Author Topic: Importing an official ssl certificate

corona

Importing an official ssl certificate
« on: September 29, 2008, 04:57:39 am »
Hello,
I'm in the process of migrating my company's server to ebox, and so far it's going great. It's being set up in conjunction with eGroupware to be a fully integrated groupware suite, and is looking like it'll be a very easy to manage system.

My main question is we've already got a certificate for our main website, sunseekerenergy.com. The certificate is a wildcard one, so it gets used for www.sunseekerenergy.com and mail.sunseekerenergy.com and anything else we need, as all services are hosted on the one physical machine (we don't need redundancy yet).

So can I import the certificate into ebox and use it for all the services? (i.e. https webserver, postfix for smtp, vpn?) I would love to be able to import it into the CA to sign vpn certificates, don't know if that's possible or not.

And as far as the https server goes, can I import the certificate into the server that ebox uses for administration, and then use that same https server to host all the https requirements (i.e. add more web pages to the server that already has /ebox on it)?

Thanks all,
Andrew

Javier Amor Garcia

Re: Importing an official ssl certificate
« Reply #1 on: September 29, 2008, 04:14:02 pm »
Hi,
The eBox's administration page certificate, the mail certificate and the CA certificate are independent, so we will look upon the issues one after another:

- you cannot export your certificate in the CA module because you need a CA certificate to be able to issue other certificates

- to use your certificate as the certificate for web administration, you must:
  1) put the certificate in the file /var/lib/ebox/conf/ssl.crt/ebox.cert
  2) put the certificate key file in the file /var/lib/ebox/conf/ssl.key/ebox.key
  3) create the pem file concatenating the two previous files, like this:

     cat /var/lib/ebox/conf/ssl.crt/ebox.cert /var/lib/ebox/conf/ssl.key/ebox.key > /var/lib/ebox/conf/ssl.pem/ebox.pem
     chmod 0400 /var/lib/ebox/conf/ssl.pem/ebox.pem

  4) restart the webserver with:

     /etc/init.d/ebox apache restart

- to use your certificate in the mail server you need to proceed similarly:
  1) put the certificate in the file /etc/postfix/sasl/smtpd.pem
  2) put the certificate key file in the file /etc/postfix/sasl/smtpd-key.pem
  3) create the pem file concatenating the two previous files, like this:

     cat /etc/postfix/sasl/smtpd.pem /etc/postfix/sasl/smtpd-key.pem > /etc/postfix/sasl/smtp.pem
     chmod 0400 /etc/postfix/sasl/smtp.pem

  4) restart the mail system with:

     /etc/init.d/ebox mail restart



Cheers,
  Javier
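
The concatenation step from the reply above, as an added example that is not part of the original post: it refuses to build the combined file unless the certificate and the private key actually belong together, and it never lets the key exist on disk with looser permissions than 0400. The function names `cert_matches_key` and `build_pem` are hypothetical; the script assumes the `openssl` command-line tool and an unencrypted private key.

```shell
#!/bin/sh
# Added example (not from the thread): build a combined cert+key PEM file.

# Succeeds only if the certificate's public key equals the private key's.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    # "-passin pass:" makes an encrypted key fail instead of prompting.
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# build_pem CERT KEY OUT: write CERT followed by KEY to OUT with mode 0400.
build_pem() {
    cert=$1 key=$2 out=$3
    [ -r "$cert" ] && [ -r "$key" ] || { echo "missing cert or key" >&2; return 1; }
    cert_matches_key "$cert" "$key" || { echo "cert and key do not match" >&2; return 1; }
    # Write to a private temporary file next to OUT, so the key is never
    # readable by other users, not even between the cat and the chmod.
    tmp=$(umask 077; mktemp "$out.XXXXXX") || return 1
    if cat "$cert" "$key" > "$tmp" && chmod 0400 "$tmp" && mv -f "$tmp" "$out"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Usage: sh build_pem.sh CERT KEY OUT
if [ "$#" -eq 3 ]; then
    build_pem "$1" "$2" "$3"
fi
```

With the paths from the reply, the call would be `build_pem /var/lib/ebox/conf/ssl.crt/ebox.cert /var/lib/ebox/conf/ssl.key/ebox.key /var/lib/ebox/conf/ssl.pem/ebox.pem`, followed by the restart command given in step 4.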

corona

Re: Importing an official ssl certificate
« Reply #2 on: September 30, 2008, 03:13:46 am »
Thanks a lot for that Javier, looks good. I really didn't know if it would be possible to sign the vpn certificates with anything chained to the official cert, but I don't think it will really matter either way. Obviously the web and mail ones are most important.

So the only other thing is can I use the https server that hosts the /ebox admin to host other secure stuff as well? Either that or how can I set up a secure virtual host from ebox? I know how to set up a virtual host usually, but if I do it manually ebox will want to overwrite it I assume?

Thanks,
Andrew

sixstone

Re: Importing an official ssl certificate
« Reply #3 on: September 30, 2008, 10:16:57 am »
eBox launches a separate instance of the apache process, so it doesn't override any apache configuration in the usual locations (/etc/apache2/sites-available). However, take this into account: change the listening port for your secure websites or the eBox administration port in the Web UI ("System => General").

Best regards,
My secret is my silence...

Javier Amor Garcia

Re: Importing an official ssl certificate
« Reply #4 on: September 30, 2008, 11:00:34 am »
Just one more thing: in case you want a regular HTTP web server (no SSL) you can use the eBox's webserver module.

corona

Re: Importing an official ssl certificate
« Reply #5 on: October 01, 2008, 01:04:37 am »
Thanks for that both of you. Yeah I'd already found the webserver module, have it working no worries as it is.
I guess it makes sense that ebox won't write over a new file in sites-available that it doesn't already know about, so anything put in there that isn't originally made by the webserver module should sit there untouched.

I'll have to make myself a nice new site file, been a while since I've rolled one of them by hand. Won't be a problem though. Thanks for all your help.

Andrew

corona

Re: Importing an official ssl certificate
« Reply #6 on: October 01, 2008, 04:40:28 am »
I think they're installed fine in web and postfix, and I just realised the other place I need the certificate: in the courier popd.pem and imapd.pem files. Checking out the standard procedure for installing into the courier pem, I need both the .pem file with crt and key in it, and the trusted root file added into the TLS_TRUSTCERTS= directive in /etc/courier/imapd-ssl.

This is going to be a problem, surely ebox is going to want to rewrite the /etc/courier/imapd-ssl file any time I change ssl settings in ebox admin (ie some time in future when I forget about this change)?

Any suggestions to get it working?

Thanks,
Andrew

corona

Re: Importing an official ssl certificate
« Reply #7 on: October 01, 2008, 04:51:09 am »
Ok, so I figured out one way to do it, but please let me know if there's a neater way.

I found and edited /usr/share/ebox/stubs/mail/imapd-ssl.mas and /usr/share/ebox/stubs/mail/pop3d-ssl.mas and added the TLS_TRUSTCERTS= directive in there. Once I made a change in ebox that modified the web server files, the changes got copied across.

Cheers,
Andrew

Javier Amor Garcia

Re: Importing an official ssl certificate
« Reply #8 on: October 01, 2008, 09:32:24 am »
Oh, I forgot about the IMAP and POP stuff.
As you say, the original configuration doesn't use the TLS_TRUSTCERTS directives because it uses a self-signed certificate.
The method of changing the template file is correct and neat, but remember that any update of the Ubuntu package would overwrite it!
So in each upgrade you will need to copy it again.

Cheers,
  Javier

corona

Re: Importing an official ssl certificate
« Reply #9 on: October 01, 2008, 09:42:46 am »
Cool, thanks.
I probably shouldn't be hijacking my own thread, but I can't find any way to change the email user quotas, nor any way for users to change their password for email and the like. Is there any built-in way to do this?

Cheers,
Andrew

Javier Amor Garcia

Re: Importing an official ssl certificate
« Reply #10 on: October 02, 2008, 12:33:08 pm »
The password for email is the same as the user password; we try to use the same password in all of the user's services.

The thread for the user's password is:
http://forum.eboxplatform.com/index.php?topic=624.0