Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: mophilly on July 22, 2008, 04:02:02 AM
-
I am having trouble updating the certificate. I host three domains on this box, but only the primary site has need for a certificate. When this machine was running SME 6 I used the how-to from Swerts-Knudsen, and I wonder if I need to clean out the old cruft in order to straighten this out.
A search of the file system for ".crt" has a dozen hits. Some are in the "templates" tree so I assume they are supposed to be there. There are three in the "/etc/httpd/conf/" tree and one other in "usr/share/ssl/certs/". In addition, in the directories "/home/e-smith/ssl.crt" and "/home/e-smith/ssl.key" I have two entries in each:
server1.mydomain.com
mydomain.com
The "server1" cert and key are the more recent.
1. Do I need to delete some or all of these before attempting to recreate the certs?
2. Does SME 7.3 support more than one cert per IP address?
3. Do I need one cert for each top level domain?
4. Is there an update process I should follow?
TIA,
- Mo
-
> I am having trouble updating the certificate.
SME server automatically generates a new certificate before the old one expires. However, the new certificate isn't used until you restart some services (or reboot the system):
http://bugs.contribs.org/show_bug.cgi?id=2257
> I host three domains on this box, but only the primary site has need for a certificate.
There's no way to use a certificate for some domains and not others (unless your visitors just don't happen to use https for the other domains).
> When this machine was running SME 6 I used the how-to from Swerts-Knudsen, ...
That probably wasn't necessary.
> and I wonder if I need to clean out the old cruft in order to straighten this out.
Possibly.
> 2. Does SME 7.3 support more than one cert per IP address?
SSL doesn't allow more than one cert per IP address, period.
> 3. Do I need one cert for each top level domain?
You can only use a different cert per domain if you have a different IP address per domain (and SME doesn't support that configuration).
> 4. Is there an update process I should follow?
This procedure will delete any existing certificates and generate new self-signed certificates for all services which use SSL. Use at your own risk (and back up first):
config delprop modSSL crt
config delprop modSSL key
config delprop modSSL CertificateChainFile
/bin/rm /home/e-smith/ssl*/*
signal-event post-upgrade
signal-event reboot
But reboot first - maybe you have a non-expired certificate and it's just not being used yet.
And secondly, report anything which doesn't "just work" via the bug tracker.
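The check suggested at the end of the reply above (is there a non-expired certificate on disk that the running service is not presenting yet?), as an added example that is not part of the original thread. The function names, the certificate file name under /home/e-smith/ssl.crt/ and the localhost:443 endpoint are assumptions for illustration.

```shell
#!/bin/sh
# Added example: compare the certificate file on disk with the certificate
# a running service presents. Function names and the usage paths are
# illustrative assumptions, not SME Server tooling.

# SHA-256 fingerprint of the PEM certificate in file $1.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds (exit 0) if the certificate in file $1 has not expired.
cert_unexpired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Fingerprint of the certificate presented at host:port ($1).
# Prints an empty line if the service cannot be reached.
served_fingerprint() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# $1 = certificate file on disk, $2 = fingerprint the service presents.
# Prints one of: expired-on-disk, unreachable, in-use, restart-needed
cert_status() {
    if ! cert_unexpired "$1"; then
        echo expired-on-disk      # regenerating is the next step
    elif [ -z "$2" ]; then
        echo unreachable          # no certificate was received
    elif [ "$(cert_fingerprint "$1")" = "$2" ]; then
        echo in-use               # the service already serves this file
    else
        echo restart-needed       # valid file on disk, service serves another
    fi
}

# Usage (assumed paths):
#   sh certcheck.sh /home/e-smith/ssl.crt/<name>.crt localhost:443
if [ $# -eq 2 ]; then
    openssl x509 -in "$1" -noout -subject -enddate
    cert_status "$1" "$(served_fingerprint "$2")"
fi
```

A result of restart-needed means the file on disk is still valid and only the running service is out of date, so nothing needs deleting.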
-
Thank you for the detailed reply. Very much appreciated.
I look forward to running the update process.
- mo