SSL is installed, but snakeoil cert is issued

[damn]

Hello,

I tried to install an SSL certificate on my admin domain, my admin domain is the shared server IP. Working through the DA instructions it all worked perfectly, however the Snakioil certificate was the one the browser kept getting sent.

So I decided to move the domain I wanted this to work on over to its own account, giving the domain its own IP. Installed the certificate again, waited for DNS to resolve the domain to the new IP, switch to https: and I get snakeoil again

I'm confident that I have done the SSL part correctly for this domain on its own, DA shows the virtual host settings for this domain as:

<VirtualHost 202.167.xxx.xxx:443>

	SSLEngine on
	SSLCertificateFile /usr/local/directadmin/data/users/user/domains/domain.com.cert
	SSLCertificateKeyFile /usr/local/directadmin/data/users/user/domains/domain.com.key
	SSLCACertificateFile /usr/local/directadmin/data/users/user/domains/domain.com.cacert

	ServerName www.domain.com
	ServerAlias www.domain.com domain.com 
	ServerAdmin [email protected]
	DocumentRoot /home/user/domains/domain.com/private_html
	ScriptAlias /cgi-bin/ /home/user/domains/domain.com/public_html/cgi-bin/

	UseCanonicalName OFF

	User user
	Group user
	CustomLog /var/log/httpd/domains/domain.com.bytes bytes
	CustomLog /var/log/httpd/domains/domain.com.log combined
	ErrorLog /var/log/httpd/domains/domain.com.error.log

	<Directory /home/user/domains/domain.com/private_html>
		Options +Includes -Indexes
	<IfModule !mod_suphp.c>
		php_admin_flag engine ON
		php_admin_flag safe_mode OFF
		php_admin_value sendmail_path '/usr/sbin/sendmail -t -i -f [email protected]'

		php_admin_value open_basedir /home/user/:/tmp:/usr/local/lib/php/

	</IfModule>
	</Directory>



</VirtualHost>

I read a thread somewhere else that refereed to looking in the ips.conf and removing any entries for this IP in there. I did this, and since doing that the cert that is issued to the browser says it is from "." instead of "Snakeoil.dom" however if you view the certificate there is still references for snakeoil.

Any advice fellow DA'ers?

 

[chatwizrd]

So look in /etc/httpd/conf/extra/httpd-ssl.conf to see if it is already set in there.

 

[damn]

So look in /etc/httpd/conf/extra/httpd-ssl.conf to see if it is already set in there.

/etc/httpd/conf/extra directory does not exist on my server FreeBSD 5.5

 

[DirectAdmin Support]

Hello,

You shouldn't be seeing this if the domain is on the server IP:

	SSLCertificateFile /usr/local/directadmin/data/users/user/domains/domain.com.cert
	SSLCertificateKeyFile /usr/local/directadmin/data/users/user/domains/domain.com.key

what you want to be seeing is:

SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
        SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

since editing an admin domain on a shared IP should be pointing there instead.

Make sure your domain is setup to use the "shared server certificate".

Also, the /etc/httpd/conf/ips.conf should be included into the main /etc/httpd/conf/httpd.conf.
There should also be 2 virtualhosts at the bottom of that main httpd.conf, both fory our server IP, and one that has the SSL settings which poitns to the server.crt and server.key.

John

 

[damn]

Hello,

You shouldn't be seeing this if the domain is on the server IP:

	[/QUOTE]

I gave up on that and moved the domain to its own account, with own IP.

[QUOTE="damn, post: 135099, member: 2055"]Hello,

So I decided to move the domain I wanted this to work on over to its own account, giving the domain its own IP.  Installed the certificate again, waited for DNS to resolve the domain to the new IP, switch to https: and I get snakeoil again :(

[/QUOTE]

 

[DirectAdmin Support]

An easy test to see what VH is doing the SSL is to simply type in your IP via a web browser:

https://1.2.3.4

What this will tell you is where the VH is getting it's files from.
That will be the VH that you need to ensure has the cert/key you're using.
The VH you see there is the one that controls the cert being used.

Failing everything else, the server cert/key live at:
/etc/httpd/conf/ssl.crt/server.crt
/etc/httpd/conf/ssl.key/server.key

if you just want to install your cert/key manually to those locations.
Be sure to backup the original files (crt/key) in case something goes wrong.

