[Solved]SSL Certificate for Virtual Hosts - Macsloverd - 04-17-2010 07:44 AM
ISPCP 1.0.5 is running with SSL enabled for the Control Panel (admin); to be specific:
Code:
Server domain: http://abc.com
control panel access: https://admin.abc.com (with a purchased certificate)
Today, when I try to enable SSL for a virtual host, i.e. 123.com (https://123.com), it shows the certificate of admin.abc.com instead of its own certificate.
To enable SSL for the control panel, I modified 00_master.conf based on the howtos in the documentation area, and I modified ispcp.conf for the virtual host to enable SSL.
Apache2 restarts with no warnings, and I double-checked the location of the certificate file.
I am quite confused about why the virtual host is not using the right certificate.
Is there anyone who can help me with this?
Thanks in advance.
ANSWERS to this problem
I have got answers from the Apache website: it is not possible to set up SSL for more than one name-based virtual host.
The reason is that SSL encapsulation happens before the HTTP protocol, so Apache cannot tell which virtual host the client wants to connect to, and Apache provides the first one that it finds; in this case, the admin control panel, as it is defined in 00_master.conf (before ispcp.conf is loaded).
It is, however, possible to set up IP-based virtual hosts together with multiple SSL connections.
People who are interested in detailed information can find it here under the questions: "Why can't I use SSL with name-based/non-IP-based virtual hosts?" and "Why is it not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?"
RE: [Problem]SSL Certificate for Virtual Hosts - mr.x - 04-17-2010 08:55 PM
Hi,
(04-17-2010 07:44 AM)Macsloverd Wrote: Is there anyone who can help me with this?
Thanks in advance.
Please show us your config files
Br
Jan
RE: [Problem]SSL Certificate for Virtual Hosts - Macsloverd - 04-18-2010 03:46 AM
Sure, here are the configuration files:
Code:
server Control Panel domain is: admin.abc.com with SSL;
server domain is: abc.com;
virtual host domain is:123.com;
SSL required virtual host domain is: store.123.com.
Code:
# 00_master.conf - /etc/apache2/sites-available/
<VirtualHost 1.2.3.4:443>
ServerAdmin info@abc.com
DocumentRoot /var/www/ispcp/gui
ServerName admin.abc.com
Alias /errors /var/www/ispcp/gui/errordocs/
ErrorDocument 401 /errors/401.html
ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/500.html
ErrorDocument 503 /errors/503.html
Alias /pma /var/www/ispcp/gui/tools/pma/
Alias /webmail /var/www/ispcp/gui/tools/webmail/
Alias /ftp /var/www/ispcp/gui/tools/filemanager/
SSLEngine On
SSLCertificateFile /etc/ssl/certs/admin.abc.com.crt
SSLCertificateKeyFile /etc/ssl/certs/admin.abc.com.key
ServerAlias admin.abc.com
<IfModule suexec_module>
SuexecUserGroup vu2000 vu2000
</IfModule>
<Directory /var/www/ispcp/gui>
Options -Indexes Includes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<IfModule mod_fcgid.c>
<Directory /var/www/ispcp/gui>
FCGIWrapper /var/www/fcgi/master/php5-fcgi-starter .php
Options +ExecCGI
</Directory>
<Directory "/var/www/fcgi/master">
AllowOverride None
Options +ExecCGI MultiViews -Indexes
Order allow,deny
Allow from all
</Directory>
</IfModule>
<IfModule mod_fastcgi.c>
ScriptAlias /php5/ /var/www/fcgi/master/
<Directory "/var/www/fcgi/master">
AllowOverride None
Options +ExecCGI MultiViews -Indexes
Order allow,deny
Allow from all
</Directory>
</IfModule>
<IfModule mod_php5.c>
<Directory /var/www/ispcp/gui>
php_admin_value open_basedir "/var/www/ispcp/gui/:/etc/ispcp/:/var/run/ispcp.lock:/proc/:/bin/df:/bin/mount:/var/log/rkhunter.log:/var/log/chkrootkit.log:/usr/share/php/"
php_admin_value session.save_path "/var/www/ispcp/gui/phptmp/"
php_admin_value upload_tmp_dir "/var/www/ispcp/gui/phptmp/"
</Directory>
</IfModule>
</VirtualHost>
Code:
