Koozali.org: home of the SME Server

Creating a Self-Signed SSL Certificate

easydave

Creating a Self-Signed SSL Certificate
« on: May 21, 2006, 09:17:31 PM »
After I created a self-signed SSL certificate on my SME Server 7 rc2,
I used the command "/etc/rc.d/init.d/httpd restart" and got this error message:

[root@mail ~]# /etc/rc.d/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd: (98)Address already in use: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
Unable to open logs


Please help!

cactus
Re: Creating a Self-Signed SSL Certificate
« Reply #1 on: May 21, 2006, 10:09:42 PM »
Quote from: "easydave"
After I created a self-signed SSL certificate on my SME Server 7 rc2,
I used the command "/etc/rc.d/init.d/httpd restart" and got this error message:

[root@mail ~]# /etc/rc.d/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd: (98)Address already in use: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
Unable to open logs


Please help!

I normally use this command on SME7; it has worked for me many times.
Code:
/etc/rc7.d/S86httpd-e-smith restart
You might also want to restart httpd-admin, as this also uses the certificate, I guess.
Code:
/etc/rc7.d/S86httpd-admin restart
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than it's worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

easydave

Thanks
« Reply #2 on: May 21, 2006, 10:14:56 PM »
It is working, no more error message.
Thanks

CharlieBrady
Re: Creating a Self-Signed SSL Certificate
« Reply #3 on: May 21, 2006, 11:25:47 PM »
Quote from: "easydave"
After I created a self-signed SSL certificate on my SME Server 7 rc2.


SME server already comes with a self-signed certificate.

RayG

Re: Creating a Self-Signed SSL Certificate
« Reply #4 on: May 22, 2006, 07:33:48 PM »
Quote from: "CharlieBrady"
Quote from: "easydave"
After I created a self-signed SSL certificate on my SME Server 7 rc2.


SME server already comes with a self-signed certificate.


But that certificate is created before entering organization information.

CharlieBrady
Re: Creating a Self-Signed SSL Certificate
« Reply #5 on: May 22, 2006, 11:06:36 PM »
Quote from: "RayG"
Quote from: "CharlieBrady"
Quote from: "easydave"
After I created a self-signed SSL certificate on my SME Server 7 rc2.


SME server already comes with a self-signed certificate.


But that certificate is created before entering organization information.


If you change the organisation information and the certificate does not get updated, then that's a bug - please report details to the Bug Tracker.

As a workaround, delete the certificate files, then do:

signal-event post-upgrade
signal-event reboot

NickCritten
Re: Creating a Self-Signed SSL Certificate
« Reply #6 on: May 23, 2006, 03:09:30 PM »
Quote from: "CharlieBrady"
Quote from: "easydave"
After I created a self-signed SSL certificate on my SME Server 7 rc2.


SME server already comes with a self-signed certificate.


Sometimes the automatically created certificate isn't what you want...

e.g. Say your server name is rainbow.domain.com, but your users connect to SSL pages (or use POPS/IMAPS) by a different FQDN (e.g. www.domain.com); then they will get an error saying that the name on the certificate doesn't match.

If you manually create a cert, you can specify the system name to be www.domain.com, and then when users connect, they don't get the error (after installing the cert, obviously).

On SME6 I used to name the server www if it was going to be web facing, but this option has been disabled in SME7.
...
Nick

"No good deed goes unpunished." :-x...

jester
Creating a Self-Signed SSL Certificate
« Reply #7 on: May 23, 2006, 03:24:06 PM »
Nick,

Could this also be done for several subdomains? I send my external mail users to imaps.mydomain.com, but my users get a constant message (Thunderbird) that the certificate does not match that name.

regards,
jester.

NickCritten
Creating a Self-Signed SSL Certificate
« Reply #8 on: May 23, 2006, 03:35:59 PM »
Not easily.

You'd need to change the way that the IMAPS and SMTPS services use their certificates, i.e. you'd need to get them to use a different cert from the one Apache uses.

I don't even know if that is possible!

Wouldn't it be easier to set the email clients to connect to the server by the name its cert is set to? e.g. www.domain.com or servername.domain.com
This is what I do on my sites.

I know Apache can't use multiple certs unless each virtual domain has its own IP address or runs on a different port.
...
Nick

"No good deed goes unpunished." :-x...

CharlieBrady
Re: Creating a Self-Signed SSL Certificate
« Reply #9 on: May 23, 2006, 04:05:58 PM »
Quote from: "NickCritten"

e.g. Say your server name is rainbow.domain.com, but your users connect to SSL pages (or use POPS/IMAPS) by a different FQDN (e.g. www.domain.com); then they will get an error saying that the name on the certificate doesn't match.


This is universally correct whenever you have multiple virtual domains: only a single one can match the name in the certificate.

NickCritten
Re: Creating a Self-Signed SSL Certificate
« Reply #10 on: May 23, 2006, 04:15:32 PM »
Quote from: "CharlieBrady"
Quote from: "NickCritten"

e.g. Say your server name is rainbow.domain.com, but your users connect to SSL pages (or use POPS/IMAPS) by a different FQDN (e.g. www.domain.com); then they will get an error saying that the name on the certificate doesn't match.


This is universally correct whenever you have multiple virtual domains: only a single one can match the name in the certificate.


Exactly, you can only have one cert on SME (without some hacking), and you may not want the cert named servername.domain.com.

In the vast majority of cases the automatically generated one is good enough..... but sometimes it isn't!   :-)
...
Nick

"No good deed goes unpunished." :-x...
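The name-mismatch problem Nick describes in replies #6 and #8, and jester's question in #7 about covering several subdomains, can be worked through with plain openssl. The script below is an added example; it is not from the SME how-to, the thread or the SME Server project, and the domain names, output directory and openssl config layout are my own assumptions. It generates a self-signed certificate whose CN is the name clients actually connect to and, going one step beyond the thread, lists further names in subjectAltName, so the single certificate SME uses can carry both www.example.com and imaps.example.com. It then checks a hostname against the names on the certificate, which is the comparison a browser or mail client makes before it warns. The private key is written without a passphrase, because an encrypted key has to be unlocked every time httpd starts.

```shell
#!/bin/sh
# Added example (not the SME how-to's or the project's code). Domain names,
# the output directory and the config layout below are placeholders.
set -eu

# make_selfsigned_cert OUTDIR PRIMARY_NAME [EXTRA_NAME ...]
# Writes OUTDIR/key.pem and OUTDIR/cert.pem. CN is PRIMARY_NAME; every name
# (primary and extras) is also listed as a DNS subjectAltName.
# -nodes leaves the key unencrypted on purpose: a passphrase would have to
# be supplied at every httpd start.
make_selfsigned_cert() {
  outdir=$1; primary=$2; shift 2
  mkdir -p "$outdir"
  san="DNS:$primary"
  for n in "$@"; do san="$san,DNS:$n"; done
  cat > "$outdir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_server
prompt = no
[dn]
CN = $primary
O = Example Org
[v3_server]
subjectAltName = $san
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$outdir/key.pem" -out "$outdir/cert.pem" \
    -config "$outdir/openssl.cnf" 2>/dev/null
}

# cert_names CERT: print the subject CN and every DNS subjectAltName, one
# per line. Parsing works on both the old "/O=..,/CN=.." and the newer
# "O = .., CN = .." subject formats.
cert_names() {
  openssl x509 -in "$1" -noout -subject \
    | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# cert_matches_host CERT HOST: succeed only if HOST is exactly one of the
# names on CERT. This is the check that produces the "name on the
# certificate doesn't match" warning when it fails.
cert_matches_host() {
  cert_names "$1" | grep -qx "$2"
}

# report_hosts CERT HOST...: print ok/MISMATCH per host the clients use.
report_hosts() {
  cert=$1; shift
  for h in "$@"; do
    if cert_matches_host "$cert" "$h"; then echo "ok        $h"
    else echo "MISMATCH  $h"; fi
  done
}

# Usage (assumed names):
#   make_selfsigned_cert /tmp/sslwork www.example.com imaps.example.com
#   report_hosts /tmp/sslwork/cert.pem www.example.com imaps.example.com rainbow.example.com
# Install cert.pem/key.pem where the SME how-to says, then restart the
# services with the S86httpd-e-smith and S86httpd-admin scripts named above.
```

The generated files still have to be installed and the services restarted as the thread describes; this script only produces the certificate and tells you in advance which of the hostnames your users type will match it.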

jester
Creating a Self-Signed SSL Certificate
« Reply #11 on: May 23, 2006, 04:19:38 PM »
Thanks for the explanation Nick!

I think I'll just go by the www address then... it would LOOK nice though.

regards,
jester.

NickCritten
Creating a Self-Signed SSL Certificate
« Reply #12 on: May 23, 2006, 04:23:01 PM »
By the way,

I've now updated my SSL howto so that it uses the correct commands to restart the services. (the original purpose of this thread)

Charlie pointed that out to me a couple of weeks ago and I forgot to update it!
...
Nick

"No good deed goes unpunished." :-x...

jester
Creating a Self-Signed SSL Certificate
« Reply #13 on: May 23, 2006, 06:18:54 PM »
@Charlie: posted the bug.

@Nick: I followed your howto, saw your RED security note, but was thrown off by the remark 'so you like living on the edge...' in the '2.1.2 Private Key without Password' section.

So to be on the safe side I thought I'd use a password for my SME7 rc2 test server..... well, Apache didn't like that much: tons of errors on reboot. After correcting that I can confirm that your howto works on SME7 rc2, but an extra 'Don't do this on SME7' note at the 2.1.2 section would probably help the stupid ones like me.... ;)

Regards,
jester.

NickCritten
Creating a Self-Signed SSL Certificate
« Reply #14 on: May 23, 2006, 06:23:02 PM »
It could probably do with a rewrite to be honest...

I always tell people to whizz down to the bottom and go through the "Rush Job".

I'm actually writing a script right now that will generate the commands for you automatically.
...
Nick

"No good deed goes unpunished." :-x...