
Apache SNI


Norman

Question

Posted

Hey guys,

I have a question about the SNI feature. As far as I understand the feature in froxlor, you add a new IP/port combination with the same settings as the "normal" port 80 combination, except that you check the SSL option and leave the cert. data blank. My aim is that customer domains are available via SSL AND the froxlor panel has its own SSL cert. But I already got stuck trying to provide a customer SSL domain. See screenshots -> http://imgur.com/a/ceWdY

I basically followed this blog post: https://open-admin.de/howto/ssl-zertifikat-in-froxlor-einbinden-ab-0-9-29-sni/

Thanks in advance! :)

11 answers to this question


Posted

It looks like SSL is not running. What do you get from a manual restart of your Apache? (apache2ctl restart)

Also, are you sure Apache is running on port 443? What output do you get from

netstat -tulpen|grep 443
Posted

Hey Norman,

I'm facing exactly the same problem as you now. Sorry for reviving an old thread, but did you get the problem resolved? I currently have Froxlor 0.9.34 with Debian Squeeze LTS and Apache 2.2.16 running, and when I enter the certificate, CA and private key data in the domain settings of the customer, it doesn't work. As soon as I enter those details via the Settings -> SSL-Settings page, specifying the paths to the files, https works for that one specific domain, however now every site running under that IP gets the SSL host data, as described perfectly by you.

I also tried every suggestion from d00p and Ithariel with no success unfortunately.

Does anyone here have a fix that I could try? I can feel I'm really close to finally getting it done, it must be a small setting I forgot.

My settings are exactly the same as Norman's in terms of what is enabled and configured in Froxlor, the site works perfectly fine over http and my vHosts file concerning that one domain "myserver" looks as follows:


# 35_froxlor_ssl_vhost_myserver.conf
# Created 30.09.2015 01:21
# Do NOT manually edit this file, all changes will be deleted after the next do$

# Domain ID: 5 (SSL) - CustomerID: 3 - CustomerLogin: myserver
<VirtualHost *.*.*.*:443>
  ServerName myserver.com
  ServerAlias *.myserver.com
  ServerAdmin guy@myserver.com
  SSLEngine On
  SSLProtocol ALL -SSLv2 -SSLv3
  SSLHonorCipherOrder On
  SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL$
  SSLVerifyDepth 10
  SSLCertificateFile /etc/ssl/froxlor-custom/myserver_cert.crt
  SSLCertificateKeyFile /etc/ssl/froxlor-custom/myserver_priv.key
  SSLCACertificateFile /etc/ssl/froxlor-custom/myserver_CA.pem
  SSLCertificateChainFile /etc/ssl/froxlor-custom/myserver_chain.pem
  DocumentRoot "/var/customers/webs/myserver/"
  ErrorLog "/var/customers/logs/myserver-error.log"
  CustomLog "/var/customers/logs/myserver-access.log" combined
</VirtualHost>

I will post the files you request if someone wants to take a look at it. It would be very much appreciated!

Thanks in advance

Posted

I tried again, doing the same as this guy did: https://forum.froxlor.org/index.php/topic/12490-viele-ssl-domains-nur-eine-ip-sni-mit-apache-2-fragen/ and now it seems to work (for this one domain, haven't tried with the other sites on this server), although I still want to understand why the symlink to default-ssl had to be established as well as the VirtualHost IP to be changed from _default_:443 to [myIP]:443.

Posted

Hey Ithariel,

sorry for the delayed answer. Here's the output:

netstat -tulpen|grep 443
tcp6       0      0 :::443                  :::*                    LISTEN      0          494179      4043/apache2
netstat -anp |grep apache
tcp6       0      0 :::80                   :::*                    LISTEN      4043/apache2
tcp6       0      0 :::443                  :::*                    LISTEN      4043/apache2
The vhosts are:
# 10_froxlor_ipandport_78.46.184.XXX.443.conf
# Created 24.11.2014 13:09
# Do NOT manually edit this file, all changes will be deleted after the next domain change at the panel.

NameVirtualHost 78.46.184.XXX:443
<VirtualHost 78.46.184.XXX:443>
DocumentRoot "/var/www/froxlor/"
 ServerName sas.XXX.XX
</VirtualHost>

and the SSL vhost above.

The only SSL cert is present in the SSL config via the customer panel.

Thanks!

Posted

Did you forget to check "This is a SSL ip/port" in the ip/port settings? Because there are no SSL-Config-directives in your ssl-vhost....

Posted

Hi d00p,

this checkbox is enabled. This is on purpose, because when I add any cert. data there, any other SSL data, like the data added in the customer section, is ignored. Then any SSL host will be delivered via the cert. data set in the ip/port settings. This was the behaviour till now.

I just tested it again: added the cert. data for the froxlor panel in the ip/port settings and the customer cert. via the customer panel. Now every SSL host uses the customer cert. Here is a paste including all active vhosts: http://pastebin.com/JnJHg3Jj

Thanks in advance :)

Edit: Of course entries like kunde.de are just placeholders for another domain ;)

Posted

Is mod_ssl active?

Where do you get this error?

While opening the froxlor panel or your domain?

What do you get in your error log? 

You should also check your cert/key/ca-bundle if they are matching.

Posted

Hi Ithariel,

mod_ssl is active. The error page appears on both sites (froxlor and customer domain).

When I "regularly" add the cert in the Configuration -> SSL page, the froxlor panel and the customer domain are available via SSL. But then I can't use SNI. The Apache log and syslog don't list any errors. The cert/key/ca-bundle are matching. I'm helpless, I can't find any indication where the error is.

Posted

Output from openssl

CONNECTED(00000003)
140277286078120:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:774:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

vhost config (some parts are "censored" with *):

# 22_froxlor_ssl_vhost_www.***.de.conf
# Created 17.11.2014 14:28
# Do NOT manually edit this file, all changes will be deleted after the next domain change at the panel.

# Domain ID: 4 (SSL) - CustomerID: 2 - CustomerLogin: **
<VirtualHost *IP*:443>
  ServerName www.***.de
  ServerAlias *.www.**.de
  ServerAdmin admin@***
  SSLEngine On
  SSLHonorCipherOrder On
  SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
  SSLVerifyDepth 10
  SSLCertificateFile /etc/ssl/froxlor-custom/www.**.de.crt
  SSLCertificateKeyFile /etc/ssl/froxlor-custom/www.**.de.key
  SSLCertificateChainFile /etc/ssl/froxlor-custom/www.**.de_chain.pem
  DocumentRoot "/var/customers/webs/**/"
  FcgidIdleTimeout 30
  SuexecUserGroup "**" "*"
  <Directory "/var/customers/webs/*/">
    <FilesMatch "\.(php)$">
      SetHandler fcgid-script
      FcgidWrapper /var/www/php-fcgi-scripts/**/www.**.de/php-fcgi-starter .php
      Options +ExecCGI
    </FilesMatch>
    Order allow,deny
    allow from all
  </Directory>
  ErrorLog "/var/customers/logs/**-error.log"
  CustomLog "/var/customers/logs/*-access.log" combined
</VirtualHost>

As I said: when I add the same cert data in the Configuration -> SSL page, everything's working fine. It's a brand-new froxlor setup on a Debian. No special config, just the "stock config".

Thanks!
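Added example, not code from Froxlor or from anyone in this thread: a small offline lint of the generated Apache 2.2 SSL vhost files that checks the points raised above (NameVirtualHost for the ip:port, SSLEngine plus cert/key in every 443 vhost, no mixing of _default_:443 with IP:443). The sample config, IP and hostnames are constructed to mirror the pasted files; a first vhost on the 443 listener without SSLEngine On makes Apache answer plain HTTP on that port, which is what openssl s_client reports as "unknown protocol" after reading only 7 bytes.

```python
import re

# Constructed sample mirroring the thread: panel vhost without SSL directives first, customer SSL vhost second.
SAMPLE_CONF = """
NameVirtualHost 78.46.184.1:443
<VirtualHost 78.46.184.1:443>
  ServerName sas.example.test
</VirtualHost>
<VirtualHost 78.46.184.1:443>
  ServerName www.example.test
  SSLEngine On
  SSLCertificateFile /etc/ssl/froxlor-custom/www.example.test.crt
  SSLCertificateKeyFile /etc/ssl/froxlor-custom/www.example.test.key
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(text):
    # Returns [(address, ServerName, {directive_lowercase: value})] in file order (order matters for Apache).
    vhosts = []
    for addr, body in VHOST_RE.findall(text):
        d = {}
        for line in body.splitlines():
            parts = line.split(None, 1)
            if parts and not parts[0].startswith("#"):
                d[parts[0].lower()] = parts[1].strip().strip('"') if len(parts) > 1 else ""
        vhosts.append((addr.strip().lower(), d.get("servername", "?"), d))
    return vhosts

def lint_ssl_vhosts(text):
    # Apache 2.2: NameVirtualHost enables SNI selection; the first vhost per address decides whether the port speaks TLS.
    findings, by_addr = [], {}
    named = {m.lower() for m in re.findall(r"^\s*NameVirtualHost\s+(\S+)", text, re.M | re.I)}
    for addr, name, d in parse_vhosts(text):
        by_addr.setdefault(addr, []).append((name, d))
    for addr, hosts in by_addr.items():
        if not addr.endswith(":443"): continue
        if len(hosts) > 1 and addr not in named:
            findings.append(f"{addr}: several vhosts but no NameVirtualHost, SNI selection is off")
        for i, (name, d) in enumerate(hosts):
            if d.get("sslengine", "").lower() != "on":
                role = "first vhost, so the whole port answers plain HTTP" if i == 0 else "vhost"
                findings.append(f"{addr} {name}: {role} without 'SSLEngine On'")
            elif not {"sslcertificatefile", "sslcertificatekeyfile"}.issubset(d):
                findings.append(f"{addr} {name}: SSLEngine On but certificate or key directive missing")
    if "_default_:443" in by_addr and any(a.endswith(":443") and a != "_default_:443" for a in by_addr):
        findings.append("_default_:443 and IP:443 vhosts mixed; use one address form per listener")
    return findings
```

Run it over the concatenated 10_froxlor_ipandport_*.conf and *_froxlor_ssl_vhost_*.conf files to see which vhost on the 443 listener lacks SSL directives.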
