Untrusted SSL certificate

Quote from c0urier

Are you sure there is no insecure content on the site, I mean images linking/loading from other places.
I'm using Wildcard and I haven't seen that issue if it's correctly installed, only if we have had a relation to another site or a wrongly installed certificate.

Normally you can check what it tires to connected with ex. Chrome dev console.
https://support.google.com/chrome/answer/1342714?hl=en

Back to business...
I am testing the SSL issue again.
Correct me if I am wrong. But this is how we have done with SSL:

1. Installed IMSCP from scratch
2. We said yes to use SSL under installation
3. We chose smarthost as mail server (this works ok)
4. We said no to "have own certificate"
5. We said no to use local DNS server
6. Finished up the installation
7. Made all settings in admin panel (including activate ssl)
8. Made a reseller
9. logged in as reseller
10. made a hosting plan
11. made a customer
12. logged in to that customer
13. added the key and certificate and hit save
14. went to the site https://...

When looking at the certificate text it says:

maar.securenetwork.dk uses an invalid security certificate.

The certificate can not be relied on , as it is signed by the proprietor.
The certificate is only valid for *. Host2.concrete5.dk.

(Error code: sec_error_untrusted_issuer)

It seems to me that it thinks that it is the server certificate (host2.concrete5.dk), but the certificate is issued to *securenetwork.dk

Any idea?

Hello,

Both sites host2.concrete5.dk and maar.securenetwork.dk reuse the same ip? I bet it's SNI problem... See http://debian-handbook.info/br…sect.http-web-server.html

eg:

Quote

QUICK LOOK Apache supports SNI

Starting with Debian Squeeze, the Apache server supports an SSL protocol extension called Server Name Indication (SNI). This extension allows the browser to send the hostname of the web server during the establishment of the SSL connection, much earlier than the HTTP request itself, which was previously used to identify the requested virtual host among those hosted on the same server (with the same IP address and port). This allows Apache to select the most appropriate SSL certificate for the transaction to proceed.

Before SNI, Apache would always use the certificate defined in the default virtual host. Clients trying to access another virtual host would then display warnings, since the certificate they received didn't match the website they were trying to access. Fortunately, most browsers now work with SNI; this includes Microsoft Internet Explorer starting with version 7.0 (starting on Vista), Mozilla Firefox starting with version 2.0, Apple Safari since version 3.2.1, and all versions of Google Chrome.

The Apache package provided in Debian is built with support for SNI; no particular configuration is therefore needed, apart from enabling name-based virtual hosting on port 443 (SSL) as well as the usual port 80. This is a simple matter of editing /etc/apache2/ports.conf so it includes the following:

<IfModule mod_ssl.c>
NameVirtualHost *:443
Listen 443
</IfModule>

Care should also be taken to ensure that the configuration for the first virtual host (the one used by default) does enable TLSv1, since Apache uses the parameters of this first virtual host to establish secure connections, and they had better allow them!

Display More

I looked in to the file ports.conf:

Quote

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default
# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
# README.Debian.gz

#NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to <VirtualHost *:443>
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
Listen 443
</IfModule>

Display More

And added your suggestion:

Quote

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default
# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
# README.Debian.gz

#NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to <VirtualHost *:443>
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
NameVirtualHost *:443
Listen 443
</IfModule>

Display More

I still have problems and have to investigate if I have a bad certificate. It still comes up as untrusted!

It is totally ok. I am just confused about all this SSL stuff.

Take your time!

It is wildcard!

The certificate is for *.securenetwork.dk (not *.concrete5.dk)

But the hosting server has the hostname host2.concrete5.dk (our test server) and maar.securenetwork.dk is a customer (test customer for testing certificate).

Btw. We are roling back to clean snapshot again now. too many loose ends right now. faster to reinstall. Tried to install Zend Optimizer and some thing went wrong...