Author Topic: [HOWTO] How to install third party SSL certificates in Zentyal 4.0

kelderek

This appears to be working for me but I take no responsibility if it messes up your system.  Always make sure you have a good backup first!

Since I couldn't find a way to import my StartSSL/StartCOM certificate into Zentyal via web admin, I tinkered around on the command line and it appears you can do it one of two ways.  The first way is to create a cert for the CN you want in the web admin then just overwrite the files for it, and the second is to just add it to the CA's list of certificates directly in the filesystem.  I have no idea which is better, but it seems to me that adding at the GUI then overwriting is the safer bet in case there is something going on somewhere I didn't find.

Sorry if the writing is a bit terse, it is pretty late when I am posting this.  If it is unclear please let me know and I will try to fix it.  Anyway, here we go!

First create a certificate in web administration under Certification Authority->General using your CN (not including the top-level domain, e.g. for mail.domain.com just use mail).  Since we are going to overwrite it, the days-to-expire field doesn't strictly matter, but you should set it so it shows your real cert's expiration day for your reference.

Once that is done we need to drop to the command line.  I will assume you are at an admin prompt or a lot of these will need sudo in front of them.  The first thing we need to do is go to /var/lib/zentyal/CA and look at the index.txt file.  Find the line with your CN on it and look at the second number on the line.  That is the serial number of the cert you will be overwriting.

Copy your cert file to /var/lib/zentyal/CA/certs and name it <serial number used in index.txt>.pem
Change the ownership and set the permissions to match the other certs:
Code:
chmod 666 <serial>.pem
chown ebox:ebox <serial>.pem
Note: Make sure your <serial>.pem file ends on an empty line.  The one I got from StartSSL/StartCOM did not and it caused trouble when Zentyal tried to assign it to services.

Copy your private key file to /var/lib/zentyal/CA/private
Change owner and permissions again then remove the password from it with this command:
Code:
# The key was copied in as <your key>.key, so strip its passphrase into <CN>.pem first;
# the chmod/chown have to run after that, once <CN>.pem actually exists.
openssl rsa -in <your key>.key -out <CN>.pem
chmod 666 <CN>.pem
chown ebox:ebox <CN>.pem

Generate a public key and put it in the right folder:
Code:
# Run from /var/lib/zentyal/CA/private; the public key lands in the sibling keys/ folder.
openssl rsa -in <CN>.pem -pubout > ../keys/<CN>.pem
cd ../keys
chmod 666 <CN>.pem
chown ebox:ebox <CN>.pem

Create the p12 version and put it where it belongs.  When prompted for the export password don't use one, just hit enter:
Code:
cd ../p12
cat ../private/<CN>.pem ../certs/<serial>.pem > temp.pem
openssl pkcs12 -export -in temp.pem -out <CN>.p12
chown ebox:ebox <CN>.p12
# temp.pem holds the unencrypted private key, so remove it as soon as the .p12 exists.
rm temp.pem

You can now go back to web admin and assign the cert to your services under Certification Authority->Services Certificates.  Click the button in the action column to edit the service(s) you want and set the common name to the CN used at the beginning.  Check the enable box and click change, then save settings in the top right.  That should be it!

If you want to try adding directly from the command line and not overwriting a cert just add your own line to index.txt.  It seemed to work just as well and I didn't even have to restart any services.  That being said I will reiterate that it is probably a less safe way to go as it is more prone to error and might not do something else the web admin does when setting up a cert.

Hopefully this is helpful to someone and will save them hours I just had to spend ;)
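As an added example (not part of kelderek's post), the "create a placeholder in the web admin, then overwrite its files" procedure above as one POSIX shell script. It assumes the Zentyal 4.0 CA layout the post describes (index.txt plus the certs/, private/, keys/ and p12/ folders under /var/lib/zentyal/CA, files owned by ebox:ebox); the function names and the CA_DIR variable are mine.

```shell
#!/bin/sh
# Added example, not from the original post: automates the "overwrite the
# placeholder's files" procedure for a third-party cert. Assumes the Zentyal
# 4.0 CA layout from the post: $CA_DIR/index.txt plus certs/, private/,
# keys/ and p12/, with files owned by ebox:ebox.
CA_DIR="${CA_DIR:-/var/lib/zentyal/CA}"

# index.txt is the OpenSSL CA database, tab-separated:
#   status  expiry  revocation  serial  filename  subject-DN
# Print the serial of the valid (status V) entry whose subject ends in /CN=$1
# (exact match, so "mail" does not pick up "webmail"). $2 is the index file.
serial_for_cn() {
    awk -F'\t' -v cn="$1" '
        $1 == "V" {
            tag = "/CN=" cn
            if (substr($6, length($6) - length(tag) + 1) == tag) { print $4; found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$2"
}

# Zentyal choked on a cert whose last line lacked a newline (see the note above).
pem_ends_with_newline() {
    [ -s "$1" ] && [ "$(tail -c 1 "$1" | wc -l | tr -d ' ')" -eq 1 ]
}

# Key and cert must belong together: compare their public keys before touching the CA.
key_matches_cert() {
    [ "$(openssl x509 -in "$2" -noout -pubkey)" = "$(openssl pkey -in "$1" -pubout)" ]
}

# $1 = CN used in the web admin, $2 = third-party cert (PEM), $3 = its private key.
install_third_party_cert() {
    cn="$1"; cert="$2"; key="$3"
    serial=$(serial_for_cn "$cn" "$CA_DIR/index.txt") || { echo "no valid entry for CN=$cn in index.txt" >&2; return 1; }
    pem_ends_with_newline "$cert" || { echo "$cert must end with a newline" >&2; return 1; }
    key_matches_cert "$key" "$cert" || { echo "$key does not match $cert" >&2; return 1; }
    # Overwrite the placeholder cert under its serial, as the post does.
    cp "$cert" "$CA_DIR/certs/$serial.pem"
    # Key without passphrase (openssl prompts if one is set), public key, and the .p12.
    openssl rsa -in "$key" -out "$CA_DIR/private/$cn.pem"
    openssl rsa -in "$CA_DIR/private/$cn.pem" -pubout -out "$CA_DIR/keys/$cn.pem"
    openssl pkcs12 -export -passout pass: -in "$cert" -inkey "$CA_DIR/private/$cn.pem" -out "$CA_DIR/p12/$cn.p12"
    # Match the owner and the modes the post reports for the placeholder files
    # (tighten them if the files on your install are stricter).
    for f in "certs/$serial.pem" "private/$cn.pem" "keys/$cn.pem" "p12/$cn.p12"; do
        chown ebox:ebox "$CA_DIR/$f"
    done
    chmod 666 "$CA_DIR/certs/$serial.pem" "$CA_DIR/private/$cn.pem" "$CA_DIR/keys/$cn.pem"
    echo "installed CN=$cn over serial $serial; now assign it under Services Certificates"
}

# Usage: ./install-cert.sh <CN> <cert.pem> <key.key>
if [ "$#" -eq 3 ]; then install_third_party_cert "$@"; fi
```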

SamE

Re: [HOWTO] How to install third party SSL certificates in Zentyal 4.0
« Reply #1 on: February 13, 2015, 09:20:56 pm »
Thank you! This looks promising!
Does it still work after a reboot?

kelderek

Re: [HOWTO] How to install third party SSL certificates in Zentyal 4.0
« Reply #2 on: February 14, 2015, 03:17:52 am »
Yes, it seems to survive the reboot.  I have certificates added with both methods I presented and I just ran some updates, rebooted and the certificates were still correct.  Just in case I tried reassigning the certificates to different services to make sure it wouldn't mess up when I did that.  There were no problems there, either.  Since we are tricking the CA into thinking they are its own certificates I don't expect to have any trouble due to reboots or updates in the future.

Clearly the renew button in the GUI won't work but that is a price I am willing to pay ;)

Monox

Re: [HOWTO] How to install third party SSL certificates in Zentyal 4.0
« Reply #3 on: March 28, 2015, 06:23:30 am »
Thanks, works great.
I tried to replace the certificate for the webmail in the same way, but it does not work. Is it even possible?

fraggle

Re: [HOWTO] How to install third party SSL certificates in Zentyal 4.0
« Reply #4 on: April 06, 2015, 03:35:17 pm »
Sorry to be dense, I don't know much about this and am trying to learn.

I have a StartSSL/StartCOM cert, but it gives me a .crt file, a .key file, a ca.pem and a sub.class1.server.ca.pem. What do I do with the last 2 files?

nederlandlive

Re: [HOWTO] How to install third party SSL certificates in Zentyal 4.0
« Reply #5 on: November 13, 2015, 12:56:01 pm »
Hi All,

To fix this for postfix, dovecot, sogo and the webadmin page, I'm using the following hook (based on a solution mentioned elsewhere on this forum, but I lost the link :-\) in combination with sslmate and Zentyal 4.2.1.
Put the following in /etc/zentyal/hooks/ca.postsetconf (replace 'example.com' with your domain) and make sure it's executable, e.g. chmod +x /etc/zentyal/hooks/ca.postsetconf:

Code:
#!/bin/sh
rm /etc/dovecot/private/dovecot.pem && ln -s /etc/sslmate/\*.example.com.chained.key.crt /etc/dovecot/private/dovecot.pem
rm /etc/postfix/sasl/postfix.pem && ln -s /etc/sslmate/\*.example.com.chained.key.crt /etc/postfix/sasl/postfix.pem
rm /var/lib/zentyal/conf/ssl/ssl.pem && ln -s /etc/sslmate/\*.example.com.chained.key.crt /var/lib/zentyal/conf/ssl/ssl.pem
rm /etc/ocsmanager/example.com.pem && ln -s /etc/sslmate/\*example..com.chained.key.crt /etc/ocsmanager/example.com.pem
exit 0

The crt consists of the full chain + the key (at the end).

Restart services:

Code:
service zentyal ca restart
service zentyal webadmin restart
service zentyal mail restart
service apache2 restart

Might be a good alternative to the above for someone (it works for me ;-)).

Cheers,
Joost
« Last Edit: November 13, 2015, 01:04:46 pm by nederlandlive »

chriscarpenter12

Re: [HOWTO] How to install third party SSL certificates in Zentyal 4.0
« Reply #6 on: January 12, 2016, 12:51:38 am »
@nederlandlive, Do you have anymore detail on this? I can't seem to get it to work, but I don't know if I have my cert in the proper order.

This is my order:

Cert
Intermediate
Root CA
Key

wvanelten

Re: [HOWTO] How to install third party SSL certificates in Zentyal 4.0
« Reply #7 on: January 15, 2016, 11:24:12 am »
Is there already a better way to do this?
These options do not work here with 4.2.1.3

wvanelten

Re: [HOWTO] How to install third party SSL certificates in Zentyal 4.0
« Reply #8 on: January 18, 2016, 09:28:43 am »
Hi All,

To fix this for postfix, dovecot, sogo and the webadmin page, I'm using the following hook (based on a solution mentioned elsewhere on this forum, but I lost the link :-\) in combination with sslmate and Zentyal 4.2.1.
Put the following in /etc/zentyal/hooks/ca.postsetconf (replace 'example.com' with your domain) and make sure it's executable, e.g. chmod +x /etc/zentyal/hooks/ca.postsetconf:

Code:
#!/bin/sh
rm /etc/dovecot/private/dovecot.pem && ln -s /etc/sslmate/\*.example.com.chained.key.crt /etc/dovecot/private/dovecot.pem
rm /etc/postfix/sasl/postfix.pem && ln -s /etc/sslmate/\*.example.com.chained.key.crt /etc/postfix/sasl/postfix.pem
rm /var/lib/zentyal/conf/ssl/ssl.pem && ln -s /etc/sslmate/\*.example.com.chained.key.crt /var/lib/zentyal/conf/ssl/ssl.pem
rm /etc/ocsmanager/example.com.pem && ln -s /etc/sslmate/\*example..com.chained.key.crt /etc/ocsmanager/example.com.pem
exit 0

The crt consists of the full chain + the key (at the end).

Restart services:

Code:
service zentyal ca restart
service zentyal webadmin restart
service zentyal mail restart
service apache2 restart

Might be a good alternative to the above for someone (it works for me ;-)).

Cheers,
Joost

There is a typo in the ca.postsetconf.
That might be the problem if you didn't fix it.
It should be (the ocsmanager part is changed):
Code:
#!/bin/sh
rm /etc/dovecot/private/dovecot.pem && ln -s /etc/sslmate/\*.example.com.chained.key.crt /etc/dovecot/private/dovecot.pem
rm /etc/postfix/sasl/postfix.pem && ln -s /etc/sslmate/\*.example.com.chained.key.crt /etc/postfix/sasl/postfix.pem
rm /var/lib/zentyal/conf/ssl/ssl.pem && ln -s /etc/sslmate/\*.example.com.chained.key.crt /var/lib/zentyal/conf/ssl/ssl.pem
rm /etc/ocsmanager/example.com.pem && ln -s /etc/sslmate/\*.example.com.chained.key.crt /etc/ocsmanager/example.com.pem
exit 0

Also, the owner should be root:root:
Code:
sudo chown root:root /etc/sslmate/\*.example.com.chained.key.crt
and:
/etc/dovecot/private/dovecot.pem should be chmod 400
/etc/postfix/sasl/postfix.pem should be chmod 400
/var/lib/zentyal/conf/ssl/ssl.pem should be chmod 600
/etc/ocsmanager/eltomation.com.pem should be chmod 644

So I recommend cp instead of ln -s.
« Last Edit: January 18, 2016, 09:46:20 am by wvanelten »

wvanelten

Re: [HOWTO] How to install third party SSL certificates in Zentyal 4.0
« Reply #9 on: January 18, 2016, 01:09:57 pm »
@nederlandlive, Do you have anymore detail on this? I can't seem to get it to work, but I don't know if I have my cert in the proper order.

This is my order:

Cert
Intermediate
Root CA
Key

According to Novell it should be:
Key
Cert
Intermediate chain

source: https://www.novell.com/support/kb/doc.php?id=7013103
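As an added example, not part of either reply: a variant of the ca.postsetconf hook quoted above that copies the sslmate bundle into the same four locations with the modes listed in reply #8 (cp instead of ln -s, owner root:root) and first checks that the bundle's sections are in the order reply #9 gives (key, then certificate, then the intermediate chain). The function names, the DEST_ROOT and OWNER variables and the sample bundles are mine.

```shell
#!/bin/sh
# Added example, not from the thread: the ca.postsetconf hook quoted above,
# rewritten to copy the sslmate bundle (reply #8 recommends cp over ln -s)
# with the modes listed there, after checking the section order from
# reply #9: private key first, then the server cert, then the chain.
# DEST_ROOT and OWNER are knobs I added so the hook can be exercised
# outside a real Zentyal box.
DEST_ROOT="${DEST_ROOT:-}"   # path prefix; leave empty on the real server
OWNER="${OWNER:-root:root}"

# Print the kind of every PEM block in $1 on one line, e.g. "KEY CERT CERT".
pem_block_kinds() {
    awk '/^-----BEGIN /{
            sub(/^-----BEGIN /, ""); sub(/-----$/, "")
            if ($0 ~ /PRIVATE KEY/) kind = "KEY"; else if ($0 == "CERTIFICATE") kind = "CERT"; else kind = "OTHER"
            printf "%s%s", (n++ ? " " : ""), kind
        }
        END { print "" }' "$1"
}

# Valid order: one key, then the server cert, then at least one chain cert.
chain_order_ok() {
    case "$(pem_block_kinds "$1")" in
        "KEY CERT CERT"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Copy $1 to $2 with mode $3, replacing any symlink left by the old hook.
install_copy() {
    rm -f "$DEST_ROOT$2"
    cp "$1" "$DEST_ROOT$2"
    chown "$OWNER" "$DEST_ROOT$2"
    chmod "$3" "$DEST_ROOT$2"
}

# $1 = chained bundle (chain + key), $2 = mail domain; same four targets as the hook.
install_bundle() {
    chain_order_ok "$1" || { echo "$1: expected KEY, CERT, CERT... order" >&2; return 1; }
    install_copy "$1" /etc/dovecot/private/dovecot.pem 400
    install_copy "$1" /etc/postfix/sasl/postfix.pem 400
    install_copy "$1" /var/lib/zentyal/conf/ssl/ssl.pem 600
    install_copy "$1" "/etc/ocsmanager/$2.pem" 644
}

# Mode string as ls shows it, e.g. "-r--------" for 400; handy for checking the result.
mode_of() { ls -ld "$1" | cut -c1-10; }

# In the hook itself, hardcode the call, e.g.:
#   install_bundle '/etc/sslmate/*.example.com.chained.key.crt' example.com
if [ "$#" -eq 2 ]; then install_bundle "$1" "$2"; fi
```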

jniemand

Re: [HOWTO] How to install third party SSL certificates in Zentyal 4.0
« Reply #10 on: May 02, 2016, 12:53:27 pm »
@Kelderek - Thanks!
Your suggestion to replace an "untrusted" Zentyal certificate in the CA with a trusted one is by far the best & safest solution, and it works 100%  (Tested on & running 4.2).
I have also managed to get the same trusted certificate to work in the OpenChange module (after a lot of digging!)


Here's a short how-to:

1. Zentyal Setup
  • Set up your CA in Zentyal
  • Generate the certificate for OpenChange in the web admin by using the Zentyal CA

2. Get a trusted Certificate (http://www.startssl.com gives free trusted certificates, but anyone will do).

The certificate requirements are (this is important):
  • The Common Name MUST be the root of the virtual mail domain (eg. yourdomain.com)
  • The certificate has to have AT LEAST the following 2 additional subdomains added:
    • Your mail server's full DNS address for the virtual domain (eg. yourserver.yourdomain.com)
    • An additional subdomain called "autodiscover" (eg autodiscover.yourdomain.com)
    • After those, you can add extra subdomains if you want - a wildcard (*) is even better here if possible!
  • Once you download your trusted certificate, you have to combine your certificate with its root bundle (if it comes with one).
    Open the certificate & bundle files in a plaintext editor, copy & paste the certificate's contents first & the contents of the bundle directly below it - making sure your file has an empty line at the end, not anywhere else. Save it as yourdomain.com.crt
  • Follow the steps in the original post by @Kelderek (at the top of this page). Replace the certificate for your root domain in the Zentyal CA (eg. yourdomain.com) - afterwards, it will automatically be valid for all the subdomains you added on the trusted certificate...

3. Assign your trusted certificate to your services:
  • In the Zentyal Admin, go to CERTIFICATION AUTHORITY > SERVICES CERTIFICATES
  • Add a certificate for each service (or edit the existing ones) - MAKE SURE THE COMMON NAME for each service's certificate is the same as your root domain only (eg. yourdomain.com) - as set in your trusted certificate's CN.

4. Now, to make OpenChange play nice with your new certificate...

Zentyal's OpenChange has code that checks to see if a certificate meets all the requirements for OpenChange (explained in step 2 above) that forces you to use the certificate from the internal CA for some reason. This will hopefully be changed to accommodate trusted & chained certs in future versions, but for now you need to trick the system to pass these checks.
  • SSH into your server and type "su" to get root access
  • Edit this file:
Code:
/usr/share/perl5/EBox/OpenChange/Model/VDomains.pm
  • Find the following lines:
Code:
        if ($metadata->{state} eq 'V') {
            my $rpcProxyAltName = 0;
            my $autodiscoverAltName = 0;
  • and replace them with the following:
Code:
        if ($metadata->{state} eq 'V') {
# HACK to make trusted certs work in OpenChange -set the two variables below to 1 instead of 0
            my $rpcProxyAltName = 1;
            my $autodiscoverAltName = 1;
  • Save the changes and restart the OpenChange Module:
Code:
service zentyal openchange restart
  • In the web admin, go to MAIL > OPENCHANGE and enable the now-trusted SSL services you want.
  • Remember to add public DNS entries for your server's FQDN and for the "autodiscover" subdomain on your domain's public DNS to enable access from anywhere. They are already set on the internal Zentyal DNS server.

5. Is this solution permanent?
  • When your trusted certificate expires, you can just "renew" it in the Zentyal CA (or revoke it and create a new one). Then just repeat @Kelderek's steps to replace the new certificate in your CA with a new trusted one (make sure it covers the requirements).
  • The trusted certificate remains and works after restarting - and even after you restore backed-up system config files if you have to (if saved after the changes on this page were made)
  • This *should* also remain working after system updates, until the OpenChange module itself is updated. If you do update OpenChange, edit the "VDomains.pm" file and change the variables to = 1 again. Restart the OpenChange module and everything should be back to "normal".


I think Zentyal should consider adding the following 2 items in their next major release:
  • Automatically create a domain group policy to add the Zentyal CA certificate to the "trusted roots" store on all pc's joined to the domain (using the netlogon shares) - and update that CA certificate copy when changes are made to the CA in the web admin.
  • Add a "TRUSTED SSL" section to the Zentyal CA gui that generates CSR requests to obtain trusted certs easily - and a part that imports trusted certificates & intermediary bundles into Zentyal, which automatically overrides the "untrusted" certificates only where necessary.

That will ensure that users on domain pc's never encounter the SSL security warnings (in or out the office) while giving admins an easy way to make their Zentyal setup trusted globally.

The 1st suggestion should already be in Zentyal by default as it is a standard feature of the Windows Domain Controllers for domains. (Zentyal devs - I'd be happy to give you the 2-line script for doing this during samba provisioning  ;))


I hope this helps a few of you, as according to me, this is the biggest of very few Zentyal shortfalls.

PS. An option for making the DHCP server authoritative (and perhaps - later - compatible with the Windows Remote Admin Tools) would be my last wish before Zentyal is a complete MS Server replacement like no other.

J
« Last Edit: May 02, 2016, 12:57:25 pm by jniemand »

dumarjo

Re: [HOWTO] How to install third party SSL certificates in Zentyal 4.0
« Reply #11 on: June 07, 2016, 02:15:35 pm »
Hi,

I'm new to Zentyal and I would like to use Let's Encrypt for my server. Has anyone here been able to get a Let's Encrypt certificate to work with Zentyal?

Regards

Jonathan

trysomething

Re: [HOWTO] How to install third party SSL certificates in Zentyal 4.0
« Reply #12 on: June 09, 2016, 01:16:50 am »
Although this works it will NOT survive an upgrade.  Not to mention there is actually a much easier solution.
Sign into any shell or ssh and give yourself sudo root by issuing:
sudo su
Make 2 directories:
mkdir -p /etc/zentyal/stubs
mkdir -p /etc/zentyal/stubs/openchange

Now copy the system generated stub file into the openchange directory:
cp /usr/share/zentyal/stubs/openchange/apache-ocsmanager.conf.mas /etc/zentyal/stubs/openchange/

Now edit the copied stub:
nano /etc/zentyal/stubs/openchange/apache-ocsmanager.conf.mas

*if you hate nano use something else, I'm a nano fan myself :P
Scroll down to the part about the SSL Certificate and I just comment out the line that says:
SSLCertificateFile <% $cert %> (or something very like that)
Then create the following 3 lines:
SSLCertificateFile /etc/apache2/ssl/certificate.crt
SSLCertificateKeyFile /etc/apache2/keyfile.key
SSLCACertificateFile /etc/apache2/ssl/certificate.ca-bundle

Then I save and close it, create the directory mentioned above:
mkdir -p /etc/apache2/ssl

and upload my cert, my key file and my bundle file.

After that all you do is restart openchange:
service zentyal openchange restart

If it says OK then you're good, if it throws an error then you'll have to restart Apache to find out where exactly the problem is:
service apache2 restart

I'm typing those 3 lines out of memory and it could be a little off.  It's the same as what is in the default SSL virtual host file in Apache2, so you can check in there:
nano /etc/apache2/sites-available/default-ssl.conf

scroll down and find the lines for certificate file, certificate key and the root CA or the CA bundle depending on which one you've got.  Also, if your cert has a .pem extension or .cer then use that instead of .crt.
This method will survive a reboot, an upgrade of Zentyal and if you just can't get it to work then you just delete the stub file you are editing and start over.  No system generated files are messed with, no bricking your machine and most of all it's easy as heck to remember what you put where!
You will have to excuse my posts not having actual links in them.  I'm blind and can never find that insert hyperlink button LoL.  If you, or someone you know has vision problems check out The Tiki Lab.

dumarjo

Re: [HOWTO] How to install third party SSL certificates in Zentyal 4.0
« Reply #13 on: June 09, 2016, 01:59:04 pm »
Thanks for the info,

I have done something on the server right now and it looks like it works. I have changed the .mas file (the original one); this will probably be lost when an upgrade is done. I will look into your post and try it too.

Regards

Jonathan

trysomething

Re: [HOWTO] How to install third party SSL certificates in Zentyal 4.0
« Reply #14 on: June 09, 2016, 09:26:32 pm »
Since you've already updated the original .mas (called stub) you can simply copy it over to /etc/zentyal/stubs/openchange and then it will absolutely survive an upgrade.
The original stubs are all generated during Zentyal initial configuration, so the entire system is dependent upon them.  When upgrading from version to version (i.e. 4.0 to 4.2 or 3.5 to 4.0) your stub files in /usr/share/zentyal/stubs can and will be overwritten.  If you have spent the time to customize things, and trust me now that you know about stubs you will LoL, it makes sense to just have a second location to house custom stubs.  The directories and files under /etc/zentyal/stubs will NOT be altered or removed during an upgrade.
Furthermore it is REALLY easy to do a file comparison to see what has changed between versions and find out if you even need to keep the custom stub or not.  Even more important though is that when upgrading versions - if the custom stub breaks the system you can just rename it and restart that service and the problem is fixed in 2 minutes instead of trying to find notes on what you did a long time ago, or how to recreate whatever was lost and troubleshooting for hours and hours.
Stability, connectivity and ease of use are REALLY well done in the stub file idea with Zentyal.