Difference between revisions of "SSL"
Revision history: edits by Rootadminacc (talk | contribs), minor edit to the SSL Format section; one intermediate revision by the same user not shown.
Latest revision as of 10:49, 25 February 2013
You cannot have two or more SSL certificates on one IP address, because name-based virtual hosting doesn't work for SSL. The Host header is part of the encrypted payload, so Apache/IIS doesn't know which certificate to present before the handshake completes. Therefore you need a second dedicated IP address for a second SSL certificate unless you use SNI (Server Name Indication).
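The point above is that the Host header only arrives after encryption is set up, while SNI puts the requested host name into the cleartext ClientHello, where the server can read it before choosing a certificate. The following is an added example (not from this wiki or from Plesk/Apache) that builds a constructed ClientHello, extracts the server_name extension the way a server would, and picks a certificate for a shared IP; a client that sends no SNI gets the IP's default certificate, which is exactly why a second certificate on one IP needs SNI or a dedicated address. The certificate file names in CERTS are constructed sample values.

```python
import struct


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (sample data, not captured from a real client)."""
    body = b"\x03\x03" + bytes(32)                    # client_version + a zeroed 'random' field
    body += b"\x00"                                    # empty session_id
    suites = b"\xc0\x2f\xc0\x30"                       # two cipher suite identifiers
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                # compression_methods: null only
    exts = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name    # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0, len(sni_list)) + sni_list  # extension type 0 = server_name
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22 = handshake


def extract_sni(record):
    """Return the host_name from the ClientHello's server_name extension, or None if it is absent."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    off = 2 + 32                                       # skip client_version and random
    off += 1 + body[off]                               # skip session_id
    off += 2 + struct.unpack("!H", body[off:off + 2])[0]   # skip cipher_suites
    off += 1 + body[off]                               # skip compression_methods
    if off + 2 > len(body):
        return None                                    # no extensions block at all (old clients)
    ext_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    end = off + ext_len
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        data = body[off + 4:off + 4 + elen]
        off += 4 + elen
        if etype != 0:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            if ntype == 0:
                return data[p:p + nlen].decode("ascii")
            p += nlen
    return None


def select_certificate(record, certs_by_name, default_cert):
    """Pick the certificate a server would present for this ClientHello on a shared IP."""
    return certs_by_name.get(extract_sni(record), default_cert)


# constructed sample vhost table: SNI host name -> certificate file
CERTS = {"www.example.com": "example-com.crt", "shop.example.net": "shop-net.crt"}

if __name__ == "__main__":
    print(select_certificate(build_client_hello("shop.example.net"), CERTS, "default.crt"))
    print(select_certificate(build_client_hello(), CERTS, "default.crt"))
```

The second call shows the failure mode the page describes: with no SNI the server can only serve the IP's default certificate, so a browser expecting the other site gets a name mismatch warning.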
Copying SSL from server to server
If you have a certificate in PKCS#12 format (a .p12 or .pfx file), you may want to go here to find the OpenSSL command to convert it to PEM.
Generate CSR in Plesk
Plesk 9
- Main Menu - Domains
- Click the Domain
- Additional Tools - SSL Certificates
- Add SSL Certificate
- Enter the certificate name
- Fill in the preferences and set the Bits to 2048
- Click Request
- Go back to the SSL certificates menu > click the SSL
- Send the CSR and Private Key to the SSL provider.
Plesk 10
- Hosting Services - Domains
- Open in Control Panel for the domain
- Websites and Domains
- Secure Your Sites
- Same steps as Plesk 9 from "Add SSL Certificate"
Ensure you check/do the following
- Create the following email address to receive the confirmation email as SSL providers have specific requirements: admin@yourdomain (domain name of the SSL)
- Purchase the SSL with www where possible.
- Understand what an SSL is and if you need one.
Oops, no RSA or DSA server certificate found for...
Apache SSL error:
Oops, no RSA or DSA server certificate found for 'www.somedomain.com:0'?!
In /etc/apache2/sites-available/, edit the site's SSL vhost file (vim domain.co.ukssl) and add in the following:
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
Google Search of Transferring SSL certificate to new server
Install an SSL certificate into Plesk
- 1) Ensure you know if it is a Domain, Organizational or Extended SSL before installing.
- 2) Login to the Plesk Control Panel.
- 3) Go to Server Management - Tools & Utilities > SSL Certificates > Add SSL Certificate
- 4) Enter a name for your SSL. This can be anything.
- 5) Select 2048 from the Bits drop down menu.
- 6) Enter the domain name that you bought the SSL with. To check if you bought it with or without www, copy the Certificate and put it into this.
- 7) Add in the Private Key, Certificate and just the DomainSSL CA Bundle from here, or the OrganizationSSL Root Bundle here, ONLY if it is GlobalSign.
- 8) Go to Server Management - Tools & Utilities > Resources - IP Addresses > Click the IP.
- 9) Set it to Dedicated.
- 10) Select the SSL Certificate from the dropdown menu
- 11) Set the Default Site to your website.
- 12) Then go to Hosting Services - Domains > click Control Panel.
- 13) Go to the Websites and Domains tab > click the domain itself.
- 14) Under Security select Enable SSL Support.
- 15) Check the SSL here. Using this tool as well you can ensure you have a Domain, Organizational or Extended SSL under the Issuer heading. Ensure you have the correct root/CA bundle.
Note: Wildcard SSLs use a Domain SSL CA.
Alternate guide
- 1) Login to the Plesk Control Panel.
- 2) Select Domains from the left hand menu.
- 3) Click on the domain name that the certificate is for - "yourdomain.com".
- 4) Click on the Certificates menu item.
- 5) There is a button in the middle of the page labelled Browse. Click Browse and navigate to the location of the certificate (save certificate into .txt) you received.
- 6) Select it, then select Send File, this will upload and attach the certificate to the corresponding private key.
- 7) The certificate name will now appear in the list of certificates at the bottom of the page. Click on the name of the certificate in the list.
- 8) Download the appropriate CA/CA Bundle and paste contents in the CA Certificate box.
- 9) Click the Send Text button.
- 10) Now click Up Level from the top right of the screen and choose Setup.
- 11) At the top of the page, select the SSL Certificate you've installed from the SSL Certificate drop-down menu.
- 12) Click the Server item from the left hand menu.
- 13) Click on the Service Management menu item.
- 14) You now need to Stop and Start the Apache process.
Bundle Intermediate Root CA's
AlphaSSL root intermediate CA
Comodo root intermediate CA
These are GlobalSign's:
DomainSSL Root Bundle
DomainSSL Root CA
OrganizationSSL Root Bundle
ExtendedSSL Root Bundle
OLD pre-June 2011 OrganizationSSL Root Bundle
Install through command line
This can be used after the SSL has been placed in Plesk within either the Domain or Server SSL section.
Linux:
cd /opt/psa/bin
./certificate --assign-cert "CertificateName" -domain yourdomain.com -ip ServerIPAddress
Or:
cd /usr/local/psa/admin/plib/api-cli
./certificate.php --assign-cert "CertificateName" -domain yourdomain.com -ip ServerIPAddress
Windows:
CLI guide: http://download1.parallels.com/Plesk/PPP9/Doc/en-US/plesk-9.5-win-cli.pdf
cd %plesk_cli%
certificate.exe --assign-cert "CertificateName" -domain yourdomain.com -ip ServerIPAddress
Plesk + CentOS SSL bug
httpd can pick up a Private Key in /etc/httpd/conf.d/ssl.conf potentially from either:
/etc/pki/tls/certs/localhost.crt
or
/etc/pki/tls/private/localhost.key
or from another directive below line 68 of that file. You can sometimes comment out everything from line 68 onward and then check whether it works on http://sslshopper.com/ssl-checker.html
You can see the original file on the server with: vim /etc/httpd/conf.d/ssl.conf
Install SSL in WHM/cPanel
I understand the risks on domain SSL
If a domain shows the browser's "I Understand the Risks" warning for its SSL, check the Technical Details and which domains the certificate is registered for. Use SSL Checker.
If the domain shows as having issues with the common name, it is likely the SSL was ordered with the www prefix but installed without, or vice versa.
PEM extraction
PKCS/PFK/PFX
Plesk SSL errors
Unable to set the certificate: Unable to put certificate file: Unable to arrange cert file: cp2tempnam failed: filemng failed: filemng: Unable to open file "/var/lock/files/": No such file or directory.
Create the /var/lock/files directory manually and remove entries from the psa database, certificates table.
ERROR: PleskFatalException
SSLCertificate::check_signs() failed: openssl_x509_checkpurpose() failed:
0: CertificatePropertiesUIPointer.php:454 CertificatePropertiesUIPointer->accessItemEdit(string 'POST', NULL null)
1: CertificatePropertiesUIPointer.php:19 CertificatePropertiesUIPointer->accessItem(string 'POST', NULL null)
2: UIPointer.php:595 UIPointer->access(string 'POST')
3: plesk.php:52
Possible solution for CentOS on Plesk 10.3: http://forum.parallels.com/showthread.php?t=112512
Open SSL Guide: http://php.net/manual/en/book.openssl.php
The above occurred when installing an SSL issued by GlobalSign through 123-reg.co.uk.
Server Name Indication - SNI
- Via Tools and Utilities > Shared SSL [Switch on Shared SSL] for specific domain/subscription
- Go into Subscriptions, click the specific one you switched it on for
- Manage in Control Panel > Websites and Domains tab
- Show Advanced Operations
- Manage each Domain
- [Switch on Shared SSL] under the specific domain/subscription
- Leave virtual directory name as is
- Set httpdocs
http://tutorials.ausweb.com.au/web-hosting/plesk-server-management-windows/managing-shared-ssl.html
http://www.1hostingvision.com/shop/faq.cfm?Action=foundqa&faqid=564&FAQCategoryID=273
http://www.codero.com/knowledge-base/questions/51/__print
http://www.ourshop.com/resources/shared-ssl.html
http://support.hostgator.com/articles/ssl-certificates/ssl-setup-use/how-to-set-up-and-use-your-shared-ssl
SSL Checker messages
SSL doesn't work with www
Checking in SSL Checker if you get "None of the common names in the certificate match the name that was entered. You may receive an error when accessing this site in a web browser."
Go to http://www.sslshopper.com/certificate-decoder.html and enter your Certificate including the BEGIN and END lines. It will show you the common name it was ordered with. You may need to re-purchase the SSL with www, as doing so normally secures the site both with and without www; buying without www may only secure the non-www version.
Intermediate/chain/CA incorrect
If you receive "You may need to install an Intermediate/chain certificate to link it to a trusted root certificate." on SSL Checker, go to http://www.globalsign.com/support/root-certificate/root-globalsign.php, copy the whole CA certificate into Notepad, and then paste it into your domain's SSL section.
Bug: On Plesk 11 for a Wildcard SSL if the CA is not picked or it says it is incorrect when it is the right one, do /opt/psa/admin/bin/nginxmng --disable
SSL Format
If you receive one or more parts of an SSL and they are incorrectly formatted, you can fix this by putting the text into this tool:
https://www.sslshopper.com/certificate-key-matcher.html
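The two checks this page sends you to sslshopper for (the common name a certificate was ordered with, under "SSL doesn't work with www", and whether a certificate belongs to a private key, under "SSL Format") can be done offline. The following is an added example, not from this wiki or from sslshopper: it contains a small DER reader that pulls the subject CN and the RSA modulus out of a PEM certificate, reads the modulus out of a PKCS#1 private key, and compares the two. Because no real key material is on the page, the sample certificate and keys are constructed inside the script from toy primes (far too small for real use) with a placeholder signature; the function and constant names are this example's own.

```python
import base64

# --- minimal DER encoder, used only to build the constructed sample data ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(i):                      # positive INTEGER, leading 0x00 when the top bit is set
    return tlv(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))

def der_seq(*items):
    return tlv(0x30, b"".join(items))

OID_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"         # 1.2.840.113549.1.1.1 rsaEncryption
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11 sha256WithRSA
OID_CN = b"\x55\x04\x03"                                  # 2.5.4.3 commonName

def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def build_rsa_key_pem(p, q, e):
    """PKCS#1 RSAPrivateKey from toy primes (constructed sample, not a usable key)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    ints = [0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    return to_pem("RSA PRIVATE KEY", der_seq(*[der_int(i) for i in ints]))

def build_cert_pem(common_name, n, e):
    """X.509 certificate with the given CN and RSA modulus; the signature is a zero placeholder."""
    name = der_seq(tlv(0x31, der_seq(tlv(0x06, OID_CN), tlv(0x0c, common_name.encode()))))
    sig_alg = der_seq(tlv(0x06, OID_SHA256_RSA), tlv(0x05, b""))
    key_alg = der_seq(tlv(0x06, OID_RSA), tlv(0x05, b""))
    spki = der_seq(key_alg, tlv(0x03, b"\x00" + der_seq(der_int(n), der_int(e))))
    validity = der_seq(tlv(0x17, b"130225000000Z"), tlv(0x17, b"140225000000Z"))
    tbs = der_seq(tlv(0xa0, der_int(2)), der_int(1), sig_alg, name, validity, name, spki)
    return to_pem("CERTIFICATE", der_seq(tbs, sig_alg, tlv(0x03, b"\x00" * 9)))

# --- minimal DER reader, enough to walk a certificate and a PKCS#1 key ---
def der_read(buf, off=0):
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:
        k = ln & 0x7f
        ln, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + ln], off + ln

def der_children(body):
    out, off = [], 0
    while off < len(body):
        tag, val, off = der_read(body, off)
        out.append((tag, val))
    return out

def pem_to_der(pem):
    b64 = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(b64)

def cert_subject_and_spki(cert_pem):
    _, cert, _ = der_read(pem_to_der(cert_pem))
    _, tbs, _ = der_read(cert)
    fields = der_children(tbs)
    if fields[0][0] == 0xa0:          # optional explicit [0] version comes first
        fields = fields[1:]
    serial, sig_alg, issuer, validity, subject, spki = fields[:6]
    return subject[1], spki[1]

def cert_common_name(cert_pem):
    """The CN the certificate was issued for, e.g. to see whether it includes www."""
    subject, _ = cert_subject_and_spki(cert_pem)
    for _, rdn in der_children(subject):          # each RDN is a SET of AttributeTypeAndValue
        for _, atv in der_children(rdn):
            (_, oid), (_, value) = der_children(atv)
            if oid == OID_CN:
                return value.decode()
    return None

def cert_modulus(cert_pem):
    _, spki = cert_subject_and_spki(cert_pem)
    _, bits = der_children(spki)[1]
    _, pub, _ = der_read(bits[1:])                # skip the unused-bits octet of the BIT STRING
    return int.from_bytes(der_children(pub)[0][1], "big")

def key_modulus(key_pem):
    _, key, _ = der_read(pem_to_der(key_pem))
    return int.from_bytes(der_children(key)[1][1], "big")

def certificate_matches_key(cert_pem, key_pem):
    """True when the certificate's public modulus equals the private key's modulus."""
    return cert_modulus(cert_pem) == key_modulus(key_pem)

# constructed sample data: toy primes, not real key material
SAMPLE_KEY = build_rsa_key_pem(61, 53, 17)
OTHER_KEY = build_rsa_key_pem(101, 103, 7)
SAMPLE_CERT = build_cert_pem("www.example.com", 61 * 53, 17)

if __name__ == "__main__":
    print("CN:", cert_common_name(SAMPLE_CERT))
    print("matches own key:", certificate_matches_key(SAMPLE_CERT, SAMPLE_KEY))
    print("matches other key:", certificate_matches_key(SAMPLE_CERT, OTHER_KEY))
```

The modulus comparison is the same test that `openssl x509 -noout -modulus -in cert.pem` and `openssl rsa -noout -modulus -in key.pem` let you do by eye: for a matching pair the two outputs are identical, and a difference means the certificate was issued for a different CSR than the key you have.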
SSL on Plesk login
- Tools and Utilities
- SSL Certificates
- Click the checkbox next to the SSL
- Secure the panel
Self-signed certificate
This message relates to the untrusted connection warning that is shown when logging into Plesk or cPanel. The certificate used to secure Plesk/cPanel is self-signed and is safe to accept. Please note you will also receive this security warning when accessing the WHM (Web Host Manager) or Virtuozzo Control Panel and Parallels Product Installer pages.
When logging into your server over port 8443, you may be presented with a security warning by the web browser. This is due to the type of certificate being used for added security. There are 2 types of certificates: an Authority Signed certificate and a Self Signed certificate.
Both are the exact same level of security, but a self-signed certificate is issued by the hosting company or control panel and needs to be accepted in the user's browser. This is because the browser does not recognize the hosting company or control panel as the issuer, whereas it already recognizes established authorities who issue SSL certificates.
In order to access your server over port 8443, you will need to accept the security warning.
SSL Renegotiation
The wrong certificate is shown for my domain in the browser
This page includes other resources which are not secure
This confirms that it is something in your code.
Notes:
With regard to TLS renegotiation, this is a new feature only recently made public. The majority of servers do not support it yet, so you would need to install it yourself.
If the SSL certificate doesn't match your private key, this suggests that it was ordered with the wrong CSR. We would recommend you contact the SSL provider.
What an SSL secures
Having an SSL certificate and using secure HTTP encrypts sensitive data while it is transmitted over the Internet. Phishing comes down to the coding of the website, the permissions of folders and simply setting poor passwords, and is therefore not directly related to HTTPS.
Note that SSL will not be enabled for your entire store but only for the sections where sensitive data is transmitted. This is because secure connections (HTTPS) are slower than regular connections (HTTP), hence SSL is applied only where it is really needed.
1) Confirm that the SSL Certificate was successfully installed. Look at the website to see that HTTPS activates on a transactional page where personal information will be transmitted over the Internet.
2) It is normal practice to have only these pages resolving via HTTPS.
3) If you wish to use the HTTPS protocol throughout your website (Magento, for example), go to the Magento Admin area: System -> Configuration -> Web. Enable "Use Secure URLs in Frontend".
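The "This page includes other resources which are not secure" message under SSL Renegotiation, and the partial-HTTPS setup described just above, have the same practical check: on a page served over HTTPS, find every subresource that is still loaded over plain http://, since those are what the browser is complaining about and they come from the site's own code rather than the certificate. The following is an added example, not from this wiki or from any of the products named on it: a small scanner built on Python's html.parser that reports such resources. The HTML it runs over is a constructed sample.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> attributes that make the browser fetch a subresource
RESOURCE_ATTRS = {
    "img": ("src",), "script": ("src",), "link": ("href",), "iframe": ("src",),
    "source": ("src",), "video": ("src", "poster"), "audio": ("src",),
    "embed": ("src",), "object": ("data",),
}


class MixedContentFinder(HTMLParser):
    """Collect (tag, attribute, absolute URL) for subresources fetched over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for wanted in RESOURCE_ATTRS.get(tag, ()):
            for name, value in attrs:
                if name == wanted and value:
                    # resolve relative and protocol-relative (//host/...) URLs against the page
                    url = urljoin(self.page_url, value.strip())
                    if urlsplit(url).scheme == "http":
                        self.findings.append((tag, wanted, url))


def find_mixed_content(page_url, html):
    """Return the insecure subresources of an HTTPS page; an HTTP page cannot have mixed content."""
    if urlsplit(page_url).scheme != "https":
        return []
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


# constructed sample checkout page: one stylesheet and one image are hard-coded to http://
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://cdn.example.com/app.js"></script>
<script src="//cdn.example.com/jquery.js"></script>
</head><body>
<img src="/images/logo.png">
<img src="http://www.example.com/images/banner.gif">
<a href="http://www.example.com/about">About</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content("https://www.example.com/checkout", SAMPLE_HTML):
        print(f"insecure {tag} {attr}: {url}")
```

Links (`<a href>`) are deliberately not reported, since following one is a navigation rather than a resource load; the protocol-relative script and the root-relative image resolve to https:// on an HTTPS page and so are not flagged either.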