SSL support - script and instructions

[Feyr]

i needed to host SSL sites on my ispcp installation, so i wrote a script to do it. i don't expect it to be in mainline because 1. it's in perl 2. it's quickly put together 3. it may have major bugs that could cause worldwar III. use at your own risk

installation instructions:
first install the attached script somewhere (i used /var/www/ispcp-bin)
then add a new file in /etc/cron.d with the following line (adjust the first path to the script)
*/6 * * * * root /var/www/ispcp-bin/upd-ssl.pl > /etc/apache2/sites-enabled/ispcp-ssl.conf

once that is done. the script is ready to go. do the following to create a new SSL site:

applied to a potential domain named http://www.test.com. where the common name of the certificate is "www.test.com"


in ISPCP:
as root,
1. go to settings (top menu) then manage IPs (left menu)
2. add your IP with the sitename and the alias as http://www.test.com
3. go to manage user, click "edit" next to the reseller
-fill in the two password fields (bug, you have to change the password every time. but you can reuse it if you remember it)
- click the checkbox next to the new IP you added
- click update
4. switch to the reseller
5. add a user as usual, but select the new IP as the domain IP


IN a root shell:
1. put the certificate AND the unencrypted key in a file named "www.test.com.pem", back it up safely
2. copy that file to /etc/apache2/ssl
3. edit /etc/ispcp/apache/ssl.list, add a line in the following format: "www.test.com http://www.test.com.pem" where the first argument is the site name and the second the certificate file we created in step 1
4. edit /etc/network/interfaces, add an ip like you normally would for an ip alias, don't forget to add the interface to the "auto" line
5. type ifup -a


last: wait 6 minutes

CAVEAT:
ispcp doesn't permit modifying a site's IP address, to add SSL to an existing site you have to delete it first


----


that's all, any comments, modifications, or unforseen bugs are welcome. i coded this in roughly an hour late at night, i wouldn't be surprised if it was full of them. but it seem to work

NOTE: rename the script to remove the .txt, forum didn't like my .pl extension..
NOTE: be careful of the http:// in my instructions, it's the forum software adding it. stick to what's logical

[BeNe]

Fine - SSL is still a small hole in ispCP.
Ok everybody can do it on his own, but he - this sounds great.
Thanks for it!

Greez BeNe

[Feyr]

thanks,

i just wanted to add. it would be trivial to add a table in the database to replace the ssl.list file, and integrate it with a custom menu in ispcp: i just don't care that much for it and i don't have the time to do the menu part

i also wanted to give credit to Over the Top Computing Inc., who ultimately pays for this script and gave his OK for me to post it here

[sseitz]

(08-21-2008 02:19 PM)Feyr Wrote:  that's all, any comments, modifications, or unforseen bugs are welcome. i coded this in roughly an hour late at night, i wouldn't be surprised if it was full of them. but it seem to work

Thanks for this!

By now your script ignores domainnames with dashes in it. I'm not really good in Perl Regexp, but I assume changing line 41 to

Code:

my @servname=map { $_ =~ /^\s+Servername\s+([\w-.]+)/i; $1 } grep(/ServerName/i, @tmpvirthost);

will do the trick.

cheers,

Stephan

[Feyr]

(04-06-2009 04:57 AM)sseitz Wrote:  Thanks for this!

By now your script ignores domainnames with dashes in it. I'm not really good in Perl Regexp, but I assume changing line 41 to

Code:

my @servname=map { $_ =~ /^\s+Servername\s+([\w-.]+)/i; $1 } grep(/ServerName/i, @tmpvirthost);

will do the trick.

cheers,

Stephan

nice catch, yes that's indeed the place to change it

i'm attaching a new version with this fix included, i also added a feature to it since then that i didn't post

if there's a file ending with .CA matching an existing .pem file in /etc/apache2/ssl, it will add a "SSLCACertificateFile" with its path to the virtualhost of that site. this allows for chained certificates (like netsolssl.com does and probably a bunch of others)
  upd-ssl.pl.txt (Size: 1.53 KB / Downloads: 61)

[nuno]

Hi Feyr, first many thanks for this howto.

Can I ask if this script and instructions still are updated in this moment?

Regards
Nuno

[Feyr]

it's not updated per se, but i see no reason why it wouldn't work with any newer version: it acts on the apache config files, not the ispcp ones. the instructions might be a bit different: just remember that you need to give your ssl sites their own ip address in ispcp and you're good to go

[mafia]

Hi Feyr,

ispCP Version 1.0.5
added to the command is how cron.dc cd / Nano

thank you