# ispcp.conf - /etc/apache2/sites-available/
# httpd Data BEGIN.
#
# wget-hack prevention
#
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^LWP::Simple
RewriteRule ^/.* http://%{REMOTE_ADDR}/ [L,E=nolog:1]
</IfModule>
#
# Log processing.
#
LogFormat "%B" traff
LogFormat "%v %b %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" ispcplog
CustomLog "| /var/www/ispcp/engine/ispcp-apache-logger" ispcplog
ErrorLog "| /var/www/ispcp/engine/ispcp-apache-logger -e"
#
# mod_cband configuration
#
<IfModule mod_cband.c>
CBandScoreFlushPeriod 10
CBandRandomPulse On
</IfModule>
#
# let the customer decide what charset he likes to use
#
AddDefaultCharset Off
#
# Header End
#
# httpd [1.2.3.4] virtual host entry BEGIN.
NameVirtualHost 1.2.3.4:80
# httpd [{DMN_GRP}] dmn group entry BEGIN.
# httpd [{DMN_GRP}] dmn group entry END.
# httpd [abc.com] dmn group entry BEGIN.
<IfModule mod_cband.c>
<CBandUser abc.com>
# CBandUserLimit 0Mi
# CBandUserScoreboard /var/www/scoreboards/abc.com
# CBandUserPeriod 4W
# CBandUserPeriodSlice 1W
# CBandUserExceededURL http://admin.abc.com/errors/bw_exceeded.html
</CBandUser>
</IfModule>
# httpd [{SUB_NAME}] sub entry BEGIN.
# httpd [{SUB_NAME}] sub entry END.
# httpd [abc.com] dmn entry BEGIN.
<VirtualHost 1.2.3.4:80>
<IfModule suexec_module>
SuexecUserGroup vu2015 vu2015
</IfModule>
ServerAdmin webmaster@abc.com
DocumentRoot /var/www/virtual/abc.com/htdocs
ServerName abc.com
ServerAlias www.abc.com abc.com *.abc.com vu2015.admin.abc.com
Alias /errors /var/www/virtual/abc.com/errors/
RedirectMatch permanent ^/ftp[\/]?$ http://admin.abc.com/ftp/
RedirectMatch permanent ^/pma[\/]?$ http://admin.abc.com/pma/
RedirectMatch permanent ^/webmail[\/]?$ http://admin.abc.com/webmail/
RedirectMatch permanent ^/ispcp[\/]?$ http://admin.abc.com/
ErrorDocument 401 /errors/401.html
ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/500.html
ErrorDocument 503 /errors/503.html
<IfModule mod_cband.c>
CBandUser abc.com
</IfModule>
# httpd awstats support BEGIN.
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass /stats http://localhost/stats/abc.com
ProxyPassReverse /stats http://localhost/stats/abc.com
<Location /stats>
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^(.+)\?config=([^\?\&]+)(.*) $1\?config=abc.com&$3 [NC,L]
</IfModule>
AuthType Basic
AuthName "Statistics for domain abc.com"
