HOWTO: Trusted Certificate

nontrivial

HOWTO: Trusted Certificate
« on: July 18, 2012, 09:40:11 pm »
Generating a CSR:
 * This assumes the name of your mail server is the same as the name of
   your web server. If that isn't the case, then you will need two
   different certificates: one for postfix and dovecot, and one for
   apache. This also assumes you only want one apache vhost to be
   SSL enabled, otherwise you will need a certificate for each vhost.
 * You probably need to use sudo a lot below. I don't have time for that.
 * In the following command, replace "host" with the desired server name.
 * openssl req -new -nodes -keyout host.key -out host.csr -newkey rsa:2048
 * Creates host.key and host.csr files. Keep host.key in a safe place.
 * Submit host.csr to the certificate authority.

Get back host.crt and intermediate.crt, then:
 * Turn on SSL for mail and imap in Zentyal console and save.
 * cat host.crt > postfix.pem
 * cat host.key >> postfix.pem
 * cp /etc/postfix/sasl/postfix.pem /etc/postfix/sasl/postfix.pem.bak
 * cp postfix.pem /etc/postfix/sasl/postfix.pem
 * chmod 400 /etc/postfix/sasl/postfix.pem
 * chown root:root /etc/postfix/sasl/postfix.pem
 * cp /etc/dovecot/ssl/dovecot.pem /etc/dovecot/ssl/dovecot.pem.bak
 * cp postfix.pem /etc/dovecot/ssl/dovecot.pem
 * chmod 400 /etc/dovecot/ssl/dovecot.pem
 * chown root:root /etc/dovecot/ssl/dovecot.pem
 * cp host.key /etc/apache2/ssl/
 * cp host.crt /etc/apache2/ssl/
 * cp intermediate.crt /etc/apache2/ssl/
 * chmod 400 /etc/apache2/ssl/*
 * chown root:root /etc/apache2/ssl/*
 * Comment out SSLCertificateFile line in the file
   /usr/share/zentyal/stubs/webserver/vhost.mas
 * Turn on SSL for vhost in Zentyal console and save.
 * rm postfix.pem host.crt intermediate.crt
 * Add custom config for vhost with SSL config (the chain file is the
   intermediate.crt copied above, not a .key file):
   SSLCertificateFile /etc/apache2/ssl/host.crt
   SSLCertificateKeyFile /etc/apache2/ssl/host.key
   SSLCertificateChainFile /etc/apache2/ssl/intermediate.crt
   #SSLCACertificateFile /etc/apache2/ssl/intermediate.crt
 * /etc/init.d/zentyal apache restart
 * /etc/init.d/zentyal mail restart

This seems to work except that I went REALLY cheap on the certificate, and while the browser recognizes it, my mail client does not and I still get the warning. Oh well, live and learn. If you want to have a good result for postfix and dovecot (email and imap) then I suggest you get that certificate from one of the big certificate authorities like thawte, geotrust, or verisign.

christian

Re: HOWTO: Trusted Certificate
« Reply #1 on: July 19, 2012, 01:12:59 am »
Hi James,

Thanks a lot for this "Howto". This should help a lot of admins trying to achieve similar behaviour.
This said, although this is already very helpful, I feel it deserves to move one (or two) steps further in order, for users playing in this area, to understand what it means to implement a certificate issued from either your own CA or from a "public" CA.

When a client accesses a server using a certificate issued from an "unknown" CA, behaviour is different depending on the client.
All web browsers I know warn the user that the CA is unknown and allow you to trust such a CA and therefore to access the HTTPS web site.
For some other software, you may have to first download the public part of the CA key and store it in your list of "trusted CAs", otherwise the session is not established.
So what does it mean? If your web site is a public one, you may have a lot of clients you don't know, thus it is very difficult to ask them to either accept this unknown CA or to download and install the CA's public key first. This is pretty obvious.
My point is more related to other servers (software) and protocols. Looking at IMAP, it's very likely that you manage or at least know all IMAP clients. Deploying your own private CA here is much easier and cheaper than buying a certificate from a "well known company".

What I try to express is that, not totally in line with your last sentence that is to go for a "well known CA" as much as possible, I would suggest keeping your money for certificates that really benefit from this, i.e. public web sites. For almost all other services, going for your own CA is cheaper, more flexible and definitely not less secure.

jsalamero (Zentyal Staff)
Re: HOWTO: Trusted Certificate
« Reply #2 on: July 20, 2012, 12:29:57 am »
Cool!

robb

Re: HOWTO: Trusted Certificate
« Reply #3 on: July 20, 2012, 10:48:36 am »
Jsalamero: is this cool enough to make it as a feature request so it can be done from Zentyal GUI?  :-*

christian

Re: HOWTO: Trusted Certificate
« Reply #4 on: July 20, 2012, 11:35:26 am »
+1 this has been asked already in the past  ;)

jsalamero (Zentyal Staff)
Re: HOWTO: Trusted Certificate
« Reply #5 on: July 23, 2012, 07:47:57 am »
robb, let's start with an article in the wiki and add it to the CA wishlist, yes.

ichat

Re: HOWTO: Trusted Certificate
« Reply #6 on: July 23, 2012, 07:30:20 pm »
If the original author allows this, it would be a good idea to even include it (or references to it) in the official documentation,
since it's 'that important' for many users.

