Froxlor Forum

[solved] Enable SSL with own certificates for customers' domains


Nepstar

Question

Hi everyone,

As a long-term Froxlor user by now, I have to ask a pretty stupid question:

I'd like to provide own SSL certificates to our customers where the certs are already available. Honestly, I'm failing at applying the certs to the vHosts' configurations.

So my question is: where in Froxlor do I have to use those lines:

<IfModule mod_ssl.c>
 SSLEngine On
 SSLCertificateFile /etc/apache2/ssl/customer-related-domain.crt
 SSLCertificateKeyFile /etc/apache2/ssl/customer-related-domain.key
 SSLCACertificateFile /etc/apache2/ssl/ca.pem
 SSLCertificateChainFile /etc/apache2/ssl/customer-related-domain.ca.pem
</IfModule>

I was already testing under Domains > customer's domain > Webserver Settings >> SSL (yes) / SSL redirect (NO) / own vHost settings (lines from above).

As almost expected, Apache won't run anymore.

So far, you can see that the labels in Froxlor (in German) are not very clear to me (maybe also to others) and I'd like to understand the labels for those settings better.

Can somebody give me a short introduction to where I have to use the given lines?

Thank you very much in advance and so sorry for this question! (Usually I'm able to help newbies, now I feel like one :-).)
 
Kind regards,
Nepstar

That wouldn't work the same way as with domains because the froxlor host is no normal domain in froxlor. Just create a custom vhost for your webserver for froxlor - you don't have to use the config generator for the froxlor vhost.


0.9.29 now has added feature:

+ customers are now able to define ssl-certificates on a per-domain basis when SSL is enabled

 

but I can't find any settings for this. We've upgraded from 0.9.28 with a setup of multiple IP addresses (one per certificate). But now we want to secure more domains without having to add more IP addresses.

Any idea where these new settings of cert per domain are hidden?

 

Thanks

Christoph


Hi again & sorry for my delayed reply!

 

Unfortunately:

Invalid command '<if', perhaps misspelled or defined by a module not included in the server configuration

My working solution:

<IfModule mod_core.c>
  <If "%{SERVER_PORT} == '443'">
    <IfModule mod_ssl.c>
       SSLEngine On
       SSLCertificateFile /etc/apache2/ssl/file.crt
       SSLCertificateKeyFile /etc/apache2/ssl/file.key
       SSLCACertificateFile /etc/apache2/ssl/file.pem
       SSLCertificateChainFile /etc/apache2/ssl/file.pem
    </IfModule>
  </If>
</IfModule>

I'll check the IP/Port part now and hope not to destroy anything... :-)


What does the generated vhost look like? Also, if you want to use German, why not just use the "German / Deutsch" forum?

Thanks for your reply. English is fine for me as everybody hopefully understands it then. And with the worldwide common language we can provide support in a better way. So, if nobody cares, I'll keep to English. :-) When the topic is solved, I can create a link in the German part for others.

 

Back to the topic:

The generated vHost config included once the server's cert files and once the own lines from above. Of course this cannot run correctly when the config is not well generated.

Regarding my question: where should I fill in the customers' own cert paths?

 

Thank you.


Well, you have to specify the files above in the domain itself using Froxlor, adding your SSL stuff as "own vhost setting" interferes with the way froxlor handles SSL vhosts

 

EDIT: To do so, you need to specify the files in the "IP and Port" part


Current status: doesn't work.

If I disable the SSL checkbox in IP/Port, Froxlor won't create a vhost for :443 anymore.

I'm still checking for another way... please let me know if I understood something wrong. Thanks.

Edit:
Where should I remove all certificate entries - in the global SSL configuration or in the IP/Port settings? ...without destroying the apache configuration of course.^^

Edit #2:

While I'm already talking about those two configurations: why does Froxlor contain two parts for defining the SSL certificates' paths and what exactly are the differences between those options? I got a bit confused and I don't like to apply changes before I know the details here... In the documentation I didn't find anything yet.


Thanks for replying.

 

Can you tell me how to navigate to the "own vhost setting" part? Where exactly can I find what you mean? The server certs themselves can be defined in two different parts: IP and Port and SSL settings. So, for me it's not clear yet whether you mean the part under Domains > Webserver settings?

Under IP and Port it's not possible to define vhost specific settings? Or are there variables with "@@varname@@" placeholders available?


No, you don't need the "own vhost setting" - as I said in the previous posting, if you'd enter your ssl-related stuff in that field it interferes with the ssl-directives froxlor generates.

 

SSL-Settings certs -> systemwide (fallback)

IP/Port certs -> only for domains using that IP address

 

There is no per-domain ssl-certificate setting yet. Only IP-based.

 

You can also specify custom vhost-contents in IP/Port but for SSL you don't need that. And no, there are no placeholders there.


You can also specify custom vhost-contents in IP/Port but for SSL you don't need that. And no, there are no placeholders there.

I don't agree with this part of your answer, sorry.

So, Froxlor is not made to use per-customer certificates in SSL connections? How do you provide warning-free responses to their https requests in the browser then? Here I think I do need something like placeholders for SSL settings...

 

Edit:

"if you'd enter your ssl-related stuff in that field it interferes with the ssl-directives froxlor generates." - Can you give me a dummy example?


The other ticket with the same request is around three years old with 0.9.23 as previous target version.... As a lot of feature requests have been done, why does such an important feature have to wait that much time? I know this is a free open source project but I was just surprised in a bad way that this ticket seems to have no priority at all...


I have another idea:

 

In Settings > SSL Settings > as I understand it the path values are directly written into the vhost configuration, is that correct?

In that case, using the ${HTTP_HOST} Apache variable should work, from my point of view.

 

For example: cert file path could be "/etc/apache2/ssl/${HTTP_HOST}.crt" which should be read correctly by the httpd daemon?

 

Of course, this always requires that the HTTP_HOST is matching with the request of Froxlor and customers' webs...


Just wait for the ticket to be closed or patch yourself

 

It's delayed for three years and lost its priority as its target version. I'll look for my own solution because unfortunately I don't find time to make a patch which will be useful. Thanks. ;-)


Create the IP/Port as ip:443 without checking the SSL checkbox.

 

Add in domain special settings case statements with correct certificate for the domain:

<If "%{SERVER_PORT} == '443'">
  <IfModule mod_ssl.c>
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/customer-related-domain.crt
    SSLCertificateKeyFile /etc/apache2/ssl/customer-related-domain.key
    SSLCACertificateFile /etc/apache2/ssl/ca.pem
    SSLCertificateChainFile /etc/apache2/ssl/customer-related-domain.ca.pem
  </IfModule>
</If>


Why does Froxlor contain two parts for defining the SSL certificates' paths and what exactly are the differences between those options? I got a bit confused and I don't like to apply changes before I know the details here... In the documentation I didn't find anything yet.

Any answers?


Archived

This topic is now archived and is closed to further replies.
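
Added example, not part of the original thread and not Froxlor code: a check to run over a generated vHost file before reloading Apache. It reports SSL directives that appear twice with different values in one vHost (the state described in the thread, where the generated config held both the server's cert files and the custom lines) and SSL directives placed inside an <If> section, which Apache documents as accepting only directory-context directives. The function name, sample config, host names and paths are constructed.

```python
import re

# Directives documented with context "server config, virtual host";
# an <If> section only accepts directory-context directives.
SSL_DIRECTIVES = {"sslengine", "sslcertificatefile", "sslcertificatekeyfile",
                  "sslcacertificatefile", "sslcertificatechainfile"}
SECTION = re.compile(r"<\s*(/?)\s*(\w+)([^>]*)>")

def lint_vhosts(text):
    """Return sorted (vhost label, finding) pairs for SSL directives."""
    findings, stack, label, seen = set(), [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            closing, name = m.group(1), m.group(2).lower()
            # Track nesting so we know when we are inside <If>.
            stack = stack[:-1] if closing else stack + [name]
            if name == "virtualhost":  # entering or leaving a vhost
                label, seen = (None if closing else m.group(3).strip()), {}
            continue
        directive, value = (line.split(None, 1) + ["", ""])[:2]
        key = directive.lower()
        if label is None:
            continue  # outside any <VirtualHost>
        if key == "servername":
            label = value  # report by name rather than by address
        if key not in SSL_DIRECTIVES:
            continue
        if "if" in stack:
            findings.add((label, f"{directive} inside <If>"))
        if seen.setdefault(key, value) != value:
            findings.add((label, f"{directive} set twice: {seen[key]} and {value}"))
    return sorted(findings)

# Constructed sample modelled on the state described in the thread.
SAMPLE = """\
<VirtualHost 192.0.2.10:443>
  ServerName shop.example
  SSLCertificateFile /etc/apache2/ssl/server.crt
  SSLCertificateFile /etc/apache2/ssl/shop.example.crt
</VirtualHost>
<VirtualHost 192.0.2.10:443>
  ServerName blog.example
  <If "%{SERVER_PORT} == '443'">
    SSLEngine On
  </If>
</VirtualHost>
"""
```

A second SSLCertificateFile can be legitimate (for example one certificate per key type), so treat that finding as a prompt to review the vHost rather than as a definite error.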


