Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: nontrivial on July 18, 2012, 09:40:11 pm

Title: HOWTO: Trusted Certificate
Post by: nontrivial on July 18, 2012, 09:40:11 pm
Generating a CSR:
 * This assumes the name of your mail server is the same as the name of
   your web server. If that isn't the case, then you will need two
   different certificates: One for postfix and dovecot, and one for
   apache. This also assumes you only want one apache vhost to be
   SSL enabled, otherwise you will need a certificate for each vhost.
 * You probably need to use sudo a lot below. I don't have time for that.
 * In the following command, replace "host" with the desired server name.
 * openssl req -new -nodes -keyout host.key -out host.csr -newkey rsa:2048
 * Creates host.key and host.csr files. Keep host.key in a safe place.
 * Submit host.csr to the certificate authority.

Get back host.crt and intermediate.crt, then:
 * Turn on SSL for mail and imap in Zentyal console and save.
 * cat host.crt > postfix.pem
 * cat host.key >> postfix.pem
 * cp /etc/postfix/sasl/postfix.pem /etc/postfix/sasl/postfix.pem.bak
 * cp postfix.pem /etc/postfix/sasl/postfix.pem
 * chmod 400 /etc/postfix/sasl/postfix.pem
 * chown root:root /etc/postfix/sasl/postfix.pem
 * cp /etc/dovecot/ssl/dovecot.pem /etc/dovecot/ssl/dovecot.pem.bak
 * cp postfix.pem /etc/dovecot/ssl/dovecot.pem
 * chmod 400 /etc/dovecot/ssl/dovecot.pem
 * chown root:root /etc/dovecot/ssl/dovecot.pem
 * cp host.key /etc/apache2/ssl/
 * cp host.crt /etc/apache2/ssl/
 * cp intermediate.crt /etc/apache2/ssl/
 * chmod 400 /etc/apache2/ssl/*
 * chown root:root /etc/apache2/ssl/*
 * Comment out SSLCertificateFile line in the file
   /usr/share/zentyal/stubs/webserver/vhost.mas
 * Turn on SSL for vhost in Zentyal console and save.
 * rm postfix.pem host.crt intermediate.crt
 * Add custom config for vhost with SSL config:
  SSLCertificateFile /etc/apache2/ssl/host.crt
  SSLCertificateKeyFile /etc/apache2/ssl/host.key
  SSLCertificateChainFile /etc/apache2/ssl/intermediate.crt
  #SSLCACertificateFile /etc/apache2/ssl/intermediate.crt
 * /etc/init.d/zentyal apache restart
 * /etc/init.d/zentyal mail restart

This seems to work except that I went REALLY cheap on the certificate, and while the browser recognizes it, my mail client does not and I still get the warning. Oh well, live and learn. If you want to have a good result for postfix and dovecot (email and imap) then I suggest you get that certificate from one of the big certificate authorities like Thawte, GeoTrust, or VeriSign.
Title: Re: HOWTO: Trusted Certificate
Post by: christian on July 19, 2012, 01:12:59 am
Hi James,

Thanks a lot for this "Howto". This should help a lot of admins trying to achieve similar behaviour.
This said, although this is already very helpful, I feel it deserves to move one (or two) steps further so that users playing in this area understand what it means to implement a certificate issued from either your own CA or from a "public" CA.

When a client accesses a server using a certificate issued from an "unknown" CA, the behaviour is different depending on the client.
All web browsers I know warn the user that the CA is unknown and allow you to trust such a CA and therefore to access the HTTPS web site.
For some other software, you may have to first download the public part of the CA key and store it in your list of "trusted CAs", otherwise the session is not established.
So what does it mean? If your web site is a public one, you may have a lot of clients you don't know, thus it is very difficult to ask them either to accept this unknown CA or to download and install the CA's public key first. This is pretty obvious.
My point is more related to other servers (software) and protocols. Looking at IMAP, it's very likely that you manage or at least know all IMAP clients. Deploying your own private CA here is much easier and cheaper than buying a certificate from a "well known company".

What I try to express is that, not totally in line with your last sentence, which is to go for a "well known CA" as much as possible, I would suggest keeping your money for certificates that really benefit from this, i.e. public web sites. For almost all other services, going for your own CA is cheaper, more flexible and definitely not less secure.
Title: Re: HOWTO: Trusted Certificate
Post by: jsalamero on July 20, 2012, 12:29:57 am
Cool!
Title: Re: HOWTO: Trusted Certificate
Post by: robb on July 20, 2012, 10:48:36 am
Jsalamero: is this cool enough to make it as a feature request so it can be done from Zentyal GUI?  :-*
Title: Re: HOWTO: Trusted Certificate
Post by: christian on July 20, 2012, 11:35:26 am
+1 this has been asked already in the past  ;)
Title: Re: HOWTO: Trusted Certificate
Post by: jsalamero on July 23, 2012, 07:47:57 am
robb, lets start with an article in the wiki and add it to the CA wishlist, yes.
Title: Re: HOWTO: Trusted Certificate
Post by: ichat on July 23, 2012, 07:30:20 pm
If the original author allows this, it would be a good idea to even include it (or references to it) in the official documentation,

since it's 'that important' for many users.
Title: Re: HOWTO: Trusted Certificate
Post by: Marcus on December 12, 2012, 04:58:09 pm
Hello,

Small update (for Zentyal 3.0)
Quote
* Comment out SSLCertificateFile line in the file
   /usr/share/zentyal/stubs/webserver/vhost.mas

It is now /usr/share/zentyal/stubs/webserver/vhostHttps.mas (for the webserver module).

Nota Bene;
It would be better to copy the vhostHttps.mas file to the /etc/zentyal/stubs/webserver folder first and then modify it (at the new location), but that doesn't seem to work right now...

Best,

Marcus
Title: Re: HOWTO: Trusted Certificate
Post by: cheesyking on February 26, 2013, 04:11:39 pm
Quote
This seems to work except that I went REALLY cheap on the certificate, and while the browser recognizes it, my mail client does not and I still get the warning.

Is the reason you're still getting the warning in your mail client that you didn't include the intermediate certificate in your postfix.pem and dovecot.pem?
I'm far, far, FAR from an expert at this kind of thing, but I don't think it'll work without them.

You included them in your apache config hence the cert is recognised by web browsers.
Title: Re: HOWTO: Trusted Certificate
Post by: christian on February 26, 2013, 04:22:49 pm
You're perhaps not an expert but you're right.
There is a warning, if the application allows it, or it could even fail if (and here you are almost correct with the intermediate certificate) your application, which relies on a repository to store trusted CAs, doesn't know (and therefore doesn't trust) the CA from which the certificate is issued.

So from a technical standpoint, the goal is not so much to add the intermediate certificate but to add (trust) the CA (even the root one if you want).
The point is that not all applications look in the same place to check the list of trusted CAs.

You can compare IE and Mozilla on your PC; I think they are different (not so sure, they may have converged).
Java uses another repository.

As I explained in my previous post on this topic, if you don't have hundreds of external clients accessing your service, there is no strong need to buy an external certificate. What you can do is expose the public part of your CA via a web-based application so that clients can download it (this is for applications not prompting for CA trust).
Title: Re: HOWTO: Trusted Certificate
Post by: rholighaus on July 31, 2013, 11:36:22 am
One more problem I came across and had to solve: The private key stored in postfix.pem for postfix configuration needs to have the password removed, otherwise your TLS setup for postfix won't work and you see the following lines in /var/log/mail.log:

Jul 31 11:22:23 nimbus postfix/smtpd[31178]: warning: cannot get RSA private key from file /etc/postfix/sasl/postfix.pem: disabling TLS support
Jul 31 11:22:23 nimbus postfix/smtpd[31178]: warning: TLS library problem: 31178:error:0906406D:PEM routines:PEM_def_callback:problems getting password:pem_lib.c:111:
Jul 31 11:22:23 nimbus postfix/smtpd[31178]: warning: TLS library problem: 31178:error:0906A068:PEM routines:PEM_do_header:bad password read:pem_lib.c:454:
Jul 31 11:22:23 nimbus postfix/smtpd[31178]: warning: TLS library problem: 31178:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:


You can fix this with these commands:

# openssl rsa -in <yourhost>.key -out <yourhost>.key_no_pwd

and then create your postfix.pem file using the private key without a password:

# cat <yourhost>.crt > postfix.pem
# cat <yourhost>.key_no_pwd >> postfix.pem
# cp postfix.pem /etc/postfix/sasl/
# chmod 400 /etc/postfix/sasl/postfix.pem
# chown root:root /etc/postfix/sasl/postfix.pem
# /etc/init.d/zentyal mail restart


Just in case somebody encounters the same problem as me.
Ralf.
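Putting the thread's corrections together, as an added example that is not part of any post here: a POSIX sh script that assembles postfix.pem in the order the replies settle on (server certificate, then the intermediate certificate cheesyking noted was missing, then the private key) and refuses a passphrase-protected key before Postfix does (the mail.log errors Ralf shows above). The file names, and the optional openssl-based verify_bundle check, are assumptions.

```shell
#!/bin/sh
# Build the postfix.pem / dovecot.pem bundle in the order the thread arrives at:
# server certificate, then the intermediate certificate, then the private key,
# and refuse a passphrase-protected key (Postfix cannot read one unattended).
# Added example, not the original poster's script; file names are assumptions.
set -eu

# pem_blocks FILE TYPE: print how many "-----BEGIN TYPE-----" blocks FILE holds
pem_blocks() {
    grep -c "^-----BEGIN $2-----" "$1" || true
}

# key_is_encrypted FILE: succeed if the key needs a passphrase (PKCS#1 header
# "Proc-Type: 4,ENCRYPTED" or a PKCS#8 "ENCRYPTED PRIVATE KEY" block)
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# build_bundle HOST.CRT INTERMEDIATE.CRT HOST.KEY OUT.PEM
build_bundle() {
    crt=$1; chain=$2; key=$3; out=$4
    [ "$(pem_blocks "$crt" CERTIFICATE)" -eq 1 ] \
        || { echo "$crt: expected exactly one certificate" >&2; return 1; }
    [ "$(pem_blocks "$chain" CERTIFICATE)" -ge 1 ] \
        || { echo "$chain: no intermediate certificate found" >&2; return 1; }
    grep -q '^-----BEGIN .*PRIVATE KEY-----' "$key" \
        || { echo "$key: no private key block" >&2; return 1; }
    if key_is_encrypted "$key"; then
        echo "$key: passphrase-protected; strip it first: openssl rsa -in $key -out ${key}_no_pwd" >&2
        return 1
    fi
    # the bundle carries the private key, so create it unreadable to others
    ( umask 077; rm -f "$out"; cat "$crt" "$chain" "$key" > "$out" )
    chmod 400 "$out"
}

# verify_bundle OUT.PEM INTERMEDIATE.CRT: needs openssl; checks that the key in
# the bundle matches the leaf certificate and that the leaf chains through the
# intermediate to a root in the system trust store.
verify_bundle() {
    bundle=$1; chain=$2
    crt_mod=$(openssl x509 -noout -modulus -in "$bundle")
    key_mod=$(openssl rsa -noout -modulus -in "$bundle" 2>/dev/null)
    [ "$crt_mod" = "$key_mod" ] \
        || { echo "$bundle: private key does not match certificate" >&2; return 1; }
    openssl verify -untrusted "$chain" "$bundle"
}
```

verify_bundle is the one step that needs openssl and a real certificate chain; build_bundle itself only inspects PEM block headers.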
Title: Re: HOWTO: Trusted Certificate
Post by: axxo1 on September 17, 2013, 02:30:11 pm
This is awesome. Thank you all, I am not very good when it comes to SSL certificates.
Title: Re: HOWTO: Trusted Certificate
Post by: ray-ven on April 14, 2014, 11:55:04 am
Hey Folks,

I don't see an SSLCertificateFile option in Zentyal 3.4 anymore... Any hints?

Thank you
Ray
Title: Re: HOWTO: Trusted Certificate
Post by: ray-ven on April 16, 2014, 09:24:51 am
I'm quite sure changes have to be made here:
/var/lib/zentyal/conf/haproxy.cfg

but don't know how??

Please help me out!

Ray
Title: Re: HOWTO: Trusted Certificate
Post by: ff8jake on April 23, 2014, 05:18:47 pm
Quote
I'm quite sure changes have to be made here:
/var/lib/zentyal/conf/haproxy.cfg

but don't know how??

Please help me out!

Ray

If you'd like to edit how haproxy.cfg is generated, you will need to edit its stub. The stub is located in /usr/share/zentyal/stubs/core/haproxy.cfg.mas. You can view the file contents here: https://github.com/Zentyal/zentyal/blob/3.4/main/core/stubs/haproxy.cfg.mas

My fix was editing line 63 to point directly to my PEM file; however, this looks like it is some type of loop so this may not work for you. It worked fine for me because I wanted to use the same trusted SSL cert for the admin panel, webmail, etc.
Title: Re: HOWTO: Trusted Certificate
Post by: ray-ven on May 03, 2014, 02:38:40 pm
Hmm, I tried to work around the problem. I've generated a cert via Zentyal and took it for validation at Comodo. They sent me some .crt files... But what now?!
Thank you, Ray
Title: Re: HOWTO: Trusted Certificate
Post by: ray-ven on May 04, 2014, 01:23:54 pm
Well, imho there's no difference between .crt and .pem files. PEM can contain multiple certificates though (according to https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1426)
I actually don't know how to change /usr/share/zentyal/stubs/core/haproxy.cfg.mas correctly (I want one cert for everything as well), and I cannot figure out how to put all the .crt files in the correct order into the .pem, as they have different names than in the Comodo howto (COMODORSAAddTrustCA.crt, COMODORSADomainValidationSecureServerCA.crt, AddTrustExternalCARoot.crt, my_domain.crt; my private key is in /var/lib/zentyal/CA/private, I think).

Anyway - wouldn't it be possible to overwrite files in /var/lib/zentyal/CA with the trusted cert files?

I really cannot understand why importing certs isn't part of Zentyal, or why this procedure is so complicated! It looks to me as if we just have to point to a bunch of files, and that's it! But this may be another thread...

Please help me out! I'm really lost with this stuff
Title: Re: HOWTO: Trusted Certificate
Post by: ray-ven on May 06, 2014, 09:15:01 am
It would be enough to know how to change /usr/share/zentyal/stubs/core/haproxy.cfg.mas
and what the .pem should contain.

Please help me out with this
Title: Re: HOWTO: Trusted Certificate
Post by: ff8jake on May 07, 2014, 03:18:57 pm
Quote
It would be enough to know how to change /usr/share/zentyal/stubs/core/haproxy.cfg.mas
and what the .pem should contain.

Please help me out with this
This is the change I made, and it will apply your .pem to pretty much every part of the server (admin, webmail, etc). It will need to be a .pem file including the cert, any intermediate/chain certs, and the key in my experience.

In line 63 of haproxy.cfg.mas (https://github.com/Zentyal/zentyal/blob/3.4/main/core/stubs/haproxy.cfg.mas) you have the following:
Code:
%           my $newCrt = 'crt ' . $service->{pathSSLCert};
which I have changed to this:
Code:
%           my $newCrt = 'crt /path/to/my/certificate.pem';
After the change I restarted just to ensure the config files everywhere were regenerated. Hope this helps.
Title: Re: HOWTO: Trusted Certificate
Post by: stickybro on May 08, 2014, 06:33:54 am
Quote
It would be enough to know how to change /usr/share/zentyal/stubs/core/haproxy.cfg.mas
and what the .pem should contain.

Please help me out with this
This is the change I made, and it will apply your .pem to pretty much every part of the server (admin, webmail, etc). It will need to be a .pem file including the cert, any intermediate/chain certs, and the key in my experience.

In line 63 of haproxy.cfg.mas (https://github.com/Zentyal/zentyal/blob/3.4/main/core/stubs/haproxy.cfg.mas) you have the following:
Code:
%           my $newCrt = 'crt ' . $service->{pathSSLCert};
which I have changed to this:
Code:
%           my $newCrt = 'crt /path/to/my/certificate.pem';
After the change I restarted just to ensure the config files everywhere were regenerated. Hope this helps.

thank you for this ff8jake  8) it works very well!
Title: Re: HOWTO: Trusted Certificate
Post by: ray-ven on May 08, 2014, 10:02:32 pm
Yay!!! Thank you very very very much!

But why the hell isn't this a standard procedure in zentyal?! Whyyyyy?
Title: Re: HOWTO: Trusted Certificate
Post by: donb on January 20, 2015, 10:26:28 pm
I am running version 4, I don't even have /usr/share/zentyal/stubs/core/haproxy.cfg.mas

Does anyone know the new path ?
Title: Re: HOWTO: Trusted Certificate
Post by: ileshwart on April 11, 2015, 09:25:03 am
Hi,

I am also using Zentyal 4 and can't find /usr/share/zentyal/stubs/core/haproxy.cfg.mas.
Can anyone tell me which file in Zentyal 4 we need to modify for trusted certificates?

Regards
Ilesh
Title: Re: HOWTO: Trusted Certificate
Post by: jniemand on May 09, 2016, 06:31:45 pm
There's a great solution for using trusted certificates in Zentyal 4.2+ (by installing them into the Zentyal CA) here: https://forum.zentyal.org/index.php/topic,24513.msg101014.html