Koozali.org: home of the SME Server

CA ssl cert install

Offline jameswilson

« on: July 24, 2006, 08:10:34 PM »
Hi all, I'm running an ecommerce site in one of my ibays. I have purchased an SSL cert and gave the cert but can't for the life of me get it to install. I have followed the how-tos but whenever I reboot my server httpd won't start and all is b#ggered. First time I restored from a backup but I now use the undo SSL commands and all is back to normal, but I need to get my SSL cert on my server. Also, can I only have 1 SSL per server? What if I wanted different SSLs per ibay?

Regards
and thanks

James

Offline warren

« Reply #1 on: July 24, 2006, 11:06:52 PM »
James,

Quote
Also, can I only have 1 SSL per server? What if I wanted different SSLs per ibay?


Multiple ssl certs:
http://forums.contribs.org/index.php?topic=31423.0

Search SSL how to:

http://forums.contribs.org/index.php?topic=30370.0 will bring up
http://mirror.contribs.org/smeserver/contribs/nickcritten/howtos/ssl.htm
which points users running SME7 to:
http://mirror.contribs.org/smeserver/contribs//nickcritten/howtos/ssl7.htm

And as they say in the classics, clear as mud when you search. :hammer:

Warren

Offline jameswilson

« Reply #2 on: July 24, 2006, 11:39:08 PM »
Thanks for those, but I have tried that, but if I follow that my webserver stops and I have to undo it. My server name is a different domain than the one I have the cert for, i.e.
my server name
router.jpwilson.eu

my domain cert
securitywarehouse.co.uk

Offline jameswilson

« Reply #3 on: July 24, 2006, 11:46:14 PM »
The version 7 one works but is still using a self-issued cert, not my CA cert!

Anyone any clues? I'm losing my hair here lol

Offline william_syd

« Reply #4 on: July 25, 2006, 11:26:28 AM »
Did you try this how-to..?

Creating a CA signed SSL Certificate

I would try using your CA cert just by itself for the primary ibay/email. If it doesn't work then this quote from the RH manual might apply.
Quote
   Note that if you do not want to type in a passphrase every
    time you start your secure server, you must use the following
    two commands instead of make genkey to create the key.


If it does work, the cert/key pair is ok and you'll have to search more for individual ibay info.
Regards,
William

IF I give advise.. It's only if it was me....

Offline jameswilson

« Reply #5 on: July 25, 2006, 02:05:14 PM »
Thanks, I was thinking of moving my domains to spare areas, renaming the server and retrying

Thanks for this, I will try, but this way will only allow me to have 1 cert per server, not per domain/ibay

Offline william_syd

« Reply #6 on: July 25, 2006, 02:35:19 PM »
Quote from: "jameswilson"
Thanks, I was thinking of moving my domains to spare areas, renaming the server and retrying

Thanks for this, I will try, but this way will only allow me to have 1 cert per server, not per domain/ibay


Interesting info

http://forums.contribs.org/index.php?topic=31772.0

I've been looking around.... maybe a custom template of /etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/25SSLDirectives to get the certificate location like /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCertificateFile

Also look at /etc/httpd/conf/httpd.conf

If you don't find an answer maybe raise a New Feature Request [NFR] in the bug tracker.
Regards,
William


Offline jameswilson

« Reply #7 on: July 26, 2006, 10:41:57 PM »
Hi again.
I have now renamed my server but whenever I try to install my CA cert it stops my webserver and no pages are displayed. I then can't get into server manager or anything but strangely the text-based browser on the console still functions. It seems to be the cert, and any time I replace my default one problems begin.
I'm obviously doing something wrong as I need to get rid of the security warning on my clients' browsers. Any help or guidance is much appreciated!!

James

Offline jameswilson

« Reply #8 on: July 26, 2006, 10:51:43 PM »
Also I notice that when going to https://www.securitywarehouse.co.uk/catalog
I get a warning about the CA not being known, fair enough as the only way apache functions is with a self-signed cert,
and for some reason that the name doesn't match the cert. When clicking view cert it says it's the correct name etc. so this might be part of the problem

Offline william_syd

« Reply #9 on: July 27, 2006, 02:01:43 AM »
Quote from: "jameswilson"
Also I notice that when going to https://www.securitywarehouse.co.uk/catalog
I get a warning about the CA not being known, fair enough as the only way apache functions is with a self-signed cert,
and for some reason that the name doesn't match the cert. When clicking view cert it says it's the correct name etc. so this might be part of the problem


What commands did you use to make your server key?

This
Code:
make genkey
or
Code:
/usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key

Regarding the above quote..

Your site is www.securitywarehouse.co.uk but the cert is for securitywarehouse.co.uk

Have a look at my cert at https://secure.magicwilly.info and you will see it's a wildcard cert so I can change the bit in front of the domain as I please.
Regards,
William


Offline jameswilson

« Reply #10 on: July 27, 2006, 11:05:13 AM »
Thanks for all your help William
Quote
What commands did you use to make your server key ?

I used
Quote
/usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key


Re the wildcard thing, yes that makes sense to me but I purchased a wildcard cert to stop that, but yes when I currently open my site without the www that error disappears so now it's definitely a certificate issue.

As I'm obviously struggling doing this at the command line, is there anything I can install that will help or should I keep on the CLI?

Thanks again.

PS I have also tried editing ssl.conf in /etc/httpd/conf.d to match my 2 certificate files (my cert and a ca-bundle)

Offline jameswilson

« Reply #11 on: July 27, 2006, 11:11:55 AM »
I'm also wondering if I should start from scratch again and generate keys etc. again and reapply for my CA cert in case I've screwed something up somewhere. Also this machine has been renamed twice now, could that be an issue?

Offline william_syd

« Reply #12 on: July 27, 2006, 02:05:28 PM »
Quote from: "jameswilson"
Thanks for all your help William
Quote
What commands did you use to make your server key ?

I used
Quote
/usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key




That's good as it will allow apache to start without asking for a password.

Quote from: "jameswilson"
PS I have also tried editing ssl.conf in /etc/httpd/conf.d to match my 2 certificate files (my cert and a ca-bundle)


I don't think that file is used in the SME world.

/etc/httpd/conf/httpd.conf is the file you want. However you never edit this file directly.

I believe your certificate and key are fine but the key points are-

* the CA SSL how to will only show you how to change your certificate on a global level (server-manager and ibays)

* for ibays only, I don't think there is a system in place yet.. you will have to learn about the templating system and the configuration db system.

I suggest you read the developer manual, join the developer mailing list and ask questions. I'm sure others would like a solution to this as well.
Regards,
William


Offline jameswilson

« Reply #13 on: July 27, 2006, 02:16:09 PM »
Quote
* the CA SSL how to will only show you how to change your certificate on a global level (server-manager and ibays)


I don't mind as this is my only ecomm site on this server, but I notice that most of the FAQs for SSL tell me to use my cpanel, which I assume is a web i/f for ISPs. It obviously must be possible as you got yours on. How did you do that, just by following the how-tos you listed?

Anyway thanks again William

Offline william_syd

« Reply #14 on: July 27, 2006, 02:50:51 PM »
Quote from: "jameswilson"
Quote
* the CA SSL how to will only show you how to change your certificate on a global level (server-manager and ibays)


I don't mind as this is my only ecomm site on this server, but I notice that most of the FAQs for SSL tell me to use my cpanel, which I assume is a web i/f for ISPs. It obviously must be possible as you got yours on. How did you do that, just by following the how-tos you listed?

Anyway thanks again William



WinSCP - http://winscp.net/eng/index.php
PuTTY - http://www.chiark.greenend.org.uk/~sgtatham/putty/
HowTo - http://no.longer.valid/phpwiki/index.php/Creating%20a%20CA%20signed%20SSL%20Certificate

That's how I did it.
Regards,
William


Offline jameswilson

« Reply #15 on: August 01, 2006, 10:24:08 PM »
William
Thanks a million.
I re-applied for my cert and created a new key. I must have messed something up as it now works. I think that your server name should match your web cert name


Again thank you very much, as when I did what I was supposed to all worked as expected

Offline jameswilson

« Reply #16 on: July 26, 2007, 07:05:05 PM »
Hi all again
Has anything been made easier for use with CA certs? As I can't find the above how-to on the wiki and my cert has expired.
I have replaced all the files, the key, the CSR and the cert, with the new ones and then the web server doesn't start. If I rename them back all is well again.
Any ideas?

Offline jameswilson

« Reply #17 on: July 26, 2007, 10:09:57 PM »
I have been following the guide here

http://mirror.contribs.org/smeserver/contribs/nickcritten/howtos/ssl6.htm
and all seems fine apart from I think there is a typo in the part where you create the CSR file.
If I do
Code:
openssl req -new -nodes -keyout myserver.key -out server.csr
When I get the .crt file back from my CA and place it in the folder and restart my web server won't start.

James

Offline jameswilson

« Reply #18 on: July 27, 2007, 12:46:51 PM »
Just to let you know, I was using the wrong key. It appears that every time that command is run a new key is generated. Use the key from the CSR, not an old one.

You live and learn lol
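
The mismatch described in the last post can be caught before the web server is restarted by comparing the public key carried by the private key, the CSR and the issued certificate. This is an added example, not part of the original thread or the how-tos it links; the file names, the `example.test` subject and the self-signed stand-in for the CA are constructed for the demonstration.

```shell
# Added example: check that key, CSR and certificate share one key pair
# before installing them. All file names below are constructed for the demo.

# Print the PEM public key carried by FILE. KIND is key, csr or cert.
pubkey_of() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
        csr)  openssl req  -in "$2" -noout -pubkey 2>/dev/null ;;
        cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
        *)    echo "unknown kind: $1" >&2; return 2 ;;
    esac
}

# Print a SHA-256 digest of that public key; fail if it cannot be read, so
# two unreadable files never compare as "equal".
fingerprint() {
    pub=$(pubkey_of "$1" "$2") || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# same_keypair KIND1 FILE1 KIND2 FILE2: 0 = match, 1 = mismatch, 2 = unreadable
same_keypair() {
    a=$(fingerprint "$1" "$2") || return 2
    b=$(fingerprint "$3" "$4") || return 2
    [ "$a" = "$b" ]
}

# Constructed sample data: run the thread's CSR command twice. Each run writes
# a fresh private key, so old.key does not belong to the certificate issued
# for new.csr. Self-signing stands in for the CA here.
make_samples() {
    d=$(mktemp -d) || return 1
    for n in old new; do
        openssl req -new -nodes -newkey rsa:2048 -subj "/CN=example.test" \
            -keyout "$d/$n.key" -out "$d/$n.csr" >/dev/null 2>&1 || return 1
    done
    openssl x509 -req -in "$d/new.csr" -signkey "$d/new.key" -days 1 \
        -out "$d/new.crt" >/dev/null 2>&1 || return 1
    echo "$d"
}

dir=$(make_samples) || exit 1
for k in new old; do
    same_keypair key "$dir/$k.key" cert "$dir/new.crt" \
        && echo "$k.key matches new.crt" || echo "$k.key does NOT match new.crt"
done
rm -rf "$dir"
```

On a real server the same call would be `same_keypair key server.key cert server.crt`, run against the files about to be installed.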