[Solved] SSL usage

  • Have a site on http://website.com - working on IP x.x.x.8


    Added an HTTPS cert to it and it works for both HTTPS and HTTP.


    Another domain on x.x.x.8:
    added HTTPS and it also works.


    However, for a 3rd domain I'm playing with I have a wildcard cert (using a Cloudflare cert):


    *.domain.com
    However, when I test it, it is not working.


    http://domain / sub.domain.com load fine
    https://domain or invoice.domain.com load https://website.com instead


    Verified that domain_ssl.conf appears to load the correct docroot, but I'm still not sure why loading domain.com shows website.com (the cert is using *.website.com).



    One of the potential issues:
    Cloudflare does not provide a bundle, so to get it working I had to save the PEM files and edit each site's <domain>_ssl.conf file so that the keyfile points directly at that site's PEM file instead of using the existing method.


    The SSL input screen won't allow a save without bundle text pasted in, and with Cloudflare that is not possible.


    - LetsEncrypt: was playing with that but couldn't figure out sub-domains.


    I primarily need a billing / invoice subdomain to be protected, however I would prefer all sites with HTTPS, especially since Cloudflare provides this for free!


    --- Not sure any of this would be resolved with 1.3...
    and it seems like 1.3 is a bit off (still some stabilization time pending before release)... I was hoping it would show up in May, but now June is almost gone and I'm betting July will be busy as well and we possibly won't see 1.3 either.


    Either way, I think the SSL is pretty nice, but primarily the fix would be to allow a save without bundle text, I think...?

    Edited once, last by viper_iii ().

  • Yes, had to fix that immediately as it broke another site I have HTTPS on that had to be fixed asap..


    Had that issue directly after the upgrade...
    /var/www/imscp/engine/PerlLib/iMSCP/OpenSSL.pm
    Mine currently looks like:


    Code
    return 0 if $self->{'ca_bundle_container_path'} eq '';

    So that isn't it... I was getting invalid cert errors - vs the other post was redirecting to panel vs a different site entirely.

  • @viper_iii



    and it seems like 1.3 is a bit off...


    Many SSL bugs were fixed in 1.3.x. And 1.3.x is stable. I'm wondering what you mean by "a bit off...".


    Please, just try 1.3.x in test server. For the wildcard issue, I'll check.


    BTW: When using wildcard SSL cert:


    • You must put the same certificate and pk for all your subdomains. Enabling SSL for the domain only, or for one of its subdomains only, will not enable SSL for the other subdomains, even if you have a wildcard SSL certificate. To sum up, you must add the SSL for each subdomain...
    • You should normally be able to leave the CA bundle empty. i-MSCP uses the CA file from the distribution.

    It would be great if you can provide me the cert and key from cloudflare. Then, I could test locally even if I'm not the owner of the domain.

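    As an added example (not code from this thread or from i-MSCP), the following script applies the RFC 6125 wildcard rules that browsers use when checking a certificate's subjectAltName entries. It makes the point behind the wildcard discussion concrete: `*.domain.com` covers `invoice.domain.com` or `sub.domain.com`, but not the apex `domain.com` and not a deeper `a.b.domain.com`, unless those names are listed as separate SAN entries. The SAN lists below are constructed for the example.

```python
"""Check which hostnames a certificate's subjectAltName (dNSName) entries cover.

Wildcard rules implemented here (RFC 6125 section 6.4.3, as browsers apply them):
  * '*' is only accepted as the entire leftmost label;
  * it matches exactly one label, so label counts must agree;
  * partial wildcards such as 'inv*.domain.com' and bare '*.com' are rejected.
"""


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a single SAN dNSName pattern covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" in pattern:
        # Wildcard only as the whole leftmost label, nowhere else, and never
        # directly under a public suffix (reject '*.com' style patterns).
        if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
            return False
        if len(p_labels) < 3:
            return False
    if len(p_labels) != len(h_labels):
        return False  # '*' matches one label only: apex and deeper names fail here
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def covered_hosts(san_names, hostnames):
    """Map each hostname to the first SAN entry that covers it, or None."""
    return {h: next((s for s in san_names if name_matches(s, h)), None) for h in hostnames}


# Constructed sample: a wildcard-only SAN list, and one that also lists the apex.
WILDCARD_ONLY = ["*.domain.com"]
WILDCARD_PLUS_APEX = ["*.domain.com", "domain.com"]
HOSTS = ["sub.domain.com", "invoice.domain.com", "domain.com", "a.b.domain.com"]

if __name__ == "__main__":
    for sans in (WILDCARD_ONLY, WILDCARD_PLUS_APEX):
        print(f"SAN entries: {sans}")
        for host, by in covered_hosts(sans, HOSTS).items():
            print(f"  {host:20s} -> {'covered by ' + by if by else 'NOT covered'}")
```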

  • Meaning it hasn't been released...
    At least I haven't seen a release post... figured it was still beta...


    I'll try and grab this week and see how it goes


    ------
    Was reading on mobile and didn't see the entire post...
    Will try and send you the keys.
    The trick with Cloudflare is a bit different: they filter the IP address of the server, effectively hiding the actual server IP by routing all the data through them. Helps with attacks I guess.

    Edited once, last by viper_iii ().

  • @viper_iii


    Ok. Please read my previous answer again ;)


  • An SSL cert is normally bound to the domain name.
    If you provide the key and cert file, he is able to create a server with this cert and locally create a host entry pointing that domain at his own server.
    So he will communicate with your domain, BUT locally, so he can test the SSL on his own local machine.


    Anyway.
    I would recommend waiting for the release of 1.3.0 (which I'm doing as well, like a dog waiting for his master xD).

  • An SSL cert is normally bound to the domain name.
    If you provide the key and cert file, he is able to create a server with this cert and locally create a host entry pointing that domain at his own server.
    So he will communicate with your domain, BUT locally, so he can test the SSL on his own local machine.


    Anyway.
    I would recommend waiting for the release of 1.3.0 (which I'm doing as well, like a dog waiting for his master xD).

    Yes, I understand how that works.
    However, with Cloudflare that won't work; I'll probably have to aim Cloudflare at his server IP so that it fully resolves correctly...
    Otherwise you will get ssl-invalid when pointing the hostname directly at the IP locally, which is what I use as well for testing many times.


    The Cloudflare SSL is an "Origin" cert (not exactly sure how that works); basically it is not as secure as a fully trusted SSL cert and trusts that Cloudflare's cert is solid.


    So if he applies the SSL keys (sent via PM), then it won't work, as it will first require the Cloudflare server to be the initiator...


    So from there Cloudflare "proxies" all requests to your webserver, giving it another layer of protection. I haven't noticed any slowness and it tends to just work.


    More information on the process here:
    https://blog.cloudflare.com/cloudflare-ca-encryption-origin/



    Using Cloudflare as the nameservers vs i-MSCP: it would be really cool if there was an API that allowed edits made via i-MSCP to be applied on Cloudflare. I believe this is what DreamHost just went to, but not sure.

    Edited 2 times, last by viper_iii ().

  • 1.3.x definitely helped with the issues I was seeing.


    Had some cookie issues and clearing the cache helped. Also:


    For my use via Cloudflare, even using self-signed certs shows up as fully secure, interestingly enough, and I'm not even having to use the Origin cert provided...


    Might try that later though and see if it's all working correctly.


    -------
    To correct some of my tweaks / modifications in the ssl_conf files,
    I deleted the SSL certs via the GUI and then created self-signed ones for all domains with issues.


    Currently appears to be working well.


    Also have phpswitcher 2.2.5 installed and working. Really like the per-site option, and 7.x PHP is really much faster!