Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: Kobus on April 12, 2009, 10:22:54 PM
-
Hi
I am buying a certificate for my SME server, can anybody tell me how to install it on my SME server installation please. Searching the forums and the FAQ does not produce anything useful.
Thanks
Kobus
-
The closest thing we have to a howto is http://wiki.contribs.org/Custom_CA_Certificate, although this only deals with cacert.org.
The one time I tried to trial a commercial certificate I found that because some authorities now insist on installing an intermediate certificate as well as your commercial one, the issues presented exceeded the scope of the above tutorial, and I gave up.
So my advice is twofold when selecting a commercial certificate:
1. Make sure that there are no intermediate certificates required. You should not have to install any certificate other than the one created specifically for your server.
2. Make sure that the seller offers full installation support AND money back if they can't make the certificate work. The better certifying authorities offer full support to get your certificate installed - and you may end up requiring it.
-
David,
Do these bugs help with the intermediate certificate issue?
http://bugs.contribs.org/show_bug.cgi?id=1779
http://bugs.contribs.org/show_bug.cgi?id=4450
-
I have managed to install a custom certificate (with intermediate certs, too!)
This outlines the basic procedure.
First of all, generate the CSR and get it approved and get your .crt and .key from your CA. You also have to get the intermediate certificate "intermediate.crt".
Once you get those, copy your .crt and your intermediate.crt to /home/e-smith/ssl.crt/ and your .key to /home/e-smith/ssl.key/
You can unencrypt your key so it doesn't ask for the passphrase on every boot with:
openssl rsa -in yourkey.key -out unecryptedkey.key
Then you have to:
config setprop modSSL CertificateChainFile /home/e-smith/ssl.crt/intermediate.crt
config setprop modSSL crt /home/e-smith/ssl.crt/yourcert.crt
config setprop modSSL key /home/e-smith/ssl.key/yourkey.key
Now we have to modify the template to get the mail certificate right.
cp /etc/e-smith/templates/home/e-smith/ssl.pem/40crt /etc/e-smith/templates-custom/home/e-smith/ssl.pem/41intermediateCrt
nano /etc/e-smith/templates-custom/home/e-smith/ssl.pem/41intermediateCrt
Modify lines 5 and 8 so they look like this:
5 my $crt = $modSSL{'CertificateChainFile'};
8 $crt = "/home/e-smith/ssl.crt/intermediate.crt";
Now apply changes:
# signal-event domain-modify
# signal-event email-update
This should not be needed, but just in case, here it is:
If Apache can't get the certs right, you have to create new templates (copy these files to /etc/e-smith/templates-custom and modify those copies) from
/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCertificateChainFile
/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCertificateFile
and modify the part that says
my $crt = $modSSL{'crt'} ||
"/home/e-smith/ssl.crt/${SystemName}.${DomainName}.crt";
my $key = $modSSL{'key'} ||
"/home/e-smith/ssl.key/${SystemName}.${DomainName}.key";
to look like:
my $crt = $modSSL{'crt'} ||
"/home/e-smith/ssl.crt/yourcert.crt";
my $key = $modSSL{'key'} ||
"/home/e-smith/ssl.key/yourkey.key";
-
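A pre-flight check for the procedure in the post above, added here as an example; it is not part of any poster's message or of SME Server. It confirms that the key is decrypted, that it belongs to the certificate, that the intermediate file issued the certificate, and that the decrypted key is not readable by other users, which also catches the key property being pointed at the still-encrypted key file. The helper names check_cert_set and make_demo_pki are made up for this example, and the demo certificates are constructed throwaway ones.

```bash
#!/bin/bash
# Added example (not from the thread). check_cert_set and make_demo_pki are
# hypothetical helper names; the demo certificates are constructed throwaways.

check_cert_set() {  # usage: check_cert_set yourcert.crt yourkey.key intermediate.crt
    crt=$1; key=$2; chain=$3; rc=0
    # A key that is still encrypted makes the web server ask for the passphrase.
    if grep -q ENCRYPTED "$key"; then
        echo "FAIL: $key is still passphrase-protected"; return 1
    fi
    # The key must belong to the certificate: both must carry the same public key.
    if [ "$(openssl x509 -in "$crt" -noout -pubkey)" != \
         "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
        echo "FAIL: $key does not belong to $crt"; rc=1
    fi
    # The file given as CertificateChainFile must be the issuer of the certificate.
    if ! openssl verify -partial_chain -CAfile "$chain" "$crt" 2>/dev/null |
            grep -q ': OK$'; then
        echo "FAIL: $chain did not issue $crt"; rc=1
    fi
    # A decrypted key is protected by file permissions only.
    if [ -n "$(find "$key" \( -perm -040 -o -perm -004 \))" ]; then
        echo "FAIL: $key is readable by group or other (chmod 600 it)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: certificate, key and intermediate are consistent"
    return "$rc"
}

make_demo_pki() {  # constructed input: a throwaway CA plays the intermediate
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed CA" \
        -keyout "$d/intermediate.key" -out "$d/intermediate.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
        -keyout "$d/yourkey.key" -out "$d/yourcert.csr" 2>/dev/null
    openssl x509 -req -in "$d/yourcert.csr" -days 1 -CA "$d/intermediate.crt" \
        -CAkey "$d/intermediate.key" -CAcreateserial -out "$d/yourcert.crt" 2>/dev/null
    chmod 600 "$d/yourkey.key"
}

# Stand-alone demo on the constructed files. On the server, pass the real paths
# under /home/e-smith/ssl.crt/ and /home/e-smith/ssl.key/ instead.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
check_cert_set "$demo_dir/yourcert.crt" "$demo_dir/yourkey.key" "$demo_dir/intermediate.crt"
rm -rf "$demo_dir"
```
-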
Hi
Thanks for this, as soon as I get it I will definitely give it a try.
Kobus
-
Did you ever see this bug: http://bugs.contribs.org/show_bug.cgi?id=1779 ? AFAIK this should be supported out of the box
-
trschober
Your suggested method of creating adjustments within the /etc/e-smith/templates tree, is a wrong thing to do, and promotes others to also do the wrong thing.
The idea is to leave existing templates unchanged, and make custom template versions in the /etc/e-smith/templates-custom tree, which will override the original templates when expanded.
If the fragment name is the same, then the fragment template in /etc/e-smith/templates-custom tree, will take precedence over the same fragment in the /etc/e-smith/templates tree.
You can easily return your server to default (and get yourself out of trouble) by deleting the custom templates in /etc/e-smith/templates-custom, plus of course expand templates & restart services.
Your instruction would better read:
cp /etc/e-smith/templates/home/e-smith/ssl.pem/40crt /etc/e-smith/templates-custom/home/e-smith/ssl.pem/41intermediateCrt
nano /etc/e-smith/templates-custom/home/e-smith/ssl.pem/41intermediateCrt
The same concept applies for other suggestions re editing templates.
Please change your original post to reflect this correct approach, so that others do not copy and perpetuate your "not recommended" approach.
Thanks
-
sure no problem, I will edit it now
-
sure no problem, I will edit it now
Also once a few report back that all is well consider adding a wiki page in the "How To" section..... Page Name suggested "Certificates Commercial".