AuthUserFile /var/www/virtual/abc.com/.htpasswd
AuthGroupFile /var/www/virtual/abc.com/.htgroup
Require group statistics
</Location>
# httpd awstats support END.
# httpd dmn entry cgi support BEGIN.
ScriptAlias /cgi-bin/ /var/www/virtual/abc.com/cgi-bin/
<Directory /var/www/virtual/abc.com/cgi-bin>
AllowOverride AuthConfig
#Options ExecCGI
Order allow,deny
Allow from all
</Directory>
# httpd dmn entry cgi support END.
<Directory /var/www/virtual/abc.com/htdocs>
# httpd dmn entry PHP support BEGIN.
# httpd dmn entry PHP support END.
Options -Indexes Includes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
Allow from all
</Directory>
# httpd dmn entry PHP2 support BEGIN.
<IfModule mod_php5.c>
php_admin_value open_basedir "/var/www/virtual/abc.com/:/var/www/virtual/abc.com/phptmp/:/usr/share/php/"
php_admin_value upload_tmp_dir "/var/www/virtual/abc.com/phptmp/"
php_admin_value session.save_path "/var/www/virtual/abc.com/phptmp/"
php_admin_value sendmail_path '/usr/sbin/sendmail -f vu2015 -t -i'
</IfModule>
<IfModule mod_fastcgi.c>
ScriptAlias /php5/ /var/www/fcgi/abc.com/
<Directory "/var/www/fcgi/abc.com">
AllowOverride None
Options +ExecCGI -MultiViews -Indexes
Order allow,deny
Allow from all
</Directory>
</IfModule>
<IfModule mod_fcgid.c>
Include /etc/apache2/mods-available/fcgid_ispcp.conf
<Directory /var/www/virtual/abc.com/htdocs>
FCGIWrapper /var/www/fcgi/abc.com/php5-fcgi-starter .php
Options +ExecCGI
</Directory>
<Directory "/var/www/fcgi/abc.com">
AllowOverride None
Options +ExecCGI MultiViews -Indexes
Order allow,deny
Allow from all
</Directory>
</IfModule>
# httpd dmn entry PHP2 support END.
Include /etc/apache2/ispcp/abc.com.conf
</VirtualHost>
# httpd [abc.com] dmn entry END.
# httpd [abc.com] dmn group entry END.
# httpd [123.com] dmn group entry BEGIN.
<IfModule mod_cband.c>
<CBandUser 123.com>
# CBandUserLimit 0Mi
# CBandUserScoreboard /var/www/scoreboards/123.com
# CBandUserPeriod 4W
# CBandUserPeriodSlice 1W
# CBandUserExceededURL http://admin.abc.com/errors/bw_exceeded.html
</CBandUser>
</IfModule>
# httpd [store.123.com] sub entry BEGIN.
NameVirtualHost 1.2.3.4:443
<VirtualHost 1.2.3.4:443>
#
#User vu2009
#Group vu2009
#
# SSL Enable
SSLEngine On
SSLCertificateFile /etc/ssl/certs/store.123.com.crt
SSLCertificateKeyFile /etc/ssl/certs/store.123.com.key
<IfModule suexec_module>
SuexecUserGroup vu2009 vu2009
</IfModule>
ServerAdmin admin@123.com
DocumentRoot /var/www/virtual/123.com/store/htdocs
ServerName store.123.com
ServerAlias www.store.123.com store.123.com *.store.123.com
Alias /errors /var/www/virtual/123.com/errors/
RedirectMatch permanent ^/ftp[\/]?$ https://admin.abc.com/ftp/
RedirectMatch permanent ^/pma[\/]?$ https://admin.abc.com/pma/
RedirectMatch permanent ^/webmail[\/]?$ https://admin.abc.com/webmail/
RedirectMatch permanent ^/ispcp[\/]?$ https://admin.abc.com/
ErrorDocument 401 /errors/401.html
ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/500.html
ErrorDocument 503 /errors/503.html
<IfModule mod_cband.c>
CBandUser 123.com
</IfModule>
# httpd sub entry cgi support BEGIN.
ScriptAlias /cgi-bin/ /var/www/virtual/123.com/store/cgi-bin/
<Directory /var/www/virtual/123.com/store/cgi-bin>
AllowOverride AuthConfig
#Options ExecCGI
Order allow,deny
Allow from all
</Directory>
# httpd sub entry cgi support END.
<Directory /var/www/virtual/123.com/store/htdocs>
# httpd sub entry PHP support BEGIN.
# httpd sub entry PHP support END.
Options -Indexes Includes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
