adding SSL to existing virtual server with active subdomains

I already have SSL with a commercial cert set up for the server's 'own' domain (and copied to webmin, usermin, dovecot and postfix). That's all working fine. I use external DNS services and so have local DNS services disabled.

IF I was setting up a new virtual server, the set-up process includes being able to specify a Virtual Network Interface and I could use one of the additional IPs assigned to my physical server. However, I need to activate SSL (with a wildcard cert) for an existing virtual server with active subdomains, and in that case things don't look so straightforward. It's a production site so I'm reluctant to just try things hoping they'll work, and so I would appreciate some step-by-step guidance if possible.

Thanks in advance. (sorry if this is a duplicate)

Status: Closed (fixed)

Comments

Howdy -- there are instructions for adding a new SSL certificate to a Virtual Server here:

http://www.virtualmin.com/documentation/tutorial/how-to-add-an-ssl-certi...

The Virtual Servers are controlled individually -- so changing the top-level Virtual Server won't affect its Sub-Servers.

The instructions above include having you move the Virtual Server to its own IP address -- so you'll also need to update your DNS service with your domain's new IP address.

Submitted by SoftwareLibrarian on Wed, 07/06/2011 - 20:09 Pro Licensee

When I get to step 5 of the instructions you directed me to - clicking 'Change Now' after entering the new private IP for the virtual server, I get the following message:

Failed to change IP address : No interface for the IP address 208.75.57.225 exists

I know that the addresses .224 (the address currently used by the physical server) through .228 are assigned to my server - what am I missing?

Is that IP already set up on your server?

If so, you'd need to click the "Already Active" checkbox next to the IP address you enter, prior to clicking "Change Now".

Submitted by SoftwareLibrarian on Wed, 07/06/2011 - 20:36 Pro Licensee

Ok, I tried it again - making SURE I checked "Already Active", but I got the same result:

Failed to change IP address : No interface for the IP address 208.75.57.225 exists

Is there somewhere else I need to indicate that the additional addresses .225 through .228 point at this physical server?

Hmm, that makes it sound like that particular IP address may not be active on your server.

What output do you receive if you run this command:

ifconfig | grep 208.75.57.225

If there isn't any output, that sounds like the interface isn't active. All that means is that when in the Change IP Address screen, you'd want to avoid checking the "Already active" checkbox.

Submitted by SoftwareLibrarian on Wed, 07/06/2011 - 21:04 Pro Licensee

ok, that seemed to do the trick for the virtual server - arabianhorseworld.com - now, what do I do about the IP address for the existing sub-servers, video.arabianhorseworld.com and subscription.arabianhorseworld.com ? (I'm going to get a wildcard cert for *.arabianhorseworld.com)

I think that one is as simple as going into Change IP Address, and changing the IP for your Sub-Server to the same IP that hosts your wildcard SSL certificate. Virtualmin should at that point detect that the SSL cert applies to your Sub-Server, and would allow you to specify the same IP address.

That does assume that you've already added the wildcard SSL cert to the top-level Virtual Server.

I would use a .htaccess file for that.

Go into the public_html folder for the domain "subscription.arabianhorseworld.com", and create a .htaccess file with the contents:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://subscription.arabianhorseworld.com/$1 [R,L]
Submitted by SoftwareLibrarian on Thu, 07/14/2011 - 17:03 Pro Licensee

Ok, I (finally) received my wildcard cert from GeoTrust, and installed it in the top-level Virtual Server. However, when I now try to change the IP for the Sub-Server to the private address used by the top-level Virtual Server (different from the rest of this Virtualmin installation), I get the error: Failed to change IP address : The virtual interface IP address is already in use

What to do?

Assuming the cert will match the sub-server domain too, what you need to do is:

  1. Select the top-level server from the left menu.
  2. Go to Server Configuration -> Change IP Address.
  3. Click the button "Convert Private Address to Shared"
  4. Select the sub-server from the left menu
  5. Go to Server Configuration -> Change IP Address.
  6. In the "New IP address" field, select the IP of the top-level server, and click "Save".
  7. Enable SSL for the sub-server.
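
The steps above assume the wildcard cert matches the sub-server domain. The following is an added example, not part of the original thread or of Virtualmin, that checks this from a certificate's subjectAltName text before the sub-servers are moved onto the shared IP. The SAN text in `SAMPLE_SAN` is constructed (it is not the poster's real certificate), and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in the shape printed by
#   openssl x509 -in cert.pem -noout -ext subjectAltName
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:*.arabianhorseworld.com, DNS:arabianhorseworld.com'

# name_matches PATTERN HOST: exit 0 if one SAN entry covers HOST.
# Simplified matching: "*" is honoured only as the whole left-most label and
# stands for exactly one label, so *.example.com covers a.example.com but
# neither example.com nor a.b.example.com.
name_matches() {
    pattern=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$pattern" in
        \*.*)
            suffix=${pattern#\*}                 # e.g. ".example.com"
            case "$host" in
                *"$suffix") label=${host%"$suffix"} ;;
                *) return 1 ;;
            esac
            case "$label" in                     # must be one non-empty label
                ''|*.*) return 1 ;;
                *) return 0 ;;
            esac ;;
        *) [ "$pattern" = "$host" ] ;;
    esac
}

# san_covers SAN_TEXT HOST: exit 0 if any DNS: entry in SAN_TEXT covers HOST.
san_covers() {
    entries=$(printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p')
    while IFS= read -r entry; do
        name_matches "$entry" "$2" && return 0
    done <<EOF
$entries
EOF
    return 1
}

# report SAN_TEXT HOST...: print one verdict line per host.
report() {
    san=$1; shift
    for h in "$@"; do
        if san_covers "$san" "$h"; then echo "covered      $h"
        else echo "NOT covered  $h"; fi
    done
}

report "$SAMPLE_SAN" arabianhorseworld.com video.arabianhorseworld.com \
    subscription.arabianhorseworld.com
```

To check a real certificate, pass the output of `openssl x509 -in cert.pem -noout -ext subjectAltName` (OpenSSL 1.1.1 or later; `cert.pem` is a placeholder path) as the first argument to `report`.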
Submitted by SoftwareLibrarian on Thu, 07/14/2011 - 17:45 Pro Licensee

those steps 1-3 make all the difference - thanks!

Automatically closed -- issue fixed for 2 weeks with no activity.