Koozali.org: home of the SME Server

purchased SSL cert, installed it, now web is down

CharlieBrady
Re: purchased SSL cert, installed it, now web is down
« Reply #15 on: December 15, 2009, 02:29:43 PM »
Quote
Has this been done yet?

Yes (the bug has been resolved, verified, then closed, as you can see)

Quote
Does this apply to purchased SSL certs or just self signed certs?

Just to self-signed certs.

janet
Re: purchased SSL cert, installed it, now web is down
« Reply #16 on: December 15, 2009, 02:49:04 PM »
rshiras

Code:
config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
config setprop modSSL key /home/e-smith/ssl.key/{domain}.key
config setprop modSSL CertificateChainFile /usr/share/ssl/certs/gd_intermediate_bundle.crt

Yes they are the db commands in the link referred to, but follow them with
signal-event post-upgrade
signal-event reboot

You would copy the GoDaddy issued certificate files to the locations specified first, replacing {domain} with the name of your domain that matches the certificate file.

Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

rshiras
Re: purchased SSL cert, installed it, now web is down
« Reply #17 on: December 15, 2009, 06:25:05 PM »
Here is a rough draft of a how-to on entering a UCC SSL certificate into SME 7.4.  I am quite sure I have too many steps here so I implore the experts to help me to turn this into a slimmed down how-to.


Run these commands (do not use the des3 parameter suggested by GoDaddy):
openssl genrsa -out yourdomain.key 2048
openssl req -new -key yourdomain.key -out yourdomain.csr

copy contents of yourdomain.csr to the re-key dialog at godaddy to re-key the cert
Download the ssl zip file from godaddy to your PC
Make a folder /home/e-smith/signedssl
copy the zip file from your pc to /home/e-smith/signedssl
unzip it with these commands:
cd /home/e-smith/signedssl
unzip yourdomain.zip

make a backup copy of these files:
/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf/httpd.conf
Un-comment and edit these lines:
SSLCertificateFile      /etc/httpd/conf/signedssl/yourdomain.crt
SSLCertificateKeyFile   /etc/httpd/conf/signedssl/yourdomain.key
SSLCertificateChainFile /etc/httpd/conf/signedssl/gd_bundle.crt

Run these commands:
config setprop modSSL CommonName yourdomain
config setprop modSSL crt /home/e-smith/signedssl/yourdomain.crt
config setprop modSSL key /home/e-smith/signedssl/yourdomain.key
config setprop modSSL CertificateChainFile /home/e-smith/signedssl/gd_bundle.crt
expand-template /etc/httpd/conf/httpd.conf
signal-event console-save
httpd -k graceful
service httpd-admin restart
signal-event post-upgrade
signal-event reboot

Run these checks:
db configuration show modSSL
grep Certificate /etc/httpd/conf.d/ssl.conf  /etc/httpd/conf/httpd.conf |grep -v \#
/etc/init.d/httpd status

Generate a PEM:
cd /home/e-smith/signedssl
openssl x509 -in yourdomain.crt -out input.der -outform DER
openssl x509 -in input.der -inform DER -out yourdomain.pem -outform PEM
rm input.der

Copy your crt and pem files to your primary ibay html folder to make them available to users.
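
Added example, not part of any post in this thread: a pre-flight check for the certificate and key files that the `config setprop modSSL crt` and `key` commands in Replies #16 and #17 point Apache at. The function names and the script name `preflight.sh` are hypothetical; it assumes an RSA key (as produced by `openssl genrsa`) and GNU `stat`.

```bash
#!/bin/bash
# Added example, not from the thread: checks to run on the certificate and
# key files BEFORE "config setprop modSSL crt/key ..." points Apache at them.

# True when the RSA key in $2 belongs to the certificate in $1.
# "-passin pass:" makes a passphrase-protected key fail instead of prompting.
pair_matches() {
    local c k
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    k=$(openssl rsa -noout -modulus -passin pass: -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# True when only the owner can read the key file (mode 400 or 600).
key_is_private() {
    case "$(stat -c %a "$1" 2>/dev/null)" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# True when the certificate parses and has not expired.
cert_is_current() {
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1
}

# Run all checks; print each failure and return the number of failures.
preflight() {
    local fails=0
    pair_matches "$1" "$2" || { echo "FAIL: $2 is not the key for $1"; fails=$((fails + 1)); }
    key_is_private "$2"    || { echo "FAIL: $2 mode is not 400 or 600"; fails=$((fails + 1)); }
    cert_is_current "$1"   || { echo "FAIL: $1 is expired or unreadable"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: certificate and key pass the checks"
    return "$fails"
}

# Constructed sample: throwaway self-signed pair in a temp dir, for trying the checks.
make_sample() {
    local d; d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=sample.invalid" \
        -keyout "$d/sample.key" -out "$d/sample.crt" >/dev/null 2>&1
    chmod 600 "$d/sample.key"; echo "$d"
}

# Usage: preflight.sh /path/to/yourdomain.crt /path/to/yourdomain.key
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

A non-zero exit status is the number of failed checks, so the script can gate the `signal-event` step in a wrapper.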

CharlieBrady
Re: purchased SSL cert, installed it, now web is down
« Reply #18 on: December 15, 2009, 06:35:59 PM »
Quote
Here is a rough draft of a how-to on entering a UCC SSL certificate into SME 7.4.  I am quite sure I have too many steps here so I implore the experts to help me to turn this into a slimmed down how-to.

If you want to play that game, the wiki is the place to do it.


Quote
make a backup copy of these files:
/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf/httpd.conf
Un-comment and edit these lines:
SSLCertificateFile      /etc/httpd/conf/signedssl/yourdomain.crt
SSLCertificateKeyFile   /etc/httpd/conf/signedssl/yourdomain.key
SSLCertificateChainFile /etc/httpd/conf/signedssl/gd_bundle.crt

Above is definitely wrong advice. I'd advise you to read the developers guide and other documentation, and understand the templating system.

Was this not clear enough for you?

Code:
#              !!DO NOT MODIFY THIS FILE!!
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at http://www.contribs.org/development/

rshiras
Re: purchased SSL cert, installed it, now web is down
« Reply #19 on: December 15, 2009, 07:28:17 PM »
Sorry Charlie.
I knew that would get your attention.
I put these lines in because they are suggested on the GoDaddy help page for installing certs.  I wanted to make a point of this. 
So obviously we want to take out the line to edit httpd.conf.
What about /etc/httpd/conf.d/ssl.conf?  Is that also not needed?  The DO NOT MODIFY warning is not at the top of this file, and I wanted to be sure to include everything that might be needed.
I'm glad you jumped in here, because I have seen by your many great posts that you really know SME.
Is there anything else that should be added or deleted to make this how-to valuable to others?
I would like to handle this without a lot of back and forth, and avoid flaming and RTFM.
I will place my final draft in the wiki as you suggest.



CharlieBrady
Re: purchased SSL cert, installed it, now web is down
« Reply #20 on: December 15, 2009, 07:39:39 PM »
Quote
I will place my final draft in the wiki as you suggest.

Wiki is the place for the first draft.

Over and out.