Allow from all
</Directory>
# httpd sub entry PHP2 support BEGIN.
<IfModule mod_php5.c>
php_admin_value open_basedir "/var/www/virtual/123.com/:/var/www/virtual/123.com/phptmp/:/usr/share/php/"
php_admin_value upload_tmp_dir "/var/www/virtual/123.com/phptmp/"
php_admin_value session.save_path "/var/www/virtual/123.com/phptmp/"
php_admin_value sendmail_path '/usr/sbin/sendmail -f vu2009 -t -i'
</IfModule>
<IfModule mod_fastcgi.c>
ScriptAlias /php5/ /var/www/fcgi/123.com/
<Directory "/var/www/fcgi/123.com">
AllowOverride None
Options +ExecCGI -MultiViews -Indexes
Order allow,deny
Allow from all
</Directory>
</IfModule>
<IfModule mod_fcgid.c>
Include /etc/apache2/mods-available/fcgid_ispcp.conf
<Directory /var/www/virtual/123.com/store/htdocs>
FCGIWrapper /var/www/fcgi/123.com/php5-fcgi-starter .php
Options +ExecCGI
</Directory>
<Directory "/var/www/fcgi/123.com">
AllowOverride None
Options +ExecCGI MultiViews -Indexes
Order allow,deny
Allow from all
</Directory>
</IfModule>
# httpd sub entry PHP2 support END.
Include /etc/apache2/ispcp/store.123.com.conf
</VirtualHost>
# httpd [store.123.com] sub entry END.
# httpd [{SUB_NAME}] sub entry BEGIN.
# httpd [{SUB_NAME}] sub entry END.
# httpd [123.com] dmn entry BEGIN.
<VirtualHost 1.2.3.4:80>
<IfModule suexec_module>
SuexecUserGroup vu2009 vu2009
</IfModule>
ServerAdmin webmaster@123.com
DocumentRoot /var/www/virtual/123.com/htdocs
ServerName 123.com
ServerAlias www.123.com 123.com *.123.com vu2009.admin.abc.com
Alias /errors /var/www/virtual/123.com/errors/
RedirectMatch permanent ^/ftp[\/]?$ http://admin.abc.com/ftp/
RedirectMatch permanent ^/pma[\/]?$ http://admin.abc.com/pma/
RedirectMatch permanent ^/webmail[\/]?$ http://admin.abc.com/webmail/
RedirectMatch permanent ^/ispcp[\/]?$ http://admin.abc.com/
ErrorDocument 401 /errors/401.html
ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/500.html
ErrorDocument 503 /errors/503.html
<IfModule mod_cband.c>
CBandUser 123.com
</IfModule>
# httpd awstats support BEGIN.
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass /stats http://localhost/stats/123.com
ProxyPassReverse /stats http://localhost/stats/123.com
<Location /stats>
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^(.+)\?config=([^\?\&]+)(.*) $1\?config=123.com&$3 [NC,L]
</IfModule>
AuthType Basic
AuthName "Statistics for domain 123.com"
AuthUserFile /var/www/virtual/123.com/.htpasswd
AuthGroupFile /var/www/virtual/123.com/.htgroup
Require group statistics
</Location>
# httpd awstats support END.
# httpd dmn entry cgi support BEGIN.
ScriptAlias /cgi-bin/ /var/www/virtual/123.com/cgi-bin/
<Directory /var/www/virtual/123.com/cgi-bin>
AllowOverride AuthConfig
#Options ExecCGI
Order allow,deny
Allow from all
</Directory>
# httpd dmn entry cgi support END.
<Directory /var/www/virtual/123.com/htdocs>
# httpd dmn entry PHP support BEGIN.
# httpd dmn entry PHP support END.
Options -Indexes Includes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
Allow from all
</Directory>
# httpd dmn entry PHP2 support BEGIN.
<IfModule mod_php5.c>
php_admin_value open_basedir "/var/www/virtual/123.com/:/var/www/virtual/123.com/phptmp/:/usr/share/php/"
php_admin_value upload_tmp_dir "/var/www/virtual/123.com/phptmp/"
php_admin_value session.save_path "/var/www/virtual/123.com/phptmp/"
php_admin_value sendmail_path '/usr/sbin/sendmail -f vu2009 -t -i'
