Current time: 12-24-2024, 03:44 AM Hello There, Guest! (LoginRegister)


Post Reply 
howto - mehrere ssl certs für kunden (startssl.com)
Author Message
fulltilt Offline
Member
***

Posts: 1,225
Joined: Apr 2007
Reputation: 5
Post: #1
howto - mehrere ssl certs für kunden (startssl.com)
hab bislang keine richtig funktionierende Doku hier gefunden um mehere SSL Certs zu integrieren.
Hier mal ein kurzes howto um Zertifikate von startSSL.com für mehrere Kunden zu integrieren.

Code:
sudo aptitude install libapache2-mod-gnutls
a2enmod gnutls
a2dismod ssl
Code:
nano /etc/apache2/ports.conf
Wichtig: vor der “Listen 80″ einfügen:
Listen 443
Code:
/etc/apache2/mods-available/gnutls.conf
folgendermassen abändern:
<IfModule mod_gnutls.c>
  GnuTLSCache dbm /var/cache/apache2/gnutls_cache
  AddType application/x-x509-ca-cert .crt
  AddType application/x-pkcs7-crl    .crl
  GnuTLSCacheTimeout 300
  NameVirtualHost *:443
</IfModule>
Code:
cd /etc/apache2/ssl-domainname
(für jedes cert einen extra folder erstellen und rein wechseln cd /)
Code:
openssl genrsa -des3 -out server.key 2048
openssl req -new -key server.key -out server.csr
A challenge password und An optional company name leer lassen
Common Name = *.domain.tld
Dieses CSR lädt man bei StartSSL dann hoch
Man ruft den "Certificate Wizard" auf
Typ des Zertifikats (Web)
Den nächsten Schritt überspringt man
Man öffnet den CSR und kopiert den ASCII-Text des CSR einfach in die Textbox.
Den restlichen Anfragen folgt man einfach so wie sie sind.

unter der certbox:
intermediate and root CA certificates
diese beiden certs in den entsprechenden ssl Ordner kopieren
(für jedes cert einen neuen ssl-domainname ordner in /etc/apache2/ erstellen
Code:
nano apache.crt (cert aus certbox einfügen)

cat apache.crt sub.class2.server.ca.pem > apache-gnutls.crt

nano /etc/apache2/sites-available/domainname.conf
einfügen und anpassen

<VirtualHost *:443>
    ServerName      domain.tld

    GnuTLSEnable on
    GnuTLSPriorities SECURE:!MD5
    GnuTLSCertificateFile /etc/apache2/ssl-domainname/apache-gnutls.crt
    GnuTLSKeyFile /etc/apache2/ssl-domainname/server.key

    ServerAdmin     webmaster@domain.tld
    DocumentRoot    /var/www/virtual/domain.tld/htdocs

    ServerAlias     www.domain.tld domain.tld

    Alias /errors   /var/www/virtual/domain.tld/errors/

    ErrorDocument 401 /errors/401.html
    ErrorDocument 403 /errors/403.html
    ErrorDocument 404 /errors/404.html
    ErrorDocument 500 /errors/500.html
    ErrorDocument 503 /errors/503.html

    <IfModule suexec_module>
           SuexecUserGroup vu2266 vu2266
    </IfModule>

    <Directory /var/www/virtual/domain.tld/htdocs>
        # httpd dmn entry PHP support BEGIN.
        # httpd dmn entry PHP support END.
        Options -Indexes Includes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>

    # httpd dmn entry PHP2 support BEGIN.
    <IfModule mod_php5.c>
        php_admin_value open_basedir "/var/www/virtual/domain.tld/:/var/www/virtual/domain.tld/phptmp/:/usr/share/php/"
        php_admin_value upload_tmp_dir "/var/www/virtual/domain.tld/phptmp/"
        php_admin_value session.save_path "/var/www/virtual/domain.tld/phptmp/"
        php_admin_value sendmail_path '/usr/sbin/sendmail -f vuXXXX -t -i'
    </IfModule>
    <IfModule mod_fastcgi.c>
        ScriptAlias /php5/ /var/www/fcgi/domain.tld/
        <Directory "/var/www/fcgi/domain.tld">
            AllowOverride None
            Options +ExecCGI -MultiViews -Indexes
            Order allow,deny
            Allow from all
        </Directory>
    </IfModule>
    <IfModule mod_fcgid.c>
        <Directory /var/www/virtual/domain.tld/htdocs>
            FCGIWrapper /var/www/fcgi/domain.tld/php5-fcgi-starter .php
            Options +ExecCGI
        </Directory>
        <Directory "/var/www/fcgi/domain.tld">
            AllowOverride None
            Options +ExecCGI MultiViews -Indexes
            Order allow,deny
            Allow from all
        </Directory>
    </IfModule>
    # httpd dmn entry PHP2 support END.
</VirtualHost>
Info von STARTSSL decrypt the private key:
Why do I have to provide a password every time I restart Apache?
Because the private key is encrypted by default, the Apache web server will ask every time at startup for the password. You should decrypt the private key and change the file permission to chmod 400 as user root. For instructions how to decrypt the private key see the next question.

How can I decrypt the private key?
Decrypt the private key by either using the OpenSSL utility (command: openssl rsa -in ssl.key -out ssl.key) or login to the StartSSL™ Control Panel. Click on the "Tool Box" tab and select "Decrypt Private Key", submit the encrypted private key and password. Save the content of the text box into a file. On the server make sure to change the permissions to be readable only by the super user (chmod 400 as user root).
Code:
dieses dann als neuen server.key speichern
chmod 400 server.key

a2ensite domainname.conf
/etc/init.d/apache2 restart
01-16-2011 12:47 AM
Find all posts by this user Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 1 Guest(s)