SSL error

8 posts / 0 new
Last post
#1 Sat, 10/22/2005 - 00:45
chosts

SSL error

I am trying to create my first domain and this is the error that I have:

Failed to create virtual server : SSL cannot be enabled unless a website is configured, and a virtual IP address allocated

Any ideas?

Thank you.

Sat, 10/22/2005 - 02:47
FaisalMehmood

Hi.

If enabled, an SSL website will be created for every new domain. If set to "Yes, but not by default" it will be possible to choose to create an SSL website upon domain creation. Note that SSL websites require an IP all to themselves, so it is not enabled for all sites by default. Many websites will not need SSL security, and so they can share a single IP with hundreds or thousands of other websites.

To turn this feature off. Or Change it, click on the Virtualmin Server module in webmin. Then on the top left click on module configuration.

Find:
SSL website setup enabled?

Change this value to :
yes, but not by default
or No.

Thanks.
Faisal.

Mon, 01/09/2006 - 16:34 (Reply to #2)
JohnPenrod

Why do SSL websites require their own IP address when you can tie multiple vhosts to the same IP for ssl in a normal apache config?

Is this a limitation of virtualmin?

Thanks,

John P.

Tue, 01/10/2006 - 00:43 (Reply to #3)
ADobkin

No, this is not a limitation of Virtualmin. Almost all hosting setups have the same requirement. There is a pretty good explanation here:

http://lists.evolt.org/archive/Week-of-Mon-20040712/161610.html

Fri, 11/18/2005 - 10:56
BenjaminVanWagner

i am having getting this same error

and i realize what it is saying..

but i cannot get it to let me create an SSL.. the bottom option only allows me to enter an ip and doesnt allow me to specify virtual like in the screen shot for the domain creation page in docs here..

I am using x.x.9.1 on eth0 (only primary eth interface)
I have added eth0:2 -> eth0:63 with addresses of x.x.9.2 -> x.x.9.63

net int for virt is eth0
base num for vert is x.x.9.2
def virt serv ip is x.x.9.1

under the default template i added x.x.9.2 -> x.x.9.63 to assignable address range..

does any know why I cant choose virtual in domain creation ??

Tue, 01/10/2006 - 10:22
Joe
Joe's picture

As Alan pointed out, the "SSL domain must have its own IP" requirement is not a Virtualmin limitation, it is a limitation of the protocol.

Technically, it is possible, as you point out, to configure apache to serve SSL to multiple domains from the same IP. However, only one certificate can be served (because the decision about which certificate to serve is tied to the IP on which the server was contacted and not the domain name, which is discovered after the session becomes encrypted). So, all but one of your domains will necessarily trigger errors that look like a man-in-the-middle attack to users and client browsers, or at best an unverified certificate. Thus, the only way to provide an SSL domain without errors is to give it its own IP address.

It would be technically trivial to allow multiple SSL hosts on a single IP, all sharing a system-wide certificate, but client browsers are extremely persnickety about getting the same certificate for multiple domains. Mozilla/Firefox will even refuse to download anything from a site under some circumstances of sites that share a certificate.

I think this is just a no-win situation for us (me and Jamie). Since, if we provide the option, folks will use it and complain about some sites not working with some browsers (and of course it is Virtualmins fault). Or if we don't, folks will complain because Apache lets them do it (and of course, this is also Virtualmins fault). Life is hard. ;-)

We can open a wish in the bug-tracker, and get this added as a configurable option (with big warning signs about the implications of doing so). I don't like it, but I reckon if I make the warnings strong enough, I can wipe my hands of the issues that arise later. ;-)

--

Check out the forum guidelines!

Sat, 01/14/2006 - 10:02
JohnPenrod

Thanks Alan and Joe,

Your 100% right. Thanks for bringing me up to speed on this.

I agree that (IMHO) you should not add the option, it would confuse things.

John P.

Thu, 12/21/2006 - 10:22
DM

I am not certain if I've posted about this before but this problem is still happening.

I have 5 IPs on the machine and I have skipped the first two and am trying to bind an SSL site on the 3rd one but it keeps popping up with the same error.

How do I let virtualmin know that this IP is available to be bound exclusively to that domain?

(this problem has persisted on two different machines)

Thanks.