May 12, 2013

Hi all,

As a long-term Froxlor user by now, I have to ask a pretty stupid question: I'd like to provide own SSL certificates to our customers where the certs are already available. Now honestly I'm failing at applying the certs to the vHosts' configurations. So my question is: where in Froxlor do I have to use these lines:

    <IfModule mod_ssl.c>
        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/customer-related-domain.crt
        SSLCertificateKeyFile /etc/apache2/ssl/customer-related-domain.key
        SSLCACertificateFile /etc/apache2/ssl/ca.pem
        SSLCertificateChainFile /etc/apache2/ssl/customer-related-domain.ca.pem
    </IfModule>

I was already testing under Domains > customer's domain > Webserver Settings >> SSL (yes) / SSL redirect (NO) / own vHost settings (lines from above). As almost expected, Apache won't be able to run anymore.

So far, you can see that the labels in Froxlor (in German) are not very clear to me (maybe also to others) and I'd like to understand its labels for those settings better. Can somebody give me a short introduction to where I have to use the given lines?

Thank you very much in advance and so sorry for this question! (Usually I'm able to help newbies, now I feel like one :-).)

Kind regards,
Nepstar

May 12, 2013

What does the generated vhost look like? Also, if you want to use German, why not just use the "German / Deutsch" forum?

May 12, 2013 (Author)

> What does the generated vhost look like? Also, if you want to use German, why not just use the "German / Deutsch" forum?

Thanks for your reply. English is fine for me as everybody hopefully understands it then. And with the worldwide common language we can provide support in a better way. So, if nobody minds, I'll keep to English. :-) When the topic is solved, I can create a link in the German part for others.

Back to the topic: The generated vHost config included once the server's cert files and once the own lines from above. Of course this cannot run correctly when the config is not well generated.

Regarding my question: where should I fill in the customers' own cert paths? Thank you.

May 12, 2013

Well, you have to specify the files above in the domain itself using Froxlor; adding your SSL stuff as "own vhost setting" interferes with the way Froxlor handles SSL vhosts.

EDIT: To do so, you need to specify the files in the "IP and Port" part.

May 12, 2013 (Author)

Thanks for replying. Can you tell me how to navigate to the "own vhost setting" part? Where exactly can I find what you mean? The server certs themselves can be defined in two different parts: IP and Port and SSL settings. So, for me it's not clear yet whether you mean the part under Domains > Webserver settings. Under IP and Port it's not possible to define vhost-specific settings? Or are there variables with "@@varname@@" placeholders available?

May 12, 2013

No, you don't need the "own vhost setting" - as I said in the previous posting, if you'd enter your ssl-related stuff in that field it interferes with the ssl-directives Froxlor generates.

SSL-Settings certs -> systemwide (fallback)
IP/Port certs -> only for domains using that IP address

There is no per-domain ssl-certificate setting yet. Only IP-based.

You can also specify custom vhost-contents in IP/Port but for SSL you don't need that. And no, there are no placeholders there.

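The interference described in the posts above (Froxlor's generated SSL directives plus the same directives pasted into "own vHost settings") can be spotted in the generated vhost file before Apache is reloaded. This is an added example, not part of the original thread and not Froxlor's code; the function name, the IP address and the `server.crt`/`server.key` paths in the sample are constructed.

```python
import re
from collections import defaultdict

SSL_DIRECTIVES = {"sslengine", "sslcertificatefile", "sslcertificatekeyfile",
                  "sslcacertificatefile", "sslcertificatechainfile"}
OPEN = re.compile(r"<\s*(\w+)\b([^>]*)>")
CLOSE = re.compile(r"</\s*(\w+)\s*>")

def find_duplicate_ssl_directives(config_text):
    """Per <VirtualHost> block, list SSL directives set more than once."""
    seen = defaultdict(lambda: defaultdict(list))
    vhost = None  # key of the enclosing <VirtualHost> block, if any
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        closing, opening = CLOSE.match(line), OPEN.match(line)
        if closing:
            if closing.group(1).lower() == "virtualhost":
                vhost = None
        elif opening:
            if opening.group(1).lower() == "virtualhost":
                # Key by address and line: name-based vhosts share an address.
                vhost = f"{opening.group(2).strip()} @ line {lineno}"
        elif vhost and line.split(None, 1)[0].lower() in SSL_DIRECTIVES:
            seen[vhost][line.split(None, 1)[0].lower()].append(lineno)
    report = {}
    for key, directives in seen.items():
        dupes = {d: n for d, n in directives.items() if len(n) > 1}
        if dupes:
            report[key] = dupes
    return report

# Constructed sample: server-wide cert lines plus the customer's own lines.
SAMPLE = """\
<VirtualHost 192.0.2.10:443>
  ServerName customer-related-domain.example
  SSLEngine On
  SSLCertificateFile /etc/apache2/ssl/server.crt
  SSLCertificateKeyFile /etc/apache2/ssl/server.key
  <IfModule mod_ssl.c>
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/customer-related-domain.crt
    SSLCertificateKeyFile /etc/apache2/ssl/customer-related-domain.key
  </IfModule>
</VirtualHost>
"""
if __name__ == "__main__":
    print(find_duplicate_ssl_directives(SAMPLE))
```
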
May 12, 2013 (Author)

> You can also specify custom vhost-contents in IP/Port but for SSL you don't need that. And no, there are no placeholders there.

I don't agree with this part of your answer, sorry. So, Froxlor is not made to use per-customer certificates in SSL connections? How do you provide a warning-free response to their https requests in the browser then? Here I think I do need something like placeholders for SSL settings...

Edit: "if you'd enter your ssl-related stuff in that field it interferes with the ssl-directives froxlor generates." - Can you give me a dummy example?

May 12, 2013

Well, then don't agree with me. I'm just saying what is possible and what's not. For now, the best way is to have a separate IP for each ssl-domain.

May 12, 2013 (Author)

Okay, thanks so far. So I have to order a new IP address for each customer who likes to use SSL... is there some improvement planned for this?

May 12, 2013 (Author)

Ok, I'll create a feature request. :-) Even if I didn't agree with all of your parts - thanks for your support! :-)

May 12, 2013 (Author)

http://redmine.froxlor.org/projects/froxlor Shit, already done... next time, please write more than just a link in your answer.

May 12, 2013 (Author)

The other ticket with the same request is around three years old with 0.9.23 as previous target version.... As a lot of feature requests have been done, why does such an important feature have to wait that long? I know this is a free open source project but I was just surprised in a bad way that this ticket seems to have no priority at all...

May 12, 2013 (Author)

I have another idea: In Settings > SSL Settings, as I understand it, the path values are directly written into the vhost configuration, is that correct? In that case, using the ${HTTP_HOST} Apache variable should work from my point of view. For example: the cert file path could be "/etc/apache2/ssl/${HTTP_HOST}.crt", which should be read correctly by the httpd daemon? Of course, this always requires that the HTTP_HOST matches the request of Froxlor and the customers' webs...

May 12, 2013 (Author)

Just wait for the ticket to be closed or patch yourself It's delayed for three years and lost its priority as its target version. I'll look for my own solution because unfortunately I don't find time to make a patch which will be useful. Thanks. ;-)

May 13, 2013

Create the IP/Port as ip:443 without checking the SSL checkbox. Add in domain special settings case statements with correct certificate for the domain:

    <If "%{SERVER_PORT} == '443'">
        <IfModule mod_ssl.c>
            SSLEngine On
            SSLCertificateFile /etc/apache2/ssl/customer-related-domain.crt
            SSLCertificateKeyFile /etc/apache2/ssl/customer-related-domain.key
            SSLCACertificateFile /etc/apache2/ssl/ca.pem
            SSLCertificateChainFile /etc/apache2/ssl/customer-related-domain.ca.pem
        </IfModule>
    </If>

May 15, 2013 (Author)

> Create the IP/Port as ip:443 without checking the SSL checkbox. Add in domain special settings case statements with correct certificate for the domain:
>
>     <If "%{SERVER_PORT} == '443'">
>         <IfModule mod_ssl.c>
>             SSLEngine On
>             SSLCertificateFile /etc/apache2/ssl/customer-related-domain.crt
>             SSLCertificateKeyFile /etc/apache2/ssl/customer-related-domain.key
>             SSLCACertificateFile /etc/apache2/ssl/ca.pem
>             SSLCertificateChainFile /etc/apache2/ssl/customer-related-domain.ca.pem
>         </IfModule>
>     </If>

Thank you, that already looks more interesting. For using Froxlor over SSL, should I make the same if-statement in the IP:Port section > Own vHost Settings?

May 22, 2013

That wouldn't work the same way as with domains because the Froxlor host is no normal domain in Froxlor. Just create a custom vhost for your webserver for Froxlor - you don't have to use the config generator for the Froxlor vhost.

June 22, 2013 (Author)

Hi again & sorry for my delayed reply! Unfortunately:

    Invalid command '<if', perhaps misspelled or defined by a module not included in the server configuration

My working solution:

    <IfModule mod_core.c>
        <If "%{SERVER_PORT} == '443'">
            <IfModule mod_ssl.c>
                SSLEngine On
                SSLCertificateFile /etc/apache2/ssl/file.crt
                SSLCertificateKeyFile /etc/apache2/ssl/file.key
                SSLCACertificateFile /etc/apache2/ssl/file.pem
                SSLCertificateChainFile /etc/apache2/ssl/file.pem
            </IfModule>
        </If>
    </IfModule>

I'll check the IP/Port part now and hope not to destroy anything... :-)

June 22, 2013 (Author)

Current status: doesn't work. If I disable the SSL checkbox in IP/Port, Froxlor won't create a vhost for :443 anymore. I'm still checking for another way... please let me know if I understood something wrong. Thanks.

Edit: Where should I remove all certificate entries - in the global SSL configuration or in the IP/Port settings? ...without destroying the Apache configuration of course.^^

Edit #2: While I'm already talking about those two configurations: why does Froxlor contain two parts for defining the SSL certificates' paths and what exactly are the differences between those options? I got a bit confused and I don't like to apply changes before I know the details here... In the documentation I didn't find anything yet.

June 25, 2013 (Author)

> Why does Froxlor contain two parts for defining the SSL certificates' paths and what exactly are the differences between those options? I got a bit confused and I don't like to apply changes before I know the details here... In the documentation I didn't find anything yet.

Any answers?

June 25, 2013 (Author)

I took this solution, too: http://forum.froxlor.org/index.php?/topic/1641-ssl-zertifikate-aber-wie/#entry7881

September 30, 2013

0.9.29 now has added feature:

    + customers are now able to define ssl-certificates on a per-domain basis when SSL is enabled

but I can't find any settings for this. We've upgraded from 0.9.28 with a setup of multiple IP addresses (one per certificate). But now we want to secure more domains without having to add more IP addresses. Any idea where these new settings of cert per domain are hidden?

Thanks
Christoph

This topic is now archived and is closed to further replies.