[HowTo] Create your own SSL CA and secure multiple services
FeG
Post: #1
Hi all...

I've just posted this HowTo to the ispCP wiki:

HowTo - Create your own SSL CA and secure multiple services.

It describes the following points:
* Creating your own SSL Certification Authority (CA) to sign SSL certificates by yourself
* Securing these services with SSL encryption:
- apache (ispCP Webinterface, phpMyAdmin, Webmail)
- postfix
- courier POP/IMAP
- ProFTPD

Of course, there are mistakes in this HowTo - but I haven't found them yet ;) so if you do, please tell me...

Greetings
FeG
(This post was last modified: 04-03-2008 12:37 AM by FeG.)
09-16-2007 05:22 AM
rsmithgs
Post: #2
Looks good, will do a run-through of it soonish and see how it goes :)
09-16-2007 08:16 AM
DaSilva
Post: #3
I have finished step 2.2 but it doesn't work.
In the ispCP admin panel HTTPS is shown as running and the certificate is displayed too at the first time browsing to my secured domain but there it shows:

Quote:Not Found

The requested URL /php5/php5-fcgi-starter/index.php was not found on this server.
Apache/2.2.0 (Fedora) Server at http://www.frefel.net Port 443

/var/log/apache2/users/ssl.frefel.net-error.log (many of these):

Code:
[Wed Apr 02 14:32:57 2008] [warn] (9)Bad file descriptor: Failed to acquire SSL session cache lock
[Wed Apr 02 14:32:57 2008] [warn] (9)Bad file descriptor: Failed to release SSL session cache lock
[Wed Apr 02 14:32:57 2008] [error] [client 145.228.98.240] (2)No such file or directory: FastCGI: stat() of "/var/www/ispcp/gui/php5" failed

/etc/apache2/sites-enabled/01_ssl_master.conf looks like this (edited @ with [at]):

Code:
NameVirtualHost 193.34.68.126:443
<VirtualHost 193.34.68.126:443>
     #
     # SSL Start
     #
     SSLEngine On
     SSLCertificateFile /etc/apache2/ssl/apache.cert.pem
     SSLCertificateKeyFile /etc/apache2/ssl/apache.key.pem
     #
     # SSL End
     #
     ServerAdmin     support[at]frefel.net
     DocumentRoot    /var/www/ispcp/gui
     ServerName      frefel.net
     ErrorLog        /var/log/apache2/users/ssl.frefel.net-error.log
     TransferLog     /var/log/apache2/users/ssl.frefel.net-access.log
     CustomLog       /var/log/apache2/ssl.frefel.net-traf.log traff
     CustomLog       /var/log/apache2/ssl.frefel.net-combined.log combined

Internet Explorer 7 shows [image] at first and then error 404.

What can I do to fix this?
I am using Debian Etch 64.
Thanks in advance.
(This post was last modified: 04-02-2008 10:43 PM by DaSilva.)
04-02-2008 05:59 PM
FeG
Post: #4
Hi DaSilva,

DaSilva Wrote:I have finished step 2.2 but it doesn't work.
...
/etc/apache2/sites-enabled/01_ssl_master.conf looks like this:

Code:
NameVirtualHost 193.34.68.126:443
<VirtualHost 193.34.68.126:443>
     ...

Are maybe these lines missing?
Code:
    <IfModule mod_fastcgi.c>
        SuexecUserGroup vu2000 vu2000
    </IfModule>

    <Directory /var/www/ispcp/gui>
        Options -Indexes Includes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    <IfModule mod_fastcgi.c>
        ScriptAlias /php4/ /var/www/fcgi/master/
        ScriptAlias /php5/ /var/www/fcgi/master/
        <Directory "/var/www/fcgi/master">
            AllowOverride None
            Options +ExecCGI MultiViews -Indexes
            Order allow,deny
            Allow from all
        </Directory>
    </IfModule>

    <IfModule mod_php4.c>
        <Directory /var/www/ispcp/gui>
            php_admin_value open_basedir "/var/www/ispcp/gui/:/etc/ispcp/:/proc/:/var/www/virtual/:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
            php_admin_value session.save_path "/var/www/ispcp/gui/phptmp/"
        </Directory>
    </IfModule>
    <IfModule mod_php5.c>
        <Directory /var/www/ispcp/gui>
            php_admin_value open_basedir "/var/www/ispcp/gui/:/etc/ispcp/:/proc/:/var/www/virtual/:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
            php_admin_value session.save_path "/var/www/ispcp/gui/phptmp/"
        </Directory>
    </IfModule>

In the HowTo I only said "below here, nothing has to be changed", but these lines have to stay there.

Quote:Internet Explorer 7 shows ...

This is normal, because IE doesn't know your CA - of course.. you have to install it; if you've fully followed my howto, this link should lead you there: http://yourdomain.com/RootCA.crt

Greetings
FeG
04-03-2008 12:52 AM
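
The trust relationship discussed in this thread, as an added example that is not part of the HowTo or of any post: a private CA signs a server certificate, and verification fails until the client is given the CA certificate. The CA name, the host name `www.example.test` and all file names are constructed; it assumes OpenSSL 1.1.0 or later on the PATH.

```shell
#!/bin/sh
# Added example: CA name, host name and file names are constructed.
set -eu

build_pki() {  # $1 = empty work dir, $2 = server host name
    cat > "$1/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_srv]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
    # Self-signed root. rootca.crt is public; rootca.key never leaves the CA host.
    openssl req -x509 -config "$1/pki.cnf" -extensions v3_ca \
        -subj "/CN=Example Root CA" -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$1/rootca.key" -out "$1/rootca.crt" 2>/dev/null
    # Server key and CSR, then the CSR is signed with the root key.
    openssl req -new -config "$1/pki.cnf" -subj "/CN=$2" -newkey rsa:2048 -nodes \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$1/rootca.crt" -CAkey "$1/rootca.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$1/pki.cnf" -extensions v3_srv \
        -out "$1/server.crt" 2>/dev/null
    chmod 600 "$1/rootca.key" "$1/server.key"
}

client_trusts() {  # $1 = server cert, $2 = CA cert the client has installed (optional)
    if [ -n "${2:-}" ]; then
        openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
    else
        # A client that has never seen the CA, like IE7 in the thread.
        openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
    fi
}

ca_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT
build_pki "$dir" www.example.test
client_trusts "$dir/server.crt" && echo "no CA installed: trusted" || echo "no CA installed: warning"
client_trusts "$dir/server.crt" "$dir/rootca.crt" && echo "CA installed: trusted"
ca_fingerprint "$dir/rootca.crt"
```

The download link given above for RootCA.crt is plain HTTP, so the fingerprint printed on the last line is the value a customer would compare over a separate channel before installing the CA.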
DaSilva
Post: #5
Thanks for your help.
I have misunderstood that comment.
That thing with the IE7 looks unprofessional.
"Dumb" customers could think the connection is not safe.
Other https sites (like my bank) do not have this problem.
Is it not possible to have SSL support but without that message?
Thanks for help!
04-03-2008 01:00 AM
Cube
Post: #6
You have to buy a certificate at a trusted CA.
04-03-2008 01:26 AM
rsmithgs
Post: #7
Or get your customers to install the certificate on their machine.
04-03-2008 02:06 AM
DaSilva
Post: #8
How much does that cost?
Is there no free version available?
04-03-2008 04:48 AM
rsmithgs
Post: #9
About £260 a year.

Nope, you can generate one yourself, but that brings you back to square one unless you distribute the certificate to your clients and ask them to add it to their PC.
04-03-2008 04:52 AM
Kika
Post: #10
DaSilva Wrote:How much does that cost?

https://www.verisign.com/ssl/buy-ssl-cer...index.html

DaSilva Wrote:Is there no free version available?

No, there are no free certificates at a trusted CA.
(This post was last modified: 04-03-2008 04:55 AM by Kika.)
04-03-2008 04:54 AM