Cert Question

IT_Architect

Verified User
Joined
Feb 27, 2006
Messages
1,114
A server has two sites that matter:
- Cert 1 = www.domain.net, uses the servers shared IP address. I'm thinking of installing it right on the domain, not at server level.
- Cert 2 = www.domain.com has its own IP address
- The server name is secure1.domain.com

Question: Will that work, or will the shared address pick up a snake-oil certificate for the server when someone tries to connect securely to www.domain.net?

Thanks!
 
I will digest that. I have an old version of BSD because some of the web apps do not support the newer versions of software.

Perhaps just assign the www.domain.net as the shared server address? I'm guessing there is no requirement for the server name and cert to match, and it doesn't matter if the domain is also elsewhere on the same server as long as it uses the same shared IP address in the DNS?
 
In order to get SNI working you might need to reinstall Apache against OpenSSL 1.0+

Do you mean to change your hostname to www.domain.net? If so it's not the recommended way.
 
Do you mean to change your hostname to www.domain.net?
No, I meant leave it secure1.domain.net, and install a cert for www.domain.net on it.

Actually, the version of DA I have for BSD is 1.42, and the article you referenced shows it was introduced with version 1.361, so maybe I'm good to go by just changing the enable_ssl_sni to 1 and restarting DA? Then I could just install the cert at the domain, even though it uses the server's shared address, and be done? That would be nice.
 
No, I meant leave it secure1.domain.net, and install a cert for www.domain.net on it.

With let's encrypt you can include both names into cert.


Make sure you've got OpenSSL of 1.0+ version. SNI is not support in earlier versions.
 
With let's encrypt you can include both names into cert. Make sure you've got OpenSSL of 1.0+ version. SNI is not support in earlier versions.
I think I'm in a bit of trouble. I have 0.9.8e, and from what I read, I need 0.9.8f or newer. So I still wonder if there would be a problem buying a www.domain.net cert for the server secure1.domain.com as long as they share the same IP?
 
You can install your domain.net's cert serverwide instead of secure1.domain.com. I would not expect any issue here. To be more sure you can try a free cert from Let's Encrypt first, and see how it works.

Please feel free to contact me via my site for a private help.
 
Let's Encrypt sounds complicated. All I want to do is upload CSR, verify with E-Mail, and get a CERT.
 
Actually there might be issues with letsencrypt script on old FreeBSD. I've tested it only on FreeBSD 10. In any other case it's easy to use ;)
 
Actually there might be issues with letsencrypt script on old FreeBSD. I've tested it only on FreeBSD 10. In any other case it's easy to use ;)
Thanks for all of your help. I've used the $10.00 RapidSSLs before, and I'll just go with those.

PS: I'm having some issues with GeoTrust/RapidSSL for the first time. I responded to the e-mail approval 11 hours ago and haven't received it yet. Normally it is more like 30 minutes. Their email says:

"DigiCert recently completed acquisition of the Symantec PKI and SSL/TLS businesses and is now authenticating new certificate requests. We’re also re-authenticating organization and domain information in existing accounts to maintain your website’s security and service without any disruption."

I don't know how/if GeoTrust got tangled up with Symatec. What I do I know is everything Symantec touches...
 
Thanks for all of your help. I've used the $10.00 RapidSSLs before, and I'll just go with those.
Three days later +4 hours on chat hold, I got my CERTS.
- The one I installed for the site with the private IP went well as expected.
- My idea of installing a cert at the server level with the name of a domain that is hosted on the server's shared IP address didn't, go well. It crashed the http. LOL! I didn't have time to sort it out, so I put it back like it was. I might sort it out later, or in the interest of time I might take the easy way out and put it on its own IP.

Thanks TONS! for your thoughts.
 
It crashed the http.

Installation of a cert could crash Apache and/or Nginx only if a SSL cert and KEY do not match each other. That's most likely what happened on your server.

Without SNI enabled in Directadmin you can use its interface for installing a server-wide cert, it can be installed at user level of the admin account.
 
It looks like I'm going to have to start over and buy a another cert when the cert vendors are not so backed up.

One thing that didn't go as expected was when I went to install the cert, there was a cert there already. That has never happened before. Normally, only the private key is there, and I paste the cert under it. When I checked the key, it does not match the csr and cert, and the old and new private keys are the same.

PS: This is likely what I didn't do:
"if you create the certificate request (CSR) as an Admin on the server IP. This method is slightly different in that you're working on the shared server certificate, and it cannot have a temporary key set. This means that when the CSR is created, the key is displayed with the CSR and is not saved anywhere. The Admin *must* copy the key from that location and save it somewhere safe. Failure to save the key will prevent you from installing the certificate generated from the CSR, as the key is required."

I've done this about a dozen times in the past, but I didn't know this or run into the problem because I had the cert within a few minutes, and never closed the window. This time it took 3 days, and a login long expired. When I got back, I pasted in the cert, but the key was the old key, which I know for certain from the backup I had of it and the old info that displays.

PSS: Oh duh! Not true. I have that in my procedures as plain as day. I simply didn't follow my own documented procedures, so I can even cop the excuse above. I'll climb back under my rock now.
 
Last edited:
If you lost your SSL key, you can re-issue the cert. Normally SSL-providers allow to re-issue a cert without extra payments.
 
If you lost your SSL key, you can re-issue the cert. Normally SSL-providers allow to re-issue a cert without extra payments.
If you buy directly from RapidSSL at just over 6 times the price, that is true. If you buy from a reseller, that is not true. This is only the 3rd cert I've blown in my lifetime. I also noticed that apparently the cert "train wreck" is almost over. It is not down to the normal 1/2 hour yet, but it is down from 3 days plus 4 hours on chat hold, to a few hours. Oddly, Comodo was/is? in the same boat at the same time.

I followed my own procedures and saved off the key this time and the cert install went fine. However, the one issue I always have with server certs, is that DA seems to never write the intermediate cert file anywhere, unless I'm missing something.
- FreeBSD 7.2
- Apache 2.2.24
- DA 1.42.1

To make Intermediate cert work I:
Manually make one here:
/etc/httpd/conf/ssl.crt/server.ca
Copy it here:
/etc/httpd/conf/server-ca.crt
Flag it wheel:root, and 600.

The stock httpd-ssl.conf looks like this:
Code:
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
and I make an entry in the /etc/httpd/conf/extra/httpd-includes.conf like this:
Code:
#####################
#  Intermediate SSL Certificate
#####################
SSLCertificateChainFile /etc/httpd/conf/server-ca.crt
so it doesn't get overwritten, restart Apache, and check it here:
https://cryptoreport.rapidssl.com/checker/views/certCheck.jsp

If you have any improvements to this process, I'd love to hear it.

Edited: Removed procedures posted for DA and Exim because I've been using symlinks for some of them.
Thanks!
 
Last edited:
OK, I've never bought directly from issuers, never had problems with renewing Comodo certs bought from https://www.ssls.com/ .


CAroot is an option in Directadmin interface. At the bottom of a page you can find "Click Here to paste a CA Root Certificate".
 
Back
Top