SSL config for the server

So I decided to test my server’s SSL config via the Qualys SSL Labs test, right? It immediately fails the test because it immediately goes to a customer’s domain, which has an invalid SSL certificate… I’ve already informed the customer of this.

I discover that for whatever reason, InterWorx does NOT have the server’s system page set to use SSL by default.

For example, if I’m trying to configure https://helmsgate.eidolonhost.com, you’ll notice that it goes to a customer’s account instead. Obviously, this is not what I want.

So I’ve spent the last little while looking for where InterWorx’s hiding the SSL certificates for itself since NodeWorx and SiteWorx are secured by a valid Comodo SSL certificate. It seems to be located in /etc/pki/tls/certs/localhost.crt in ssl.conf but I’m not sure if that’s the correct location.

Also… why is /var/www/html not using an SSL certificate by default? Or rather, where’s the system page that shows up when you normally visit a server’s website directly via its hostname? I ask because it seems to be missing and I’m having trouble finding where the Welcome page that’s generated by default for SiteWorx accounts would be for just the /var/www/html area.

Note: If you visit http://helmsgate.eidolonhost.com you will see the word “Test”. So it’s CLEARLY working… but I’ve no idea where its config for that is.

Hi kerio

This has been covered here on the forums for some time, but please see this post, which should help explain a little

If you want the server hostname to be validated, you need to create the siteworx account for it

I hope that helps and hope you enjoy the Christmas break

Many thanks

John

Shared IP SSL not working correctly
Hi

I’m sorry to bother you, and we have had a client install an SSL on our shared IP used for hosting, which appears to have stopped the server SSL from being accessed.

I’m sorry if the above is not explained well, but I’ll try to explain more as follows (please note this is on a shared hosted IP):

Server SSL installed and working fine (with no other SSL installed)

Client installed their own SSL onto their domain in siteworx

When checking server SSL using qual labs, it shows the client SSL, and fails test (on trust)

I set the client to dedicated IP, all returns to normal

I copied the PK, CSR, Cert and chain, deleted the SSL and returned client back to shared IP, but when attempting to put the SSL back, it failed stating Cert does not match for private key.

I asked our client to resetup SSL from new, which they completed, and it is back to failing SSL test for server SSL, whilst the client SSL is fine, but then there is only these 2 SSL on the shared IP.

I have not taken any pictures as we don’t have permission to show the client’s domain.

Please could I ask if we have not completed anything correctly or if this is a bug perhaps.

Lastly, the openssl was updated this morning to ver 5.4 from ver 5.1

Thanking you all in advance

Many thanks

John

http://forums.interworx.com/showpost.php?p=25029
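
An added example, not from the thread or from InterWorx: a minimal Python model of Apache's name-based virtual host selection, showing why an HTTPS request for a hostname with no vhost of its own on a shared IP is answered by the first vhost listed for that IP (here a customer's) with that vhost's certificate. The IP, domains and paths in the sample are constructed placeholders; wildcard aliases and `*:443` addresses are not modelled.

```python
import re

# Constructed sample: two customer vhosts on one shared IP, none for the
# server's own hostname. All names and paths are placeholders.
SAMPLE_CONF = """
<VirtualHost 203.0.113.10:443>
    ServerName customer.example
    ServerAlias www.customer.example
    SSLCertificateFile /home/customer/var/customer.example/ssl/customer.example.crt
</VirtualHost>
<VirtualHost 203.0.113.10:443>
    ServerName shop.example
    SSLCertificateFile /home/shop/var/shop.example/ssl/shop.example.crt
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>\s]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    """Return the vhosts in file order as dicts: addr, names, cert."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf):
        names, cert = [], None
        for line in body.splitlines():
            parts = line.split()
            if len(parts) < 2 or parts[0].startswith("#"):
                continue
            key = parts[0].lower()
            if key in ("servername", "serveralias"):
                names += [n.lower() for n in parts[1:]]
            elif key == "sslcertificatefile":
                cert = parts[1]
        vhosts.append({"addr": addr, "names": names, "cert": cert})
    return vhosts

def select_vhost(vhosts, addr, host):
    """Model of the selection: the first vhost on addr whose ServerName or
    ServerAlias equals host; otherwise the FIRST vhost listed for addr."""
    candidates = [v for v in vhosts if v["addr"] == addr]
    for v in candidates:
        if host.lower() in v["names"]:
            return v, True
    return (candidates[0], False) if candidates else (None, False)

if __name__ == "__main__":
    vhost, matched = select_vhost(parse_vhosts(SAMPLE_CONF),
                                  "203.0.113.10:443", "server.example")
    print("matched by name:", matched, "| certificate served:", vhost["cert"])
```

A result with `matched` false means the hostname is being answered by the default vhost, which is the situation an SSL Labs trust failure on the server hostname points to.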

I was hoping to not have to do it that way… is it really the only way to do that? If so, why was it not ever made an option to NOT do it that way like cPanel can?

Hi kerio

IW are aware of this, and it’s on the roadmap to change it I believe.

You currently have 2 options, first as above or secondly, set each SSL to static IP

These are the only current options I’m aware of myself apart from setting every SSL on first setup, which is the way cpanel overcomes SNI https I believe

Many thanks

John

Hi Kerio
I was thinking about this, and thought you could use the following, which redirects back to http (unsecure) website. You could add it as a hook to automate it, but it is based on the server domain name SSL (which must first exist as siteworx account) and you need to replace the following with your own correct information:
IP-ADDRESS: IP address of your shared server for hosting
SITEWORX-ACCOUNT.DOMAIN: your siteworx account domain (not server siteworx name)
server-Unix-name: your siteworx unix name
server-domain.name: your server domain name (not your siteworx domain name)
This was only a quick 10 minute fix, tested partially so it correctly redirects back to non secure web site, and I am sure there is a better solution, or the code could be reduced, so please feel free to add to or change as you see fit, but I would ask if you do, if you could update this post.
I hope it helps a little
Many thanks
John

<VirtualHost IP-ADDRESS:443>
ServerName SITEWORX-ACCOUNT.DOMAIN
# Send every HTTPS request for this domain back to the plain-HTTP site
RewriteEngine On
RewriteCond %{HTTPS} on
# ^/? avoids a doubled slash: in VirtualHost context the matched path starts with "/"
RewriteRule ^/?(.*)$ http://%{HTTP_HOST}/$1 [L,R=301]
# The TLS handshake uses the server hostname's certificate, key and chain
SSLEngine on
SSLHonorCipherOrder On
SSLCACertificatePath /home/server-Unix-name/var/server-domain.name/ssl
SSLCertificateKeyFile /home/server-Unix-name/var/server-domain.name/ssl/server-domain.name.priv.key
SSLCertificateFile /home/server-Unix-name/var/server-domain.name/ssl/server-domain.name.crt
SSLCACertificateFile /home/server-Unix-name/var/server-domain.name/ssl/server-domain.name.chain.crt
SSLOptions +ExportCertData +StrictRequire
# Straight quotes are required here; typographic quotes are not valid config syntax
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>

I eventually built a new server and properly set up the IW SiteWorx account for the hostname. Works nicely, I must say, since I made a server-wide change to ensure that every single domain on the server that has SSL certs automatically get A+.

Pleased as punch that I made it work server-wide and not just site specific. Gotta love ssl.conf! :stuck_out_tongue:

Edit: Feel free to check out the server’s rating. The server is https://helmsgate.eidolonhost.com and there’s a link to the SiteWorx log-in. I should probably do some stuff to prettify the default page with tutorials and whatnot…

I would be interested to know what changes you made to accomplish A+. I’ve been A for a while and have never seemed to be able to push to A+. I’m guessing that has to do with HSTS and SNI support on all domains (those two things are at the top of your report but not mine https://www.ssllabs.com/ssltest/analyze.html?d=sereph.122media.com). Are those the changes you are talking about?

Yup. I will update on this later. I am on mobile.