Koozali.org: home of the SME Server

Rapid SSL certificates

Offline ElFroggio

Rapid SSL certificates
« on: February 23, 2015, 05:04:08 PM »
Hi,

I need a certificate for the email only with the FQDN, no web required.

Is anybody using RapidSSL (they are cheap enough)

Thanks

/Syv

Offline crazybob

Re: Rapid SSL certificates
« Reply #1 on: February 24, 2015, 03:28:22 AM »
check startssl https://www.startssl.com/
you will also find info at the how to page in the wiki http://wiki.contribs.org/Certificate_Integration_startssl.com_Server_Certificate
If you think you know what's going on, you obviously have no idea what's going on!

Offline ElFroggio

Re: Rapid SSL certificates
« Reply #2 on: February 25, 2015, 03:45:21 AM »
I bought the RapidSSL certificate for the fully qualified domain. Here's some stuff I had to work through:

1. Before doing any certificate work, install: http://wiki.contribs.org/Certificate_ssl_management. It will make it much easier.
2. If something goes wrong, the server will become unusable (web and email). Open a terminal session on your server, in case of problem, and use:
    signal-event certificate-revert
   to restore the previous state.
3. Generate both the private key (FQDN.key) and key request (FQDN.csr) with [FQDN: fully qualified domain name, the actual name of the server + the primary domain] and replace FQDN with yours:
    openssl req -newkey rsa:2048 -keyout FQDN.key -out FQDN.csr
   for sha1, or
    openssl req -newkey rsa:2048 -sha256 -keyout FQDN.key -out FQDN.csr
   for sha2
4. When ordering, get the Apache + mod_ssl certificate
5. In the certificate ssl management panel:
   • SSL certificate: the one sent by symantec/rapidssl. It starts with -----BEGIN CERTIFICATE-----
   • SSL private Key: the one generated in step 3. It starts with -----BEGIN PRIVATE KEY-----
   • SSL intermediate chain certificate: Go to rapidssl website and download the CA bundle. It starts with -----BEGIN CERTIFICATE-----. It has both intermediaries and they are in the correct order
6. Click on save, cross fingers, bow to the ssl gods... and close the web browser. Restart the web browser to guarantee the clearing of the cache and go back to the server-manager. If it worked then you can close the terminal session of step 2
7. Test your (or any) certificate at: https://www.ssllabs.com/ssltest

Hopefully, this makes sense and will help somebody else

/Syv
« Last Edit: February 25, 2015, 04:43:03 AM by ElFroggio »

Offline TerryF

Re: Rapid SSL certificates
« Reply #3 on: February 25, 2015, 07:27:51 AM »
Nice work ElFroggio, would be worth adding to wiki.
--
qui scribit bis legit

Offline Gary Douglas

Re: Rapid SSL certificates
« Reply #4 on: February 25, 2015, 11:41:43 AM »
Recently started using Namecheap, at the price of a positiveSSL for a domain validation certificate the cost outweighs the problem of self-signed certificates.

https://www.namecheap.com/security/ssl-certificates/domain-validation.aspx

Offline vipermx2

Re: Rapid SSL certificates
« Reply #5 on: April 20, 2016, 10:00:22 PM »
When I try the above steps, it breaks the web page and the console just repeatedly scrolls with:
Quote
Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server mail.domain.net:443 (RSA)
Enter pass phrase:Apache:mod_ssl:Error: Private key not found.
**Stopped
Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server mail.domain.net:443 (RSA)
Enter pass phrase:Apache:mod_ssl:Error: Private key not found.
**Stopped

Please help, I don't know what I am doing wrong.  The steps I performed on SME 9.1, trying to use Rapid SSL FreeSSL (want to make sure it works before I purchase):

1.  Login to console as root
2.  type
    openssl req -newkey rsa:2048 -sha256 -keyout mail.domain.net.key -out mail.domain.net.csr
3.  fill out the request questions
4.  
    nano mail.domain.net.csr
5.  copy the code and submit it to Rapidssl
6.  open the Server-Manager webpage
7.  open manage SSL certificates webpage
8.  Paste new code from RapidSSL into the SSL certificate box
9.  from a putty console I
    nano mail.adomain.net.key
    and copy the code from there and paste it into the SSL private Key box on the SSL Cert Man webpage
10. Then I navigated to RapidSSL Intermediate chain certificate and copy the RSA SHA-2 (under SHA-2 Root) SSL Certificates code and paste it in the SSL intermediate chain certificate box on the SSL Cert Man webpage
11. Save
and that's when the console goes nuts with the error and breaks the website and email, and I have to do the
    signal-event certificate-revert
to get it working again.

What am I doing wrong or do I need to perform?
Thanks for your advice!

Offline DanB35

Re: Rapid SSL certificates
« Reply #6 on: April 20, 2016, 10:54:51 PM »
If you aren't married to RapidSSL, consider using Let's Encrypt: https://wiki.contribs.org/Letsencrypt.  The instructions for setting up letsencrypt.sh should be complete and correct, and once it's set up, it will renew itself forever.  The certs are free, support up to 100 names apiece, and are trusted almost everywhere.

Offline vipermx2

Re: Rapid SSL certificates
« Reply #7 on: April 22, 2016, 05:54:25 PM »
Quote
If you aren't married to RapidSSL, consider using Let's Encrypt: https://wiki.contribs.org/Letsencrypt.  The instructions for setting up letsencrypt.sh should be complete and correct, and once it's set up, it will renew itself forever.  The certs are free, support up to 100 names apiece, and are trusted almost everywhere.

Thank You DanB35,

I will look into this.  Just to be certain, it says multiple domains, so if I am only using the server for the one, I just put mail.domain.com, correct? Do you recommend installing the client or just the script? Which one would be easier to manage?
Thanks Again!

Offline DanB35

Re: Rapid SSL certificates
« Reply #8 on: April 22, 2016, 06:04:35 PM »
You can have as few as one, and as many as 100, hostnames on a single Let's Encrypt cert.  Those hostnames can be on a single domain, or on multiple domains.  Thus, you could get a cert for only yourdomain.tld.  Or you could get one for yourdomain.tld, www.yourdomain.tld, and mail.yourdomain.tld.  Or you could get yourdomain.tld, yourotherdomain.tld, and mail.thirddomain.tld.  As long as all the hostnames on that cert resolve to your SME server, it will work.

I think the letsencrypt.sh script is a better fit for the SME server at this point.  The official client works well, but requires a number of dependencies.  The instructions for letsencrypt.sh should be pretty thorough, but let me know if you run into any issues.

Offline holck

Re: Rapid SSL certificates
« Reply #9 on: April 22, 2016, 08:00:39 PM »
I use RapidSSL, and I'm quite satisfied. It took some effort to set it up, but their support was very helpful.

Offline michelandre

Re: Rapid SSL certificates
« Reply #10 on: May 13, 2016, 01:22:35 AM »
Hi vipermx2,

Quote
What am I doing wrong or do I need to perform?
Thanks for your advice!

It is because you enter a Pass Phrase when you created the CSR.

Michel-André
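The script below is an added example, not code from this thread or from SME Server. It ties three points of the discussion together: the key and CSR generation of ElFroggio's step 3, DanB35's remark that one certificate can carry several hostnames (added here as subjectAltName entries in the CSR), and Michel-André's diagnosis that the mod_ssl pass phrase loop in Reply #5 comes from a key that was created with a pass phrase. The key is generated with -nodes so no pass phrase is ever set, and the helper functions check a key before it is pasted into the panel: whether it is encrypted, whether it belongs to the CSR that was submitted, and how many DNS names the CSR asks for. A small config file carries the SAN list instead of the newer -addext option, so the same command runs on older OpenSSL releases. The hostnames, the WORK directory and all function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from SME Server. Generates an
# unencrypted key + SHA-256 CSR (optionally with extra subjectAltName
# hostnames) and checks a key before it goes into the certificate panel.
# All hostnames are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # where keys, CSRs and config files are written

# make_key_and_csr FQDN [EXTRA_HOSTNAME...]
# Writes $WORK/FQDN.key (2048-bit RSA, no pass phrase: -nodes) and
# $WORK/FQDN.csr (signed with SHA-256). Extra names become DNS entries in
# subjectAltName, so one certificate can cover e.g. the bare domain, www
# and mail. A config file carries the SAN list for portability.
make_key_and_csr() {
    fqdn="$1"; shift
    san="DNS:$fqdn"
    for name in "$@"; do san="$san,DNS:$name"; done
    printf '%s\n' '[req]' 'distinguished_name = dn' 'req_extensions = san' \
        'prompt = no' '[dn]' "CN = $fqdn" '[san]' "subjectAltName = $san" \
        > "$WORK/$fqdn.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORK/$fqdn.cnf" \
        -keyout "$WORK/$fqdn.key" -out "$WORK/$fqdn.csr" 2>/dev/null
}

# key_is_encrypted KEYFILE: succeeds if the PEM is pass-phrase protected.
# Both PEM encodings mark this ("ENCRYPTED PRIVATE KEY" or "Proc-Type:
# 4,ENCRYPTED"). Such a key makes mod_ssl ask for the pass phrase at every
# start, which is the loop shown in Reply #5.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# strip_passphrase ENCRYPTED_KEY PASSPHRASE OUTFILE: rewrites an existing
# pass-phrase protected key as an unencrypted PEM the panel can use.
strip_passphrase() {
    openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null
}

# key_matches_csr KEYFILE CSRFILE: succeeds if both carry the same RSA
# modulus, i.e. the key being pasted belongs to the CSR that was submitted.
# An empty -passin stops openssl from prompting on an encrypted key; the
# read then fails and the function returns 1.
key_matches_csr() {
    k=$(openssl rsa -in "$1" -passin pass: -noout -modulus 2>/dev/null) || return 1
    c=$(openssl req -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# csr_san_count CSRFILE: prints how many DNS names the CSR asks for.
csr_san_count() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:' | wc -l | tr -d ' '
}

# Demonstration on constructed names.
make_key_and_csr mail.example.org www.example.org
if key_is_encrypted "$WORK/mail.example.org.key"; then
    echo "mail.example.org.key is encrypted: do not paste it into the panel"
else
    echo "mail.example.org.key is unencrypted: OK for the SSL private Key box"
fi
if key_matches_csr "$WORK/mail.example.org.key" "$WORK/mail.example.org.csr"; then
    echo "key and CSR match ($(csr_san_count "$WORK/mail.example.org.csr") DNS names)"
fi

# Reproduce the Reply #5 condition: a key created with a (constructed) pass
# phrase, then repaired so it no longer triggers the prompt.
openssl genrsa -aes256 -passout pass:constructed-secret \
    -out "$WORK/enc.key" 2048 2>/dev/null
if key_is_encrypted "$WORK/enc.key"; then
    echo "enc.key would trigger the mod_ssl pass phrase prompt"
fi
strip_passphrase "$WORK/enc.key" constructed-secret "$WORK/plain.key"
if ! key_is_encrypted "$WORK/plain.key"; then
    echo "plain.key is safe to paste"
fi
```

In practice the contents of $WORK/FQDN.csr go into the CA's order form and the contents of $WORK/FQDN.key into the "SSL private Key" box; running key_is_encrypted on the key first avoids the pass phrase loop, and key_matches_csr catches a key that was regenerated after the CSR was submitted.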