Koozali.org: home of the SME Server
Contribs.org Forums => Koozali SME Server 10.x => Topic started by: edb on March 15, 2023, 11:31:34 PM
-
I have installed my certificates on my new SME10x server in the same manner as when I was using SME9x; however, after a reboot the certificate is back to being a self-signed certificate.
These are the commands that have always worked in the past:
config setprop modSSL crt /home/e-smith/ssl.crt/my.domain.ca.crt
config setprop modSSL key /home/e-smith/ssl.key/my.domain.ca.key
config setprop modSSL CertificateChainFile /home/e-smith/ssl.crt/my.intermediate.crt
I have copied the files to the indicated path and when I do a systemctl restart httpd-e-smith.service
everything works great with the new DigiCert certificate until I do a reboot or do a
post-upgrade
reboot
This did not happen on my old SME9x server so I'm at a loss as to why it is overwriting with self-signed cert?
Is this something new in SME10x and how do I resolve this?
Thanks in advance
-
I think the self-signed certs are re-created by the 'console-save' event.
If you're using the default file names for your .crt and .key they would then be overwritten.
If your certificate filenames are the same as the default names, try renaming them and updating your settings for modSSL.
-
That makes sense, I will give that a try and thank you for your input! Very helpful
-
Just reporting back that the renaming of the certs worked perfectly now even through a
signal-event post-upgrade; signal-event reboot
the proper certificate is displayed when the server comes back up. So problem solved.
Thanks again for that suggestion.
-
Please update to the last available rpms.
Also please check that you do not have any ´ˋ ‘ o ' in any of the LDAP fields.
Also check that you do not have any mismatch between the key and the cert you provide.
Every night, certificates are checked for their validity, and if not valid they are replaced by the self-signed certificate.
Also be aware that SME 10 does not support elliptic certificates, as it will not work with the mail services. Check that your provider gives you an RSA certificate and not an elliptic one. This is also checked for.
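-
The two checks named in the last post (key/cert mismatch, RSA rather than elliptic) can be run by hand with openssl before pointing modSSL at new files. This is an added example, not part of the thread and not SME Server's own nightly check; the function names, return codes and the generated sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check of a certificate/key pair.
# Return codes (chosen for this example): 0 = RSA and matching,
# 1 = key does not match cert, 2 = cert is not RSA, 3 = unreadable file.
check_cert_pair() {
    local cert key cert_pub key_pub
    cert=$1
    key=$2
    # Public key embedded in the certificate, as PEM.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot read certificate: $cert"; return 3; }
    # Public key derived from the private key, as PEM.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "cannot read private key: $key"; return 3; }
    # The last post says elliptic certificates are not supported on SME 10.
    if ! openssl x509 -in "$cert" -noout -text 2>/dev/null |
            grep -q 'Public Key Algorithm: rsaEncryption'; then
        echo "certificate public key is not RSA"; return 2
    fi
    # Both values are the same PEM-encoded public key when the pair matches.
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate"; return 1
    fi
    echo "ok: RSA certificate and key match"
    return 0
}

# Constructed sample data: throwaway self-signed pairs written to directory $1.
make_samples() {
    local d
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=test.example" \
        -days 1 -keyout "$d/rsa.key" -out "$d/rsa.crt" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/ec.key" 2>/dev/null
    openssl req -x509 -new -key "$d/ec.key" -subj "/CN=test.example" \
        -days 1 -out "$d/ec.crt" 2>/dev/null
}

# Usage: sh check.sh /home/e-smith/ssl.crt/my.domain.ca.crt \
#                    /home/e-smith/ssl.key/my.domain.ca.key
if [ $# -eq 2 ]; then
    check_cert_pair "$1" "$2"
fi
```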