Koozali.org: home of the SME Server

Creating a Self-Signed SSL Certificate

easydave

Creating a Self-Signed SSL Certificate
« on: May 21, 2006, 09:17:31 PM »
After I created a self-signed SSL certificate on my SME Server 7.rc2,
I used the command "/etc/rc.d/init.d/httpd restart" and got this error message:

[root@mail ~]# /etc/rc.d/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd: (98)Address already in use: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
Unable to open logs


Please help!

cactus
Re: Creating a Self-Signed SSL Certificate
« Reply #1 on: May 21, 2006, 10:09:42 PM »
Quote from: "easydave"
After I created a self-signed SSL certificate on my SME Server 7.rc2,
I used the command "/etc/rc.d/init.d/httpd restart" and got this error message:

[root@mail ~]# /etc/rc.d/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd: (98)Address already in use: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
Unable to open logs


Please help!

I normally use this command on SME7; it has worked for me many times.
Code:
/etc/rc7.d/S86httpd-e-smith restart
You might also want to restart httpd-admin, as this also uses the certificate, I guess.
Code:
/etc/rc7.d/S86httpd-admin restart
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

easydave

Thanks
« Reply #2 on: May 21, 2006, 10:14:56 PM »
It is working, no more error message.
Thanks

CharlieBrady
Re: Creating a Self-Signed SSL Certificate
« Reply #3 on: May 21, 2006, 11:25:47 PM »
Quote from: "easydave"
After I created a self-signed SSL certificate on my SME Server 7.rc2.


SME server already comes with a self-signed certificate.

RayG

Re: Creating a Self-Signed SSL Certificate
« Reply #4 on: May 22, 2006, 07:33:48 PM »
Quote from: "CharlieBrady"
Quote from: "easydave"
After I created a self-signed SSL certificate on my SME Server 7.rc2.


SME server already comes with a self-signed certificate.


But that certificate is created before entering organization information.

CharlieBrady
Re: Creating a Self-Signed SSL Certificate
« Reply #5 on: May 22, 2006, 11:06:36 PM »
Quote from: "RayG"
Quote from: "CharlieBrady"
Quote from: "easydave"
After I created a self-signed SSL certificate on my SME Server 7.rc2.


SME server already comes with a self-signed certificate.


But that certificate is created before entering organization information.


If you change the organisation information and the certificate does not get updated, then that's a bug - please report details to the Bug Tracker.

As a workaround, delete the certificate files, then do:

signal-event post-upgrade
signal-event reboot

NickCritten
Re: Creating a Self-Signed SSL Certificate
« Reply #6 on: May 23, 2006, 03:09:30 PM »
Quote from: "CharlieBrady"
Quote from: "easydave"
After I created a self-signed SSL certificate on my SME Server 7.rc2.


SME server already comes with a self-signed certificate.


Sometimes the automatically created Certificate isn't what you want...

e.g. Say your server name is rainbow.domain.com, but your users connect to SSL pages (or use POPS/IMAPS) by a different FQDN (e.g. www.domain.com); then they will get an error saying that the name on the certificate doesn't match.

If you manually create a cert, you can specify the system name to be www.domain.com, and then when users connect they don't get the error (after installing the cert, obviously).

On SME6 I used to name the server www if it was going to be web facing, but this option has been disabled in SME7.
...
Nick

"No good deed goes unpunished." :-x...

jester
Creating a Self-Signed SSL Certificate
« Reply #7 on: May 23, 2006, 03:24:06 PM »
Nick,

Could this also be done for several subdomains... I send my external mail users to imaps.mydomain.com, but my users get a constant message (Thunderbird) that the certificate does not match that name.

regards,
jester.

NickCritten
Creating a Self-Signed SSL Certificate
« Reply #8 on: May 23, 2006, 03:35:59 PM »
Not easily,

You'd need to change the way that the IMAPS and SMTPS services use their certificates, i.e. you'd need to get them to use a different cert from the one Apache uses.

I don't even know if that is possible!

Wouldn't it be easier to set the email clients to connect to the server by the name its cert is set to? e.g. www.domain.com or servername.domain.com
This is what I do on my sites.

I know Apache can't use multiple certs unless each virtual domain has its own IP address or runs on a different port.
Nick

CharlieBrady
Re: Creating a Self-Signed SSL Certificate
« Reply #9 on: May 23, 2006, 04:05:58 PM »
Quote from: "NickCritten"

e.g. Say your server name is rainbow.domain.com, but your users connect to SSL pages (or use POPS/IMAPS) by a different FQDN (e.g. www.domain.com); then they will get an error saying that the name on the certificate doesn't match.


This is universally correct whenever you have multiple virtual domains - only a single one can match the name in the certificate.

NickCritten
Re: Creating a Self-Signed SSL Certificate
« Reply #10 on: May 23, 2006, 04:15:32 PM »
Quote from: "CharlieBrady"
Quote from: "NickCritten"

e.g. Say your server name is rainbow.domain.com, but your users connect to SSL pages (or use POPS/IMAPS) by a different FQDN (e.g. www.domain.com); then they will get an error saying that the name on the certificate doesn't match.


This is universally correct whenever you have multiple virtual domains - only a single one can match the name in the certificate.


Exactly, you can only have one cert on SME (without some hacking), and you may not want the cert named servername.domain.com.

In the vast majority of cases the automatically generated one is good enough..... but sometimes it isn't!   :-)
Nick

jester
Creating a Self-Signed SSL Certificate
« Reply #11 on: May 23, 2006, 04:19:38 PM »
Thanks for the explanation Nick!

I think I'll just go by the www address then... it would LOOK nice though.

regards,
jester.

NickCritten
Creating a Self-Signed SSL Certificate
« Reply #12 on: May 23, 2006, 04:23:01 PM »
By the way,

I've now updated my SSL howto so that it uses the correct commands to restart the services (the original purpose of this thread).

Charlie pointed that out to me a couple of weeks ago and I forgot to update it!
Nick

jester
Creating a Self-Signed SSL Certificate
« Reply #13 on: May 23, 2006, 06:18:54 PM »
@Charlie: posted the bug.

@Nick: I followed your howto, saw your RED security note but was thrown off by the remark: 'so you like living on the edge...' in the '2.1.2 Private Key without Password'.

So to be on the safe side I thought I'd use a password for my SME7rc2 test server..... well, Apache didn't like that much: tons of errors on reboot. After correcting that I can confirm that your howto works on SME7rc2, but an extra 'Don't do this on SME7' note at the 2.1.2 section probably would help the stupid ones like me.... ;)

Regards,
jester.

NickCritten
Creating a Self-Signed SSL Certificate
« Reply #14 on: May 23, 2006, 06:23:02 PM »
It could probably do with a rewrite to be honest...

I always tell people to whizz down to the bottom and go through the "Rush Job".

I'm actually writing a script right now that will generate the commands for you automatically.
Nick

NickCritten
Creating a Self-Signed SSL Certificate
« Reply #15 on: May 23, 2006, 07:39:33 PM »
Jester (and anyone else who's interested)

I've just knocked together this script... Would you like to give it a go?

http://lmeit.co.uk/sslauto.php

It's very quick-and-dirty at the mo and doesn't contain the instructions, but you should get the idea from the other howto.
Nick

kabowers

ssl certificates
« Reply #16 on: May 25, 2006, 07:05:56 PM »
Hi Nick,
just tried your script, it worked fine.

One slight change possibly needed: where you ask for the domain name you may want to indicate to leave out "www.", or you will get some people having trouble.

Off topic:

How's sunny Cardiff these days?
Are you still with NSL?

CharlieBrady
Re: ssl certificates
« Reply #17 on: May 25, 2006, 08:32:25 PM »
Quote from: "kabowers"
Hi Nick,
just tried your script, it worked fine.


Until the certificate expires, when it will again be replaced by the standard SME one.

All the script generated by that website does is give you a chance to provide new answers to the questions below:

...
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
...

The standard SME template answers these with:

--
---
"City" property from "directory" panel
"Company" property from "directory" panel
"Department" property from "directory" panel
$SystemName.$DomainName
admin@$SystemName.$DomainName

If you want different answers to those, then most of them you can change via the "directory" panel, and the remaining ones you can change by changing your SystemName or DomainName, or by using a custom template.

If you think any of the default answers should be changed, or the certificate is not updated any time that it should be, then please use the Bug Tracker.

NickCritten
Re: ssl certificates
« Reply #18 on: May 26, 2006, 10:46:46 AM »
Quote from: "kabowers"

Off topic:

How's sunny Cardiff these days?
Are you still with NSL?


Hiya Keith!!

No time right now, I'm on the way to work.. Will PM you later.
Nick

jester
Creating a Self-Signed SSL Certificate
« Reply #19 on: May 26, 2006, 07:54:08 PM »
Hi Nick,

Love it! I'm in the UK at the moment.... I'll give the instructions a go as soon as I get back to Holland, where my test server is.

Thanx!
jester.

jester
Creating a Self-Signed SSL Certificate
« Reply #20 on: May 30, 2006, 11:41:48 AM »
Hi Nick,

Your auto-generated howto works like a charm..... it would do well as a server-manager panel: it only needs to ask for a new 'common name' and when to expire; the rest is known.

I've got no more messages complaining about non-matching names.

Thanx!!
jester.

NickCritten
Creating a Self-Signed SSL Certificate
« Reply #21 on: May 30, 2006, 01:51:45 PM »
No Worries... I'll tidy it up at some point.

btw I've logged a feature request on BugTracker..

You might be interested: http://bugs.contribs.org/show_bug.cgi?id=1508

KBowers: Could you email me please? My address is on the SSL Howto.

Cheers,
Nick

NickCritten
Re: ssl certificates
« Reply #22 on: June 01, 2006, 09:30:27 AM »
Quote from: "CharlieBrady"
or by using a custom template.


Please see my new template-based howto: :hammer:
http://mirror.contribs.org/smeserver/contribs/nickcritten/howtos/ssl7.htm

How does this float your boat?
Nick

NickCritten
Re: ssl certificates
« Reply #23 on: June 01, 2006, 11:22:30 AM »
Quote from: "NickCritten"
Quote from: "CharlieBrady"
or by using a custom template.


Please see my new template-based howto: :hammer:
http://mirror.contribs.org/smeserver/contribs/nickcritten/howtos/ssl7.htm

How does this float your boat?


I just noticed a typo in the template text. Uploading V1.0.1.
It should come up on ibiblio in an hour or two.
Nick

andy_wismer
Creating a Self-Signed SSL Certificate
« Reply #24 on: June 22, 2006, 10:17:24 AM »
@CharlieBrady:

If the server has virtual hosts in the form of say:

mail.domainname.xxx
www.domainname.xxx
intranet.domainname.xxx

it IS possible to create a Certificate for *.domainname.xxx.

A certificate for the IP address helps too. On, say, SuSE I created one for the internal IP, one for the external IP (the server only has the port forwarded from a SonicWall firewall...) and one for the name as shown above.

That does work.

Regards

Andy
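The name-matching rule that the posts above keep running into (Nick's rainbow.domain.com vs www.domain.com, Charlie's "only a single one can match", and Andy's *.domainname.xxx plus IP-address certificates) is easy to get wrong by hand. The following Python is an added illustration, not SME Server code or anything from the howto: it models a certificate's identity as a constructed dict (a CN plus a list of DNS/IP SAN entries) instead of parsing a real PEM file, and implements the client-side matching rules (RFC 6125 style: SANs take precedence over the CN, a wildcard only covers one leftmost label, IP literals only match IP SANs). The helper names and the sample hostnames and 192.0.2.x addresses are assumptions made up for the example.

```python
"""Check whether the name a client connects with is covered by a certificate.

Added example (not SME Server code). The certificate is modelled as a constructed
dict: {"cn": "...", "san": [("dns", "..."), ("ip", "...")]} rather than a parsed
PEM file, so this runs offline with the standard library only.
"""
import ipaddress


def cert_names(cert):
    """Return (dns_names, ip_names) that a client would consider.

    Clients only fall back to the Common Name when the certificate carries no
    DNS SANs; the default SME certificate has just a CN of $SystemName.$DomainName.
    """
    dns = [v.lower() for kind, v in cert.get("san", []) if kind == "dns"]
    ips = [v for kind, v in cert.get("san", []) if kind == "ip"]
    if not dns and cert.get("cn"):
        dns = [cert["cn"].lower()]
    return dns, ips


def dns_name_matches(pattern, hostname):
    """Match one certificate DNS name (optionally a leftmost-label wildcard) against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # Only a lone '*' as the entire leftmost label is honoured, it must leave at
    # least two real labels ("*.com" is rejected), and no other label may contain '*'.
    if plabels[0] != "*" or len(plabels) < 3 or "*" in ".".join(plabels[1:]):
        return False
    # A wildcard covers exactly one label: *.domainname.xxx matches
    # mail.domainname.xxx but neither domainname.xxx nor a.b.domainname.xxx.
    return len(hlabels) == len(plabels) and hlabels[1:] == plabels[1:]


def cert_matches(cert, connect_name):
    """True if the hostname or IP literal the client used is covered by the certificate."""
    dns, ips = cert_names(cert)
    try:
        addr = ipaddress.ip_address(connect_name)
    except ValueError:
        addr = None
    if addr is not None:
        # An IP literal is compared only against iPAddress SANs, never against DNS names.
        return any(ipaddress.ip_address(i) == addr for i in ips)
    return any(dns_name_matches(p, connect_name) for p in dns)


def sme_default_cert(system_name, domain_name):
    """Model the stock SME certificate: CN = $SystemName.$DomainName and no SANs."""
    return {"cn": f"{system_name}.{domain_name}", "san": []}


if __name__ == "__main__":
    # Constructed scenario from the thread: server named rainbow, users type www.
    default = sme_default_cert("rainbow", "domain.com")
    print("rainbow.domain.com:", cert_matches(default, "rainbow.domain.com"))  # True
    print("www.domain.com:", cert_matches(default, "www.domain.com"))          # False, the mismatch users see

    # Constructed wildcard certificate with an IP SAN, as in Andy's setup.
    wildcard = {
        "cn": "*.domainname.xxx",
        "san": [("dns", "*.domainname.xxx"), ("ip", "192.0.2.10")],
    }
    for name in ("mail.domainname.xxx", "intranet.domainname.xxx",
                 "domainname.xxx", "192.0.2.10", "192.0.2.11"):
        print(f"{name}: {cert_matches(wildcard, name)}")
```

The practical reading of this for the thread: with the stock CN-only certificate exactly one hostname will ever match, so either clients connect by that name or the certificate needs a SAN list (or wildcard) covering every name and address they use.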

NickCritten
Creating a Self-Signed SSL Certificate
« Reply #25 on: June 22, 2006, 02:25:51 PM »
Quote from: "andy_wismer"
@CharlieBrady:

it IS possible to create a Certificate for *.domainname.xxx.

A certificate for the IP address helps too. On, say, SuSE I created one for the internal IP, one for the external IP (the server only has the port forwarded from a SonicWall firewall...) and one for the name as shown above.

That does work.

Regards

Andy


Hi Andy,

Could you tell me how you do this?

Cheers,

Nick

andy_wismer
Creating a Self-Signed SSL Certificate
« Reply #26 on: June 22, 2006, 02:55:11 PM »
Hi Nick

I found that about 1-2 years ago in a German Linux mag called FreeX. I still have the mag and have done a small how-to (in German) for some friends; I'll post a small how-to in English by, say, Friday or Saturday...

Regards

Andy

NickCritten
Creating a Self-Signed SSL Certificate
« Reply #27 on: June 22, 2006, 02:57:23 PM »
Sweet
Nick

mercyh
Creating a Self-Signed SSL Certificate
« Reply #28 on: June 22, 2006, 03:38:28 PM »
Nice work on the howto

NickCritten
Creating a Self-Signed SSL Certificate
« Reply #29 on: June 22, 2006, 07:51:22 PM »
Quote from: "mercyh"
Nice work on the howto


Thanks :-D
Nick