I haven't found any properly working documentation here so far for integrating multiple SSL certs.
Here is a short howto for integrating certificates from startSSL.com for several customers, i.e. several name-based HTTPS virtual hosts on one IP address; mod_gnutls selects the right certificate from the name the client sends via SNI.
Code:
sudo aptitude install libapache2-mod-gnutls
a2enmod gnutls
a2dismod ssl
Code:
nano /etc/apache2/ports.conf
Important: add the following before "Listen 80". The Listen 443 that Debian's default ports.conf already contains sits inside <IfModule mod_ssl.c> and no longer takes effect once mod_ssl has been disabled, so 443 must be opened unconditionally:
Listen 443
Code:
/etc/apache2/mods-available/gnutls.conf
change as follows (the NameVirtualHost *:443 line is what makes Apache 2.2 pick the virtual host by the name the client sends; Apache 2.4 does this automatically and ignores the directive):
<IfModule mod_gnutls.c>
GnuTLSCache dbm /var/cache/apache2/gnutls_cache
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
GnuTLSCacheTimeout 300
NameVirtualHost *:443
</IfModule>
Code:
cd /etc/apache2/ssl-domainname
(create a separate folder for each certificate, e.g. /etc/apache2/ssl-domainname, and change into it; the key, CSR and chain file for that domain all live there)
Code:
openssl genrsa -des3 -out server.key 2048
openssl req -new -key server.key -out server.csr
Leave "A challenge password" and "An optional company name" empty.
Common Name = *.domain.tld (a wildcard CN; the Class 2 intermediate used below is what StartSSL issues wildcard certificates under, the free Class 1 certificates did not cover wildcards). Check the CSR before uploading it: the CN is the only thing the CA will honour from it.
Upload this CSR to StartSSL as follows:
Open the "Certificate Wizard".
Choose the certificate type (Web Server SSL/TLS Certificate).
Skip the next step (the wizard's own private-key generation; the key was already created above).
Open the CSR and paste its ASCII text into the text box.
Follow the remaining prompts as they are.
Below the certificate text box StartSSL links the
intermediate and root CA certificates.
Copy both into the matching ssl folder (one separate ssl-domainname folder under /etc/apache2/ per certificate). Only the intermediate is needed in the chain file; browsers already ship the root.
Code:
nano apache.crt (paste the certificate from the certificate text box; make sure the file ends with a newline, otherwise the cat below glues the two PEM blocks together)
cat apache.crt sub.class2.server.ca.pem > apache-gnutls.crt
nano /etc/apache2/sites-available/domainname.conf
paste and adapt (order in the chain file matters: the server certificate must come first, the intermediate after it; clients that send no SNI get the certificate of the first *:443 virtual host Apache loads):
<VirtualHost *:443>
ServerName domain.tld
GnuTLSEnable on
GnuTLSPriorities SECURE:!MD5
GnuTLSCertificateFile /etc/apache2/ssl-domainname/apache-gnutls.crt
GnuTLSKeyFile /etc/apache2/ssl-domainname/server.key
ServerAdmin webmaster@domain.tld
DocumentRoot /var/www/virtual/domain.tld/htdocs
ServerAlias www.domain.tld domain.tld
Alias /errors /var/www/virtual/domain.tld/errors/
ErrorDocument 401 /errors/401.html
ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/500.html
ErrorDocument 503 /errors/503.html
<IfModule suexec_module>
SuexecUserGroup vu2266 vu2266
</IfModule>
<Directory /var/www/virtual/domain.tld/htdocs>
# httpd dmn entry PHP support BEGIN.
# httpd dmn entry PHP support END.
Options -Indexes Includes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
Allow from all
</Directory>
# httpd dmn entry PHP2 support BEGIN.
<IfModule mod_php5.c>
php_admin_value open_basedir "/var/www/virtual/domain.tld/:/var/www/virtual/domain.tld/phptmp/:/usr/share/php/"
php_admin_value upload_tmp_dir "/var/www/virtual/domain.tld/phptmp/"
php_admin_value session.save_path "/var/www/virtual/domain.tld/phptmp/"
php_admin_value sendmail_path '/usr/sbin/sendmail -f vuXXXX -t -i'
</IfModule>
<IfModule mod_fastcgi.c>
ScriptAlias /php5/ /var/www/fcgi/domain.tld/
<Directory "/var/www/fcgi/domain.tld">
AllowOverride None
Options +ExecCGI -MultiViews -Indexes
Order allow,deny
Allow from all
</Directory>
</IfModule>
<IfModule mod_fcgid.c>
<Directory /var/www/virtual/domain.tld/htdocs>
FCGIWrapper /var/www/fcgi/domain.tld/php5-fcgi-starter .php
Options +ExecCGI
</Directory>
<Directory "/var/www/fcgi/domain.tld">
AllowOverride None
Options +ExecCGI MultiViews -Indexes
Order allow,deny
Allow from all
</Directory>
</IfModule>
# httpd dmn entry PHP2 support END.
</VirtualHost>
Info from StartSSL on decrypting the private key:
Why do I have to provide a password every time I restart Apache?
Because the private key is encrypted by default, the Apache web server will ask every time at startup for the password. You should decrypt the private key and change the file permission to chmod 400 as user root. For instructions how to decrypt the private key see the next question.
How can I decrypt the private key?
Decrypt the private key by either using the OpenSSL utility (command: openssl rsa -in ssl.key -out ssl.key) or login to the StartSSL™ Control Panel. Click on the "Tool Box" tab and select "Decrypt Private Key", submit the encrypted private key and password. Save the content of the text box into a file. On the server make sure to change the permissions to be readable only by the super user (chmod 400 as user root).
Code:
save the decrypted key as the new server.key (Apache reads it as root at startup, so owner-only root permissions are sufficient and anything wider is unnecessary exposure)
chmod 400 server.key
a2ensite domainname.conf
/etc/init.d/apache2 restart
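The per-domain part of the howto (key, CSR, chain file, key decryption and permissions) as one script, together with the checks worth running before the Apache restart. This is an added example and not code from the original post or from StartSSL: the domain example.test, the passphrase and the temporary directory standing in for /etc/apache2/ssl-domainname are assumptions, and because StartSSL cannot be reached offline, the issued certificate and the intermediate sub.class2.server.ca.pem are stand-ins signed by a throwaway CA generated in the script.

```shell
#!/bin/sh
# Added example, not from the original post: the per-domain key/CSR/chain/decrypt
# steps of the howto as one script, plus the checks worth running before
# restarting Apache. Domain, passphrase and working directory are assumptions;
# StartSSL is not reachable offline, so the issued certificate and the
# intermediate sub.class2.server.ca.pem are stand-ins signed by a throwaway CA.
set -eu
umask 077                                   # key material is created owner-only

DOMAIN="${DOMAIN:-example.test}"            # assumed customer domain
PASS="${PASS:-changeme}"                    # assumed passphrase for the encrypted key
SSLDIR="${SSLDIR:-$(mktemp -d)}"            # stands in for /etc/apache2/ssl-domainname

# Step 1: encrypted key plus CSR with a wildcard CN, non-interactively
# (the post uses -des3 and answers prompts; -aes256 and -subj do the same unattended).
make_csr() {
  dir=$1; domain=$2; pass=$3
  mkdir -p "$dir"
  openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -passin "pass:$pass" \
    -subj "/CN=*.$domain" -out "$dir/server.csr"
}

# Common Name of a CSR, checked before uploading it to the CA.
csr_cn() { openssl req -noout -subject -in "$1" | sed 's/.*CN *= *//'; }

# Step 2: stand-in for StartSSL. A throwaway "intermediate" signs the CSR so that
# apache.crt and sub.class2.server.ca.pem exist for the chain step.
fake_issue() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Fake Intermediate CA" \
    -keyout "$dir/fake-ca.key" -out "$dir/sub.class2.server.ca.pem" 2>/dev/null
  openssl x509 -req -days 2 -in "$dir/server.csr" -CA "$dir/sub.class2.server.ca.pem" \
    -CAkey "$dir/fake-ca.key" -CAcreateserial -out "$dir/apache.crt" 2>/dev/null
}

# Step 3: chain file for GnuTLSCertificateFile, server certificate first, then the
# intermediate; the root is not needed. openssl x509 re-emits each certificate with
# a proper trailing newline, which a plain cat of the pasted file does not guarantee.
build_chain() {
  dir=$1
  for f in apache.crt sub.class2.server.ca.pem; do
    openssl x509 -in "$dir/$f"
  done > "$dir/apache-gnutls.crt"
}

# Step 4: strip the passphrase so Apache starts unattended, then lock the file down.
decrypt_key() {
  dir=$1; pass=$2
  openssl rsa -in "$dir/server.key" -passin "pass:$pass" -out "$dir/server.key.plain" 2>/dev/null
  mv "$dir/server.key.plain" "$dir/server.key"
  chmod 400 "$dir/server.key"
}

# Checks to run before a2ensite and the Apache restart.
key_is_unencrypted() { ! grep -q ENCRYPTED "$1"; }
key_matches_cert() {
  [ "$(openssl rsa -noout -modulus -in "$1")" = "$(openssl x509 -noout -modulus -in "$2")" ]
}
chain_first_cn() { openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'; }
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }
key_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

make_csr "$SSLDIR" "$DOMAIN" "$PASS"
fake_issue "$SSLDIR"
build_chain "$SSLDIR"
decrypt_key "$SSLDIR" "$PASS"
echo "CSR CN: $(csr_cn "$SSLDIR/server.csr")"
echo "chain: $(cert_count "$SSLDIR/apache-gnutls.crt") certs, first CN $(chain_first_cn "$SSLDIR/apache-gnutls.crt")"
echo "key unencrypted: $(key_is_unencrypted "$SSLDIR/server.key" && echo yes || echo no), mode $(key_mode "$SSLDIR/server.key")"
echo "key matches cert: $(key_matches_cert "$SSLDIR/server.key" "$SSLDIR/apache-gnutls.crt" && echo yes || echo no)"
```

On a real server you would skip fake_issue, paste the StartSSL certificate into apache.crt and download the intermediate instead, and point SSLDIR at /etc/apache2/ssl-domainname; the checks stay the same. The temporary directory is left in place for inspection. After a2ensite, run apache2ctl -t before the restart, and once Apache is up confirm that SNI selects the right certificate with openssl s_client -connect your.server:443 -servername domain.tld and compare the subject it prints for each customer domain.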