Koozali.org: home of the SME Server

Obsolete Releases => SME Server 7.x => Topic started by: tstokovaz on March 27, 2009, 10:46:32 PM

Title: SSL - How to reset all SSL related items - Help
Post by: tstokovaz on March 27, 2009, 10:46:32 PM
I've spent 5 hours trying to figure it out. I tried to install a Godaddy SSL certificate to replace the self generated one we were using. I read all I could and tried to follow the instructions. I did the make genkey and created the csr. Got the gb_bundle.crt and our cert back. When I tried to install as instructed it broke the self generated key and no one can get to our website OR webmail. I was told that it is as if no ssl cert is installed.

I tried several things and all fail. Is there a way to reset this? I would just like to set up a self generated ssl cert and get it running again.
Title: Re: SSL - How to reset all SSL related items - Help
Post by: cactus on March 28, 2009, 09:44:39 AM
What is the output of:
Code:
db configuration show modSSL
It should list a crt and a key file. Are the files listed there present on your system? You can check by using
Code:
ls -la /path/to/crt
Title: Re: SSL - How to reset all SSL related items - Help
Post by: tstokovaz on March 28, 2009, 04:34:35 PM
This is what shows
[root@mail ~]# db configuration show modSSL
modSSL=service
    CertificateChainFile=/home/e-smith/gd_bundle.crt
    CipherSuite=ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
    TCPPort=443
    access=public
    crt=/home/e-smith/ssl.crt/www.turningpnt.org.crt
    key=/home/e-smith/ssl.key/server.key
    status=enabled
[root@mail ~]#

And the output shows they are there.

 [root@mail ~]# ls -la /home/e-smith/ssl.crt/
total 3516
drwx------   3 root  root     4096 Mar 27 21:46 .
drwxr-xr-x  13 admin admin    4096 Mar 27 23:14 ..
-rw-r--r--   1 root  root     1842 Mar 27 16:16 mail.turningpnt.org.crt
-rw-r--r--   1 root  root     1318 Oct  6  2003 secure.turningpnt.org.crt.old
drwxr-xr-x   7 root  root     4096 Nov 18  2006 sg3
-rw-r--r--   1 root  root     1436 Sep  4  2004 shieldsserver.turningpnt.org.crt.old
-rw-r--r--   1 root  root  3560323 Jun 29  2004 squidguard3.2.tar.gz
-rw-r--r--   1 root  root     1842 Mar 27 16:16 ssl.crtOLD
-rw-r--r--   1 root  root     1842 Mar 27 16:16 www.turningpnt.org.crt
[root@mail ~]# ls -la /home/e-smith/ssl.key
total 20
drwx------   2 root  root  4096 Mar 27 17:37 .
drwxr-xr-x  13 admin admin 4096 Mar 27 23:14 ..
-rw-r--r--   1 root  root   887 Oct  6  2003 secure.turningpnt.org.key.old
-rw-r--r--   1 root  root   891 Mar 27 22:40 server.key
-rw-r--r--   1 root  root   887 Sep  4  2004 shieldsserver.turningpnt.org.key.old
[root@mail ~]#

What I don't see is the path to the bundled chain. Is that the factor? And how do I fix that if it is?

I can't get to the admin web page and even on the server it doesn't let me go to server-manager. I CAN use putty and WinSCP to access, see files, do CL items, etc. I just don't know what is keeping the ssl from working.  I AM continuing to read, research, etc. I'm also making a back up and will set up a second system and try to restore. Not sure how that will work. But I've got to get it working. I appreciate any help. Sadly, I have a debian box that needs its SSL certificate replaced by Tuesday and I'm not feeling positive about that.
Title: Re: SSL - How to reset all SSL related items - Help
Post by: cactus on March 28, 2009, 05:58:53 PM
That looks pretty OK. Are you sure your certificate file (/home/e-smith/gd_bundle.crt) is also at the proper location?

Are the proper certificates in your webserver configuration file:
Code:
grep -nh \
  -e 'CertificateChainFile' \
  -e 'SSLCertificateFile' \
  -e 'SSLCertificateKeyFile' \
  /etc/httpd/conf/httpd.conf

N.B. One other piece of advice: clean up the folders a bit, as I see some files that should not be in there, such as squidguard3.2.tar.gz.
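
Added example, not part of the original thread and not SME Server's own tooling: beyond checking that the files modSSL points at exist, this sketch checks that a certificate and private key belong together and that the certificate verifies against a chain file. It assumes RSA keys and an `openssl` binary on the PATH; the function names and the throwaway certificates it generates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify that crt, key and chain file form a usable set.

# check_pair CRT KEY -> match | mismatch | missing-crt | missing-key | bad-crt | bad-key
check_pair() {
    [ -r "$1" ] || { echo missing-crt; return 0; }
    [ -r "$2" ] || { echo missing-key; return 0; }
    # An RSA certificate and its private key share the same modulus.
    crt_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || { echo bad-crt; return 0; }
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || { echo bad-key; return 0; }
    if [ "$crt_mod" = "$key_mod" ]; then echo match; else echo mismatch; fi
}

# check_chain CRT CHAIN -> ok | fail | missing-chain
check_chain() {
    [ -r "$2" ] || { echo missing-chain; return 0; }
    # Parse the output instead of the exit status: old openssl builds
    # can exit 0 even when verification fails.
    if openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'; then
        echo ok
    else
        echo fail
    fi
}

# make_sample DIR NAME -> constructed self-signed DIR/NAME.crt and DIR/NAME.key
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2.example" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_sample "$d" installed   # constructed certificate with its own key
    make_sample "$d" other       # constructed unrelated key and certificate
    echo "crt with its own key:   $(check_pair "$d/installed.crt" "$d/installed.key")"
    echo "crt with unrelated key: $(check_pair "$d/installed.crt" "$d/other.key")"
    echo "crt against its issuer: $(check_chain "$d/installed.crt" "$d/installed.crt")"
    echo "chain file not present: $(check_chain "$d/installed.crt" "$d/gd_bundle.crt")"
    rm -rf "$d"
}
demo
```

On the server from the thread, the same functions would be called with the `crt`, `key` and `CertificateChainFile` paths reported by `db configuration show modSSL`.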
Title: Re: SSL - How to reset all SSL related items - Help
Post by: tstokovaz on March 28, 2009, 09:55:03 PM
Thanks to those who offered suggestions. Turns out the GoDaddy certificate was incorrectly formatted (their error) and we had to do several steps listed in a couple of other posts. I will try to document the process (pulling together the various steps we had to take) and submit it for future use.
Title: Re: SSL - How to reset all SSL related items - Help
Post by: chris burnat on April 28, 2009, 08:00:34 AM
Reply #6 has been split to a separate topic:
http://forums.contribs.org/index.php/topic,43960.msg210499.html#msg210499