Koozali.org: home of the SME Server

CA Certificate getting overwritten by self signed certificate on reboot

Offline edb

  • *
  • 543
  • +0/-0

I have installed my certificates on my new SME10x server in the same manner as when I was using SME9x however after a reboot the certificate is back to being a self signed certificate.
These are the commands that have always worked in the past:
Code: [Select]
config setprop modSSL crt /home/e-smith/ssl.crt/my.domain.ca.crt
config setprop modSSL key /home/e-smith/ssl.key/my.domain.ca.key
config setprop modSSL CertificateChainFile /home/e-smith/ssl.crt/my.intermediate.crt
I have copied the files to the indicated path and when I do a
Code: [Select]
systemctl restart httpd-e-smith.serviceeverything works great with the new DigiCert certificate until I do a reboot or do a
Code: [Select]
post-upgrade
reboot

This did not happen on my old SME9x server so I'm at a loss as to why it is overwriting with self-signed cert?
Is this something new in SME10x and how do I resolve this?

Thanks in advance
......

Offline mmccarn

  • *
  • 2,608
  • +9/-0
I think the self-signed certs are re-created by the 'console-save' event.

If you're using the default file names for your .crt and .key they would then be overwritten.

If your certificate filenames are the same as the default names, try renaming them and updating your settings for modSSL.

Offline edb

  • *
  • 543
  • +0/-0
I think the self-signed certs are re-created by the 'console-save' event.

If you're using the default file names for your .crt and .key they would then be overwritten.

If your certificate filenames are the same as the default names, try renaming them and updating your settings for modSSL.

That makes sense, I will give that a try and thank you for your input! Very helpful
......

Offline edb

  • *
  • 543
  • +0/-0
Just reporting back that the renaming of the certs worked perfectly now even through a
Code: [Select]
signal-event post-upgrade; signal-event reboot the proper certificate is displayed when the server comes back up. So problem solved.
Thanks again for that suggestion.
......

Offline Jean-Philippe Pialasse

  • *
  • 2,512
  • +10/-0
  • aka Unnilennium
    • http://smeserver.pialasse.com
please update to the last available rpms.

also please check that you do not have any ´ˋ ‘ o ' in any of the ldap field. 


also check you do not have any mismatch between the key and the cert you provides. 

every night certificates are checked for their validity and if not valid they are replaced by the self signed certificate.


also be aware that SME 10 does not  support elliptic certificates, as it will not work with the mail services. Check your providers gives you a rsa certificate and not an elliptic. This is also checked for.