port 8080.

    I am trying to set up the PayPal IPN, which requires access to https://subdomain.mydomain.com/some/directory/; however, the site returns an SSL error when accessing https://subdomain.mydomain.com via the SSL port (it works fine at http://subdomain.mydomain.com, which displays the Apache default page).

    The error displayed is that the SSL certificate has the wrong name. It seems to be the SSL certificate of the FIRST website added inside of ISPConfig.

    I want to create an SSL certificate for https://subdomain.mydomain.com

    I need to serve subdomain.mydomain.com via port 80, port 443 and also 8080 (ISPConfig admin), it seems.

    *Update: I have tried creating an IPN proxy, to no avail.
    Last edited: May 5, 2022
  2. 30uke

    30uke Active Member HowtoForge Supporter

    Did you open ports 80/TCP + 443/TCP and did you tick the option "Let's Encrypt SSL"? Or did you add a certificate yourself?
  3. This isn't a site added from the GUI, it's the domain on which ISPConfig is installed.
  4. 30uke

    30uke Active Member HowtoForge Supporter

    I think that the easiest way is to add the site via ISPConfig.
    I use e.g. s1.gigabitjes.nl for ISPConfig's interface (port 8080) and as a landing page (port 80+443). I did notice some issues as I have/had a certificate for ISPConfig and for the landing page (same subdomain). It might not be best practice but I did resolve it by replacing the certificates of ISPConfig's interface with the ones created for the landing page (these are Let's Encrypt certificates).
    The following example is for vps2.oke-it-services.nl (please see the following post - adjust as required):
    Hope this helps.
  5. ahrasis

    ahrasis Well-Known Member

    The LE certs for the server hostname FQDN are only for port 8080 and not immediately/automatically usable as a website at port 443.

    It is correct to suggest creating a website for it but whether you are using acme.sh or certbot, the only option is to symlink the LE certs to ISPConfig web ssl folder.

    However, if you are not careful that may break automatic ispserver.pem creation and renewal, which is very crucial for an ISPConfig server, so do research on the right implementation of this.

    I already suggested a way to fix this in another thread but that is up to the ISPConfig developers to decide.
  6. Thank you for your reply, this has helped me wrap my head around the problem.

    For now, I simply created an IPN proxy from the FQDN over port 80, to the IPN callback accessible through port 8080. This seems to have worked.

    It does not however solve the problem of the landing page displayed at the FQDN over port 80, or 443.

    Another problem I noticed is that ALL new sites will display the SSL certificate / web page of the FIRST created website, if there is no SSL installed.

    Do you know if this is because of the SNI?
    Do you know if there is a fix for this?
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    That's the way Apache and Nginx servers work. If there is no matching domain + IP (or wildcard) combination in the config, then the webserver will show the first site it finds on the same IP. There is no solution for that, the only thing that you can do is to define which site gets shown by creating a 'dummy' website that is first in the alphabet to avoid someone landing on the wrong site of one of your customers.
  8. 30uke

    30uke Active Member HowtoForge Supporter

    I did create "000default.tld" some time ago to work around this. I also have a domain called "altweb.nl" and it is being shown when I e.g. enter the IPv4 address of the server. It looks like the domain starting with "A" prevails. So, probably I had to add "aaa000default.aaa" or something like that instead of "000default.tld".
    Another thing that seems to help is to have an SSL certificate for every domain and to not select/fill out anything at IPv4 (it has to show an asterisk) and to not select or enter anything at IPv6 (it has to be empty). For auto subdomain I just keep "www".
    The above works for me to have everything working fine.
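The behaviour till describes in post 7 (no matching ServerName on that IP, so the first vhost in the config answers and its certificate is presented) and the "dummy site first in the alphabet" workaround from post 8 can be reproduced offline. The following is an example written for this thread, not ISPConfig's, Apache's or Nginx's own code. It assumes that vhost files are included in plain ASCII order of ServerName (a simplification: the real order is whatever order the web server reads its vhost files in, which is why 30uke saw "altweb.nl" beat "000default.tld"), that ServerName/ServerAlias matching is exact, and that certificate names are matched the way browsers do it. The site names, IPs and subjectAltName lists are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class VHost:
    """One name-based virtual host and the certificate it serves (constructed model)."""
    name: str                                   # ServerName
    ip: str                                     # bound address, "*" = any address
    sans: List[str]                             # subjectAltName DNS names of its cert
    aliases: List[str] = field(default_factory=list)  # ServerAlias entries


def names_match(pattern: str, host: str) -> bool:
    """Certificate name check as browsers do it (RFC 6125 / RFC 9525):
    case-insensitive; '*' only allowed as the whole leftmost label,
    where it matches exactly one label (so *.mydomain.com does not
    cover mydomain.com or a.b.mydomain.com)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False
    plabels, hlabels = pattern.split("."), host.split(".")
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]


def config_order(vhosts: List[VHost]) -> List[VHost]:
    """Assumption for this example: vhosts are loaded in ASCII order of
    ServerName, i.e. 'first in the alphabet' wins as the default."""
    return sorted(vhosts, key=lambda v: v.name)


def select_vhost(vhosts: List[VHost], ip: str, host: str) -> Optional[VHost]:
    """Name-based selection: among vhosts bound to the connection's IP
    (or '*'), take the first whose ServerName/ServerAlias equals the
    SNI/Host name; if none matches, the FIRST vhost on that IP answers."""
    candidates = [v for v in config_order(vhosts) if v.ip in ("*", ip)]
    if not candidates:
        return None
    host = host.lower().rstrip(".")
    for v in candidates:
        if host in (n.lower() for n in [v.name, *v.aliases]):
            return v
    return candidates[0]            # the default vhost for this IP


def probe(vhosts: List[VHost], ip: str, host: str) -> Tuple[Optional[str], bool]:
    """Return (ServerName of the vhost that answers, whether the cert it
    presents is valid for the requested name). (None, False) if nothing
    listens on that IP."""
    v = select_vhost(vhosts, ip, host)
    if v is None:
        return None, False
    return v.name, any(names_match(san, host) for san in v.sans)


# Constructed sample data: two customer sites on one address; the panel's
# own FQDN (subdomain.mydomain.com) has no website of its own on 443.
SERVER_IP = "203.0.113.10"
SITES = [
    VHost("customer-shop.example", SERVER_IP,
          ["customer-shop.example", "www.customer-shop.example"],
          aliases=["www.customer-shop.example"]),
    VHost("altweb.nl", SERVER_IP, ["altweb.nl", "www.altweb.nl"],
          aliases=["www.altweb.nl"]),
]
# The 'dummy' site from posts 7/8: sorts before every customer domain.
DEFAULT_SITE = VHost("000default.tld", SERVER_IP, ["000default.tld"])

if __name__ == "__main__":
    for host in ("altweb.nl", "subdomain.mydomain.com"):
        print(f"{host:25s} without dummy -> {probe(SITES, SERVER_IP, host)}")
        print(f"{host:25s} with dummy    -> {probe(SITES + [DEFAULT_SITE], SERVER_IP, host)}")
```

Without the dummy site, a request for subdomain.mydomain.com lands on altweb.nl and the browser reports a name mismatch, which is exactly the symptom in post 1; with the dummy site it still gets a mismatching certificate (the browser cannot be satisfied without a cert that names subdomain.mydomain.com), but at least it is your landing page and not a customer's site that is exposed.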
  9. I've been using Plesk and cPanel for years and to be honest this is the first I'm seeing this issue. There must be a way around it.

    Moving a client over is proving to be a difficult task now as I cannot access the frontend of the site: it keeps being redirected to https, which serves the wrong page (before switching DNS).

    Normally you'd just select "accept risk and continue" in browser where an SSL certificate is absent. Not sure how to get around this.
  10. ahrasis

    ahrasis Well-Known Member

    You can either have all sites with no ssl or all sites with ssl to resolve that issue. The latter is today's norm.

    For domains that have no sites, use redirect to a landing page.
  11. Okay hear me out. What if one created a default site, something like 0default.tld, and then had the landing page contain a script that redirected to the requested URL, rewritten to use http?
  12. ahrasis

    ahrasis Well-Known Member

    You mean while your web server has both SSL and non-SSL websites? That will work the same as your current problem, not solve it.

    For moving a site to an ISPConfig web server, simply copy the site to it, change its A record to its IP and get an LE SSL cert for it after that has properly propagated.

    You could temporarily use self-signed certs for it, if you want, but you should delete them properly before requesting LE SSL certs later on.
  13. Jesse Norell

    Jesse Norell Staff Member ISPConfig Developer

    As far as I know, Plesk just ships with a generic landing page on a default site already set up. With ISPConfig you would have to create the default site yourself, and fancy up the landing page to suit you.
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    This is not related to the default host issue, you can access a site upfront of DNS delegation like this: https://www.faqforge.com/linux/serv...ess-a-namebased-website-without-a-dns-record/
  15. andyhelid

    andyhelid New Member

    Is anyone else having the same issue still?
  16. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Which issue?