I couldn't find anything related to BOA best practice regarding enabling SSL for specific existing managed Aegir sites. Although I did read something on devseed about mysite.drush.inc overrides in the /var/aegir/.drush folder, some specifics weren't that clear and hence I couldn't get it to work on BOA. The requirement has only just come up, so I want to get a permanent solution in place before enabling more.

Any assistance is greatly appreciated.

Comments

omega8cc:

snlnz:

Thanks for your reply.

How about the situation where multiple Aegir sites share the same IP and need self-signed certs? I'm sure it's a matter of playing around with the config files, but it seems a bit backward from what Aegir was built upon. Is that best practice for enabling self-signed SSL on Aegir sites?

Say we have two or more sites running off the Aegir instance that we want using SSL, self-signed certs and the same IP.
Later down the track we want to add additional sites with their own appropriate certificates, more than likely on the same IP?

I think I recall Aegir having the ability to generate self-signed SSL certs and I was hoping it would be that easy in BOA?

omega8cc:

The problem is: the Aegir built-in SSL feature is not (yet) designed to support the TLS SNI mode available in Nginx (BOA), so you can't use it to enable SSL for more than one (1) site per IP.

Our how-to is a temporary workaround, and it will be easy to switch to the Aegir native SSL support once TLS SNI is supported.

See also: http://en.wikipedia.org/wiki/Server_Name_Indication

snlnz:

Do we leave the issue open while this feature is not supported?

omega8cc:

Status: Active » Closed (works as designed)

I'm going to close this because it is not a Barracuda issue.

Barracuda provides a workaround, but the feature request needs to be opened in the Aegir (Hostmaster) queue.

snlnz:

Agreed. I will post an issue on the Aegir project.
tx

iub98:

Is the procedure to enable SSL for one site on an Aegir install the same as the link you posted above, omega8cc? Or is there a simpler setup, given I only need to enable SSL on one of my BOA sites? Thanks for this wonderful script BTW!

realityloop:

Status: Closed (works as designed) » Active

Could we not add something like this in the vhost for the site in question by having an include that's outside the existing server block to allow it?

server {
  listen 443;                              # on a single IP every HTTPS vhost shares this address:port
  server_name www.domain.com.au;           # must match the certificate's domain(s) so SNI selects this block
  ssl on;                                  # older syntax; on current Nginx write "listen 443 ssl;" instead
  ssl_certificate              /etc/ssl/private/www.domain.com.au.crt;
  ssl_certificate_key          /etc/ssl/private/www.domain.com.au.key;
  # site-specific root/location or proxy settings go here
}

realityloop:

omega8cc:

Status: Active » Postponed (maintainer needs more info)

@realityloop -- I'm not sure what exactly you mean, could you elaborate? By the way, the article you have linked is a horrible example of bad Nginx config.

realityloop:

Status: Postponed (maintainer needs more info) » Active

What I'd love to see is the ability to have different SSL certs per site without requiring additional IPs.

omega8cc:

Status: Active » Closed (works as designed)

Then simply use the BOA standard SSL how-to, use the same IP address in all server {} config containers, and define the server_name to match the cert domain(s) instead of a wildcard. If you want the Aegir SSL feature to support TLS/SNI, I believe there are already issues about it in Aegir's own queue.

Note that if you have only a single IP on the system, you will have to modify or remove the BOA standard SSL wildcard proxy vhost.

~Robert
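The layout Robert describes above (and the per-site vhost realityloop sketched earlier in the thread), as an added example that is not BOA's own configuration or the how-to the thread refers to: two HTTPS server {} containers bound to one IP address, each naming the host(s) its certificate was issued for, with Nginx choosing the container from the SNI host name the client sends. The IP address, host names, certificate paths, backend port and forwarded headers are assumptions.

```nginx
# Added example: two sites with different certificates on ONE IP address.
# Nginx selects the server {} block (and therefore the certificate) from the
# host name carried in the TLS ClientHello (SNI), so server_name must list the
# real host(s) each certificate covers; a wildcard server_name would swallow
# both and defeat the selection. 203.0.113.10, the host names, the paths and
# the backend port are placeholders, not BOA defaults.

server {
  listen 203.0.113.10:443 ssl default_server;   # default_server answers clients that send no SNI at all
  server_name site-a.example.com www.site-a.example.com;

  ssl_certificate     /etc/ssl/private/site-a.example.com.crt;
  ssl_certificate_key /etc/ssl/private/site-a.example.com.key;
  ssl_protocols       TLSv1.2 TLSv1.3;          # TLSv1.3 needs an OpenSSL 1.1.1+ build; drop it otherwise

  location / {
    # Same pattern as an SSL proxy vhost: hand the request to the plain-HTTP
    # vhost of the same site and tell the application it arrived over HTTPS.
    proxy_pass         http://127.0.0.1:80;
    proxy_set_header   Host              $host;
    proxy_set_header   X-Real-IP         $remote_addr;
    proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header   X-Forwarded-Proto https;
  }
}

server {
  listen 203.0.113.10:443 ssl;                  # same address and port as the block above
  server_name site-b.example.com;

  ssl_certificate     /etc/ssl/private/site-b.example.com.crt;
  ssl_certificate_key /etc/ssl/private/site-b.example.com.key;
  ssl_protocols       TLSv1.2 TLSv1.3;

  location / {
    proxy_pass         http://127.0.0.1:80;
    proxy_set_header   Host              $host;
    proxy_set_header   X-Real-IP         $remote_addr;
    proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header   X-Forwarded-Proto https;
  }
}
```

Before relying on this, confirm the binary was built with SNI (`nginx -V` prints "TLS SNI support enabled") and that each name really yields its own certificate: `openssl s_client -connect 203.0.113.10:443 -servername site-b.example.com </dev/null | openssl x509 -noout -subject`, then repeat with site-a.example.com; the subject must change. A client that sends no SNI lands on the default_server block and is shown site-a's certificate, which is the unavoidable consequence of sharing one address. A throwaway self-signed pair for testing can be made with `openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj /CN=site-b.example.com -keyout site-b.example.com.key -out site-b.example.com.crt`. As Robert notes, the standard wildcard proxy vhost listening on the same address:port has to be removed or given a server_name that no longer overlaps these hosts.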

jvic:

Version: » 6.x-2.0-rc9

@omega8cc, which means that if using SSL it will be using a wildcard SSL cert to support Aegir, right, with only a single IP?
So it is not possible to enable one site on http (80) and another on https (443) simultaneously, right?
Is it possible to create two Aegir instances, where the first Aegir is http and the other is https?
Sorry to disturb, just curious.

timlie:

Issue summary: View changes

Jeff Veit:

Well, it borked the BOA Nginx installation we tried it on. But it turned out that there were other problems, so I can't unambiguously say this was the cause, though it was the trigger.

I did learn that when your HTTPS goes into a loop, turning off the Aegir SSL modules using drush doesn't help, but if you create the file /data/conf/no-https-aegir.inc you can log in via HTTP and fix the problem.

Why don't you try it and report back?