Koozali.org: home of the SME Server

custom CERT - Nick's custom template - clarifications

festus
custom CERT - Nick's custom template - clarifications
« on: August 02, 2006, 08:52:57 AM »
I have been trying to generate a custom cert using Nick's template found at:

http://mirror.contribs.org/smeserver/contribs/nickcritten/howtos/ssl7_files/ssl.crt

I have been communicating with Nick through email on some doubts I had.
I am copying the same into this Forum topic for the benefit of all, and also to ask a few more clarifications.
--------------------------------------------------------------------------------------
Hi Festus,

Once the new template has been copied into the templates-custom directory, anything that triggers the signal-event domain-modify will cause the Certificate to be rebuilt.

So if you edit anything in 'Directory' in server manager, the cert will be generated.. Also if you change the system name, change domain details etc.etc

Nick


On Tue, 1 Aug 2006 19:39:45, festus@planettel.com.sg <festus@planettel.com.sg> wrote:
Dear Nick,

Many thanks for the prompt reply with clarification.
One item still not clear ?

When does the new certificate generated by your script take effect ? I was assuming that only if I go to the last step:
'signal-event domain-modify ' then the new cert will be generated. Looks like my understanding was wrong.

Does it mean, once I have downloaded the file ssl.crt into the
custom folder: /etc/e-smith/templates-custom/home/e-smith, the new cert will be automatically generated ?

Thanks for your clarification.

I will post this discussion onto the Forum, after your reply.

Best Regards,

Festus

Original Message -----------------------
Hi Festus,

1)
To change the length of time before a certificate expires, change Line 2 of
the ssl.crt script
e.g.
use constant KEYLIFEINDAYS => 365;
Change 365 to the number of days to expire by (2Years = 730, 3Years = 1095,
etc. etc.)

2)
If the common name reverted back to the one in my script then it looks like
you haven't done step 5:
          5) Edit the template to insert your desired Common Name (Line 13)
If you have already done this, then make sure that you have edited the
correct template
i.e
/etc/e-smith/templates-custom/home/e-smith

NOT
/etc/e-smith/templates/home/e-smith



If you get any more problems, then please post a message in sme7.x Contribs
Then drop me an email so I know it is in there.

Hope this helps.

Nick

On Tue, 1 Aug 2006 17:00:18, festus@planettel.com.sg <festus@planettel.com.sg> wrote:
> Dear Nick,
>
> Following my earlier email to you, wanted to update you with one experience I had with your script and request for clarification.
>
> I had already installed the ssl generated by the sme 7.0 by default, in a number of PCs and the outlook exp was working fine without new pop-up alerts.
>
> Yesterday I followed the instruction given by you in the following document.
>
> Custom SSL Certificate on SME 7.0
> Version 1.1
>
> I had gone up to the step 4 and left it like that.
> This afternoon we made a simple config change to enable spam blocking in the smeserver-admin panel and saved the change.
> Lo and behold the server had autogenerated a new cert based on your default common name 'slewth...hk...' etc.
>
> Suddenly all the outlook failed to work and we had to custom generate the cert using the proper common name and install the cert again in all the PCs.
>
> Can you explain why this happened ?
>
> Would this mean that, in future if we make some other config change in the sme7.0 from the control panel, it will generate again a new cert valid from that new date ???
>
> Worried....
>
> Please help to explain what happened and whether I will get such surprises in future.
>
> Many thanks for your advice.
>
> Best Regards,
>
> Festus Thomas

festus
Custom CERT - Additional Questions
« Reply #1 on: August 02, 2006, 09:08:24 AM »
I have the following additional questions:

a) What actions should I take in terms of deleting / moving files and
    changing configs, in order to remove the custom template totally
    in case I want to revert back to the earlier state ?

    Which files are modified or generated when the new cert is generated ?
    What is the folder location for each of these files ?

-------------------------------------------------------------------------
b) What should I do, if I want to retain the cert generated by Nick's
    custom template and do not want to generate any more new certs ?
    Since my domain name, server name etc - all the basic information
    does not change, I do not want the template to keep generating new
    cert files with new valid dates, every time I make some change in the
    server-manager page or from the command prompt to run:

    signal-event domain-modify
------------------------------------------------------------------------------
c) What are the parameter changes in the 'Directory' that will require to
    run the above command ?

    I have copied below the various values we can select under 'Directory'

1) LDAP directory access = Allow Public Access

2) Default department  
3) Default company  
4) Default Street address  
5) Default City  
6) Default Phone Number  

7) Existing users = Leave as they are / Update with new defaults

Is it safe to assume that only if I change items 2-6 above, a new
cert is needed ? Changing items 1 and 7 and saving the change will not generate a new cert ??
-----------------------------------------------------------------------

Kindly clarify.

NickCritten
Re: Custom CERT - Additional Questions
« Reply #2 on: August 02, 2006, 11:33:43 AM »
Quote from: "festus"
I have the following additional questions:

a) What actions should I take in terms of deleting / moving files and
    changing configs, in order to remove the custom template totally
    in case I want to revert back to the earlier state ?

    Which files are modified or generated when the new cert is generated ?
    What is the folder location for each of these files ?

I don't understand you entirely on this, please re-phrase the question
The files modified are the Certificate and Key

Quote from: "festus"

b) What should I do, if I want to retain the cert generated by Nick's
    custom template and do not want to generate any more new certs ?
    Since my domain name, server name etc - all the basic information
    does not change, I do not want the template to keep generating new
    cert files with new valid dates, every time I make some change in the
    server-manager page or from the command prompt to run:

    signal-event domain-modify

The Cert will not regenerate unless it expires, or your domain or Directory information changes.

Quote from: "festus"

c) What are the parameter changes in the 'Directory' that will require to
    run the above command ?

    I have copied below the various values we can select under 'Directory'

1) LDAP directory access = Allow Public Access

2) Default department  
3) Default company  
4) Default Street address  
5) Default City  
6) Default Phone Number  

7) Existing users = Leave as they are / Update with new defaults

Is it safe to assume that only if I change items 2-6 above, a new
cert is needed ? Changing items 1 and 7 and saving the change will not generate a new cert ??


With My Custom Template installed the cert will be rebuilt if:
$defaultCity, $defaultCompany, $defaultDepartment or $domainName are changed.

Without My Custom Template, it will also be rebuilt if $systemName  changes.
...
Nick

"No good deed goes unpunished." :-x...

festus
Re: Custom CERT - Additional Questions
« Reply #3 on: August 02, 2006, 11:55:03 AM »
Quote
I don't understand you entirely on this, please re-phrase the question. The files modified are the Certificate and Key


You have partly answered my question.
I want to know the exact file names and the folder location.

Also, if I back up these files and for some reason a new cert is generated by the smeserver due to changes in the parameters you had mentioned, if I restore the backup files, would it retain the earlier cert ?

I am thinking of a backup plan, just in case for some reason a new cert is generated with a new valid date - could I replace the new files with the earlier version so that my client PCs can continue to use the earlier cert that would have been already installed in the client PC ?

NickCritten
Re: Custom CERT - Additional Questions
« Reply #4 on: August 02, 2006, 12:06:07 PM »
Quote from: "festus"

You have partly answered my question.
I want to know the exact file names and the folder location.

They are in /home/e-smith

Quote from: "festus"

Also, if I backup these files and for some reason a new cert is generated by the smeserver due to changes in the parameters you had mentioned, if i restore the backup files, would it retain the earlier cert.

No
If something occurred to make the cert regenerate in the first place, then that change will still be in effect the next time the certificate is checked, and it will be regenerated again.

Quote from: "festus"

I am thinking of a backup plan, just in case for some reason a new cert is generated with a new valid date -  could i replace the new files with the earlier version so that my client PCs can continue to uese the earlier cert that would have been already installed in the client PC ?

If a new Cert is generated because the previous one has expired then the previous one is useless anyway because your clients won't accept it, even if you've installed it.

All you have to do is set up your Box, THEN distribute the certificate.
If you want the cert to last longer than a year, then change Line 2 of the Template to more Days (Default is 365 - 1 year).
...
Nick

festus
New Cert - Just by changing the Spam Filter level
« Reply #5 on: August 08, 2006, 01:23:24 PM »
Hi Nick,

I am wondering if I am the only one having this problem.
Based on your explanations, a new cert should be generated only if there is any change to the entries under the 'Directory'.

However, just this morning we had a problem just by changing the Spam Sensitivity from Normal to 'High'. After saving this change, strangely the unknown cert alert started popping up in all the Client PCs using outlook express!! This is very stressful since there are several PCs where we have to go and install the new cert again - very very frustrating for us as well as the users. Now we are worried about changing anything in the server-manager page.

We made absolutely no change to the company or domain information in the Directory page or Domains page.

Would appreciate if this issue can be investigated by the core development team. There must be some bug, since the above sequence of event is not supposed to happen. Should I post this as a possible bug ?

In such a scenario, as an emergency measure, can I restore the last working cert files from the back-up and will it prevent the cert alert from coming up ? I would rather not go around re-installing a new cert every time we make some small config change in the admin page..

I have done a backup of the following files which seem to be associated with the cert. I assume any new cert will replace these files. Suppose I have a backup of these files and just restore them, will it help me to manage the uncertainty about a new cert being imposed on me just for making some minor config change like the spam level setting ??

/home/e-smith/ssl.crt/server.domain.crt
/home/e-smith/ssl.key/server.domain.key
/home/e-smith/ssl.pem/server.domain.pem

URGENTLY NEED ADVICE AND HELP TO RESOLVE THIS PROBLEM
HELP !!!!!

NickCritten
custom CERT - Nick's custom template - clarifications
« Reply #6 on: August 09, 2006, 03:05:35 PM »
In case anyone else wants to look at this, the howto is here:
http://no.longer.valid/phpwiki/index.php/Creating%20a%20Custom%20signed%20SSL%20Certificate

Hi festus,

I don't know what to tell you...

I have this Template installed on 3 production machines, and I have been contacted by at least 6 people all saying that this works fine.

I suspect that something else is going on which is causing your problems.


As you requested, I investigated the Certificate being regenerated when you change your spam settings, and I can categorically confirm that doing this will NOT cause the template to be expanded.

Please ensure that you are using my custom template ONLY on SME7Final (It should still work fine on 7 <final but it hasn't been fully tested).

If you believe that your system is regenerating Certs when it should not be, then please raise a bug in the Bugtracker
...
Nick

byte
custom CERT - Nick's custom template - clarifications
« Reply #7 on: August 09, 2006, 03:19:57 PM »
Quote from: "NickCritten"

If you believe that your system is regenerating Certs when it should not be, then please raise a bug in the Bugtracker


Does this bug help?

http://bugs.contribs.org/show_bug.cgi?id=1602
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!

NickCritten
custom CERT - Nick's custom template - clarifications
« Reply #8 on: August 09, 2006, 05:09:41 PM »
Quote from: "byte"
Quote from: "NickCritten"

If you believe that your system is regenerating Certs when it should not be, then please raise a bug in the Bugtracker


Does this bug help?

http://bugs.contribs.org/show_bug.cgi?id=1602


Thanks Byte!

Festus,

Read that bug, Your answer will be in there.
...
Nick

festus
Will continue to gather data on the problem we experienced
« Reply #9 on: August 10, 2006, 10:33:59 AM »
Many Thanks Nick for your very helpful input and directions.
Read the bug you had provided the link for.
But our situation does not seem to fit into that problem description.

I will try to study the 2 certs, before and after the spam settings change and see if we can figure out what exactly changed and hopefully get some clue.

Thanks again for all your help and advice.

Festus

JonB
custom CERT - Nick's custom template - clarifications
« Reply #10 on: August 10, 2006, 01:32:43 PM »
I think you will find it is not a bug at all but it is working exactly as it should.


Nick's custom cert contrib recreates the cert in /home/e-smith as it should, however that is not the only place that there are certificate .pem files.

There is also a cert.pem file in /var/service/qpsmtpd/ssl and it is this that is used for POP3S, SSMTP and IMAPS.

When you use Nick's custom cert contrib, change the CommonName and do a

signal-event domain-modify

it changes the cert in /home/e-smith but it does not change the cert.pem in /var/service/qpsmtpd/ssl

so you have the situation where you have 2 different certs, one for https which may be domain.com and the original cert for POP3S, SSMTP and IMAPS which is still host.domain.com

When festus changed his spam settings the server does a

signal-event email-update.

One of the actions for email-update is to copy /home/e-smith/ssl.pem/domain.pem to /var/service/qpsmtpd/ssl/cert.pem

The certs are now in sync

That is why the cert changed when festus changed an email setting.

For Nick's howto to be correct and get the certs in sync you need to do

signal-event domain-update
signal-event email-update

Jon
...
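Jon's explanation gives an administrator a concrete check to run before distributing a certificate to clients: the cert Apache serves from /home/e-smith/ssl.pem and the cert.pem that qpsmtpd uses for POP3S, SSMTP and IMAPS should carry the same certificate, otherwise the next email-update will swap the mail cert under the users' feet. The script below is an added example, not code from the thread, from Nick's howto or from SME Server; it compares the SHA-256 fingerprint of the CERTIFICATE block in each file (ignoring the private key that the combined .pem also holds). The file paths are the ones named in the thread; the PEM blobs embedded in the script are constructed placeholders, not real certificates, so it runs offline.

```python
"""Check that SME Server's two certificate copies are in sync.

Added example, not from the thread or from Nick's howto. It compares the
CERTIFICATE block in /home/e-smith/ssl.pem/<domain>.pem (used by Apache)
with /var/service/qpsmtpd/ssl/cert.pem (used by qpsmtpd for POP3S, SSMTP
and IMAPS). The PEM blobs embedded below are constructed placeholders."""
import base64
import hashlib
import re
import sys

# Matches any PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def certificate_ders(pem_text):
    """Return the DER bytes of every CERTIFICATE block in a PEM file.

    Key blocks (the .pem in /home/e-smith holds key + cert) are skipped,
    because only the certificate is what clients pin."""
    ders = []
    for label, body in PEM_BLOCK.findall(pem_text):
        if label != "CERTIFICATE":
            continue
        ders.append(base64.b64decode("".join(body.split())))
    return ders


def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form openssl prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def certs_in_sync(apache_pem, qpsmtpd_pem):
    """True when the first certificate in each PEM has the same fingerprint.

    A file with no certificate at all counts as out of sync, so a missing
    or truncated cert.pem is reported rather than silently passing."""
    a = certificate_ders(apache_pem)
    b = certificate_ders(qpsmtpd_pem)
    if not a or not b:
        return False
    return fingerprint(a[0]) == fingerprint(b[0])


def _pem(label, payload):
    """Wrap raw bytes as a PEM block with 64-character lines (constructed)."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label, "\n".join(lines), label)


# Constructed sample data: these bytes stand in for DER, they are not real certs.
CERT_BEFORE = _pem("CERTIFICATE", b"constructed DER for host.domain.com " * 3)
CERT_AFTER = _pem("CERTIFICATE", b"constructed DER for domain.com " * 3)
KEY_BLOB = _pem("RSA PRIVATE KEY", b"constructed private key bytes " * 3)

# Apache's domain.pem after domain-modify: new key + new cert.
APACHE_PEM = KEY_BLOB + CERT_AFTER
# qpsmtpd's cert.pem still carries the old cert until email-update copies domain.pem.
QPSMTPD_PEM_STALE = CERT_BEFORE
QPSMTPD_PEM_SYNCED = APACHE_PEM


def main(argv):
    """Usage: cert_sync_check.py /home/e-smith/ssl.pem/DOMAIN.pem /var/service/qpsmtpd/ssl/cert.pem"""
    if len(argv) != 3:
        print(main.__doc__)
        return 2
    with open(argv[1]) as apache, open(argv[2]) as qpsmtpd:
        ok = certs_in_sync(apache.read(), qpsmtpd.read())
    print("in sync" if ok else "OUT OF SYNC: run signal-event email-update")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the two real paths on the server after `signal-event domain-modify`; a non-zero exit means the mail services are still presenting the old certificate and the `signal-event email-update` step from Jon's post has not been applied yet.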

festus
Thanks Jon. You saved my day !!
« Reply #11 on: August 11, 2006, 12:46:02 AM »
Hi Jon,

Your clear and expert explanation to the mystery has saved my day !

Thank you so much for finding time to analyse the problem accurately and explain it. It is obvious that you have a very good understanding of how the code logic works with smeserver for generating certs.

Your explanation indeed removed the uncertainty about what may happen if we make changes at the panel. Based on your explanation, once the two certs sync, we should not have any repeat of what happened.

Thanks again to Nick for your contributions and efforts to help find a solution.

Festus

P.S - Jon, since you seem to have a good grasp of the smeserver code, maybe you can also help me resolve another mystery about not being able to access the smeserver using putty & ssh2. My posting on this issue can be found at:

http://forums.contribs.org/index.php?topic=33107.0

Topic = PUTTY - ssh remote access - terminal shuts down
&
Bug#1789 - ssh terminal on putty shuts down on entering root

NickCritten
custom CERT - Nick's custom template - clarifications
« Reply #12 on: August 11, 2006, 09:50:28 AM »
Quote from: "JonB"
For Nicks howto to be correct and get the certs in sync you need to do

signal-event domain-update
signal-event email-update

Jon


Hi Jon,

Thanks for saving the day for Festus... I was starting to get quite puzzled!

I shall update the Howto to include the extra step.  :hammer:
...
Nick

bcdaus

custom CERT - Nick's custom template - clarifications
« Reply #13 on: April 15, 2007, 12:25:40 AM »
I know this is an old thread, but I just wanted to update it with the new URL for the How To :
http://mirror.contribs.org/smeserver/contribs/nickcritten/howtos/ssl7.htm

Works great on v7.1.3.

One thing to be aware of is that the event signal-event domain-update does not seem to be in 7.1.3, but signal-event domain-modify (as mentioned in the HOWTO) is. Also don't forget to do the signal-event email-update to sync the two certs.

With Thanks,
Bill.

NickCritten
custom CERT - Nick's custom template - clarifications
« Reply #14 on: April 15, 2007, 01:45:40 PM »
Thanks bcdaus,

I've updated the Howto with the extra line - I must have forgotten to update it back then.

It will take a few hours for the change to sync up to the mirrors though.
...
Nick

daniel
multiple domain certificate key
« Reply #15 on: April 24, 2007, 04:13:25 AM »
Thanks NickC for the updated howto.  

Is it possible to have multiple common names in the ssl.crt file, ie www.domain.com, mail.domain.com, smtp.domain.com? Will that generate or will it break the certificate if there is more than one commonname?

TrevorB
custom CERT - Nick's custom template - clarifications
« Reply #16 on: April 24, 2007, 05:54:11 AM »
Nick,

any chance of putting this in the wiki?

http://wiki.contribs.org/Category:Howto

berdie
custom CERT - Nick's custom template - clarifications
« Reply #17 on: April 24, 2007, 12:03:24 PM »
Quote from: "TrevorB"
any chance of putting this in the wiki?

http://wiki.contribs.org/Category:Howto
Hallo,

I've made a RPM-package based on this great howto from Nick.
Here is the link: http://wiki.contribs.org/Certificate

Rgds.
Dietmar

NickCritten
custom CERT - Nick's custom template - clarifications
« Reply #18 on: April 24, 2007, 02:42:41 PM »
Hi Gents,

You will be happy to hear that the magicians also known as the Dev team have now built this ability into the base of SME, so my howto is defunct as of SME 7.1.3

Please see Bug 1689 for details.

The correct method of doing this now is:

    config setprop modSSL CommonName www.domain.com
    expand-template /home/e-smith/ssl.crt/crt


I will put this in the Wiki.
...
Nick