John

 

[damn]

Both https://1.2.3.4 (the IP for this www.domain.com) and https://www.domain.com throw a warning, and you view the certificate and it says it is for snakeoil.dom

Okay well rather than replacing the existing server certs with the individual domain ones, I edited the httpd.conf <VirtualHost _default_:443> and commented out the server certificates, replacing the lines with the path to the client certificate eg:

SSLCertificateFile /usr/local/directadmin/data/users/user/domains/domain.com.cert
#SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/directadmin/data/users/user/domains/domain.com.key
#SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
#SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ca.crt
SSLCACertificateFile /usr/local/directadmin/data/users/user/domains/domain.com.cacert

And regardless where the browser goes:
https://1.1.1.1 (default server IP)
https://1.2.3.4 (dedicated IP for this particular client / DA account)
https://domain.com

I STILL get snakeoil!! Where else does it come from?

 

[DirectAdmin Support]

If 1.2.3.4 is an owned IP, then check the following.

1) Admin Level -> IP Manager -> make sure 1.2.3.4 is status "owned".

2) /etc/httpd/conf/ips.conf should only have:

NameVirtualHost 1.2.3.4:80
NameVirtualHost 1.2.3.4:443

for the 1.2.3.4 IP address. There should be no VirtualHosts in there.

3) Admin Level -> List Users -> Advanced Search -> IP equals 1.2.3.4, search.
Ensure that the user in question is the only user on the IP.

4) Make sure the domain actually resolves to 1.2.3.4 and not the old 1.1.1.1 IP address. If the dns cache still goes to the old IP, that would cause confusion/problems.

6) Are there more than 1 domains on this User? Go to:
User Level -> Domain Administration (domain setup) -> select the domain you're working with and click "set as default". If one of the other domains is the default domain, then it will be first in the list and will override any ssl settings, since ssl happens before the host is known, so the first VH rules ssl certs for that IP.

7) Oh, and close your browser and reopen. Browsers cache certificates sometimes, which can also be confusing.

John

 

[damn]

Correct, 1.2.3.4 is an owned IP. If I enter in http or https://1.2.3.4 I get the site for www.domain.com

1) Correct, that IP is owned, reseller admin (me) and the user that I specifically setup for this domain & SSL cert

2) Correct, only the name host lines for this IP, no virtual hosts

3) Advanced search returns only the one user, the user I have setup specifically for this domain

4) Yes DNS is all fine, resolves correctly to the new dedicated IP

6) Yes domain.com is the only domain that I setup for this specific user. I went in and re-clicked default regardless

7) Opened & closed browsers, different computers, different locations & days, all no difference.

Something, somewhere is forcing this snakeoil cert regardless

 

[nobaloney]

Something, somewhere is forcing this snakeoil cert regardless

I wouldn't call it forcing; instead I'd say that there last reference to SSLCertificateFile being found apache when attempting to deliver pages for the domain is pointing towards the wrong actual file.

Consider that apache will continue to read down through the httpd.conf file and all included files, and use the last reference to SSLCertificateFile in a context for that domain.

I think you may have to search for all instances of SSLCertificateFile on your server, in /etc/httpd/conf/httpd.conf and in all files included by reference in /etc/httpd/conf/httpd.conf, and all files included by reference in any of those files, checking the context for your domain name, until you find the wrong one.

Jeff

 

[DirectAdmin Support]

Hello,

If you're seeing the correct website when you go to https://1.2.3.4 then the correct cert/key's are being used, since it's the first VH in the list.

Double check the cert/key listed in the httpd.conf file and then try manually putting your cert/key to that location.

John

 

[damn]

I un-commented out the server ones, copied the client ones over to the server, restarted & still got snakeoil.

I went into the client account & told it to use a new, self generated cert to see if that worked - which it did. So then I went through generating a new CSR, getting the cert re-issued, uploaded it along with the CA & it works

 

[philmcdonnell]

I am having the same issue with my server. I bought a rapidssl certificate and tried to install it. I realized that the domain I want to use is the server's main domain and also the admin account. I thought I could just add an IP and move the domain to that IP but it doesn't seem to work.

I keep getting SnakeOil as well.

Can I install the cert even though it is the main server domain? If so how? Can I use it with the existing IP address that is shared with others?

Would it help if I give you the domain and IP addresses?

Thanks in advance,
Phil

 

[chatwizrd]

Check all the apache configs to see if the ssl cert is loading from somewhere.

 

[philmcdonnell]

I am having the same issue with my server. I bought a rapidssl certificate and tried to install it. I realized that the domain I want to use is the server's main domain and also the admin account. I thought I could just add an IP and move the domain to that IP but it doesn't seem to work.

I keep getting SnakeOil as well.

Can I install the cert even though it is the main server domain? If so how? Can I use it with the existing IP address that is shared with others?

Would it help if I give you the domain and IP addresses?

