Koozali.org: home of the SME Server

Obsolete Releases => SME Server 9.x => Topic started by: ElFroggio on February 23, 2015, 05:04:08 PM

Title: Rapid SSL certificates
Post by: ElFroggio on February 23, 2015, 05:04:08 PM
Hi,

I need a certificate for the email only with the FQDN, no web required.

Is anybody using RapidSSL (they are cheap enough)

Thanks

/Syv
Title: Re: Rapid SSL certificates
Post by: crazybob on February 24, 2015, 03:28:22 AM
Check StartSSL: https://www.startssl.com/
You will also find info at the how-to page in the wiki: http://wiki.contribs.org/Certificate_Integration_startssl.com_Server_Certificate
Title: Re: Rapid SSL certificates
Post by: ElFroggio on February 25, 2015, 03:45:21 AM
I bought the RapidSSL certificate for the fully qualified domain. Here's some stuff I had to work through:

1. Before doing any certificate work, install: http://wiki.contribs.org/Certificate_ssl_management. It will make it much easier.
2. If something goes wrong, the server will become unusable (web and email). Open a terminal session on your server in case of problems, and use:
Code:
signal-event certificate-revert
to restore the previous state.
3. Generate both the private key (FQDN.key) and key request (FQDN.csr) with [FQDN: fully qualified domain name, the actual name of the server + the primary domain] and replace FQDN with yours:

Code:
openssl req -newkey rsa:2048 -keyout FQDN.key -out FQDN.csr
for sha1
or
Code:
openssl req -newkey rsa:2048 -sha256 -keyout FQDN.key -out FQDN.csr
https://www.ssllabs.com/ssltest

Hopefully, this makes sense and will help somebody else

/Syv
Title: Re: Rapid SSL certificates
Post by: TerryF on February 25, 2015, 07:27:51 AM
Nice work ElFroggio, would be worth adding to wiki.
Title: Re: Rapid SSL certificates
Post by: Gary Douglas on February 25, 2015, 11:41:43 AM
Recently started using Namecheap, at the price of a positiveSSL for a domain validation certificate the cost outweighs the problem of self-signed certificates.

https://www.namecheap.com/security/ssl-certificates/domain-validation.aspx
Title: Re: Rapid SSL certificates
Post by: vipermx2 on April 20, 2016, 10:00:22 PM
When I try the above steps, it breaks the web page and the console just repeatedly scrolls with:
Quote
Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server mail.domain.net:443 (RSA)
Enter pass phrase:Apache:mod_ssl:Error: Private key not found.
**Stopped
Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server mail.domain.net:443 (RSA)
Enter pass phrase:Apache:mod_ssl:Error: Private key not found.
**Stopped

Please help, I don't know what I am doing wrong.  The steps I performed on SME 9.1, trying to use Rapid SSL FreeSSL (want to make sure it works before I purchase):

1.  Login to console as root
2.  type
Code:
openssl req -newkey rsa:2048 -sha256 -keyout mail.domain.net.key -out mail.domain.net.csr
3.  fill out the request questions
4.
Code:
nano mail.domain.net.csr
5.  copy the code and submit it to Rapidssl
6.  open the Server-Manager webpage
7.  open manage SSL certificates webpage
8.  Paste new code from RapidSSL into the SSL certificate box
9.  from a putty console I
Code:
nano mail.domain.net.key
and copy the code from there and paste it into the SSL private Key box on the SSL Cert Man webpage
10. Then I navigated to RapidSSL Intermediate chain certificate and copied the RSA SHA-2 (under SHA-2 Root) SSL Certificates code and pasted it in the SSL intermediate chain certificate box on the SSL Cert Man webpage
11.  Save
and that's when the console goes nuts with the error and breaks the website and email, and I have to do the
Code:
signal-event certificate-revert
to get it working again.

What am I doing wrong or do I need to perform?
Thanks for your advice!
Title: Re: Rapid SSL certificates
Post by: DanB35 on April 20, 2016, 10:54:51 PM
If you aren't married to RapidSSL, consider using Let's Encrypt: https://wiki.contribs.org/Letsencrypt.  The instructions for setting up letsencrypt.sh should be complete and correct, and once it's set up, it will renew itself forever.  The certs are free, support up to 100 names apiece, and are trusted almost everywhere.
Title: Re: Rapid SSL certificates
Post by: vipermx2 on April 22, 2016, 05:54:25 PM
Quote
If you aren't married to RapidSSL, consider using Let's Encrypt: https://wiki.contribs.org/Letsencrypt.  The instructions for setting up letsencrypt.sh should be complete and correct, and once it's set up, it will renew itself forever.  The certs are free, support up to 100 names apiece, and are trusted almost everywhere.

Thank You DanB35,

I will look into this.  Just to be certain, it says multiple domains, so if I am only using the server for the one, I just put mail.domain.com, correct? Do you recommend installing the client or just the script?  Which one would be easier to manage?
Thanks Again!
Title: Re: Rapid SSL certificates
Post by: DanB35 on April 22, 2016, 06:04:35 PM
You can have as few as one, and as many as 100, hostnames on a single Let's Encrypt cert.  Those hostnames can be on a single domain, or on multiple domains.  Thus, you could get a cert for only yourdomain.tld.  Or you could get one for yourdomain.tld, www.yourdomain.tld, and mail.yourdomain.tld.  Or you could get yourdomain.tld, yourotherdomain.tld, and mail.thirddomain.tld.  As long as all the hostnames on that cert resolve to your SME server, it will work.

I think the letsencrypt.sh script is a better fit for the SME server at this point.  The official client works well, but requires a number of dependencies.  The instructions for letsencrypt.sh should be pretty thorough, but let me know if you run into any issues.
Title: Re: Rapid SSL certificates
Post by: holck on April 22, 2016, 08:00:39 PM
I use RapidSSL, and I'm quite satisfied. It took some effort to set it up, but their support was very helpful.
Title: Re: Rapid SSL certificates
Post by: michelandre on May 13, 2016, 01:22:35 AM
Hi vipermx2,

Quote
What am I doing wrong or do I need to perform?
Thanks for your advice!

It is because you entered a Pass Phrase when you created the CSR.

Michel-André