I recently reinstalled a CentOS 5.2 server running ISPConfig using Apache for virtual web hosting. The first site I was reinstalling the RapidSSL certificate for was not working. It continued to tell me that it was a non-trusted self-signed certificate. Eventually I figured out the only issue was that ISPConfig was not restarting the web server, thus not taking the RapidSSL cert. Once I restarted the web server manually everything worked properly. A couple of things to note, though, are exactly how to install an SSL Certificate with ISPConfig and how to regenerate the server's self-signed certificate if necessary.
Installing an SSL Certificate for a Virtual Host with ISPConfig:
- Create Site: Create the hosting account using your typical methods with ISPConfig.
- Enable SSL: Make sure the hosting package has provided the option of SSL for this site and then, after clicking on the site, make sure SSL is enabled.
- Create CSR: After clicking on the site, click the SSL tab and fill in your company information (Country, Province, Town, Company, Department, and Validity). Make sure that the SSL Request and SSL Certificate fields are blank. Choose “Create certificate” from the drop-down and click save.
- Get the CSR: Click on the site again, then click the SSL tab, and copy the now generated CSR.
- Obtain CRT: Visit a site that sells SSL Certificates and follow the steps until they ask you for the CSR. Paste in the CSR and they will reply with a trusted SSL Certificate or CRT.
- Activate CRT: Back in the ISPConfig admin, click on the site, click the SSL tab, and paste the CRT into the SSL Certificate box. Choose “Save certificate” from the drop-down and click save.
- Verify: Visit the address the SSL Certificate was installed for to make sure it's working. If it is not working, manually restart the web server and things should be rocking.
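The Verify step can also be done from the command line. The following is an added example, not code from the original post or from ISPConfig: it checks whether a key and certificate belong together, whether a certificate is self-signed, and whether the certificate Apache is serving matches the file on disk (a mismatch means Apache has not been restarted). The function names and the `example.test` sample names are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example (not ISPConfig code). Paths passed in are the operator's own;
# the sample key/cert generated by make_sample are constructed for the demo.

# 0 when the RSA key and certificate share a modulus, i.e. the certificate
# was issued for a CSR made from this key. Assumes the key has no passphrase.
key_matches_cert() {   # usage: key_matches_cert KEY CRT
    local k c
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 2
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 when subject and issuer names are identical (self-issued certificate).
# Compares names only; it does not verify the signature.
is_self_signed() {     # usage: is_self_signed CRT
    local s i
    s=$(openssl x509 -noout -subject_hash -in "$1" 2>/dev/null) || return 2
    i=$(openssl x509 -noout -issuer_hash -in "$1" 2>/dev/null) || return 2
    [ "$s" = "$i" ]
}

# SHA-256 fingerprint of a certificate file.
file_fingerprint() { openssl x509 -noout -fingerprint -sha256 -in "$1"; }

# SHA-256 fingerprint of the certificate a running server presents.
# If it differs from file_fingerprint of the installed CRT, Apache is still
# serving the old certificate and needs a restart.
served_fingerprint() { # usage: served_fingerprint HOST [PORT]
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# Constructed sample: a throwaway key plus self-signed certificate in DIR.
make_sample() {        # usage: make_sample DIR NAME
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/$2.key" -subj "/CN=$2.example.test" \
        -days 1 -out "$1/$2.crt" 2>/dev/null
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_sample "$d" a && make_sample "$d" b
    key_matches_cert "$d/a.key" "$d/a.crt" && echo "a.key matches a.crt"
    key_matches_cert "$d/b.key" "$d/a.crt" || echo "b.key does NOT match a.crt"
    is_self_signed "$d/a.crt" && echo "a.crt is self-signed"
    rm -rf "$d"
fi
```

Run it with `--demo` to exercise the offline checks on the constructed sample; `served_fingerprint` needs a reachable HTTPS host.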
Reinstall or Regenerate Default SSL Certificate for ISPConfig:
- Navigate Directories: cd /etc/pki/tls/private/
- Generate SSL Key: openssl genrsa -des3 -out server.key 1024
- Remove Passphrase: This is optional but you should remove it if you do not want to enter a passphrase every time that Apache is restarted.
- Generate CSR: openssl req -new -key server.key -out server.csr
- Generate CRT: openssl x509 -req -days 365 -in server.csr -signkey server.key -out /etc/pki/tls/crts/server.crt
- Restart Apache: /etc/init.d/httpd restart
**Note:** You will see output like the below (enter a passphrase):

```
[root@ali ssl]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
………………….++++++
……++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
```
Narfonix sells SSL Certificates for as low as $21.99/yr. if you purchase a 2 year RapidSSL certificate.
Be aware that, if you choose “Delete certificate” on the SSL tab's actions dropdown field, the domain key used for the request will also be deleted! My first try to solve the problem (which was in fact, that ISPConfig does not restart Apache after writing the crt into the file system) was to choose “Delete Certificate” from the dropdown actions field. Afterwards I wanted to refill the newly received data and try again :( At this time I had bought the crt of course and this way I’ve lost the key, which has made the cert useless.
Really useful Control panel: first paste the stuff into the textareas, then use the command line and restart Apache. And, well, I’ve used a “stable” version of ISPConfig. I do not understand till today, why the hell stuff in the filesystem gets deleted without an undo consideration. I hit “Delete Cert” and the shebang deletes a key, which is in fact not a cert…
BTW: 2-year-certs at 24US$ here: https://secure.revolutionhosting.net/certificates/order/new/confirm/rapidssl/2