Vhostswithssl

From ISPMan


If, for example, you created a vhost called "www" and want to "enable SSL" for it, you can proceed as follows:

  1. Create SSL Certs as usual (manually)
  2. Create a vhost called "www:443" within ISPMan's admin UI.
  3. On creation, set the vhost's documentroot / homedirectory to /var/www/mydomain/vhosts/www
    (it defaults to /var/www/mydomain/vhosts/www:443, which is most likely not what you want)
  4. Set the IP address for that vhost. You need a separate IP address for each additional SSL vhost. Only one cert per IP. That usually means: one IP, only one SSL vhost (wildcard certs might be an exception).
  5. Create the directory /var/www/mydomain/vhosts/shop/certs/ and copy your cert files in. Remember to set the permissions so that only your user and root can read them (otherwise the other users on the system can easily steal your identity).
  6. Add the "Enable SSL stanza" in the "Extra Configuration" of the vhost:


"Extra Configuration"

SSLEngine             on
SSLCertificateFile    /var/www/mydomain/vhosts/www/certs/www.mydomain.pem.crt
SSLCertificateKeyFile /var/www/mydomain/vhosts/www/certs/www.mydomain.key
SSLCACertificateFile  /var/www/mydomain/vhosts/www/certs/cross-ca-bundle.crt

This of course only works if your Apache is already prepared to run SSL (via mod_ssl or apache_ssl, for example; e.g. with "a2enmod ssl").
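One way to check and enforce the permission requirement from step 5, as an added example that is not part of the original ISPMan page. The function names `audit_cert_dir` and `lock_down_cert_dir` are hypothetical, and the script assumes Apache is started as root (the usual setup), so it can still read the files afterwards.

```shell
#!/bin/sh
# Added example: audit and tighten permissions on a vhost cert directory.
# Function names are hypothetical; pass the cert directory as the argument.
# Assumption: Apache is started as root and reads the key at startup, so
# owner-only permissions do not break the vhost.

# Print every entry under DIR (DIR included) that group or others can
# read, write or traverse. Returns 0 if clean, 1 on findings, 2 on bad input.
audit_cert_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # Symlinks always show mode 777, so they are skipped here.
    loose=$(find "$dir" ! -type l \
        \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$loose" ]; then
        echo "accessible to group/others:" >&2
        echo "$loose" >&2
        return 1
    fi
    return 0
}

# Restrict DIR to its owner: 700 on directories, 600 on regular files.
# root can read regardless of the mode bits.
lock_down_cert_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    find "$dir" -type d -exec chmod 700 {} +
    find "$dir" -type f -exec chmod 600 {} +
}
```

Run `audit_cert_dir` as the vhost's user after copying the files in; a non-zero exit status means some other account on the system can reach the private key.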


To protect the ISPMan Web UI, you should at least use a self-signed SSL cert. On Debian there is a package "ssl-cert" which ships a script called "make-ssl-cert", which can create such a snakeoil cert in one line:


/usr/sbin/make-ssl-cert generate-default-snakeoil [--force-overwrite]

To protect the ISPMan Web UI you can use these stanzas in the Apache context of the Web UI:


SSLEngine             on
SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key