Koozali.org: home of the SME Server

Transplanting an existing ssl cert to SME7.x

tarball

« on: July 02, 2007, 11:09:17 AM »
I've done my best to RTFM on this and I've read the contribs threads, but I'm giving up and asking you all.

I recently replaced my organization's SME6 box with a SME 7.1.3. I configured everything from a clean install.

The last thing I did was to move over the ssl.key and ssl.crt from the old machine to 7.1.3. This was a cert that we had bought from Thawte. Just as I had done before when moving to the 6.1-01 box, I very simply renamed the existing ssl.crt and ssl.key and moved over with WinSCP the ones we had bought.

You can guess the rest of the story - the ssl.crt is overwritten every time the machine is rebooted. Even worse, I installed MasterSleepy's "snort + oinkmaster + guardian + base" contribs, and that setup overwrites my cert every night at 4:00am, driving me nuts (but I am truly grateful to Mr. Van Hees for his great site).

The Thawte site says something on the order of "move the key and cert over to the new machine on a floppy" - that's all. Can someone please point me to where I can read the correct way to transplant an existing key and cert in such a way that SME7 will not overwrite the cert and replace it with a self-generated one, creating a mismatch with my Thawte key?

TIA,

tarball

raem
Re: Transplanting an existing ssl cert to SME7.x
« Reply #1 on: July 02, 2007, 11:16:19 AM »
tarball

You missed the wiki, see
http://wiki.contribs.org/Category:Howto
http://wiki.contribs.org/Custom_CA_Certificate

where it says to also config the sme db

config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
config setprop modSSL key /home/e-smith/ssl.key/{domain}.key


Please let us know if that fixes things.
...

william_syd
Re: Transplanting an existing ssl cert to SME7.x
« Reply #2 on: July 02, 2007, 01:32:01 PM »
Quote from: "tarball"

The last thing I did was to move over the ssl.key and ssl.crt from the old machine to 7.1.3. This was a cert that we had bought from Thawte. Just as I had done before when moving to the 6.1-01 box, I very simply renamed the existing ssl.crt and ssl.key and moved over with WinSCP the ones we had bought.

You can guess the rest of the story - the ssl.crt is overwritten every time the machine is rebooted.

tarball

I had a similar problem in the SME6 days.

This thread is still relevant.

http://forums.contribs.org/index.php?topic=30320.0
Regards,
William

IF I give advice.. It's only if it was me....

tarball

Re: Transplanting an existing ssl cert to SME7.x
« Reply #3 on: July 02, 2007, 01:49:59 PM »
Thanks for the quick response, Ray.

No, I didn't miss the wiki, but perhaps I misunderstood it.

It appears that the wiki is offering me a free way to avoid the popup on our site's https page.  Much appreciated, but the whole purpose of this thing was to display the Thawte seal on our registration page to get the gingerly Japanese to enter their personal information into our website following the draconian personal info laws enacted here in Japan on April 1, 2005.  

Is there no way I can use the Thawte cert and display its seal?  

Right now I have a few lines on rc.local that overwrite the self-generated cert with a backup copy of the Thawte cert and restart Apache, but that's such an embarrassing kludge that I figured there had to be a more elegant way.

If I'm totally missing the point, please let me know.

Thanks,
tarball

raem
Re: Transplanting an existing ssl cert to SME7.x
« Reply #4 on: July 02, 2007, 04:18:20 PM »
tarball

> If I'm totally missing the point, please let me know.

I was suggesting you follow the example given in the Howto, to tell sme about your Thawte certificate. At present sme doesn't know about it, so it keeps replacing it with the default self signed certificate.
Use the db commands given to tell sme about your actual Thawte certificate name.
Replace {domain} with your actual certificate name (the ones you copied from sme6).

config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
config setprop modSSL key /home/e-smith/ssl.key/{domain}.key

Make sense now?
...

raem
Re: Transplanting an existing ssl cert to SME7.x
« Reply #5 on: July 02, 2007, 04:22:25 PM »
tarball

> config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
> config setprop modSSL key /home/e-smith/ssl.key/{domain}.key

Remember to follow the above commands with a
signal-event console-save
...

tarball

Re: Transplanting an existing ssl cert to SME7.x
« Reply #6 on: July 04, 2007, 03:46:30 AM »
Quote from: "RayMitchell"
tarball

> config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
> config setprop modSSL key /home/e-smith/ssl.key/{domain}.key

Remember to follow the above commands with a
signal-event console-save


What happened was william_syd's post and mine "crossed in the mail," and his suggestion was there to be read by the time I posted mine above. Changing the location of the cert seemed to make sense, so I tried it on a test server here at home and it seemed to work. So, encouraged, I made a folder inside ssl.crt and ssl.key, moved the files inside them, and ran the above commands, except that I mistyped the path (first mistake). Then I ran signal-event post-upgrade ; signal-event reboot instead of your suggestion (second mistake), knocking a production server offline from home at 10pm. No one ever accused me of being a genius.

Yesterday morning (unusually early) I logged in locally and entered the correct paths and rebooted.  http and https are working OK, but now that I read your subsequent post I realize that I never did do signal-event console-save.  

Is it OK to do it a day later?  

Also, am I correct in understanding that as long as I run those commands it is unnecessary to move the cert and key to a non-standard location?  I'll move them back and rerun the commands (all of them this time) if so.

The httpd error logs are telling me that "mail.blah.blah.jp does NOT match server name!" even though that info is actually correct, so it seems that I've still got something wrong.

Thanks for the responses.

tarball

raem
Re: Transplanting an existing ssl cert to SME7.x
« Reply #7 on: July 04, 2007, 06:18:43 AM »
tarball

The references that william pointed you to say essentially the same thing as the references I pointed you to.

The signal-event console-save will be done when you do a signal-event post-upgrade, so no need to repeat it (for the first set of changes you made), but....

You then go on to say...

> Yesterday morning ... I logged in locally and entered the correct paths and rebooted.

You only mention a reboot, when you made further changes you needed to do either
signal-event post-upgrade
reboot
or
signal-event console-save


> ...am I correct in understanding that as long as I run those commands
> it is unnecessary to move the cert and key to a non-standard location?  

You can put the cert files wherever you want, as long as you specify the correct location(s) in the db command. The standard location referred to is OK.

Personally I would delete any old cert files (ie the original self signed sme certificates) to clean things up.


> The httpd error logs are telling me that "mail.blah.blah.jp does
> NOT match server name!" even though that info is actually correct...

I suggest you re-run the procedures advised earlier correctly & completely, and also delete any old certificates in your sme & in your web browser, and install the new certificate (into your browser) that sme issues out the first time you try to connect.

Then see what happens.
...
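The procedure from Ray's replies above (copy the pair into /home/e-smith/ssl.crt and ssl.key, point the modSSL crt/key db properties at it, then signal-event console-save rather than a reboot), written out as a script. This is an added example, not code from the thread or from SME Server itself. It assumes the SME 7 tools `config` and `signal-event` are on the PATH on the target box (elsewhere it only prints the db commands so the run can be rehearsed in a scratch directory via SSL_BASE), and it adds two checks the thread does not mention: that the private key did not arrive group/world-readable from the WinSCP copy, and, when openssl is present, that the certificate's RSA modulus matches the key's, since a key/cert mismatch is exactly the failure the regenerated self-signed cert produced.

```shell
#!/bin/sh
# Added example (not from the thread or from SME Server): install an existing
# CA-issued certificate/key pair on SME 7 and register it in the e-smith
# configuration db so template expansion stops replacing it.
# Assumptions: `config` and `signal-event` exist on the target box; when they
# do not, the db/event commands are printed instead of run.

SSL_BASE=${SSL_BASE:-/home/e-smith}   # override to rehearse in a scratch dir

# pem_has FILE MARKER: 0 if FILE carries a "-----BEGIN MARKER-----" block
pem_has() {
    grep -q -- "-----BEGIN $2-----" "$1" 2>/dev/null
}

# check_pem_files CRT KEY: cheap checks that catch the usual transplant
# mistakes: cert and key swapped, or a key copied over with mode 0644 that
# every local user can read.
check_pem_files() {
    crt=$1; key=$2
    pem_has "$crt" CERTIFICATE || { echo "not a PEM certificate: $crt" >&2; return 1; }
    pem_has "$key" "RSA PRIVATE KEY" || pem_has "$key" "PRIVATE KEY" \
        || { echo "not a PEM private key: $key" >&2; return 1; }
    # columns 5-10 of `ls -l` are the group and other permission bits
    [ "$(ls -l "$key" | cut -c5-10)" = "------" ] \
        || { echo "key $key is group/world readable; chmod 600 it" >&2; return 1; }
    return 0
}

# pair_matches CRT KEY: the real test that this certificate was issued for
# this key (identical RSA modulus). Returns 2 when openssl is unavailable.
pair_matches() {
    command -v openssl >/dev/null 2>&1 || return 2
    cm=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    km=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ "$cm" = "$km" ]
}

# modssl_commands NAME: the db and event commands for a pair installed as
# $SSL_BASE/ssl.crt/NAME.crt and $SSL_BASE/ssl.key/NAME.key
modssl_commands() {
    printf 'config setprop modSSL crt %s/ssl.crt/%s.crt\n' "$SSL_BASE" "$1"
    printf 'config setprop modSSL key %s/ssl.key/%s.key\n' "$SSL_BASE" "$1"
    printf 'signal-event console-save\n'
}

# install_pair NAME SRC_CRT SRC_KEY: copy, lock down, verify, then register.
install_pair() {
    name=$1; src_crt=$2; src_key=$3
    dst_crt=$SSL_BASE/ssl.crt/$name.crt
    dst_key=$SSL_BASE/ssl.key/$name.key
    mkdir -p "$SSL_BASE/ssl.crt" "$SSL_BASE/ssl.key" || return 1
    cp "$src_crt" "$dst_crt" && cp "$src_key" "$dst_key" || return 1
    chmod 644 "$dst_crt"; chmod 600 "$dst_key"
    check_pem_files "$dst_crt" "$dst_key" || return 1
    rc=0; pair_matches "$dst_crt" "$dst_key" || rc=$?
    case $rc in
        1) echo "certificate and key do not match; not registering" >&2; return 1 ;;
        2) echo "openssl not found; modulus check skipped" >&2 ;;
    esac
    if command -v config >/dev/null 2>&1 && command -v signal-event >/dev/null 2>&1; then
        modssl_commands "$name" | sh -e
    else
        echo "SME tools not present; would run:" >&2
        modssl_commands "$name" >&2
    fi
}

# Usage on the SME box (paths are illustrative):
#   install_pair mail.example.jp /root/thawte/mail.crt /root/thawte/mail.key
```

The modulus comparison is the check to keep even if nothing else is: a certificate and key that do not belong together pass every "is it a PEM file" test and only fail when Apache starts, which is the situation the thread is about.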

tarball

Transplanting an existing ssl cert to SME7.x
« Reply #8 on: July 10, 2007, 11:04:43 AM »
Sorry for taking so long to respond.

I ran the commands, and Apache has stopped overwriting the ssl cert now, so thank you very much!

I found that the reason I am getting the "name and cert don't match" messages is because httpd.conf has the host name as "www." I have no clue as to how this could have happened, as I named it "mail" on install and bought a cert for "mail."  However, if the worst that happens is I get messages in the httpd error logs, I'll just look the other way for now.

Anyway, thanks again Ray and William for taking the time to help me through this.  I really appreciate it.

tarball

william_syd
Transplanting an existing ssl cert to SME7.x
« Reply #9 on: July 10, 2007, 01:39:42 PM »
Have a look in

/etc/e-smith/templates/etc/httpd/conf/httpd.conf/45ServerName

You may want to make a copy in templates-custom and change the www to what you think will work for you.

Don't forget to expand the template and restart the httpd server.
Regards,
William

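The templates-custom override William describes, as an added example rather than SME's own 45ServerName fragment (the thread does not show that fragment's contents). It assumes the templates-custom root is /etc/e-smith/templates-custom, that the configuration db keys SystemName and DomainName are available to templates as they are elsewhere in e-smith templates, that expand-template regenerates /etc/httpd/conf/httpd.conf, and that Apache is restarted via /etc/init.d/httpd-e-smith; the last two names are assumptions to confirm on the box. Building the name from the db rather than hard-coding "mail.example.jp" keeps the override correct if the system or domain name is ever changed.

```shell
#!/bin/sh
# Added example (not from the thread or from SME Server): override the
# ServerName fragment in templates-custom so Apache presents the host name
# the certificate was issued for (the "mail" system name) instead of "www".
# Assumptions: paths and tool names below are the usual SME 7 ones but are
# not taken from the thread; verify them on the target box.

TEMPLATES_CUSTOM=${TEMPLATES_CUSTOM:-/etc/e-smith/templates-custom}
FRAGMENT=etc/httpd/conf/httpd.conf/45ServerName

# write_servername_fragment: drop a custom 45ServerName that takes the name
# from the db keys SystemName and DomainName (e.g. mail.example.jp).
write_servername_fragment() {
    mkdir -p "$TEMPLATES_CUSTOM/$(dirname "$FRAGMENT")" || return 1
    cat > "$TEMPLATES_CUSTOM/$FRAGMENT" <<'EOF'
{
    # templates-custom override (added example): ServerName built from the
    # configuration db rather than hard-coded as "www".
    $OUT .= "ServerName $SystemName.$DomainName\n";
}
EOF
}

# expected_servername SYSTEMNAME DOMAINNAME: the line the fragment expands to,
# to compare against the certificate before restarting anything.
expected_servername() {
    printf 'ServerName %s.%s' "$1" "$2"
}

# cert_cn CRT: subject CN of a PEM certificate (needs openssl); handles both
# the "/CN=host" and "CN = host" subject formats openssl prints.
cert_cn() {
    openssl x509 -noout -subject -in "$1" 2>/dev/null \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# name_matches_cert CRT SYSTEMNAME DOMAINNAME: 0 when the cert's CN is
# exactly the name Apache will announce, which is what the
# "does NOT match server name" log line is complaining about.
name_matches_cert() {
    [ "$(cert_cn "$1")" = "$2.$3" ]
}

# apply: regenerate httpd.conf from the templates and restart Apache.
# Only meaningful on a box with the SME tools present.
apply() {
    command -v expand-template >/dev/null 2>&1 \
        || { echo "expand-template not found; not an SME box?" >&2; return 1; }
    expand-template /etc/httpd/conf/httpd.conf || return 1
    /etc/init.d/httpd-e-smith restart   # assumed service name
}

# Usage on the SME box:
#   write_servername_fragment && apply
```

Because the override lives under templates-custom, it survives the same events (console-save, post-upgrade, the nightly contrib jobs) that regenerate httpd.conf, for the same reason the modSSL db entries survive where the hand-copied ssl.crt did not: the template system is reading your value instead of overwriting it.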