SslCert

From the forum:

http://forums.gplhost.com/phpBB2/how-do-i-install-an-ssl-certificate-vt875.html

Quick summary on how to set up SSL for a www.example.com domain.

  • Create an SSL product so that an account can register for SSL
  • Add an SSL IP in the general config
  • Have your account register for that SSL IP
  • Add SSL to the subdomain that should use this SSL IP
  • Wait for the cron job to generate the self-signed cert
  • Replace the self-signed cert with the real one and restart Apache

This post is also helpful on this subject.

http://forums.gplhost.com/phpBB2/using-installing-and-configuring-ssl-vt2108.html

http://dtcsupport.gplhost.com/PmWiki/SSLvhost is another wiki topic on this issue as well.

Detailed How To

The sections below explain in more detail what is summarized above. They are intended for first-time DTC administrators and assume you are new to setting up a website with an SSL certificate. If you want a faster howto, there's also one here:

http://dtcsupport.gplhost.com/PmWiki/SSLvhost

Introduction - About SSL Certificates, IP's and Your Machine/VPS

Information sent between a user and the web server should be secured with an SSL connection. To secure the connection, your web server needs a verified SSL certificate.

The server can run lots of domains on the same IP address. However, SSL certificates are allocated to an individual IP address, so to have https://www.example.com and https://www.example.org hosted on your machine/VPS you need two IP addresses, one for each domain.

The extra IP address is only needed for the web service. You can still run the rest of your services on the original IP.

1. Request your IP address and get it routed to your machine.

If you're using a VPS then you'll need to talk to your provider about getting another IP address assigned to your VPS.

2. Machine/VPS IP set up.

You need to tell your machine/VPS about the new IP address before DTC can do anything with it.

In the case of Debian this means editing /etc/network/interfaces, e.g.:

   auto lo
   iface lo inet loopback

   auto eth0 eth0:1

   #Primary IP for the VPS
   iface eth0 inet static
        address 117.121.243.25
        netmask 255.255.255.0
        network 117.121.243.0
        broadcast 117.121.243.255
        gateway 117.121.243.1

   #Secondary IP for our SSL certificate 
   iface eth0:1 inet static
        address 117.121.243.28
        netmask 255.255.255.0
        network 117.121.243.0
        broadcast 117.121.243.255

Once you've edited your interfaces file you will need to restart your machine/VPS so that the OS knows about the new IP.

3. DTC Setup - General Configuration

You need to tell DTC about the IP address you just added to your Machine/VPS. You also need to make sure DTC is managing the IPs for vHost generation correctly.

In your DTC Admin go to: DTC general configuration --> General

  • Ensure show ssl tokens in my account is set to Yes
  • Ensure Allow use of name based shared SSL vhosts is set to No

In your DTC Admin go to: DTC general configuration --> IP Addresses and Network

  • Add the new IP address to the list of addresses in Host IP addresses (separated by "|")
  • Make sure Use multiple IPs is set to Yes
  • Make sure Generate all apache vhosts on local network ip (NAT) is set to No

Note: If you have Generate all apache vhosts on local network ip (NAT) set to Yes then the http:// (port 80) part of the vhost will be generated for the wrong IP address.

4. DTC Setup - SSL IP Address Pool

In your DTC Admin go to: DTC general configuration --> SSL IP Addresses

Enter the new IP address in the IPs addrs field. Enter 0000-00-00 in the Expire field and select Yes for Available, then click the tick icon to save the record.

Notes: The NAT Port field should be left blank. Running a natted system is outside of the scope of this FAQ.

Leave the Login field blank. DTC will fill in this field automatically when you assign the IP to a customer.

DTC will also set the Available flag to No once the IP has been assigned to a customer (see below for info on how to assign the IP to a customer).

This is how your screen should look for the IP in the example above:

5. DTC Setup - SSL IP Product

To assign the IP to a www domain you have to assign the IP to a customer. To assign the IP to a customer you have to have an SSL Product.

So, in your DTC Admin go to: Hosting product manager

At the bottom of the screen is a section called Product list editor (SSL IPs)

You need to create an entry. See the example below.

6. DTC Setup - Attach the IP to a customer

"Note: A customer/client must be assigned to the domain to add a product to the account, else you won't see anything."

In your DTC Admin go to: Users administration, select the Customer who owns the domain you're assigning the SSL certificate to, then click on My account in the Client interface.

Assuming that you set up your IP correctly in the IP pool (step 4) and an SSL product (step 5), you'll see a button that says Buy an SSL IP under the heading SSL tokens.

Buy the IP

Click Buy an SSL IP.

DTC will then take you to the Client Payment screen. You need to confirm a payment, so it's helpful to have a payment option set up that you can complete (e.g. wire transfer or cheque).

Confirm the Order

Now go back to the DTC Admin / Users administration screen. You should see a new order in the alerts screen that you need to validate.

Validate the request.

In your DTC Admin go to: Users administration, select the Customer who owns the domain you're assigning the SSL certificate to, then click on My account in the Client interface.

You should now see that the IP address is reported as being assigned to that customer.

In your DTC Admin go to: DTC general configuration --> SSL IP Addresses

You should now see that the IP address is assigned to a login and is flagged as Available: No.

7. DTC Setup - Attach the IP to a sub-domain

In your DTC Admin go to: Users administration, select the Customer who owns the domain you're assigning the SSL certificate to, then click on the domain you're assigning the SSL Certificate to in the Client interface.

Click on Subdomains, then select the www subdomain.

The drop down Use an SSL vhost using this IP will now have your new IP address in it.

Choose the IP address in the drop down then click the Tick icon to save the record.

8. DTC Setup - Set the right IP for the domain

In your DTC Admin go to: Users administration, select the Customer who owns the domain you're assigning the SSL certificate to, then click on the Domain config.

  • Select the correct IP from the drop down in the IP Address field.

Note: If you have the wrong IP address selected then the vHost file will be generated for a different IP.

What happens next?

DTC will now update your DNS server (and push the change to your upstream DNS if you're using that feature) and create a new entry in the vhosts file the next time DTC runs its cron job.

DTC will generate an SSL certificate and keys in the user's SSL folder:

/var/www/sites/CUSTOMER/DOMAIN/subdomains/www/ssl

   root@myMachineVPS:/var/www/sites/example/example.com/subdomains/www/ssl# ll

   -rw-r--r-- 1 root root 963 Jun 25 04:07 privkey.pem
   -rw-r--r-- 1 root root 952 Jun 25 04:10 www.example.com.cert.cert
   -rw-r--r-- 1 root root 733 Jun 25 04:07 www.example.com.cert.csr
   -rw-r--r-- 1 root root 887 Jun 25 04:09 www.example.com.cert.key

Give the cron job a chance to do its job.

In your DTC Admin go to: Configuration generation to see when the next cron job will execute.

How to Test your work

Now you can check the entry in the DNS server using the dig tool

   # dig www.example.com

   ; <<>> DiG 9.6-ESV-R1 <<>> www.example.com
   ;; global options: +cmd
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52219
   ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

   ;; QUESTION SECTION:
   ;www.example.com.            IN      A

   ;; ANSWER SECTION:
   www.example.com.     7200    IN      A       117.121.243.28

   ;; AUTHORITY SECTION:
   example.com.         7200    IN      NS      ns2.gplhost.com.
   example.com.         7200    IN      NS      ns1.gplhost.com.

If you do a dig on example.com (without the www bit) you'll see that the IP is the same as for your machine/VPS (as it was before you started working on this process).

Note: You need to remember that the change will not take effect until the TTL for the domain times out. In the example above that's 2 hours (7200 seconds).

Check your vHosts.conf file

The vHosts file lives in: /var/lib/dtc/etc

At the top of the file you should see the listening set up:

   Listen 117.121.243.25:80
   Listen 117.121.243.28:80
   Listen 117.121.243.25:443

Do a search for the domain you've just set up and you should see the VirtualHost entry on the right IP.

   <VirtualHost 117.121.243.28:80>
           ServerName www.example.com
           Alias /stats /var/www/sites/example/example.com/subdomains/www/logs

Further down you should see the SSL port settings:

   Listen 117.121.243.28:443
   <VirtualHost 117.121.243.28:443>
           SSLEngine on
           SSLCertificateFile /var/www/sites/example/example.com/subdomains/www/ssl/www.example.com.cert.cert
           SSLCertificateKeyFile /var/www/sites/example/example.com/subdomains/www/ssl/www.example.com.cert.key

Notice the Listen entry is here (not at the top of the file). Notice the naming of the cert and key files. You need to know about this when naming your files in the next section (below).
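The vhosts checks described in this section, as an added shell example that is not part of DTC or the forum posts: given the vhosts file, a host and the IP you assigned, it confirms the Listen line, the port 443 VirtualHost on that IP, SSLEngine on, and cert/key paths that follow DTC's HOST.cert.cert / HOST.cert.key naming. The sample vhosts content is constructed from the excerpts above and the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not DTC's own code: checks that FILE has a Listen IP:443 line and a
# <VirtualHost IP:443> block with SSLEngine on and DTC-named (HOST.cert.cert/.cert.key) files.
set -e

# Print the <VirtualHost IP:443> ... </VirtualHost> block from FILE (empty if none).
dtc_ssl_vhost_block() {
    awk -v tag="<VirtualHost $2:443>" '
        index($0, tag) > 0 { inblock = 1 }
        inblock { print }
        inblock && /<\/VirtualHost>/ { exit }' "$1"
}

# Usage: dtc_vhost_check FILE HOST IP; returns 0 when the SSL vhost is consistent.
dtc_vhost_check() {
    file=$1; host=$2; ip=$3
    grep -q "^Listen $ip:443" "$file" || { echo "no 'Listen $ip:443' line"; return 1; }
    block=$(dtc_ssl_vhost_block "$file" "$ip")
    [ -n "$block" ] || { echo "no <VirtualHost $ip:443> block (wrong IP in Domain config?)"; return 1; }
    echo "$block" | grep -q "SSLEngine on" || { echo "SSLEngine is not on"; return 1; }
    echo "$block" | grep -q "SSLCertificateFile .*/ssl/$host.cert.cert" \
        || { echo "cert path is not .../ssl/$host.cert.cert"; return 1; }
    echo "$block" | grep -q "SSLCertificateKeyFile .*/ssl/$host.cert.key" \
        || { echo "key path is not .../ssl/$host.cert.key"; return 1; }
    echo "ok: $host is served on $ip:443 with DTC-named cert and key"
}

# Constructed sample (from the excerpts on this page), written to FILE.
dtc_sample_vhosts() {
    cat > "$1" <<'EOF'
Listen 117.121.243.25:80
Listen 117.121.243.28:80
Listen 117.121.243.25:443
<VirtualHost 117.121.243.28:80>
        ServerName www.example.com
</VirtualHost>
Listen 117.121.243.28:443
<VirtualHost 117.121.243.28:443>
        ServerName www.example.com
        SSLEngine on
        SSLCertificateFile /var/www/sites/example/example.com/subdomains/www/ssl/www.example.com.cert.cert
        SSLCertificateKeyFile /var/www/sites/example/example.com/subdomains/www/ssl/www.example.com.cert.key
</VirtualHost>
EOF
}

# Stand-alone run against the sample; for a real check pass /var/lib/dtc/etc/vhosts.conf instead.
sample=$(mktemp); dtc_sample_vhosts "$sample"
dtc_vhost_check "$sample" www.example.com 117.121.243.28 && rm -f "$sample"
```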

9. SSL Certificate Setup

DTC generated SSL files for you. However, these files won't have the correct information in them to purchase a verified SSL certificate, so you'll need to regenerate them.

  • Back up the existing files in: /var/www/sites/CUSTOMER/DOMAIN/subdomains/www/ssl
  • Generate your new certificate files:

In the domains ssl folder run:

   # openssl req -new > www.example.com.cert.csr

(replace example.com with the domain name for the customer's web site)

If you need to use 2048 or higher bits, use the following command:

   # openssl req -new -newkey rsa:2048 -nodes -keyout privkey.pem -out www.example.com.cert.csr

Note: The first command will prompt for a passphrase. Just enter 12345, as we'll be removing it in the next step. (The -nodes form writes the key without a passphrase, so it does not prompt.)

Note: When you're prompted for the Common Name you need to enter the domain name you want the SSL certificate for. eg www.example.com

Now remove the passphrase

   # openssl rsa -in privkey.pem -out www.example.com.cert.key

You'll be prompted for the passphrase you used in the step above.

(If you type ls -l first, you'll see the new files have been generated for you)

Now convert the request into a self-signed cert (a temporary certificate until the one from your SSL provider arrives), signing it with the key you just created:

   # openssl x509 -in www.example.com.cert.csr -out www.example.com.cert.cert -req -signkey www.example.com.cert.key -days 3650

What Next?

The CSR (Certificate Signing Request) file is the one you'll need to provide to the SSL provider to generate your validated SSL certificate.

Once you've got your SSL certificate back from the SSL provider you can copy the content in to the .cert.cert file. eg www.example.com.cert.cert

Note: In DTC you have to follow the naming of the files. Some help sites for apache say to name the file crt, but this won't work because the file is referenced in the vhost file that DTC generates (have a look at your vhosts file to see what I mean).
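The key, CSR and temporary self-signed cert steps above done non-interactively, plus a consistency check to run before restarting Apache (and again after pasting the provider's certificate into the .cert.cert file), as an added shell example that is not DTC's or the forum's code. It assumes openssl is installed and that DIR is the domain's ssl folder; -subj answers the prompts and -nodes writes the key without a passphrase, so the 12345 passphrase step is not needed. The function names are made up for this example.

```shell
#!/bin/sh
# Added example, not DTC's own code. Assumes openssl is installed and DIR is the
# domain's ssl folder (/var/www/sites/CUSTOMER/DOMAIN/subdomains/www/ssl).
set -e

# Generate privkey.pem, the CSR and a temporary self-signed cert under the names
# the DTC vhost references. -subj answers the prompts (CN must be the host), and
# -nodes leaves the key unencrypted, so there is no passphrase to remove afterwards.
dtc_ssl_generate() {
    dir=$1; host=$2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/privkey.pem" -out "$dir/$host.cert.csr" 2>/dev/null
    cp "$dir/privkey.pem" "$dir/$host.cert.key"
    openssl x509 -req -in "$dir/$host.cert.csr" -signkey "$dir/$host.cert.key" \
        -days 3650 -out "$dir/$host.cert.cert" 2>/dev/null
}

# Return 0 when the cert and key the vhost points at belong together: same
# public key, key not passphrase protected (Apache would stop on restart to
# ask for it), and the certificate's CN is the host being served.
dtc_ssl_check() {
    dir=$1; host=$2
    cert="$dir/$host.cert.cert"; key="$dir/$host.cert.key"
    [ -f "$cert" ] && [ -f "$key" ] || { echo "missing $cert or $key"; return 1; }
    if grep -q ENCRYPTED "$key"; then echo "$key is passphrase protected"; return 1; fi
    certpub=$(openssl x509 -in "$cert" -noout -pubkey)
    keypub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null)
    [ "$certpub" = "$keypub" ] || { echo "$cert does not match $key"; return 1; }
    openssl x509 -in "$cert" -noout -subject | grep -q "CN *= *$host" \
        || { echo "certificate CN is not $host"; return 1; }
    echo "ok: $cert and $key match and are issued for $host"
}

# Usage on the server (hypothetical paths from this page's example):
#   dtc_ssl_generate /var/www/sites/example/example.com/subdomains/www/ssl www.example.com
#   dtc_ssl_check    /var/www/sites/example/example.com/subdomains/www/ssl www.example.com
```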

  • Test your configuration.

Once you've installed your cert in the cert file you need to test that Apache will load when you do the restart:

   # apache2ctl configtest

It should say:

   Syntax OK

  • Restart your web service:

   # /etc/init.d/apache2 restart

You should get this message:

   Restarting web server: apache2 ... waiting .

  • Test your installation.

Go to your web browser and test that https://www.example.com (or whatever your customer's domain is) comes up as expected. You should not be prompted to accept the certificate any more.

Remember to keep a back up of your new files.

Page last modified on May 13, 2015, at 03:13 PM EST