Client can bring Apache server down by installing SSL certificate with wrong CSR
Hi,
Recently, one of our clients messed up our whole hosting by bringing the Apache server down. The very big problem was that Apache could not start anymore because of a wrong hostnames error in the certificate.
The client did this as follows.
- He created a domainname.
- Activated SSL, created the request and requested a CA certificate.
- Deleted the domain in ISPConfig for some reason.
- Recreated the same domain, activated SSL, created the certificate request again.
- Then the client replaced the SSL certificate content in ISPConfig with the certificate from the request that had been made the first time.
- After that he saved it, and Apache was totally disabled and couldn't start anymore. I had to remove all his certificates and disable SSL for the client.
So the problem was that the CSR and the CRT don't match at all. I also saw someone on the forum who had the same problem, but he thought that it was a Comodo problem. It is not, because I can easily reproduce this by doing the same steps. Every time, Apache goes down.
So the client shouldn't be able to configure his own SSL site (or I should be able to choose if a client can or cannot), or it should have some check that the right certificate is being installed.
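The check the post asks for, as an added example (not ISPConfig's code and not from the original post): before a pasted certificate is written into the vhost, confirm that the private key, the CSR and the certificate all carry the same public key, and that the certificate actually covers the site's hostname. The script assumes `openssl` is on PATH; the file names and the `example.test` hostname are hypothetical, and `make_fixtures` builds constructed test material (a self-signed cert stands in for the CA-issued one) so the example runs offline.

```sh
#!/bin/sh
# Added example, not ISPConfig code. Reproduces the failure from the post:
# key/CSR regenerated, but the certificate issued for the *old* CSR pasted in.

# Print SHA-256 of the DER public key carried by a key, CSR or certificate.
# Returns 1 (prints nothing) if the file cannot be parsed as that kind.
pubkey_fingerprint() {
    kind="$1"; file="$2"
    pem=$(case "$kind" in
        key) openssl pkey -in "$file" -pubout ;;
        csr) openssl req -in "$file" -pubkey -noout ;;
        crt) openssl x509 -in "$file" -pubkey -noout ;;
    esac 2>/dev/null)
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# 0 when key, CSR and certificate share one public key, 1 otherwise.
# This is exactly what Apache will refuse at startup if it is violated.
cert_matches() {
    key_fp=$(pubkey_fingerprint key "$1") || return 1
    csr_fp=$(pubkey_fingerprint csr "$2") || return 1
    crt_fp=$(pubkey_fingerprint crt "$3") || return 1
    [ "$key_fp" = "$csr_fp" ] && [ "$key_fp" = "$crt_fp" ]
}

# 0 when the certificate's SAN (or CN fallback) covers the hostname.
# -checkhost reports on stdout or stderr depending on OpenSSL version.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 | grep -q "does match"
}

# Constructed fixtures mirroring the steps in the post; prints the temp dir.
make_fixtures() {
    dir=$(mktemp -d)
    # Round 1: key, CSR, and the certificate issued for that CSR.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/old.key" 2>/dev/null
    openssl req -new -key "$dir/old.key" -subj "/CN=example.test" \
        -out "$dir/old.csr" 2>/dev/null
    openssl x509 -req -in "$dir/old.csr" -signkey "$dir/old.key" -days 1 \
        -out "$dir/old.crt" 2>/dev/null
    # Round 2: site deleted and recreated, so a fresh key and CSR exist.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/new.key" 2>/dev/null
    openssl req -new -key "$dir/new.key" -subj "/CN=example.test" \
        -out "$dir/new.csr" 2>/dev/null
    printf '%s\n' "$dir"
}

main() {
    dir=$(make_fixtures)
    for combo in "old.key old.csr old.crt" "new.key new.csr old.crt"; do
        set -- $combo
        if cert_matches "$dir/$1" "$dir/$2" "$dir/$3"; then
            echo "OK:     $1 / $2 / $3 share one public key"
        else
            echo "REFUSE: $3 was not issued for $2 (public keys differ)"
        fi
    done
    rm -rf "$dir"
}
main
```

Run as a pre-save hook or cron check: only when `cert_matches` and `cert_covers_host` both succeed should the panel write the files into the vhost, and even then an `apachectl configtest` before the reload keeps one bad site from taking every other site on the server offline with it.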