Koozali.org: home of the SME Server

SSL Certificate

michelandre
SSL Certificate
« on: January 25, 2016, 02:38:50 AM »
Hi all,

- I bought an SSL certificate from GoDaddy.com for just $5.99USD (big saving from $107.99...)

- My key and the CSR files
server.domain.org.key
server.domain.org.csr

- The certificate zip file contains 2 files
123456789abcdef2.crt
gd_bundle-g2-g1.crt

- I check where the certificate and the key files are
## cat /etc/httpd/conf/httpd.conf  | grep SSLCertificate
SSLCertificateFile /home/e-smith/ssl.crt/server.domain.org.crt
SSLCertificateKeyFile /home/e-smith/ssl.key/server.domain.org.key

- Just in case, I copy the original files to save them in /root/Certificate/
## cp  /home/e-smith/ssl.crt/server.domain.org.crt    /root/Certificate/
## cp  /home/e-smith/ssl.key/server.domain.org.key  /root/Certificate/

- I check the version of apache
## rpm -qa | grep apache
e-smith-apache-2.4.0-12.el6.sme.noarch

- From GoDaddy howto
- https://fr.godaddy.com/help/installation-dun-certificat-ssl-dans-apache-centos-5238
Apache version < 2.4.8
SSLCertificateFile  --  path to certificate file
SSLCertificateKeyFile  --  path to the key file
SSLCertificateChainFile  --  path for the bundle file

- I copy the certificate and the key files to their respective directory
## cp 123456789abcdef2.crt  /home/e-smith/ssl.crt/server.domain.org.crt
## cp server.domain.org.key  /home/e-smith/ssl.key/server.domain.org.key

- I copy the bundle file in the same directory as the crt file
## cp gd_bundle-g2-g1.crt  /home/e-smith/ssl.crt/gd_bundle-g2-g1.crt

- Updating the SME database
-- Certificate
## config  setprop  modSSL  crt  /home/e-smith/ssl.crt/server.domain.org.crt

-- Private key
## config  setprop  modSSL  key  /home/e-smith/ssl.key/server.domain.org.key

-- Bundle
## config  setprop  modSSL  CertificateChainFile  /home/e-smith/ssl.crt/gd_bundle-g2-g1.crt

- I signal the modifications
## signal-event domain-modify  ;  signal-event email-update

- Checking to see if everything is OK; it should give:
## config show modSSL
modSSL=service
    CertificateChainFile=/home/e-smith/ssl.crt/gd_bundle-g2-g1.crt
    TCPPort=443
    access=public
    crt=/home/e-smith/ssl.crt/server.domain.org.crt
    key=/home/e-smith/ssl.key/server.domain.org.key
    status=enabled

My goal: incorporate payments from Stripe, which requires a certificate, in WooCommerce

Question:
Is that the proper and safe way to do it?

Thank you all,

Michel-André
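The three files the steps above install (private key, server .crt, CA bundle) can be cross-checked before modSSL is pointed at them. The script below is an added example, not code from the thread or from SME Server; it assumes openssl is on the path and, in place of the real GoDaddy files, builds a constructed three-level chain (Test Root CA, intermediate, server.domain.org) in a temp directory.

```sh
#!/bin/sh
# Added example, not code from the thread: consistency checks for the three
# files the modSSL settings point at (key, server .crt, CA bundle), to run
# before "config setprop modSSL ..." and signal-event. The chain below is
# constructed locally (Test Root CA -> intermediate -> server.domain.org).
set -e

# check_cert_files KEY CRT BUNDLE: returns 0 only if the key matches the cert,
# the cert is not expired, and the bundle carries the cert up to a self-signed root.
check_cert_files() {
    key=$1; crt=$2; bundle=$3
    # 1. private key and certificate must carry the same public key
    k=$(openssl pkey -in "$key" -pubout -outform DER | openssl sha256)
    c=$(openssl x509 -in "$crt" -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256)
    [ "$k" = "$c" ] || { echo "FAIL: $key does not belong to $crt"; return 1; }
    # 2. certificate must be valid now (-checkend 0 exits 1 if already expired)
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null || { echo "FAIL: $crt expired"; return 1; }
    # 3. bundle must complete the chain (this is what SSLCertificateChainFile serves)
    openssl verify -CAfile "$bundle" "$crt" >/dev/null 2>&1 \
        || { echo "FAIL: $bundle does not chain $crt to a trusted root"; return 1; }
    echo "OK: key, certificate and bundle are consistent"
}

# --- constructed test material, laid out like GoDaddy's delivery:
# server .crt plus a bundle holding intermediate + root (as gd_bundle-g2-g1.crt) ---
gen_csr() {  # gen_csr BASENAME CN -> BASENAME.key, BASENAME.csr
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
make_test_chain() {  # make_test_chain DIR
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:server.domain.org\n' >"$d/leaf.ext"
    gen_csr "$d/root" 'Test Root CA'
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    gen_csr "$d/int" 'Test Intermediate CA'
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
    gen_csr "$d/server" 'server.domain.org'
    openssl x509 -req -in "$d/server.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -days 30 -extfile "$d/leaf.ext" -out "$d/server.crt" 2>/dev/null
    cat "$d/int.crt" "$d/root.crt" >"$d/gd_bundle.crt"   # intermediate first, root last
}

# Stand-alone demo: build the chain in a temp dir and run the three checks on it.
WORK=$(mktemp -d)
make_test_chain "$WORK"
check_cert_files "$WORK/server.key" "$WORK/server.crt" "$WORK/gd_bundle.crt"
```

Against the real files the call is check_cert_files /home/e-smith/ssl.key/server.domain.org.key /home/e-smith/ssl.crt/server.domain.org.crt /home/e-smith/ssl.crt/gd_bundle-g2-g1.crt, run before the config setprop lines. On Apache 2.4.8 or newer, where SSLCertificateChainFile is deprecated, the same bundle is instead appended after the server certificate in the SSLCertificateFile.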

janet
Re: SSL Certificate
« Reply #1 on: January 25, 2016, 04:41:32 AM »
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

michelandre
Re: SSL Certificate
« Reply #2 on: January 26, 2016, 12:14:09 AM »
Thank you Janet for your quick reply.

When I bought my first certificate from namecheap.com, I tried to follow the first link you indicate. There was one thing though that troubled me: the line saying "Copy the "gd bundle.crt" into /home/e-smith/ssl.crt ". I didn't understand why to put it in the file ssl.crt.

At the time I didn't know what I know now. I should have seen that it was a typo. The "/" is missing at the end of the line and "gd bundle.crt" should be "gd_bundle.crt". Now I see it because the line "config setprop modSSL CertificateChainFile /home/e-smith/ssl.crt/gd_bundle.crt" shows that ssl.crt is a directory, not a file. Although a file can have the same name as its directory...

The other thing I didn't know was the "bundle" and what it was used for; it is the top cert of the chain.

I read again each line of the contribs scrupulously and found out that I had missed deleting the pem file. There are quite a lot of pem files all over the server. I think that the pem file I have to delete is: "/home/e-smith/ssl.pem/server.domain.org.pem". Now I see it but before I didn't; a newbie in certificates is a newbie...

Question:
Can you confirm that this is the right pem file?

Also, I have Avast running on my station. When I used https to connect, the certificate said it was emitted by Avast and not by GoDaddy. To resolve that, I disconnected the network card from the station, deleted all the previous certificates, cleared all the history of the browser and connected via https again to the virtual clone server running with Host-Only NIC cards. This time the certificate offered was the one from GoDaddy.

Question:
Do you have an explanation for Avast offering the certificate?

Question:
Another thing that troubles me is why I have to accept the certificate even when in the browser I set it to accept automatically?
Is it because I checked the line that says to ask the OCSP to confirm the validity of the certificate? The server cannot communicate with the Internet but the station can. I unchecked the line and still got the same behavior.

I am just afraid of doing a stupid error and losing my server...

Thank you all,

Michel-André

DanB35
Re: SSL Certificate
« Reply #3 on: January 26, 2016, 01:48:37 AM »
Quote
Do you have an explanation for Avast offering the certificate?
I can't really address the rest of your questions, but this is how Avast manages to scan HTTPS pages for things it considers threats.  It's also a giant man-in-the-middle attack.

michelandre
Re: SSL Certificate
« Reply #4 on: January 26, 2016, 03:49:17 AM »
Hi DanB35,

You are absolutely right calling Avast "a giant man-in-the-middle attack". It really surprised me.

I deactivated Avast Online Security and Avast SafePrice modules, deleted GoDaddy certificate, cleared the history of FireFox and visited https://domain.org and I was prompted to accept the certificate. I looked at the certificate's emitter and this time it was GoDaddy.com. The certificate got installed again with the right name.

Quote
Also, I have Avast running on my station. When I used https to connect, the certificate said it was emitted by Avast and not by GoDaddy. To resolve that, I disconnected the network card from the station, deleted all the previous certificates, cleared all the history of the browser and connected via https again to the virtual clone server running with Host-Only NIC cards. This time the certificate offered was the one from GoDaddy.

In the above, Avast modules were running but the GoDaddy certificate got installed. I guess that Avast must talk with its headquarters before emitting its certificate, and with the NIC cable disconnected it was not able to do so.

Best of all, now the little lock is green without a triangular warning.

Question:
In Firefox, for the certificate I checked "Automatically select", why is it still asking if I accept the certificate?

Thank you again.

Michel-André

janet
Re: SSL Certificate
« Reply #5 on: January 26, 2016, 04:32:30 AM »
michelandre

Quote
....found out that I missed to delete the pem file. There are quite a lot of pem files all over the server. I think that the pem file I have to delete is: "/home/e-smith/ssl.pem/server.domain.org.pem"
Can you confirm that this is the right pem file.

It would be the pem file with the name of your old domain that used the old (I assume) self-signed certificate.
Really you would delete all pem files associated with old or no longer existing domains that are/were on your server.

michelandre
Re: SSL Certificate
« Reply #6 on: January 26, 2016, 05:22:28 PM »
Hi Janet,

Thank you again for your reply.

There is only one pem file with the name of the domain:
/home/e-smith/ssl.pem/domain.pem

I deleted it and it got recreated when signalling:
signal-event domain-modify  ;  signal-event email-update

Now, I am confident enough to try it on the real server and see what will happen...

I will post the results.

Thank you all,  :D

Michel-André

michelandre
Re: SSL Certificate
« Reply #7 on: January 26, 2016, 08:54:16 PM »
Hi all,

In the contribs page: http://wiki.contribs.org/Certificate_Integration_GoDaddy_Certificate

Copy  the file  gd_bundle.crt into the folder  /home/e-smith/ssl.crt/

config  setprop  modSSL CertificateChainFile  /home/e-smith/ssl.crt/gd_bundle.crt

config show modSSL;
modSSL=service
   CertificateChainFile=/home/e-smith/ssl.chainfile/gd_bundle-g2-g1.crt
   CommonName=*.abcompany.com
   TCPPort=443
   access=public
   crt=/home/e-smith/ssl.crt/27dd606e9133e8.crt
   key=/home/e-smith/ssl.key/abcompany_com.key
   status=enabled

Is it possible that there is a typo?

Michel-André

Stefano
Re: SSL Certificate
« Reply #8 on: January 26, 2016, 09:41:53 PM »
Quote
Is it possible that there is a typo?

Yes, sure, it might be possible. If so, please log in to the wiki and amend the content.

Thank you

raem
Re: SSL Certificate
« Reply #9 on: January 27, 2016, 01:29:19 AM »
michelandre

I made some typo corrections http://wiki.contribs.org/Certificate_Integration_GoDaddy_Certificate

Be careful editing; I think it depends on what files you get from GoDaddy, depending on how you generated & requested a certificate.

 
Quote
CertificateChainFile=/home/e-smith/ssl.chainfile/gd_bundle-g2-g1.crt
   crt=/home/e-smith/ssl.crt/27dd606e9133e8.crt
   key=/home/e-smith/ssl.key/abcompany_com.key
Is it possible that there is a typo?

As mentioned, the wiki is a work in progress.

Mophilly did some wiki article amendments
Here is the source of original article & forum posts re subsequent issues.

http://forums.contribs.org/index.php/topic,50591.msg254933.html#msg254933
https://bssennoga.wordpress.com/2011/11/22/how-to-install-an-ssl-certificate-from-godaddy-onto-your-sme-server/

Mophilly added
 http://forums.contribs.org/index.php/topic,50783.msg256324.html#msg256324
 http://forums.contribs.org/index.php/topic,51556.msg262344.html#msg262344

Jader comments
 http://forums.contribs.org/index.php/topic,50106.msg251403.html#msg251403
Also refers to
 http://wiki.contribs.org/Custom_CA_Certificate


michelandre
Re: SSL Certificate
« Reply #10 on: January 27, 2016, 03:49:15 AM »
Hi all, sorry for my encyclical long post,

According to: https://ca.godaddy.com/fr/help/installation-dun-certificat-ssl-dans-apache-centos-5238, if Apache version < 2.4.8 then you need SSLCertificateChainFile

My server is 9.1 fully patched and it gives:
# rpm -qa | grep apache
e-smith-apache-2.4.0-12.el6.sme.noarch
#

So, I would say that: https://bssennoga.wordpress.com/2011/11/22/how-to-install-an-ssl-certificate-from-godaddy-onto-your-sme-server/ is definitely missing something.

According to: https://httpd.apache.org/docs/2.4/en/mod/mod_ssl.html

Quote
SSLCertificateChainFile is deprecated
SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file

So because SME-9.1 uses apache-2.4.0, which is lower than 2.4.8, SME-9.1 should use SSLCertificateChainFile.

- - - - - - - - - - - - - - - - - -

Another question:
According to:  http://wiki.contribs.org/Certificate_Integration_GoDaddy_Certificate, in the command output of config show modSSL; there is a CommonName which I don't have if I do this command after I applied the certificate. But I gave the FQDN of my server when doing the CSR: my-server-name.my-domain.org

# config show modSSL
modSSL=service
    CertificateChainFile=/home/e-smith/ssl.crt/gd_bundle-g2-g1.crt
    TCPPort=443
    access=public
    crt=/home/e-smith/ssl.crt/my-domain.crt
    key=/home/e-smith/ssl.key/my-domain.key
    status=enabled
#

- - - - - - - - - - - - - - - - - -

I installed the certificate in my virtual server running in VirtualBox with Host-Only NIC cards. The addresses of this server are different from those of my real server that I used to generate the CSR. Besides the addresses and PPPoE mode, the virtual server is a perfect clone of my real server.

Google Chrome:
Doesn't want to accept https; it always gives an error and stays in http.

Internet Explorer in a Win-8.1 station:
Gives an error and says that the address is not the one from the certificate, but stays in https. Does that mean that IE is the best browser?  :-?

FireFox:
Gives a green lock with a dark triangle meaning that there is something not right, but it stays in https.

I installed a boutique with another complete WordPress in a subdirectory of my main WordPress web site. In the boutique, I installed an extension to always serve all pages over https. If I go to the boutique, Firefox is happy and gives a solid green lock and says everything is secure.

Tonight at 03h00, my server will generate a backup. Tomorrow I would like to try the certificate in my real server...

I am still confused but on a higher and deeper level than yesterday,

Michel-André

PS for raem: I will not edit http://wiki.contribs.org/Certificate_Integration_GoDaddy_Certificate

janet
Re: SSL Certificate
« Reply #11 on: January 27, 2016, 05:25:11 AM »
michelandre

Quote
According to:  http://wiki.contribs.org/Certificate_Integration_GoDaddy_Certificate, in the command output of config show modSSL; there is a CommonName which I don't have if I do this command after I applied the certificate. But I gave the FQDN of my server when doing the CSR: my-server-name.my-domain.org

There is discussion/recommendations here
http://wiki.contribs.org/index.php?title=Email_-_Setting_up_E-mail_clients_for_SME_8.0&diff=29111&oldid=29110
about preferred use of CommonName db setting & use of that CommonName for certificates you generate (done in the correct order/sequence).

Personally I agree that using the CommonName is the way to go.


Quote
Tonight at 03h00, my server will generate a backup. Tomorrow I would like to try the certificate in my real server...

Changing the certificate is no server killer, although I agree if you do something wrong it can stop certain functionality (temporarily) & appear to be a server killer.
It is easily correctable by deleting & reconfiguring & regenerating the certificate, refer to Howtos eg
http://wiki.contribs.org/Certificates_Concepts

Just make sure you copy the certificate files to a safe place if you use commercial certificates.

This is what is so good about SME server, the db, template & custom template structure, lets you make changes, & if they are problematic on the next reboot, then the changes can easily be reversed (revert or delete changes, reconfigure (post-upgrade), reboot).
In the case of certificates, just delete the files, reconfigure & reboot & you have a new self signed certificate. Start again installing your commercial certificate & hopefully the second time you get it right.

Re editing wiki articles, if you find obviously wrong information or procedural steps,  at least report it here & someone can correct it.

michelandre
Re: SSL Certificate
« Reply #12 on: January 27, 2016, 11:15:55 PM »
Hi all,

Dear Janet, thank you so much for your good advice.

In the boutique site, on the real server, I finally have everything working properly with the "www", the "CommonName", and the "CertificateChainFile". It works fine with FireFox and Google Chrome with both having a solid green lock.

IE is still getting the Avast certificate. The lock is solid black. I deactivated the Avast module, cleared the cache, played in mmc but to no avail. I never used IE so maybe I will leave it like that.

Accessing the boutique or the main site, Tor is complaining "This website (www.micronator.org) attempted to extract HTML5 canvas images data, which may be used to identify your computer. Should the browser allow this website to extract canvas images data?". I think that this is due to WordPress or Awstats...

Firefox is giving a warning in the main web site saying some images are not secure. Google Chrome is giving the warning that the site is trying to load some script from a non-authenticated source. But this is only in the main site; the boutique site (in a sub-directory of the main site) is all OK. As I wrote before, in the WordPress of the boutique, I have the extension "WordPress HTTPS" which says "WordPress HTTPS is intended to be an all-in-one solution to using SSL on WordPress sites." and it forces all pages to use https.

Anyone have a clue to resolve that small warning which is not related to the certificate?

Thank you all,

Michel-André

michelandre
[SOLVED] SSL Certificate
« Reply #13 on: January 30, 2016, 09:56:15 PM »
Hi all,

I wrote documentation, in French, on how to make the CSR, install the certificate, etc.

http://www.micronator.org/PDF/SME/SME_Certificats_SSL/RF-232_SME-9.1_Certificat-SSL.pdf

Thank you all,

Michel-André :smile: