[BlueOnyx:09907] Re: SSL Warning On 5106R

SB9-PageKeeper Service ml at sb9.com
Tue Mar 27 13:30:09 -05 2012


----- Original Message ----- 
Subject: Re: [BlueOnyx:09900] Re: SSL Warning On 5106R


> Hi David,
>
> SB9-PageKeeper Service wrote:
>> I'm aware that SSL must be on only 1 IP and not shared.
>> That IP is being shared but no SSL is being used for it.
>> netstat -an does not show that IP address state as LISTEN.
>
> Is there actually a certificate that is installed for the site?

No.

>
> I have seen this behavior before where although SSL is enabled, a cert is 
> not actually installed.  This can happen when you generate a new CSR 
> without having the "self-signed" checked.

All sites on the .71 IP address show the default message below on the SSL in 
BO.
"There is currently no certificate for this site. Create or import a 
certificate to view information for that certificate."

>
> When you start SSL on a site, you need to generate a CSR (click "Create 
> Signing Request") and ensure that you have "Generate Self-Signed 
> Certificate" checked.   The reason for this is because BlueOnyx will 
> generate a "placeholder" certificate to get the SSL service started on the 
> site while you wait for the certificate to come back from your CA.

Doesn't apply here. This warning happens during the vsite creation on the 
shared IP.

"SSL is already being used by 'www.1st-site-using-this-IP.xxx' which shares 
the same IP address, 'Shared.IP.Address.nnn', as this site.
SSL can only be enabled for one site using a shared IP address. Change the 
IP address of this site or disable
SSL for 'www.1st-site-using-this-IP.xxx' if you want to enable SSL for this 
site."

On the other SSL problem (below)... that's the other problem with the GUI not 
importing...
"[BlueOnyx:09573]  Unable to Import Signed SSL Cert"
It creates the placeholder. It just won't upload the signed cert.
(I end up overwriting the placeholder with the externally signed cert till a 
fix is found)
2 different issues with the SSL part of the GUI.

>
> If you do NOT allow this placeholder self-signed cert, then sometimes what 
> will happen is the service will just fail to start on the site.
>
> In the event you have already submitted your CSR and received your "real" 
> cert back already, then here is what I would suggest to "kick start" the 
> SSL service:
>
> From CLI, as root go to /home/sites/www.domain.tld/ and execute the 
> following commands to backup your cert directory:
>
> # mkdir cert-bak
> # cp certs/* cert-bak/
>
> Now in the BX GUI, go to the SSL management for the site and click "Create 
> Signing Request" and ensure that you have "Generate Self-Signed 
> Certificate" checked.   This is going to create a new CSR and overwrite 
> what you had in the certs directory before.  In other words, if you 
> already got a cert, this will invalidate it.  That's the reason for the 
> backup above.  You can discard the CSR that is generated.
>
> Now go back to the CLI and execute:
> # rm -rf certs/*
> # cp cert-bak/* certs/
> # service httpd restart
>
> See if that doesn't get things shaken out for you.
>
> -- 
> Chris Gebhardt
--

Thanks
David Hahn 
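
Both the restore step quoted above and the manual overwrite of the placeholder put certificate files in place by hand, so it is worth confirming that the certificate on disk pairs with the private key before `service httpd restart`. The script below is an added example, not part of the original message or of BlueOnyx; the file names `certs/certificate` and `certs/key` in its usage comment are assumptions.

```shell
#!/bin/sh
# Added example: confirm the restored certificate pairs with the private key,
# and is no longer the self-signed placeholder, before restarting httpd.
# Assumption: PEM files with an unencrypted key; pass the paths as arguments.

# Succeeds only when the certificate's public key equals the key's public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Heuristic: a certificate whose subject equals its issuer is self-signed.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# Exit codes: 0 = CA-signed cert matching the key, 1 = cert/key mismatch
# (or unreadable file), 3 = matches but is still a self-signed placeholder.
check_pair() {
    if ! cert_matches_key "$1" "$2"; then
        echo "MISMATCH: $1 does not belong to $2; do not restart httpd"
        return 1
    fi
    if is_self_signed "$1"; then
        echo "PLACEHOLDER: $1 matches the key but is self-signed"
        return 3
    fi
    echo "OK: $1 matches $2 and was issued by: $iss"
    openssl x509 -in "$1" -noout -enddate
}

# Run only when called with arguments, e.g. from /home/sites/www.domain.tld/:
#   sh check-cert.sh certs/certificate certs/key   (file names are assumed)
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```

A mismatch result means the signed certificate was issued for a different CSR than the key now in the directory, which is the situation the backup in the quoted procedure is meant to avoid.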