Thanks in advance,
Phil

I just recreated the csr, key, cert and installed it manually in the files

/etc/httpd/conf/ssl.crt/server.crt
/etc/httpd/conf/ssl.key/server.key

Then restarted the httpd service and all works fine now.... I think something in the web interface of DA is causing the issue.

Also I would suggest that when you generate a CSR you go back to the ssl screen and copy the KEY and save it to a text file just in case you need it later.

Regards,
Phil

 

[Charles2]

I ran into a problem with my SSL.
I installed the SSL for DA
which gets put into

/usr/local/directadmin/conf

/usr/local/directadmin/conf/cacert.pem
/usr/local/directadmin/conf/cakey.pem
/usr/local/directadmin/conf/carootcert.pem

I added these lines to directadmin.conf file

SSL=1
ssl_redirect_host=server.mydomain.info
carootcert=/usr/local/directadmin/conf/carootcert.pem

That way when I go to https://server.mydomain.info:2222
it is using the cert. that I have for server.mydomain.info(My Host Name)
Everything is fine there.

I then added the domain mydomain.info under the admin user in DA.
I generated a CSR(within DA) which it created these files:

/etc/httpd/conf/ssl.key/server.key
/etc/httpd/conf/ssl.crt/server.crt

I got my SSL and pasted it correctly into the box. I am using Comodo POSITIVE SSL and they have a CA Root Cert.
So in DA I clicked the link for the CA Root Cert and pasted it.
It created this file:

/usr/local/directadmin/data/users/admin/domains/mydomain.info.cacert

In the /usr/local/directadmin/data/users/admin/httpd.conf file it has this:

ServerRoot /etc/httpd



<VirtualHost main.ip.address.server:80>
        ServerName www.mydomain.info
        ServerAlias www.mydomain.info mydomain.info 
        ServerAdmin [email protected]
        DocumentRoot /home/admin/domains/mydomain.info/public_html
        ScriptAlias /cgi-bin/ /home/admin/domains/mydomain.info/public_html/cgi-bin/

        UseCanonicalName OFF

        SuexecUserGroup admin admin
        CustomLog /var/log/httpd/domains/mydomain.info.bytes bytes
        CustomLog /var/log/httpd/domains/mydomain.info.log combined
        ErrorLog /var/log/httpd/domains/mydomain.info.error.log

        <Directory /home/admin/domains/mydomain.info/public_html>
                Options +Includes -Indexes
                suPHP_Engine ON
                suPHP_UserGroup admin admin
        </Directory>
</VirtualHost>


<VirtualHost main.ip.address.server:443>

        SSLEngine on
        SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
        SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
        SSLCACertificateFile /usr/local/directadmin/data/users/admin/domains/mydomain.info.cacert

        ServerName www.mydomain.info
        ServerAlias www.mydomain.info mydomain.info 
        ServerAdmin [email protected]
        DocumentRoot /home/admin/domains/mydomain.info/private_html
        ScriptAlias /cgi-bin/ /home/admin/domains/mydomain.info/public_html/cgi-bin/

        UseCanonicalName OFF

        SuexecUserGroup admin admin
        CustomLog /var/log/httpd/domains/mydomain.info.bytes bytes
        CustomLog /var/log/httpd/domains/mydomain.info.log combined
        ErrorLog /var/log/httpd/domains/mydomain.info.error.log

        <Directory /home/admin/domains/mydomain.info/private_html>
                Options +Includes -Indexes
                suPHP_Engine ON
                suPHP_UserGroup admin admin
        </Directory>
</VirtualHost>

For some reason it wasn't reading the
SSLCACertificateFile /usr/local/directadmin/data/users/admin/domains/mydomain.info.cacert

I had to add this line to the
/etc/httpd/conf/httpd.conf

SSLCACertificateFile /usr/local/directadmin/data/users/admin/domains/mydomain.info.cacert

I have 2 certs. One for server.mydomain.info and one for www.mydomain.info
The server.mydomain.info cert. is for DA which is also my Host Name
The www.mydomain.info cert. is for the mydomain.info which is added under the admin user.
The Admin user is using the server IP Address which DA uses.

Why is apache not reading the SSLCACertificateFile /usr/local/directadmin/data/users/admin/domains/mydomain.info.cacert
that is in the /usr/local/directadmin/data/users/admin/httpd.conf file?

Both of the certs. are Positive SSL Certs both from Comodo.

 

[DhoTjai]

Edit ips.conf (/etc/httpd/conf/ips.conf), find the IP address, change the crt/key/ca and restart apache. This will make the domain use the SSL certificate.

The problem I have now, is that he change back to the old config. So after a few days, it change back to the snakeoil certificate. Does anyone know how to stop this?