Need help setting up a Wild Card Multiple Domain SSL Certificate: Virtualmin Pro

#1 Fri, 09/30/2016 - 20:08
jflesher

Need help setting up a Wild Card Multiple Domain SSL Certificate: Virtualmin Pro

I enabled the SSL feature under Edit Virtual Server. I have a new Wild Card Multiple Domain SSL Certificate from Alpha GlobalSign. I took what they sent in the email; normally it comes in files, so I had to create them. I called to make sure I put all the correct certs in the correct files. I named them:

ssl_domainnamecom.cert
ssl_domainnamecom.key
ssl_domainnamecom.ca
and enabled only SSLv3 and TLSv1.2, which should work fine; I am not sure if anyone uses less secure protocols nowadays.

Under Services -> Configure Website for SSL I set the properties and verified them under the directives in Edit Directives Settings:

SSLEngine on
SSLCertificateFile /home/domainname/ssl_domainnamecom.cert
SSLCertificateKeyFile /home/domainname/ssl_domainnamecom.key
SSLProtocol +SSLv3 +TLSv1.2 (changed to all, no help)
SSLCACertificateFile /home/domainname/ssl_domainnamecom.ca

Now under Server Configuration -> Manage SSL Certificate it shows that the current server's certs are the default self-signed certs and not the ones above. How do I fix this?

It does not work, and I am at a loss as to how to troubleshoot this.

Sat, 10/01/2016 - 06:05
applejack

Have you tried pasting the cert in the Virtualmin interface under Manage SSL Certificate?

Also, as far as I know, the directive should be

SSLProtocol all -SSLv2 -SSLv3

Sat, 10/01/2016 - 12:42 (Reply to #2)
jflesher

Thanks I will try the SSL Protocols and see if that works.

I did find a bug: I cannot paste them in, but I can upload them and they work.

Jeffrey Scott Flesher
Medically Retired Gulf War Vet

Sat, 10/01/2016 - 13:22
jflesher

Now it looks like it's set up correctly as far as I can tell; all this information is correct, but it still gives me the error below. How do I know the certificate is good? Is there any way to verify that a cert is good? Just because I paid for it does not mean much nowadays.

Current SSL certificate details
SSL certificate file: /home/domain/ssl_domaincom.cert
SSL private key file: /home/domain/ssl_domaincom.key
Web server hostname: *.domain.com
Issuer name: AlphaSSL CA - SHA256 - G2
Issuer organization: GlobalSign nv-sa
Expiry date: Sep 29 22:18:37 2017 GMT
Certificate type: Signed by CA
Other domain names: *.domain.com | domain.com

Certificate authority details
CA certificate file: In file on server /home/domain/ssl_domaincom.ca
Certificate authority name: AlphaSSL CA - SHA256 - G2
Organization: GlobalSign nv-sa
Issuer name: GlobalSign Root CA
Issuer organization: GlobalSign nv-sa
Expiry date: Feb 20 10:00:00 2024 GMT
Certificate type: Self-signed

Note it says "Certificate type: Self-signed". That is not right; what is up with that?

domain.com uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
Error code: SEC_ERROR_UNKNOWN_ISSUER

Jeffrey Scott Flesher
Medically Retired Gulf War Vet

Sat, 10/01/2016 - 13:51
jflesher

Under: External Connectivity Check

SSL website request failed 500 Can't connect to domain.com:443
Make sure your system's web server is running, that port 443 is not blocked by a firewall, and that the domain has a valid index page.

I do not have iptables or firewall enabled on this server.

I only have one virtual server with SSL enabled.

phpinfo:

Registered Stream Socket Transports tcp, udp, unix, udg, ssl, sslv3, sslv2, tls, tlsv1.0, tlsv1.1, tlsv1.2

SSL Yes
SSL Version NSS/3.19.1 Basic ECC

openssl

OpenSSL support enabled
OpenSSL Library Version OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL Header Version OpenSSL 1.0.1e-fips 11 Feb 2013
Directive Local Value Master Value
openssl.cafile no value no value
openssl.capath no value no value

Jeffrey Scott Flesher
Medically Retired Gulf War Vet

Sat, 10/01/2016 - 13:46
applejack

You should be able to paste the cert file contents, I think it's the 3rd tab from the right.

I set one up last week and pointed it to the file but it didn't work until I pasted the cert file contents.

Sat, 10/01/2016 - 14:06
jflesher

As far as I can tell it took the Cert, so that is not the issue, unless I am missing something.

Jeffrey Scott Flesher
Medically Retired Gulf War Vet

Sat, 10/01/2016 - 14:22
jflesher

This shows port 443 is open:

nmap -sT -O localhost

PORT      STATE SERVICE
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
110/tcp   open  pop3
143/tcp   open  imap
443/tcp   open  https
587/tcp   open  submission
993/tcp   open  imaps
995/tcp   open  pop3s
1022/tcp  open  exp2
2222/tcp  open  EtherNet/IP-1
3306/tcp  open  mysql
5432/tcp  open  postgresql
10000/tcp open  snet-sensor-mgmt
20000/tcp open  dnp

Jeffrey Scott Flesher
Medically Retired Gulf War Vet

Sat, 10/01/2016 - 14:42
jflesher

If I check it here:

https://www.sslshopper.com/ssl-checker.html#hostname=rodremelin.com

or

https://globalsign.ssllabs.com/analyze.html?d=rodremelin.com&latest

I get trust issues:

rodremelin.com resolves to 216.117.167.15

Server Type: Apache/2.4.6

The certificate will expire in 356 days.

The hostname (rodremelin.com) is correctly listed in the certificate.

The certificate is not trusted in all web browsers.
You may need to install an Intermediate/chain certificate to link it to a trusted root certificate.
The fastest way to fix this problem is to contact your SSL provider.
Common name: rodremelin.com
Organization: SomeOrganization
Location: SomeCity, SomeState, --
Valid from September 23, 2016 to September 23, 2017
Serial Number: 22112 (0x5660)
Signature Algorithm: sha256WithRSAEncryption
Issuer: rodremelin.com

Does this mean it's installed correctly? What do I do about this: "You may need to install an Intermediate/chain certificate to link it to a trusted root certificate."?

Jeffrey Scott Flesher
Medically Retired Gulf War Vet

Sat, 10/01/2016 - 15:36
applejack

No, it is still coming up as the self-signed certificate.

https://rodremelin.com

Click the lock icon / https

Sat, 10/01/2016 - 15:39
jflesher

All this just to find out this is not a Multiple Domain Cert; the people we purchased through got confused about Multiple Sub Domains, so I was lost from the beginning.

Jeffrey Scott Flesher
Medically Retired Gulf War Vet

Sat, 10/01/2016 - 15:50
applejack

How many domains do you need this for?

You can always try using the free Let's Encrypt cert, which is integrated into Virtualmin, but it depends on what level of security you need.

https://letsencrypt.org

Also, if this is your server and you're concerned about security, you really should have a firewall enabled. With ConfigServer Security & Firewall you'll be amazed at how many hacking attempts a server gets.

http://www.configserver.com

Sat, 10/01/2016 - 15:48
jflesher

That sounds like a plan; I never heard of it before. That is a big help, thanks. All I need is some type of security, nothing fancy, but I would like it for the site as well as email from the site, and self-signed is all I normally use.

Jeffrey Scott Flesher
Medically Retired Gulf War Vet

Sat, 10/01/2016 - 15:55
applejack

For ConfigServer Security & Firewall, install via Webmin; see below. You should be OK with the default setup after it is installed.

http://doxfer.webmin.com/Webmin/ConfigServer_Security_%26_Firewall

Sat, 10/01/2016 - 16:03
applejack

After you have installed the cert there is an option to copy to Dovecot, Postfix, Webmin and Usermin.

The problem with Let's Encrypt certs is that they only last 3 months. In Virtualmin you can set an auto-update period, but I have read elsewhere in this forum that the update doesn't work. Either way, if it does, then you would almost certainly have to copy it back to Dovecot etc.

Alternatively you may be able to point to the server cert in Dovecot etc. in those servers' settings.

I'm currently testing a Let's Encrypt cert on a site but haven't tried it for mail yet.

Sun, 10/02/2016 - 22:52 (Reply to #15)
coderinthebox

It is working on my installation without a fail: 4 domains auto-renewing every 2 months.

Visit me at coderinthebox.com

Mon, 10/03/2016 - 04:25 (Reply to #16)
applejack

Hi, that's good to know. So have you configured it for Postfix, Dovecot etc.? If so, I would be interested in knowing how.

Fri, 10/07/2016 - 12:31
jflesher

What ended up being the problem was that the front end was set up correctly, but the back end was still forcing the self-signed CA; it had to be manually changed in /etc/httpd/conf.d/ to make it work. This is a bug, I am sure of it, but it's fixed now. Wow, that took a lot of effort to figure out. I got the help from my new hosting company AIT.com; they are great. I am on an SSD drive with 200 GB, 8 GB RAM, 12 cores, for $44, with the best tech support. They deserve a plug.

Now I can work on all these other things, thanks for all the help.

Jeffrey Scott Flesher
Medically Retired Gulf War Vet
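An added check script (not from this thread, and not Virtualmin's own tooling) for the two problems the thread ran into: the SSL checker reporting an untrusted/self-signed chain, and Apache still serving the default self-signed cert while Virtualmin's details page showed the CA-signed one. It assumes the openssl command-line tool; the hostnames and file paths passed to the functions are placeholders for your own.

```shell
#!/bin/sh
# Added check script; not part of this thread or of Virtualmin.
# Assumes the openssl command-line tool. File paths and the hostname
# passed to these functions are placeholders for your own values.

# SHA-256 fingerprint of the (first) certificate in a PEM file.
file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of the certificate a live server presents on port 443.
# -servername sends SNI; without it a name-based vhost may answer with
# the default (self-signed) certificate, the symptom seen in this thread.
served_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Prints 0 when the private key belongs to the certificate, else 1,
# by comparing the public key each file yields.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] && echo 0 || echo 1
}

# Prints 0 when the leaf certificate chains to the CA bundle in $2
# (the SSLCACertificateFile / intermediate), else 1. A 1 here is what
# the SSL checker reports as "install an Intermediate/chain certificate".
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo 0 || echo 1
}

# Prints yes when issuer equals subject (a self-signed cert), else no.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] && echo yes || echo no
}

# Compare what Apache serves with the file named in SSLCertificateFile.
# Usage: check_served_cert example.com /home/domain/ssl_domaincom.cert
check_served_cert() {
    if [ "$(served_fingerprint "$1")" = "$(file_fingerprint "$2")" ]; then
        echo "served cert matches $2"
    else
        echo "MISMATCH: server presents a different cert; look for another" \
             "SSLCertificateFile in /etc/httpd/conf.d/*.conf"
    fi
}
```

A mismatch from check_served_cert with a correct Virtualmin details page points at a second vhost definition taking precedence, which is what the final post describes.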