Need help setting up a Wild Card Multiple Domain SSL Certificate: Virtualmin Pro

I enabled the Feature for SSL under edit virtual server,
I have a new Wild Card Multiple Domain SSL Certificate from Alpha GlobalSign,
I took what they sent in the email, normally it comes in files, so I had to create them, I called to make sure I put all the correct certs in the correct files, I named them:

ssl_domainnamecom.cert
ssl_domainnamecom.key
ssl_domainnamecom.ca
and enabled only SSLv3 and TLSv1.2, which should work fine, not sure if anyone uses less secure protocols nowadays.

Services -> Configure Website for SSL
I set the properties and verified it under the directives in Edit Directives
Settings:

SSLEngine on
SSLCertificateFile /home/domainname/ssl_domainnamecom.cert
SSLCertificateKeyFile /home/domainname/ssl_domainnamecom.key
SSLProtocol +SSLv3 +TLSv1.2 (changed to all, no help)
SSLCACertificateFile /home/domainname/ssl_domainnamecom.ca

Now under Server Configuration -> Manage SSL Certificate
it shows the current servers are the default self signed certs and not the ones above, how do I fix this?

It does not work, and I am at a loss as to how to troubleshoot this.

Have you tried pasting the cert in the Virtualmin interface under manage SSL Certificate?

Also, the directives, as far as I know, should be:

SSLProtocol all -SSLv2 -SSLv3

Thanks I will try the SSL Protocols and see if that works.

I did find a bug, I can not paste them in, but I can upload them and they work.

Now it looks like it's set up correctly as far as I can tell; all this information is correct, but it still gives me the error below.
How do I know the certificate is good? Is there any way to verify that a cert is good? Just because I paid for it does not mean much nowadays.

Current SSL certificate details
SSL certificate file /home/domain/ssl_domaincom.cert
SSL private key file /home/domain/ssl_domaincom.key
Web server hostname *.domain.com
Issuer name AlphaSSL CA - SHA256 - G2
Issuer organization GlobalSign nv-sa
Expiry date Sep 29 22:18:37 2017 GMT
Certificate type Signed by CA
Other domain names *.domain.com | domain.com
Download certificate PEM format | PKCS12 format
Download private key PEM format | PKCS12 format

Certificate authority details
CA certificate file None needed In file on server /home/domain/ssl_domaincom.ca

Uploaded file Choose File Pasted certificate text

Certificate authority name AlphaSSL CA - SHA256 - G2
Organization GlobalSign nv-sa
Issuer name GlobalSign Root CA
Issuer organization GlobalSign nv-sa
Expiry date Feb 20 10:00:00 2024 GMT
Certificate type Self-signed
Save Certificate

Note it says “Certificate type Self-signed”. That is not right, what is up with that?

domain.com uses an invalid security certificate. The certificate is not trusted because it is self-signed. Error code: SEC_ERROR_UNKNOWN_ISSUER

You should be able to paste the cert file contents, I think it’s the 3rd tab from the right.

I set one up last week and pointed it to the file but it didn’t work until I pasted the cert file contents.

Under: External Connectivity Check

SSL website request failed 500 Can't connect to domain.com:443 Make sure your system's web server is running, that port 443 is not blocked by a firewall, and that the domain has a valid index page.

I do not have iptables or firewall enabled on this server.

I only have one virtual server with SSL enabled.

phpinfo:

Registered Stream Socket Transports tcp, udp, unix, udg, ssl, sslv3, sslv2, tls, tlsv1.0, tlsv1.1, tlsv1.2

SSL Yes
SSL Version NSS/3.19.1 Basic ECC

openssl

OpenSSL support enabled
OpenSSL Library Version OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL Header Version OpenSSL 1.0.1e-fips 11 Feb 2013
Directive Local Value Master Value
openssl.cafile no value no value
openssl.capath no value no value

As far as I can tell it took the Cert, so that is not the issue, unless I am missing something.

This shows port 443 is open

nmap -sT -O localhost

PORT STATE SERVICE
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
1022/tcp open exp2
2222/tcp open EtherNet/IP-1
3306/tcp open mysql
5432/tcp open postgresql
10000/tcp open snet-sensor-mgmt
20000/tcp open dnp

If I check it here:

https://www.sslshopper.com/ssl-checker.html#hostname=rodremelin.com

or

https://globalsign.ssllabs.com/analyze.html?d=rodremelin.com&latest

I get trust issues:

rodremelin.com resolves to 216.117.167.15

Server Type: Apache/2.4.6

The certificate will expire in 356 days.

The hostname (rodremelin.com) is correctly listed in the certificate.

The certificate is not trusted in all web browsers.
You may need to install an Intermediate/chain certificate to link it to a trusted root certificate.
Learn more about this error.
The fastest way to fix this problem is to contact your SSL provider.
Common name: rodremelin.com
Organization: SomeOrganization
Location: SomeCity, SomeState, –
Valid from September 23, 2016 to September 23, 2017
Serial Number: 22112 (0x5660)
Signature Algorithm: sha256WithRSAEncryption
Issuer: rodremelin.com

Does this mean it's installed correctly? What do I do about this:
"You may need to install an Intermediate/chain certificate to link it to a trusted root certificate."?

No it is still coming up as the self signed certificate

https://rodremelin.com

Click the lock icon / https

All this just to find out this is not a Multiple Domain Cert, the people we purchased through got confused about Multiple Sub Domains, so I was lost from the beginning.

That sounds like a plan, never heard of it before, that is a big help, thanks, all I need is some type of security, nothing fancy, but I would like it for the site as well as email from the site, and Self Signed is all I normally use.

How many domains do you need this for?

You can always try using the free Let’s Encrypt cert which is integrated into Virtualmin but depends on what level of security you need.

https://letsencrypt.org

Also, if this is your server and you’re concerned about security, you really should have a firewall enabled: ConfigServer Security & Firewall. You’ll be amazed at how many hacking attempts a server gets.

http://www.configserver.com

For ConfigServer Security & Firewall install via Webmin see below. You should be ok with the default set up after it is installed.

http://doxfer.webmin.com/Webmin/ConfigServer_Security_%26_Firewall

After you have installed the cert there is an option to copy to Dovecot, Postfix, Webmin and Usermin.

The problem with Let’s Encrypt certs is that they only last 3 months. In Virtualmin you can set an auto update period but I have read elsewhere in this forum the update doesn’t work. Either way, if it does, then you would almost certainly have to copy it back to Dovecot etc.

Alternatively you may be able to point to the server cert in Dovecot etc in those servers settings.

I’m currently testing a Let’s Encrypt cert on a site but haven’t tried it for mail yet.

It is working on my installation without a fail, 4 domains auto renewing every 2 months.

Hi, that’s good to know. So have you configured it for Postfix, Dovecot etc.? If so, I would be interested in knowing how.

What ended up being the problem was that the front end was set up correctly, but the back end was still forcing the self signed CA, it had to be manually changed in /etc/httpd/conf.d/ to make it work, this is a bug I am sure of it, but it's fixed now, wow, that took a lot of effort to figure out, I got the help from my new Hosting Company AIT.com, they are great, I am on an SSD drive with 200 GB, 8 GB RAM, 12 Cores, for $44, with the best tech support, they deserve a plug.

Now I can work on all these other things, thanks for all the help.
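
The root cause reported in this thread (a directive under /etc/httpd/conf.d/ still pointing at the self-signed certificate) and the SSLProtocol advice can both be checked by scanning every port-443 VirtualHost block. This is an added example, not part of the thread: the file names, the 192.0.2.10 address and the config snippets are constructed, and `all` is expanded as Apache 2.4 documents it for a build against OpenSSL 1.0.1.

```python
import re

# Constructed sample (not from the thread): a distro-style default SSL vhost
# next to a Virtualmin-style vhost carrying the directives posted above.
CONFIGS = {
    "/etc/httpd/conf.d/ssl.conf": """<VirtualHost _default_:443>
SSLProtocol all -SSLv2
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
</VirtualHost>""",
    "/etc/httpd/conf/httpd.conf": """<VirtualHost 192.0.2.10:443>
SSLProtocol +SSLv3 +TLSv1.2
SSLCertificateFile /home/domainname/ssl_domainnamecom.cert
SSLCACertificateFile /home/domainname/ssl_domainnamecom.ca
</VirtualHost>""",
}

# Assumption: "all" as documented for Apache 2.4 built against OpenSSL 1.0.1.
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}

def protocols(value):
    """Evaluate an SSLProtocol value left to right into the enabled set."""
    enabled = set()
    for tok in value.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("=", tok)
        names = ALL if name.lower() == "all" else {name}
        if sign == "=":      # a bare token replaces the current set
            enabled = set(names)
        elif sign == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled

VHOST = re.compile(r"<VirtualHost\s+([^>]*:443)\s*>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE = re.compile(r"^[ \t]*(SSL\w+)[ \t]+(.+?)[ \t]*$", re.M)

def audit(configs):
    """Return (findings, cert file per port-443 vhost) across all config files."""
    findings, certs = [], {}
    for path, text in configs.items():
        for addr, body in VHOST.findall(text):
            d = dict(DIRECTIVE.findall(body))
            certs[(path, addr)] = d.get("SSLCertificateFile")
            if "SSLv3" in protocols(d.get("SSLProtocol", "")):
                findings.append(f"{path} [{addr}]: SSLv3 is enabled")
    if len(set(certs.values())) > 1:
        findings.append("port 443 vhosts point at different certificate files")
    return findings, certs

if __name__ == "__main__": print("\n".join(audit(CONFIGS)[0]))
```

On a real server, feed `audit` the contents of the main Apache config and every file it includes; a second port-443 block with a different SSLCertificateFile is the situation the last post describes.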