Author Topic: How to install multiple SSL certificates on shared IP  (Read 16168 times)

How to install multiple SSL certificates on shared IP
« on: August 20, 2014, 01:56:28 PM »
How to install multiple SSL certificates on shared IP
Now you can have an unlimited number of SSL certificates on one shared IP address (no additional IPs are needed)

Install SSL Certificate (Self-Signed - an exception needs to be added in your browser)
1. Use CWP SSL Generator (in the admin area under Security) for generating your SSL key and Self-Signed Certificate.
2. Go to SSL Manager and install this Certificate for the user and path for which you need it.
Great, now you have installed a Self-Signed SSL Certificate.


Install Browser Valid SSL Certificate (no exception needs to be added in your browser)
1. Use CWP SSL Generator (in the admin area under Security) for generating your SSL key and Self-Signed Certificate.
2. You will get the SSL output, and now you will need to buy an SSL Certificate, providing the "BEGIN CERTIFICATE REQUEST" output to the SSL seller company.
3. Once you have received the new SSL Certificate from a valid seller, you can install it by clicking on "Browse installed SSL Certificates" in CWP SSL Generator and editing the file "/etc/pki/tls/certs/DOMAIN.COM.cert".
4. Go to SSL Manager and install this Certificate for the user and path for which you need it.
Great, now you have installed a Valid SSL Certificate.

** Don't forget to download your SSL Certificate and KEY from the server to your local computer for backup!!!
** Don't forget to check if your Apache is Listening on the port 443!!!

Use the following site for SSL check
https://www.sslshopper.com/ssl-checker.html
« Last Edit: January 07, 2015, 11:50:05 PM by Administrator »

Re: How to install multiple SSL certificates on shared IP
« Reply #1 on: June 12, 2015, 12:36:50 PM »
Quote
** Don't forget to check if your Apache is Listening on the port 443!!!

How do I check that?

Using a web service to check, 443 seems to be blocked in my CWP installation!!

Re: How to install multiple SSL certificates on shared IP
« Reply #2 on: November 08, 2015, 11:43:11 AM »
Maybe you need a better tutorial …

In summary, you need 5 files:
  • /etc/pki/tls/certs/yourdomain.tld.csr (generated with SSL generator)
  • /etc/pki/tls/private/yourdomain.tld.key (generated with SSL generator)
  • /etc/pki/tls/certs/yourdomain.tld.crt (from your SSL dealer, with the web server certificate inside; you adapt it)
  • /etc/pki/tls/certs/yourdomain.tld.bundle (from your SSL dealer, with the CA intermediate inside; you adapt it)
  • a symbolic link /etc/pki/tls/certs/yourdomain.tld.cert pointing to yourdomain.tld.crt
In CWPanel → Apache settings → SSL Cert Manager → Install SSL Certificate:
choose yourdomain.tld.crt, the domain user and the domain (yourdomain.tld), then click Install SSL. It's possible that httpd doesn't restart; in this case, reboot the server.

Note: if your 5 files (.csr, .key, etc.) are named www.yourdomain.tld, you must correct "serverAlias www.www.yourdomain.tld" to "serverAlias yourdomain.tld" in /usr/local/apache/conf.d/vhosts-ssl.conf after Install SSL.

 
OK, for humans now, maybe you can follow this more detailed one:

1) First of all, buy the SSL certificate
To buy an SSL certificate, you need:
  • a public key (with all your information inside) named "yourdomain.tld.csr"
  • a private key named "yourdomain.tld.key"

To create them, go to your CWPanel → Apache settings → SSL cert Manager.
In SSL vHost Manager, go to SSL generator and fill in all the information requested (a piece of advice: in the domain field, put www.yourdomain.tld and not yourdomain.tld; without the "www" in the csr file, there is no certificate for "www.yourdomain.tld", oops).
CWPanel now generates two files: www.yourdomain.tld.csr and www.yourdomain.tld.key. (I explain as if you filled in www.yourdomain.tld in SSL generator.)

OK, now you can buy a certificate. In the certificate generation process, you need to give the .CSR (the key inside www.yourdomain.tld.csr) to your SSL dealer.

Well, now you receive two other files from your SSL dealer: a web server certificate and a CA intermediate certificate.

2) Next step: adapt files or config and setup
At this point you have the .csr and .key files inside your CWPanel, and the web certificate and CA certificate inside your e-mail box.

Now, it's time to make a choice: the clean way or the easy way.
The clean way consists of correctly renaming all the certificate files to make a standard SSL setup; the easy way consists of making a standard SSL setup and correcting the little mistakes inside vhosts-ssl.conf.

A) The clean way:
  • in your CWPanel → Apache settings → SSL cert Manager
  • follow the /etc/pki/tls/cert web link to open File Manager in this directory
  • rename www.yourdomain.tld.csr to yourdomain.tld.csr
  • on your computer, create a file yourdomain.tld.crt and put the web certificate key inside
  • create another file yourdomain.tld.bundle and put the CA certificate key inside
  • upload these two files to your /etc/pki/tls/certs directory (with File Manager or however you want)
  • with File Manager, go to /etc/pki/tls/private/ (type it in the directory field, or follow the .. web link and the private web link)
  • rename www.yourdomain.tld.key to yourdomain.tld.key
  • at this point, you have five files: the .key, .csr, .crt and .bundle files and a wrong symbolic link www.yourdomain.tld.cert pointing to www.yourdomain.tld.crt (in /etc/pki/tls/certs); we must correct this
  • in your CWPanel → Service SSH → Send shell command, send these two commands:
    • rm /etc/pki/tls/certs/www.yourdomain.tld.cert (of course you replace "yourdomain.tld")
    • ln -s /etc/pki/tls/certs/yourdomain.tld.crt /etc/pki/tls/certs/yourdomain.tld.cert (you replace "yourdomain.tld" two times; the command form is "ln -s target link")
  • now we have the 5 correct files (.key, .csr, .crt, .bundle and the .cert link) to make the standard SSL setup
  • OK, take a moment to ask yourself if it's a good time to reboot your server. If not, resume here when it's a good time; if yes, go back to CWPanel → Apache settings → SSL cert Manager
  • in Install SSL certificate, choose "yourdomain.tld.crt" and the correct user for yourdomain.tld, fill the domain field with "yourdomain.tld" and finally click the "Install SSL" button. CWPanel works and doesn't restart httpd correctly (Apache is down, bad news); all is correct, just reboot the server with CWPanel → CWP Setting → Reboot Server → "Reboot Server now" button.
  • When the server has restarted, in CWPanel → dashboard, check if httpd is running. If it works correctly, all is right; if it doesn't, there is a big problem (not solved in this tutorial): go back to CWPanel → Apache settings → SSL cert Manager, delete the SSL and reboot the server to come back to the original situation (without SSL).

B) The easy way:
  • on your computer, create a file www.yourdomain.tld.crt and put the web certificate key inside
  • create another file www.yourdomain.tld.bundle and put the CA certificate key inside
  • upload these two files to your /etc/pki/tls/certs directory (with File Manager or however you want)
  • at this point, you have five files: www.yourdomain.tld.key (in the /etc/pki/tls/private/ directory), the www.yourdomain.tld.csr, www.yourdomain.tld.crt and www.yourdomain.tld.bundle files, and a symbolic link www.yourdomain.tld.cert pointing to www.yourdomain.tld.crt.
  • OK, take a moment to ask yourself if it's a good time to reboot your server. If not, resume here when it's a good time; if yes, go back to CWPanel → Apache settings → SSL cert Manager
  • in Install SSL certificate, choose "www.yourdomain.tld.crt" and the correct user for www.yourdomain.tld, fill the domain field with "www.yourdomain.tld" and finally click the "Install SSL" button. CWPanel works and doesn't restart httpd correctly (Apache is down, bad news); all is correct.
  • In CWPanel → Apache settings → SSL cert Manager, click on the "/usr/local/apache/conf.d/vhosts-ssl.conf" web link
  • look for "serverAlias www.www.yourdomain.tld", replace it with "serverAlias yourdomain.tld" (remove the www.www.) and click the "save change" button.
  • Now, just reboot the server with CWPanel → CWP Setting → Reboot Server → "Reboot Server now" button.
  • When the server has restarted, in CWPanel → dashboard, check if httpd is running. If it works correctly, all is right; if it doesn't, there is a big problem (not solved in this tutorial): go back to CWPanel → Apache settings → SSL cert Manager, delete the SSL and reboot the server to come back to the original situation (without SSL, sorry).

3) Some verifications and other tasks
Good, at this point you normally have https for www.yourdomain.tld and yourdomain.tld (check for yourself in your web browser).

For a better check, in CWPanel → Apache settings → SSL cert Manager, click on Check SSL Certificate and test both ways: www.yourdomain.tld and yourdomain.tld.

If you have a problem with the chain, the .bundle file is not correct; if you have a problem with the certificate, the .crt file is the problem. It's possible that the .csr file on your server is not the same one that the SSL dealer has (if you restarted everything partway through).

If it's all OK, you can do something else now,
like make a backup of the .csr, .key, .crt and .bundle files,
or make a donation to CentOS Web Panel
(maybe I can suggest that you give +10% of your project price: server+hostname+certificate; you know, free advice is not the same price as a free beer: a copy of CentOSWebPanel is free, the server and the work to create and maintain this project are not)

note: sorry if there are some English mistakes, I'm French, English is really not my native language
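
Before clicking Install SSL, the files described in this post can be checked against each other from a shell. The script below is an added example, not part of the original post or of CWP; the function names are hypothetical, and it assumes the openssl command-line tool is installed and that the first certificate in the .bundle file is the direct issuer of the .crt.

```bash
# Added example (not from the thread). Function names are hypothetical.

# Print the public key (PEM) held in a private key, CSR or certificate.
pub_of() {
    case "$1" in
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req  -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
    esac 2>/dev/null
}

# check_cert_set KEY CSR CRT BUNDLE -> 0 if the files belong together, else 1.
check_cert_set() {
    key=$1; csr=$2; crt=$3; bundle=$4; rc=0
    kpub=$(pub_of key "$key")
    if [ -z "$kpub" ]; then echo "FAIL: cannot read private key $key"; return 1; fi

    # The CSR given to the SSL dealer must come from this private key.
    [ "$(pub_of csr "$csr")" = "$kpub" ] \
        || { echo "FAIL: $csr was not generated from $key"; rc=1; }

    # The issued certificate must carry the same public key as the .key file.
    [ "$(pub_of crt "$crt")" = "$kpub" ] \
        || { echo "FAIL: $crt does not match $key"; rc=1; }

    # Chain link: issuer name of the .crt == subject name of the first
    # certificate in the .bundle (compared through OpenSSL's name hashes).
    issuer=$(openssl x509 -in "$crt" -noout -issuer_hash 2>/dev/null)
    parent=$(openssl x509 -in "$bundle" -noout -subject_hash 2>/dev/null)
    [ -n "$issuer" ] && [ "$issuer" = "$parent" ] \
        || { echo "FAIL: $bundle does not start with the issuer of $crt"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: key, CSR, certificate and bundle match"
    return "$rc"
}

# Constructed throwaway material for trying the check: a key, a CSR and a
# self-signed certificate that can stand in as its own bundle.
make_sample_set() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1/demo.key" \
        -out "$1/demo.csr" -subj "/CN=www.yourdomain.tld" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/demo.csr" -signkey "$1/demo.key" \
        -out "$1/demo.crt" -days 1 >/dev/null 2>&1
}
```

On a server laid out as in the post, the call would be `check_cert_set /etc/pki/tls/private/yourdomain.tld.key /etc/pki/tls/certs/yourdomain.tld.csr /etc/pki/tls/certs/yourdomain.tld.crt /etc/pki/tls/certs/yourdomain.tld.bundle`.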

Re: How to install multiple SSL certificates on shared IP
« Reply #3 on: November 08, 2015, 01:20:23 PM »


Thanks fafache! Can you maybe also, if you have the time, explain how to secure the CWP panel https://domainname.ext:2031 with a bought SSL certificate?

I am used to Parallels / Odin Plesk; with this panel, securing the Control panel login can be done through the GUI. I know Plesk is license based and CWP is free. Would be great if it could be done through the GUI though.

Re: How to install multiple SSL certificates on shared IP
« Reply #4 on: April 21, 2016, 01:26:01 PM »
How can I add letsencrypt ssl for multi domains in the same ip?

Re: How to install multiple SSL certificates on shared IP
« Reply #5 on: June 16, 2016, 02:57:59 PM »
It would be nice if you would include somewhere in your post for us newbies how badly this can mess your s*** up if it doesn't work. Tried this and my whole server shut down. He says simply go in and delete the SSL certificate files and you're back to normal..... if only it was that simple. Took me hours but I finally managed to get my server back up with no SSL certificate installed, yay me!  >:( Something happened to my mail server and it still isn't working. It's been about 3 days and I still haven't got that figured out. No errors, I rebuilt the mail server, I've checked and tried everything, but still can't send or receive mail..

*******SO NEWBIES YOU'VE BEEN WARNED!!!! PROCEED WITH CAUTION!!!*******

Re: How to install multiple SSL certificates on shared IP
« Reply #6 on: July 26, 2016, 07:09:58 PM »
To enable SNI you have to do a little more work

1. Add to apache config
Code:
NameVirtualHost *:443
2. Change every ssl VirtualHost from
Code:
<VirtualHost IP Address:443>
to
Code:
<VirtualHost *:443>
3. Restart apache

This setup is tested with 1 certificate from a certificate authority and 1 Let's Encrypt. Both certificates work fine.
Files for ssl vhosts are located (in my case):
Code:
/usr/local/apache/conf.d/vhosts-ssl.conf
/usr/local/apache/conf.d/vhosts-ssl-letsencrypt.conf
« Last Edit: July 29, 2016, 10:52:16 AM by Neo2SHYAlien »

Re: How to install multiple SSL certificates on shared IP
« Reply #7 on: July 29, 2016, 10:31:57 AM »
How can I add letsencrypt ssl for multi domains in the same ip?

Edit /usr/local/apache/conf.d/vhosts-ssl-letsencrypt.conf, add this line
Quote
NameVirtualHost *:443
Listen 443

Please take note: NameVirtualHost *:443 must be above Listen 443
If you don't add that line above the Listen, you will get this warning when you restart httpd
Quote
[warn] _default_ VirtualHost overlap on port 443, the first has precedence
and the SSL is valid for the first domain only

And... if you want to install SSL for multiple domains, you should change to * instead of your actual IP
For example:


# vhost_start your_domain.com
<VirtualHost *:443>
 ServerName your_domain.com
 ServerAdmin no-reply@your_domain.com

...
...
# vhost_end your_domain.com

# another domain in same VPS, same shared ip
# vhost_start your_domain2.com
<VirtualHost *:443>
 ServerName your_domain2.com
 ServerAdmin no-reply@your_domain2.com
...
...
# vhost_end your_domain2.com

You are good to go with Let's Encrypt for multiple domains.


-------------------
Another thing to consider: if you try to add a certificate on a webpage protected with username and password, with .htaccess – you’ll get an error like this. Let’s Encrypt cannot read the file under .well-known, so you need to temporarily disable the .htaccess security by moving or renaming the file while doing the Let’s Encrypt process.
-------------------
« Last Edit: July 29, 2016, 10:39:48 AM by locvfx »
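
A check for the three configuration mistakes named in this thread: a VirtualHost bound to an IP instead of *:443, NameVirtualHost *:443 missing or placed below Listen 443, and the doubled www.www. ServerAlias. This is an added example, not code from the posters or from CWP; lint_ssl_vhosts and sample_conf are hypothetical names, and the sample configuration is constructed.

```bash
# Added example (not from the thread). Function names are hypothetical.

# lint_ssl_vhosts [FILE]: print one finding per line (reads stdin without
# FILE); exit status is 1 when anything was found, 0 otherwise.
lint_ssl_vhosts() {
    awk '
    function report(msg) { print "line " NR ": " msg; n++ }
    { sub(/^[ \t]+/, ""); d = tolower($1) }     # d = directive name
    d == "" || d ~ /^#/ { next }                 # blank line or comment
    d == "namevirtualhost" && $2 == "*:443" && !nvh { nvh = NR }
    d == "listen" && $2 ~ /(^|:)443$/ && !lis { lis = NR }
    d == "<virtualhost" && $2 ~ /:443>$/ {
        vhosts++
        addr = $2; sub(/:443>$/, "", addr)
        if (addr != "*") report("VirtualHost bound to " addr ", use *:443")
    }
    d == "serveralias" {
        for (i = 2; i <= NF; i++)
            if (tolower($i) ~ /^www\.www\./)
                report("doubled www in ServerAlias " $i)
    }
    END {
        if (vhosts > 1 && !nvh) {
            print "NameVirtualHost *:443 is missing"; n++
        } else if (nvh && lis && nvh > lis) {
            print "NameVirtualHost *:443 (line " nvh ") is below Listen 443 (line " lis ")"; n++
        }
        exit (n > 0)
    }' "${1:--}"
}

# Constructed sample with all three mistakes (192.0.2.10 is a documentation
# address). Try it with: sample_conf | lint_ssl_vhosts
sample_conf() {
    cat <<'EOF'
Listen 443
NameVirtualHost *:443
<VirtualHost 192.0.2.10:443>
 ServerName your_domain.com
 ServerAlias www.www.your_domain.com
</VirtualHost>
<VirtualHost *:443>
 ServerName your_domain2.com
</VirtualHost>
EOF
}
```

On the server from the posts, the files to check would be /usr/local/apache/conf.d/vhosts-ssl.conf and /usr/local/apache/conf.d/vhosts-ssl-letsencrypt.conf.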