LiteSpeed Technologies
  #1  
Old 01-12-2007, 02:03 AM
malffred
Member
 
Join Date: Dec 2006
Location: Hawaii
Posts: 27
Need help with SSL Install for subdomain/vhost

Hey guys,

The SSL install looked quite straightforward so I thought I'd try it first before I posted, but I haven't been able to get it to work.

I'm running several subdomain VHOSTS from my LiteSpeed install and I'm trying to install a GoDaddy Turbo SSL cert I just got from them.

So first I'd like to ask if you guys have a tutorial or wiki entry that goes through an SSL cert install? I didn't see one.

But from the admin console, I clicked on listeners, then clicked the SSL tab and filled in the correct info for the various fields. My httpd_conf file for SSL looks like so:

<keyFile>/home/sugarstats/ssl/sugarstats.key</keyFile>
<certFile>/home/sugarstats/ssl/manage.sugarstats.com.crt</certFile>
<certChain>0</certChain>
<CACertPath></CACertPath>
<CACertFile>/home/sugarstats/ssl/sf_issuing.crt</CACertFile>
<ciphers>ALL:!ADH:+SSLv2:+SSLv3:+TLSv1:+HIGH:+MEDIUM:+LOW:!EXPORT56:!EXPORT40:@STRENGTH</ciphers>

I received 2 certs from GoDaddy:

1.) manage.sugarstats.com.crt # I assume this is the certFile
2.) sf_issuing.crt # I assume this is the CACertFile?

Then did a restart but when I try to access via SSL I get a "connection reset" error or "connection interrupted" error in Firefox. From the browser activity bar it shows it switching between "connecting" and "connected" multiple times then shows the error.

I should mention that this is only for one of the subdomains/vhosts (manage.sugarstats.com) and not all of them. The SSL cert from GoDaddy is also specific to that subdomain (i.e. subdomain.mydomain.com). But I did not change any settings within that subdomain from the LSWS admin panel as I didn't see any SSL settings to set regarding VHOSTS.

Should I be putting the certs/keys into /opt/lsws/conf/cert ?

Also does it matter where I store the actual certs/key files and does it matter who the owner is/what the permissions are for them? If so what are the correct settings?

Thanks for any help, I've just switched from an nginx+mongrel_cluster setup for a few php/rails domains and this is by far the best/fastest solution taking everything into account.
  #2  
Old 01-12-2007, 11:06 AM
mistwang
LiteSpeed Staff
 
Join Date: May 2003
Location: New Jersey
Posts: 7,583
Is there any error message in error.log regarding the SSL configuration?
Your configuration looks all right to me. Maybe the SSL session gets cached during the testing when the configuration is not right. Try from another browser or from any machine.

It does not matter where you put the certs and keys.

Thanks for the praise, please help us spread the word. :-)
  #3  
Old 01-12-2007, 11:33 AM
mistwang
LiteSpeed Staff
 
Join Date: May 2003
Location: New Jersey
Posts: 7,583
It does look like something is wrong. What about removing the CA certification file, does it work? Your cert will not be trusted this way, but I want to know what exactly causes the problem.
Maybe something is wrong with sf_issuing.crt, have you tried https://certificates.starfieldtech.c.../ca_bundle.crt instead?
  #4  
Old 01-12-2007, 02:10 PM
malffred
Member
 
Join Date: Dec 2006
Location: Hawaii
Posts: 27
mistwang,

Thanks for the input. I'm moving it over to a different server and maybe that will help. I'll try it again and check for errors then post back here.
  #5  
Old 01-12-2007, 02:24 PM
malffred
Member
 
Join Date: Dec 2006
Location: Hawaii
Posts: 27
So I created a new listener called SSL and added the domain I wanted, set it to port 443, put in the right keys, made the connection "secure" and got the following error:

[SSL] Config SSL Context for listener *:443 with Certificate File: /home/sugarstats/ssl/manage.sugarstats.com.crt and Key File:/home/sugarstats/ssl/sugarstats.key get SSL error: error:0906406D:PEM routines:PEM_DEF_CALLBACK:problems getting password

The default listener on Port 80 works fine.

Perhaps I need to re-d/l my certs from GoDaddy?

Last edited by malffred; 01-12-2007 at 02:31 PM.. Reason: modifications
  #6  
Old 01-12-2007, 02:33 PM
mistwang
LiteSpeed Staff
 
Join Date: May 2003
Location: New Jersey
Posts: 7,583
You need to remove the password protection of your private key file.

Try this command:
Code:
openssl rsa -in server.skey -out server.key
Also, you need to create a listener on port 443, and bind the SSL certificate there. Port 80 is for normal HTTP traffic.

If you plan to host multiple secured sites, you need a unique IP for each site; when you create a listener, only bind to that IP.
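Added example, not part of the thread and not LiteSpeed's own tooling: a pre-flight check to run before restarting the server, covering the two points this thread turns on (a passphrase-protected key the server cannot load unattended, and the permissions on the key file once the passphrase is gone). The function names are hypothetical, and `pair_matches` assumes an RSA key and the `openssl` CLI.

```shell
#!/bin/sh
# Added example: checks on a key/cert pair before pointing a listener at it.

# 0 if the PEM key is passphrase-protected. Traditional keys carry
# "Proc-Type: 4,ENCRYPTED"; PKCS#8 keys use an ENCRYPTED PRIVATE KEY header.
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# 0 if the key file grants nothing to group or others (e.g. 600 or 400).
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# 0 if certificate $1 and RSA key $2 share one public modulus.
pair_matches() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Usage: preflight CERT KEY. Prints findings; returns the number of problems.
preflight() {
    problems=0
    if key_is_encrypted "$2"; then
        echo "key is passphrase-protected; the server cannot load it unattended"
        problems=$((problems + 1))
    elif ! pair_matches "$1" "$2"; then
        echo "certificate and key do not match"
        problems=$((problems + 1))
    fi
    if ! key_perms_ok "$2"; then
        echo "key is accessible to group/others; restrict it (chmod 600)"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample: header lines of an encrypted key, not a real key.
demo=$(mktemp)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' > "$demo"
key_is_encrypted "$demo" && echo "sample key is passphrase-protected"
rm -f "$demo"
```

Once the passphrase is removed the key sits on disk in the clear, so file ownership and mode are the only protection left for it.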
  #7  
Old 01-12-2007, 02:36 PM
malffred
Member
 
Join Date: Dec 2006
Location: Hawaii
Posts: 27
Great, that worked perfectly. I guess that's what I get for following GoDaddy's instructions. I'll remember this, thanks.