</IfModule>
<IfModule mod_fastcgi.c>
ScriptAlias /php5/ /var/www/fcgi/123.com/
<Directory "/var/www/fcgi/123.com">
AllowOverride None
Options +ExecCGI -MultiViews -Indexes
Order allow,deny
Allow from all
</Directory>
</IfModule>
<IfModule mod_fcgid.c>
Include /etc/apache2/mods-available/fcgid_ispcp.conf
<Directory /var/www/virtual/123.com/htdocs>
FCGIWrapper /var/www/fcgi/123.com/php5-fcgi-starter .php
Options +ExecCGI
</Directory>
<Directory "/var/www/fcgi/123.com">
AllowOverride None
Options +ExecCGI MultiViews -Indexes
Order allow,deny
Allow from all
</Directory>
</IfModule>
# httpd dmn entry PHP2 support END.
Include /etc/apache2/ispcp/123.com.conf
</VirtualHost>
RE: [Problem]SSL Certificate for Virtual Hosts - mr.x - 04-18-2010 05:14 AM
Hi,
(04-18-2010 03:46 AM)Macsloverd Wrote: Sure, here are the configuration files:
I had a quick look. It looks to me as if there are too many * inside.
Please check the *.123.com and the other domains with *.
Try it without the * in your configuration.
Br
Jan
RE: [Problem]SSL Certificate for Virtual Hosts - Macsloverd - 04-18-2010 07:13 AM
Thanks!
I'll try it out tomorrow and I'll let you know about it.
RE: [Problem]SSL Certificate for Virtual Hosts - Macsloverd - 04-18-2010 05:24 PM
I have been trying to change the server alias; however, it doesn't work.
Finally, I have got answers from the Apache website: it is not possible to set up SSL for more than one name-based virtual host.
The reason is that SSL encapsulation happens before the HTTP protocol, so Apache cannot tell which virtual host the client wants to connect to, and Apache provides the first one that it finds; in this case, the admin control panel, as it is defined in 00_master.conf.
It is, however, possible to set up IP-based virtual hosts together with multiple SSL connections.
People who are interested in detailed information can find it here under the questions: "Why can't I use SSL with name-based/non-IP-based virtual hosts?" and "Why is it not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?"
RE: [Problem]SSL Certificate for Virtual Hosts - mr.x - 04-18-2010 06:07 PM
(04-18-2010 05:24 PM)Macsloverd Wrote: Finally, I have got answers from apache website: It is not possible to set SSL for more than one Name-based virtual host.
It's possible, but you need a separate IP address for each vhost.
Maybe pround is something for u .-)
Have a nice weekend
Jan
RE: [Problem]SSL Certificate for Virtual Hosts - Macsloverd - 04-18-2010 07:19 PM
I've been searching for alternative solutions to this issue, and SNI (Server Name Indication) came to my attention.
It is said that mod_ssl supports SNI in some versions, and another mod called GnuTLS also supports SNI.
I am not sure which version of mod_ssl I have been using, so I gave the GnuTLS mod a shot with no luck - https doesn't even work - though I have no idea about GnuTLS. (Most likely I did something wrong.)
Additionally, I read an article about ISPConfig; it said that ISPConfig supports multiple name-based SSL virtual hosts, without saying specifically how and why. I am running out of experimental computers, hence I can't try it out to find out whether it is true and, if so, what gives it the ability to do so.
Anyway, I will keep seeking solutions, and I would appreciate it if ispCP would consider enabling this feature in the future. A dedicated IP address is not really easy to "generate", after all.
Thank you for your help.
Nice weekend to you too.
RE: [Solved]SSL Certificate for Virtual Hosts - trial - 04-20-2010 04:04 PM
For SNI, install Apache 2.2.12 or later (currently 2.2.15-3) backported from squeeze and compile OpenSSL (to get .i or newer); then you will get SNI fast and simple. I don't recommend GnuTLS for Apache.
RE: [Solved]SSL Certificate for Virtual Hosts - aseques - 04-20-2010 08:21 PM
Hi, I've just seen your problem.
You can follow the guide here to have what I am using:
http://www.isp-control.net/documentation/doku.php?id=howto:defaultport
Basically, I use port 8443 under SSL for management and 443 for hosting SSL.
This, together with some rewrite magic, makes a clean solution for multi-hosting + SSL (and something that will work even on Internet Explorer...)