All tips, hints and advice are based on my personal experience.
As I try my best to be as accurate as possible, following my advice is always at your own risk;
I claim absolutely NO responsibility in any way!

Marcus (Forum Moderator)
Re: HOWTO: Trusted Certificate
« Reply #7 on: December 12, 2012, 04:58:09 pm »
Hello,

Small update (for Zentyal 3.0)
Quote
* Comment out SSLCertificateFile line in the file
   /usr/share/zentyal/stubs/webserver/vhost.mas

It is now /usr/share/zentyal/stubs/webserver/vhostHttps.mas (for the webserver module).

Nota bene:
It would be better to copy the vhostHttps.mas file to the /etc/zentyal/stubs/webserver folder first and then modify it (at the new location), but it doesn't seem to work right now...

Best,

Marcus
« Last Edit: December 12, 2012, 05:00:08 pm by Marcus »

cheesyking

Re: HOWTO: Trusted Certificate
« Reply #8 on: February 26, 2013, 04:11:39 pm »
Quote
This seems to work except that I went REALLY cheap on the certificate, and while the browser recognizes it, my mail client does not and I still get the warning.

Is the reason you're still getting the warning in your mail client because you didn't include the intermediate certificate in your postfix.pem and dovecot.pem?
I'm far, far, FAR! from an expert at this kind of thing, but I don't think it'll work without them.

You included them in your apache config hence the cert is recognised by web browsers.

christian

Re: HOWTO: Trusted Certificate
« Reply #9 on: February 26, 2013, 04:22:49 pm »
You're perhaps not an expert but you're right.
There is a warning, if the application allows it, or it could even fail if (and here you are almost correct with the intermediate certificate) your application, which relies on a repository to store trusted CAs, doesn't know (and therefore doesn't trust) the CA from which the certificate is issued.

So from a technical standpoint, the goal is not so much to add the intermediate certificate but to add (trust) the CA (even the root one if you want).
The point is that all applications do not look at the same place to check the list of trusted CAs.

You can compare IE and Mozilla on your PC; I think they are different (not so sure, they may have converged).
Java uses another repository.

As I explained in my previous post on this topic, if you don't have hundreds of external clients accessing your service, there is no strong need to buy an external certificate. What you can do is to expose the public part of your CA via a web-based application so that clients can download it (this is for applications not prompting for CA trust).

rholighaus

Re: HOWTO: Trusted Certificate
« Reply #10 on: July 31, 2013, 11:36:22 am »
One more problem I came across and had to solve: the private key stored in postfix.pem for the postfix configuration needs to have the password removed, otherwise your TLS setup for postfix won't work and you see the following lines in /var/log/mail.log:

Jul 31 11:22:23 nimbus postfix/smtpd[31178]: warning: cannot get RSA private key from file /etc/postfix/sasl/postfix.pem: disabling TLS support
Jul 31 11:22:23 nimbus postfix/smtpd[31178]: warning: TLS library problem: 31178:error:0906406D:PEM routines:PEM_def_callback:problems getting password:pem_lib.c:111:
Jul 31 11:22:23 nimbus postfix/smtpd[31178]: warning: TLS library problem: 31178:error:0906A068:PEM routines:PEM_do_header:bad password read:pem_lib.c:454:
Jul 31 11:22:23 nimbus postfix/smtpd[31178]: warning: TLS library problem: 31178:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:

You can fix this with these commands:

# openssl rsa -in <yourhost>.key -out <yourhost>.key_no_pwd

and then create your postfix.pem file like this, using the private key w/o password:

# cat <yourhost>.crt > postfix.pem
# cat <yourhost>.key_no_pwd >> postfix.pem
# cp postfix.pem /etc/postfix/sasl/
# chmod 400 /etc/postfix/sasl/postfix.pem
# chown root:root /etc/postfix/sasl/postfix.pem
# /etc/init.d/zentyal mail restart

Just in case somebody encounters the same problem as me.
Ralf.

axxo1

Re: HOWTO: Trusted Certificate
« Reply #11 on: September 17, 2013, 02:30:11 pm »
This is awesome. Thank you all, I am not very good when it comes to SSL certificates.

ray-ven

Re: HOWTO: Trusted Certificate
« Reply #12 on: April 14, 2014, 11:55:04 am »
Hey Folks,

I don't see an SSLCertificateFile option in Zentyal 3.4 anymore... Any hints?

Thank you
Ray

ray-ven

Re: HOWTO: Trusted Certificate
« Reply #13 on: April 16, 2014, 09:24:51 am »
I'm quite sure changes have to be made here:
/var/lib/zentyal/conf/haproxy.cfg

but don't know how??

Please help me out!

Ray

ff8jake

Re: HOWTO: Trusted Certificate
« Reply #14 on: April 23, 2014, 05:18:47 pm »
Quote
I'm quite sure changes have to be made here:
/var/lib/zentyal/conf/haproxy.cfg

but don't know how??

Please help me out!

Ray

If you'd like to edit how haproxy.cfg is generated, you will need to edit its stub. The stub is located in /usr/share/zentyal/stubs/core/haproxy.cfg.mas. You can view the file contents here: https://github.com/Zentyal/zentyal/blob/3.4/main/core/stubs/haproxy.cfg.mas

My fix was editing line 63 to point directly to my PEM file; however, this looks like it is some type of loop so this may not work for you. It worked fine for me because I wanted to use the same trusted SSL cert for the admin panel, webmail, etc.