Koozali.org: home of the SME Server
Obsolete Releases => SME 7.x Contribs => Topic started by: slords on November 20, 2006, 06:32:42 PM
-
#!/usr/bin/perl
use strict;
use esmith::util;
use esmith::ConfigDB;
use esmith::DomainsDB;

my $config    = esmith::ConfigDB->open;
my $domainsdb = esmith::DomainsDB->open_ro;

# Primary domain first, then every other domain defined on this box
my $domain = $config->get('DomainName')->value;
my %domain_names = map { $_->{key} => 1 } grep { $_->key ne $domain } $domainsdb->domains;
my @domains = ($domain, keys %domain_names);

# Write the openssl request config: CN is the primary domain and every
# domain is listed in subjectAltName as both DNS:domain and DNS:*.domain
open(CONFIG, ">$domains[0].config") or die "Can't open openssl config file: $!";
print CONFIG "HOME = .\nRANDFILE = \$ENV::HOME/.rnd\n\n";
print CONFIG "[ req ]\ndefault_bits = 1024\ndistinguished_name = req_distinguished_name\n";
print CONFIG "req_extensions = v3_req\nprompt = no\n\n";
print CONFIG "[ req_distinguished_name ]\nCN = $domains[0]\n\n";
print CONFIG "[ v3_req ]\nbasicConstraints = CA:FALSE\nkeyUsage = nonRepudiation,digitalSignature,keyEncipherment\n";
print CONFIG "subjectAltName = critical,", join ",", map { "DNS:$_,DNS:*.$_" } @domains;
print CONFIG "\n";
close(CONFIG) or die "Closing openssl config file reported: $!";

# Generate the private key only once; re-running the script reuses an
# existing key. The key is written with the current umask, so keep the
# working directory readable by root only.
unless ( -f "$domains[0].key" )
{
    open(KEY, ">$domains[0].key") or die "Can't open key file: $!";
    # Fork: the child execs openssl, the parent reads its stdout through SSL
    unless (open(SSL,"-|"))
    {
        exec("/usr/bin/openssl",
             qw(genrsa -rand),
             join(':',
                  qw(
                      /proc/apm
                      /proc/cpuinfo
                      /proc/dma
                      /proc/filesystems
                      /proc/interrupts
                      /proc/ioports
                      /proc/bus/pci/devices
                      /proc/rtc
                      /proc/uptime
                  )),
             '1024')
            || die "can't exec program: $!";
    }
    while (<SSL>)
    {
        print KEY $_;
    }
    close(SSL) or die "Closing openssl pipe reported: $!";
    close(KEY) or die "Closing key file reported: $!";
}

# Build the CSR from the config and key written above
open(CSR, ">$domains[0].csr") or die "Can't open csr $!";
unless (open(SSL,"-|"))
{
    exec("/usr/bin/openssl",
         qw(req -config), "$domains[0].config",
         qw(-new -key), "$domains[0].key",
         qw(-days 730 -set_serial), time())
        || die "can't exec program: $!";
}
while (<SSL>)
{
    print CSR $_;
}
close(SSL) or die "Closing openssl pipe reported: $!";
close(CSR) or die "Closing csr file reported: $!";
As root do the following:
# mkdir ~/cacert
# cd ~/cacert
** download the above code and store it in ~/cacert/cacert_csr_request
# chmod u+x cacert_csr_request
# ./cacert_csr_request
# cat {domain}.csr
** paste the output into the cacert.org website and get your certificate. Save this in ~/cacert/{domain}.crt
# cp {domain}.crt /home/e-smith/ssl.crt/{domain}.crt
# cp {domain}.key /home/e-smith/ssl.key/{domain}.key
# config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
# config setprop modSSL key /home/e-smith/ssl.key/{domain}.key
# signal-event console-save
You will need to replace {domain} above with your primary domain name. Also you will need to have all domains registered with your cacert.org account. This will create a certificate that includes all domains that exist on your sme box as both simple domain.com and wildcard *.domain.com.
Once you have created/installed this certificate then if the client has the cacert.org root certificate installed then they should be able to go to any domain on your box and not get a warning.
-
Shad,
There are line wraps in your displayed code above that will cause execution to fail if one simply cuts/pastes your displayed code. You might wish to post your cacert_csr_request file for download.
Darrell
-
#!/usr/bin/perl
my $config = esmith::ConfigDB->open;
Shad,
Shouldn't this line be...
my $config = esmith::ConfigDB->open_ro;
? Thanks for the nice tool!
-
There are line wraps in your displayed code above that will cause execution to fail if one simply cuts/pastes your displayed code. You might wish to post your cacert_csr_request file for download.
Darrell, I just managed to copy it into a text file ok without line wraps, took it over to the test SME Server and could generate the key with the contents of the text file.
-
Certificate info reported by cacert.org
Please make sure the following details are correct before proceeding any further.
CommonName: magicwilly.info
subjectAltName: DNS:magicwilly.info
subjectAltName: DNS:*.magicwilly.info
subjectAltName: DNS:wally2.magicwilly.info
subjectAltName: DNS:*.wally2.magicwilly.info
subjectAltName: DNS:wally.magicwilly.info
subjectAltName: DNS:*.wally.magicwilly.info
subjectAltName: DNS:wally1.magicwilly.info
subjectAltName: DNS:*.wally1.magicwilly.info
No additional information will be included on certificates because it can not be automatically checked by the system.
This is for..
magicwilly.info
wally.magicwilly.info
wally1.magicwilly.info
wally2.magicwilly.info
-
I followed the instruction by slords and now have the following error displayed on the screen on my SME Server
Syntax error on line 138 of /etc/httpd/conf/httpd.conf
SSLCertificateKeyFile: file '/home/e-smith/ssl.crt.xxxxxx.xxx.key' does not exsist or is empty
Can anyone point me in the right direction? My web server has stopped working since this error appeared
-
Can anyone point me in the right direction? My web server has stopped working since this error appeared
You probably want to undo what you did then try again.
You have to undo this bit...
# cp {domain}.crt /home/e-smith/ssl.crt/{domain}.crt
# cp {domain}.key /home/e-smith/ssl.key/{domain}.key
# config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
# config setprop modSSL key /home/e-smith/ssl.crt/{domain}.key
Try..
# config delprop modSSL crt
# config delprop modSSL key
Then delete everything in
/home/e-smith/ssl.crt/ and /home/e-smith/ssl.key/
Then..
signal-event console-save
signal-event post-upgrade
signal-event reboot
-
I followed the instruction by slords and now have the following error displayed on the screen on my SME Server
Syntax error on line 138 of /etc/httpd/conf/httpd.conf
SSLCertificateKeyFile: file '/home/e-smith/ssl.crt.teviot.net.key' does not exsist or is empty
Can anyone point me in the right direction? My web server has stopped working since this error appeared
config setprop modSSL key /home/e-smith/ssl.crt/{domain}.key
Did you replace a / with a . just before {domain} ??
config printprop modSSL key
will show what you typed.
-
Hi
Thanks again william_syd.
This I managed to fix myself. What I did was to copy the missing file to the correct directory and everything is working again. It even stopped internet access, which was most disturbing.
Thanks again for your help. But as I didn't have net access I didn't get your response until I copied the file across.
-
It even stopped internet access which was most disturbing.
That's why my firewall/router is a different box that I never touch (mostly).
-
I got this error
./cacert_csr_request
4196 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
...++++++
..++++++
e is 65537 (0x10001)
error on line 7 of xx-xxxx.dk.config
10301:error:0E066065:configuration file routines:CONF_load_bio:missing equal sign:conf_def.c:366:line 7
Closing openssl pipe reported: at ./cacert_csr_request line 74.
xx-xxxx.dk is my primary domain
-
When generating the certificate I receive this error:
error on line 7 of {domain}.com.config
4404:error:0E066065:configuration file routines:CONF_load_bio:missing equal sign:conf_def.c:366:line 7
Closing openssl pipe reported: at ./cacert_csr_request line 74.
This is a fresh install of sme 7.0
-
error on line 7 of sitbs.com.config
4404:error:0E066065:configuration file routines:CONF_load_bio:missing equal sign:conf_def.c:366:line 7
Closing openssl pipe reported: at ./cacert_csr_request line 74
Please post the output of the sitbs.com.config file.
-
I understand that I should copy the key file to the ssl.key folder,
but why
config setprop modSSL key /home/e-smith/ssl.crt/{domain}.key
Should this be ... /ssl.key/{domain}.key ?
I only ask because I have tried both ways and yours doesn't change the cert when I check with my browser.
When I try it my way I can't access my webpage at all.
The advice about delprop modSSL key/crt works, thanks.
Any advice as to what is going on?
-
should this be ... /ssl.key/{domain}.key
Any advice as to what is going on?
Has the original post been corrected ?
-
Shad,
This is brilliant work, I've been trying for ages to get this working - I even bought a cheap SSL certificate (which I couldn't work out how to use). Your instructions worked like a dream and now I don't get those annoying warnings anymore. Thanks heaps.
There are line wraps in your displayed code
I came across this as well but I think it's more to do with how you copy the code - not the code itself. I'm not sure, but I just used dos2unix to strip out the carriage returns and all was well.
#dos2unix cacert_csr_request
Lloyd
-
should we be deleting the old crts and keys before we
signal-event config-console
Maybe this is why it is not working for me...
-
I have recently re-installed SME 7, so posting the contents is not possible.
There is so much information in the contribs about SSL certificates that it's hard to know which ones work in which situations.
Thanks for the reply
-
Because of errors in IE7 with webmail, I'm wanting to get my SSL certs sorted out. Is it possible for someone who has done this successfully to put it into a how-to on the Wiki? It's a little confusing atm, and from what it seems different people came out with different solutions. I have a test box here that I'm willing to test it on if someone is able to write up the how-to.
Thanks.
-
Ignore all other methods, this is the definitive guide.
The only area where this howto could be clarified is the steps you should take at cacert.org; shad did mention what you need to achieve, just not how you do it.
<snip>
> Also you will need to have all domains registered with your cacert.org account.
Each howto needn't go into how to edit files or set db values.
-
Because of errors in IE7 with webmail, I'm wanting to get my SSL certs sorted out. Is it possible for someone who has done this successfully to put it into a how-to on the Wiki? It's a little confusing atm, and from what it seems different people came out with different solutions. I have a test box here that I'm willing to test it on if someone is able to write up the how-to.
Thanks.
The howto is in the first post.
Register your domains at CAcert first.
-
I have finally figured out how to install these certs and get everything working. When I open Safari and Firefox it does not ask me to look at the certificates any more.
However I am using imap ssl and smtp ssl
mail.app is still asking for me to look at the old certs ie: sme.domain.com instead of domain.com
Then once I rebooted everything was ok.
I thought I would put this in for everyone else
-
error on line 7 of sitbs.com.config
4404:error:0E066065:configuration file routines:CONF_load_bio:missing equal sign:conf_def.c:366:line 7
Closing openssl pipe reported: at ./cacert_csr_request line 74
Please post the output of the sitbs.com.config file.
I got this exact same error. Did you ever manage to find out what caused it?
-
The config file was never posted so it was never fixed. Post your config file and lets see what the issue is.
-
Slords, I created a page in the wiki HowTo. Check if it is all ok, and thank you for your contrib.
-
error on line 7 of sitbs.com.config
4404:error:0E066065:configuration file routines:CONF_load_bio:missing equal sign:conf_def.c:366:line 7
Closing openssl pipe reported: at ./cacert_csr_request line 74
Please post the output of the sitbs.com.config file.
I got this exact same error. Did you ever manage to find out what caused it?
This error is from your not correcting any line wraps in the script. Look at the script. Lines must not wrap.
CJensen
-
Sorry, I wasn't watching the thread like I should have.
[root@~]# cat /root/cacert/domain.com.config
HOME = .
RANDFILE = $ENV::HOME/.rnd
[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
CN = domain.com
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation,digitalSignature,keyEncipherment
subjectAltName = critical,DNS:domain.com,DNS:*.domain.com
hope this helps.......
-
I have upgraded to the current version and now I can access https:// only from inside the network, not from the outside. Could this have anything to do with these certs? I can still access my imaps from outside.
Any ideas where to look?
Edit: just found this post about certs being reset
http://forums.contribs.org/index.php?topic=36334.0
-
Trying the process from this thread, but after running the script
(which doesn't ask for input):
I have the script and 3 files, all for my primary domain.
I assume I am wanting the .key, .csr and .config for the other domains on my server, so if there are 4 virtual domains I would be expecting 12 other files.
Anyone know if this process is still valid? Running 7.1.3.
Or more likely I'm doing something wrong...
WHICH I WAS!!!
"This will create a certificate that includes all domains that exist on your sme box as both simple domain.com and wildcard *.domain.com."
Have noted the "a certificate".
My beef.... sorry :oops:
-
After installing a new CA certificate I can no longer connect to webmail. In the logs I have:
May 20 22:46:34 main HORDE[4221]: [imp] FAILED LOGIN 85.186.x.x to localhost:143[imap/notls] as cosmin [on line 258 of "/home/httpd/html/horde/imp/lib/Auth/imp.php"]
2007-05-20 22:46:34.731791500 imapfront-auth[7672]: * OK imapfront ready.
2007-05-20 22:46:34.734150500 2007.05.20 19:46:34 LOG5[7671:3086706368]: Using 'imap' as tcpwrapper service name
2007-05-20 22:46:34.738671500 2007.05.20 19:46:34 LOG3[7671:3086706368]: Error reading certificate file: imapd.pem
2007-05-20 22:46:34.738792500 2007.05.20 19:46:34 LOG3[7671:3086706368]: SSL_CTX_use_certificate_chain_file: error:0906D066:PEM routines:PEM_read_bio:bad end line
2007-05-20 22:46:34.758962500 tcpsvd: info: end 7671 exit 1
2007-05-20 22:46:34.758969500 tcpsvd: info: status 0/400
What must I do to make it work? For now I have deleted the .crt and .key files and removed them from the config too, and webmail works again (but it keeps saying that the certificate is wrong).
Thanks
-
plz help me
[root@rogs cacert]# ./cacert_csr_request
": No existe el fichero o el directorio.
Use -S to search $PATH for it.
-
After I paste into the CSR window on CAcert.org's site, I get the following error...
CommonName field was blank. This is usually caused by entering your own name when openssl prompt's you for 'YOUR NAME', or if you try to issue certificates for domains you haven't already verified, as such this process can't continue.
I have all the domains on my SME box verified on their web site, and they all show up in my generated config file from the script. Also the .csr file 'looks' correct ...Here is my .config
HOME = .
RANDFILE = $ENV::HOME/.rnd
[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
CN = danoshome.dyndns.org
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation,digitalSignature,keyEncipherment
subjectAltName = critical,DNS:danoshome.dyndns.org,DNS:*.danoshome.dyndns.org,DNS:northcoastcs.com,DNS:*.northcoastcs.com,DNS:jankowski.kicks-ass.net,DNS:*.jankowski.kicks-ass.net,DNS:jankoshome.dyndns.org,DNS:*.jankoshome.dyndns.org,DNS:copperfoots.com,DNS:*.copperfoots.com,DNS:copperfoot.com,DNS:*.copperfoot.com
Does CAcert have issues with dynamic hosts? Any thoughts would be helpful...thanks.
-
I tried this how to and when I went to purchase the certificate it failed saying that the CSR was created with an invalid two-letter country code. I guess it should be US in my case, but I am not sure how to create the CSR with the valid country code.
Any ideas?
Thanks!
-
I was able to successfully install the CAcert signed certificate, but after that I got the following message repeatedly in my /var/log/messages file three times in 10 seconds:
Aug 25 17:45:29 homer dhcpd: Internet Systems Consortium DHCP Server V3.0.1
Aug 25 17:45:29 homer dhcpd: Copyright 2004 Internet Systems Consortium.
Aug 25 17:45:29 homer dhcpd: All rights reserved.
Aug 25 17:45:29 homer dhcpd: For info, please visit http://www.isc.org/sw/dhcp/
Aug 25 17:45:29 homer dhcpd: Wrote 0 deleted host decls to leases file.
Aug 25 17:45:29 homer dhcpd: Wrote 0 new dynamic host decls to leases file.
Aug 25 17:45:29 homer dhcpd: Wrote 4 leases to leases file.
Aug 25 17:45:30 homer dhcpd:
Aug 25 17:45:30 homer dhcpd: No subnet declaration for eth0 (0.0.0.0).
Aug 25 17:45:30 homer dhcpd: ** Ignoring requests on eth0. If this is not what
Aug 25 17:45:30 homer dhcpd: you want, please write a subnet declaration
Aug 25 17:45:30 homer dhcpd: in your dhcpd.conf file for the network segment
Aug 25 17:45:30 homer dhcpd: to which interface eth0 is attached. **
Aug 25 17:45:30 homer dhcpd:
Aug 25 17:45:30 homer dhcpd:
Aug 25 17:45:30 homer dhcpd: Not configured to listen on any interfaces!
Aug 25 17:45:30 homer dhcpd:
Aug 25 17:45:30 homer dhcpd: If you did not get this software from ftp.isc.org, please
Aug 25 17:45:30 homer dhcpd: get the latest from ftp.isc.org and install that before
Aug 25 17:45:30 homer dhcpd: requesting help.
Aug 25 17:45:30 homer dhcpd:
Aug 25 17:45:30 homer dhcpd: If you did get this software from ftp.isc.org and have not
Aug 25 17:45:30 homer dhcpd: yet read the README, please read it before requesting help.
Aug 25 17:45:30 homer dhcpd: If you intend to request help from the dhcp-server@isc.org
Aug 25 17:45:30 homer dhcpd: mailing list, please read the section on the README about
Aug 25 17:45:30 homer dhcpd: submitting bug reports and requests for help.
Aug 25 17:45:30 homer dhcpd:
Aug 25 17:45:30 homer dhcpd: Please do not under any circumstances send requests for
Aug 25 17:45:30 homer dhcpd: help directly to the authors of this software - please
Aug 25 17:45:30 homer dhcpd: send them to the appropriate mailing list as described in
Aug 25 17:45:30 homer dhcpd: the README file.
Aug 25 17:45:30 homer dhcpd:
Aug 25 17:45:30 homer dhcpd: exiting.
I was able to solve it by issuing the following command, restarting my NIC:
ifdown eth0; ifup eth0
I get the idea that it might have to do something with the smeserver-openvpn-bridge as this is the message I get after reloading the NIC:
Aug 25 20:44:35 homer dhcpd: Internet Systems Consortium DHCP Server V3.0.1
Aug 25 20:44:35 homer dhcpd: Copyright 2004 Internet Systems Consortium.
Aug 25 20:44:35 homer dhcpd: All rights reserved.
Aug 25 20:44:35 homer dhcpd: For info, please visit http://www.isc.org/sw/dhcp/
Aug 25 20:44:35 homer dhcpd: Wrote 0 deleted host decls to leases file.
Aug 25 20:44:35 homer dhcpd: Wrote 0 new dynamic host decls to leases file.
Aug 25 20:44:35 homer dhcpd: Wrote 4 leases to leases file.
Aug 25 20:44:35 homer dhcpd: Multiple interfaces match the same subnet: eth0 br0
Aug 25 20:44:35 homer dhcpd: Multiple interfaces match the same shared network: eth0 br0
Aug 25 20:44:35 homer dhcpd: Listening on LPF/eth0/00:10:a7:0b:e7:a9/192.168.55/24
Aug 25 20:44:35 homer dhcpd: Sending on LPF/eth0/00:10:a7:0b:e7:a9/192.168.55/24
Aug 25 20:44:35 homer dhcpd: Sending on Socket/fallback/fallback-net
Aug 25 20:44:45 homer kernel: br0: topology change detected, propagating
Aug 25 20:44:45 homer kernel: br0: port 1(eth0) entering forwarding state
Perhaps this might benefit others.
-
Great work Shad! I was trying to work this out sometime ago but gave up. The how-to worked perfectly.
:pint:
-
I am also getting the CommonName field empty error. Any solutions?
-
Running 7.3 fully updated
I reckon this is a problem that others have had.
[root@box cacert]# ./cacert_csr_request
4762 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
......................................................++++++
...............++++++
e is 65537 (0x10001)
error on line 7 of domain.com.config
15992:error:0E066065:configuration file routines:CONF_load_bio:missing equal sign:conf_def.c:366:line 7
Closing openssl pipe reported: at ./cacert_csr_request line 74.
domain.com.csr is EMPTY
domain.com.key contains a RSA key
content of domain.com.config:
HOME = .
RANDFILE = $ENV::HOME/.rnd
[ req ]
default_bits = 1024
distinguished_name =
req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
CN = dreijer.dk
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage =
nonRepudiation,digitalSignature,keyEncipherment
subjectAltName = critical,DNS:domain.com,DNS:*.domain.com,DNS:domain2.com,DNS:*. domain2.com,DNS:m.y.i.p,DNS:*.m.y.i.p
I've had the sme-certificate contrib installed previously, but its long gone now.
Any tips?
-
Check and fix any line wraps that may have occurred when you created the cacert_csr_request script.
Jon
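A checker for the generated .config file, added here as an example and not part of the original post or of the SME Server project. It applies the same missing-equal-sign test that openssl's config loader does, so a wrapped print line shows up as the "line 7" the error messages in this thread report, and it also confirms that every domain is present in subjectAltName as both DNS:domain and DNS:*.domain. The two embedded config samples are constructed, and the script name in the usage note is my own.

```python
import re
import sys

SECTION_RE = re.compile(r"^\[\s*\S+\s*\]$")

# Constructed sample: what the script writes for a box whose only domain is
# domain.com, blank lines included.
GOOD_CONFIG = """\
HOME = .
RANDFILE = $ENV::HOME/.rnd

[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[ req_distinguished_name ]
CN = domain.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation,digitalSignature,keyEncipherment
subjectAltName = critical,DNS:domain.com,DNS:*.domain.com
"""

# Constructed sample: the same file from a pasted script whose long print
# lines wrapped, so a fragment lands on line 7 and a SAN entry gains a space.
WRAPPED_CONFIG = GOOD_CONFIG.replace(
    "distinguished_name = req_distinguished_name",
    "distinguished_name =\nreq_distinguished_name",
).replace("DNS:*.domain.com", "DNS:*. domain.com")


def check_config(text):
    """Return problems found; [] means openssl loads it and SANs are complete."""
    problems, cn, sans = [], None, None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or SECTION_RE.match(line):
            continue
        if "=" not in line:
            # What CONF_load_bio rejects: neither a section nor "key = value".
            problems.append(f"line {lineno}: missing equal sign: {line!r}")
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "CN":
            cn = value
        elif key == "subjectAltName":
            sans = value
    if cn is None or sans is None:
        problems.append("CN or subjectAltName missing from the config")
        return problems
    entries = sans.split(",")
    if entries[0] != "critical":
        problems.append("subjectAltName does not start with 'critical'")
    names = set()
    for entry in entries[1:]:
        if re.search(r"\s", entry):
            problems.append(f"whitespace inside SAN entry {entry!r}")
        if not entry.startswith("DNS:"):
            problems.append(f"SAN entry {entry!r} is not a DNS: name")
            continue
        names.add(entry[4:])
    # The script emits DNS:x and DNS:*.x for every domain; check both halves.
    for name in sorted(names):
        if name.startswith("*.") and name[2:] not in names:
            problems.append(f"wildcard {name!r} has no plain entry")
        elif not name.startswith("*.") and "*." + name not in names:
            problems.append(f"no wildcard entry for {name}")
    if cn not in names:
        problems.append(f"CN {cn} is not listed in subjectAltName")
    return problems


def main(argv):
    # Check the file named on the command line, or the wrapped sample.
    text = open(argv[1]).read() if len(argv) > 1 else WRAPPED_CONFIG
    problems = check_config(text)
    print("\n".join(problems) or "config looks good")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_csr_config.py ~/cacert/{domain}.config` before the openssl req step; a non-zero exit means the config would fail to load or is missing a domain.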
-
Check and fix any line wraps that may have occurred when you created the cacert_csr_request script.
Jon
I had to do a weird workaround for copy/pasting (not even sure that did the trick, but apparently it works now - need to check with cacerts before I have an absolute positive). I've uploaded the script to my server so you guys can wget it if you run into the same trouble.
http://dreijer.dk/cacert_csr_request
Cheers
EDIT: IT WORKS! :D
-
Made the installation according to the first post at the very top.
Had some minor bugs, but these were traced down to be just my own finger trouble.
After some practice and learning about the issuing and installation of SSL certificates it all worked - from the internet side.
(I am for the moment running a CentOS host system plus a virtual Smoothwall plus a virtual SME 7.3 server-only. This should work equally like an ordinary LAN server behind an ordinary Smoothwall gateway.)
First webmail etc. did not work properly from the LAN side. Just fixed this (on the XP workstation) by editing the file C:\WINDOWS\system32\drivers\etc , adding a line something like "10.0.0.2 mydomain.com". (I guess that this DNS bug could have been fixed via the firewall as well.)
Then everything worked - from the internet outside and from the LAN inside.
Great post at the top, an interesting thread and a lot of interesting info :)
-
Got this error..?
/root/cacert/cacert_csr_request: line 5: use: command not found
/root/cacert/cacert_csr_request: line 6: use: command not found
/root/cacert/cacert_csr_request: line 7: use: command not found
/root/cacert/cacert_csr_request: line 8: use: command not found
/root/cacert/cacert_csr_request: line 10: my: command not found
/root/cacert/cacert_csr_request: line 11: my: command not found
/root/cacert/cacert_csr_request: line 13: syntax error near unexpected token `('
/root/cacert/cacert_csr_request: line 13: `my $domain = $config->get('DomainName')->value;'
-
Moving this topic to the SME 7.x contribs forum, it is more appropriate there. Thanks!
-
Guys, go here http://cert.startcom.org/ , follow the steps and get your free certificate, then replace in the script 1024 with 2048 in 2 places and uncomment the line with #print CONFIG "default_md = sha1\n"; and get your cert. Just did this myself and everything works perfectly.
Of course, the root cert is well known in IE and Firefox so no need to import it; might be worth mentioning in the WIKI.
-
Anyone work out how to deal with the renewal of the cert in this scenario?
Should I issue a new CSR input it at CAcert.org and get an all new cert?
Or do I simply replace the /home/e-smith/{domain}.crt with the new one issued by CAcert.org after I've renewed it on their site, what about the key?
-
arnoldob
IIRC I did the first option, but that just leads to the ongoing annoyance factor of having to renew the certificate every 6 months (totally free version). I stopped using cacert free certificates after that, ie the benefits were less than the time spent reissuing certificates, as users still had to update the root certificate in their browser each time, leading to more annoyance.
You would be better off getting a cheap certificate from godaddy etc.
-
Yeah, I ended up just doing a new CSR request as well. I'll check into the godaddy option; it is a bit of a pain to fuss with twice a year. Any other suggestion for a cheap widely accepted cert?
-
arnoldob
it is a bit of a pain to fuss with twice a year. Any other suggestion for a cheap widely accepted cert?
There is the cacert possibility of a 2 year certificate for free, but you have to physically meet someone in your area who is an authorised cacert approver (I forget their exact terminology).
It's their way of establishing trust "on the cheap" ie 2 humans doing a handshake. Check the cacert website for further details.
There are many cheap certificate providers now, do a google search or search these forums as some names have been mentioned a few times. I think someone like godaddy (AU$50 per year for 2 yrs or longer for a single domain) is cheap but reliable. The same cannot necessarily be said for other unknown or little known certificate providers, so it's really a trade off between reliability of security and cost. Your organisation's requirements may call for a much more expensive brand of certificate or a higher spec'd godaddy certificate ie the Premium offerings.