Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: kelderek on February 13, 2015, 08:16:44 am

Title: [HOWTO] How to install third party SSL certificates in Zentyal 4.0
Post by: kelderek on February 13, 2015, 08:16:44 am
This appears to be working for me but I take no responsibility if it messes up your system.  Always make sure you have a good backup first!

Since I couldn't find a way to import my StartSSL/StartCOM certificate into Zentyal via web admin, I tinkered around on the command line and it appears you can do it one of two ways.  The first way is to create a cert for the CN you want in the web admin then just overwrite the files for it, and the second is to just add it to the CA's list of certificates directly in the filesystem.  I have no idea which is better, but it seems to me that adding at the GUI then overwriting is the safer bet in case there is something going on somewhere I didn't find.

Sorry if the writing is a bit terse, it is pretty late when I am posting this.  If it is unclear please let me know and I will try to fix it.  Anyway, here we go!

First create a certificate in web administration under Certification Authority->General using your CN (not including top level domain.  e.g. for mail.domain.com just use mail).  Since we are going to overwrite it the days to expire field doesn't strictly matter, but you should set it so it shows your real cert's expiration day for your reference.

Once that is done we need to drop to the command line.  I will assume you are at an admin prompt or a lot of these will need sudo in front of them.  The first thing we need to do is go to /var/lib/zentyal/CA and look at the index.txt file.  Find the line with your CN on it and look at the second number on the line.  That is the serial number of the cert you will be overwriting.

Copy your cert file to /var/lib/zentyal/CA/certs and name it <serial number used in index.txt>.pem
Change the ownership and set the permissions to match the other certs:
Code:
chmod 666 <serial>.pem
chown ebox:ebox <serial>.pem
Note: Make sure your <serial>.pem file ends on an empty line.  The one I got from StartSSL/StartCOM did not and it caused trouble when Zentyal tried to assign it to services.

Copy your private key file to /var/lib/zentyal/CA/private
Change owner and permissions again then remove the password from it with this command:
Code:
openssl rsa -in <your key>.key -out <CN>.pem   # writes the key without its passphrase; <CN>.pem has to exist before it can be chmod'ed
chmod 666 <CN>.pem
chown ebox:ebox <CN>.pem

Generate a public key and put it in the right folder:
Code:
openssl rsa -in <CN>.pem -pubout > ../keys/<CN>.pem
cd ../keys
chmod 666 <CN>.pem
chown ebox:ebox <CN>.pem

Create the p12 version and put it where it belongs.  When prompted for the export password don't use one, just hit enter:
Code:
cd ../p12
cat ../private/<CN>.pem ../certs/<serial>.pem > temp.pem
openssl pkcs12 -export -in temp.pem -out <CN>.p12
chown ebox:ebox <CN>.p12
rm temp.pem

You can now go back to web admin and assign the cert to your services under Certification Authority->Services Certificates.  Click the button in the action column to edit the service(s) you want and set the common name to the CN used at the beginning.  Check the enable box and click change, then save settings in the top right.  That should be it!

If you want to try adding directly from the command line and not overwriting a cert just add your own line to index.txt.  It seemed to work just as well and I didn't even have to restart any services.  That being said I will reiterate that it is probably a less safe way to go as it is more prone to error and might not do something else the web admin does when setting up a cert.

Hopefully this is helpful to someone and will save them hours I just had to spend ;)
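The steps in this post, scripted as an added example (this is not kelderek's code and not part of Zentyal): it looks up the serial for the CN in index.txt, overwrites certs/<serial>.pem, strips the passphrase from the key, writes the public key and the passwordless .p12, and sets the mode and owner on each file. It goes a little beyond the post in two places: the CN lookup matches the DN component exactly (so "mail" does not pick "mailserver"), and it refuses to overwrite anything when the private key does not belong to the certificate. Assumed: the first argument is a directory with the Zentyal CA layout (index.txt, certs/, private/, keys/, p12/), and the ebox:ebox owner is only applied when that account exists, so the functions also run in a scratch directory.

```shell
#!/bin/sh
# Added example, not code from the forum post or from Zentyal: a scripted
# version of the "create in the web admin, then overwrite the files" procedure.
# Assumptions: $1 is a directory with the Zentyal CA layout (index.txt, certs/,
# private/, keys/, p12/); the ebox:ebox owner is only applied when that account
# exists, so the same functions run unchanged in a scratch directory.

CA_OWNER="${CA_OWNER:-ebox:ebox}"

# Serial of the valid ('V') index.txt entry whose subject has exactly this CN.
# index.txt is tab separated: status, expiry, revocation date, serial,
# filename, subject DN.  Splitting the DN on '/' avoids matching 'mailserver'
# when asked for 'mail'.
serial_for_cn() {
    awk -F'\t' -v cn="$2" '
        $1 == "V" {
            n = split($6, rdn, "/")
            for (i = 1; i <= n; i++) if (rdn[i] == "CN=" cn) { print $4; exit }
        }' "$1/index.txt"
}

# Mode and owner used by the CA tree; chown only when the account exists.
set_ca_perms() {
    chmod "$1" "$2"
    if id -u "${CA_OWNER%%:*}" >/dev/null 2>&1; then chown "$CA_OWNER" "$2"; fi
}

# Append a newline when the last byte is not one (the StartSSL PEM in the
# post lacked it, which broke assigning the cert to services).
ensure_trailing_newline() {
    if [ -n "$(tail -c 1 "$1")" ]; then printf '\n' >> "$1"; fi
}

# install_third_party_cert CA_DIR CN CERT_FILE KEY_FILE
# Prints the serial whose files were overwritten; returns 1 and touches
# nothing when the CN is missing or the key does not belong to the cert.
install_third_party_cert() {
    ca_dir=$1; cn=$2; cert_file=$3; key_file=$4
    serial=$(serial_for_cn "$ca_dir" "$cn")
    if [ -z "$serial" ]; then
        echo "no valid index.txt entry for CN=$cn; create it in the web admin first" >&2
        return 1
    fi
    # Compare the SubjectPublicKeyInfo of cert and key before overwriting anything.
    if [ "$(openssl x509 -in "$cert_file" -noout -pubkey)" != \
         "$(openssl pkey -in "$key_file" -pubout)" ]; then
        echo "private key does not match $cert_file" >&2
        return 1
    fi
    # 1. certificate -> certs/<serial>.pem
    cp "$cert_file" "$ca_dir/certs/$serial.pem"
    ensure_trailing_newline "$ca_dir/certs/$serial.pem"
    set_ca_perms 666 "$ca_dir/certs/$serial.pem"
    # 2. private key without passphrase -> private/<CN>.pem
    #    (an encrypted input key makes openssl prompt for its passphrase)
    openssl rsa -in "$key_file" -out "$ca_dir/private/$cn.pem"
    set_ca_perms 666 "$ca_dir/private/$cn.pem"
    # 3. public key -> keys/<CN>.pem
    openssl rsa -in "$ca_dir/private/$cn.pem" -pubout -out "$ca_dir/keys/$cn.pem"
    set_ca_perms 666 "$ca_dir/keys/$cn.pem"
    # 4. PKCS#12 bundle with an empty export password -> p12/<CN>.p12
    openssl pkcs12 -export -passout pass: -inkey "$ca_dir/private/$cn.pem" \
        -in "$ca_dir/certs/$serial.pem" -out "$ca_dir/p12/$cn.p12"
    set_ca_perms 666 "$ca_dir/p12/$cn.p12"
    echo "$serial"
}
```

On a real server you would run it as root as `install_third_party_cert /var/lib/zentyal/CA mail /path/to/mail.crt /path/to/mail.key` after creating the "mail" certificate in the web admin, then assign the certificate to services as described in the post.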
Title: Re: [HOWTO] How to install third party SSL certificates in Zentyal 4.0
Post by: SamE on February 13, 2015, 09:20:56 pm
Thank you! This looks promising!
Does it still work after a reboot?
Title: Re: [HOWTO] How to install third party SSL certificates in Zentyal 4.0
Post by: kelderek on February 14, 2015, 03:17:52 am
Yes, it seems to survive the reboot.  I have certificates added with both methods I presented and I just ran some updates, rebooted and the certificates were still correct.  Just in case I tried reassigning the certificates to different services to make sure it wouldn't mess up when I did that.  There were no problems there, either.  Since we are tricking the CA into thinking they are its own certificates I don't expect to have any trouble due to reboots or updates in the future.

Clearly the renew button in the GUI won't work but that is a price I am willing to pay ;)
Title: Re: [HOWTO] How to install third party SSL certificates in Zentyal 4.0
Post by: Monox on March 28, 2015, 06:23:30 am
Thanks, works great.
I tried to replace the certificate for the webmail in the same way, but it does not work. Is it even possible?
Title: Re: [HOWTO] How to install third party SSL certificates in Zentyal 4.0
Post by: fraggle on April 06, 2015, 03:35:17 pm
Sorry to be dense, I don't know much about this and am trying to learn.

I have a StartSSL/StartCom cert, but it gives me a .crt file, a .key file, a ca.pem and a sub.class1.server.ca.pem. What do I do with the last 2 files?
Title: Re: [HOWTO] How to install third party SSL certificates in Zentyal 4.0
Post by: nederlandlive on November 13, 2015, 12:56:01 pm
Hi All,

To fix this for postfix, dovecot, sogo and the webadmin page, I'm using the following hook (based on a solution mentioned elsewhere on this forum.. but lost the link  :-\) in combination with sslmate and Zentyal 4.2.1
Put the following in /etc/zentyal/hooks/ca.postsetconf (replace 'example.com' with your domain) and make sure it's executable, e.g. #chmod +x /etc/zentyal/hooks/ca.postsetconf:

Code:
#!/bin/sh
rm /etc/dovecot/private/dovecot.pem && ln -s /etc/sslmate/\*.example.com.chained.key.crt /etc/dovecot/private/dovecot.pem
rm /etc/postfix/sasl/postfix.pem && ln -s /etc/sslmate/\*.example.com.chained.key.crt /etc/postfix/sasl/postfix.pem
rm /var/lib/zentyal/conf/ssl/ssl.pem && ln -s /etc/sslmate/\*.example.com.chained.key.crt /var/lib/zentyal/conf/ssl/ssl.pem
rm /etc/ocsmanager/example.com.pem && ln -s /etc/sslmate/\*example..com.chained.key.crt /etc/ocsmanager/example.com.pem
exit 0

The crt consists of the full chain + the key (at the end).

Restart services:

Code:
#service zentyal ca restart
#service zentyal webadmin restart
#service zentyal mail restart
#service apache2 restart

Might be a good alternative to the above for someone (it works for me ;-)).

Cheers,
Joost
Title: Re: [HOWTO] How to install third party SSL certificates in Zentyal 4.0
Post by: chriscarpenter12 on January 12, 2016, 12:51:38 am
@nederlandlive, Do you have any more detail on this? I can't seem to get it to work, but I don't know if I have my cert in the proper order.

This is my order:

Cert
Intermediate
Root CA
Key
Title: Re: [HOWTO] How to install third party SSL certificates in Zentyal 4.0
Post by: wvanelten on January 15, 2016, 11:24:12 am
Is there already a better way to do this?
These options do not work here with 4.2.1.3
Title: Re: [HOWTO] How to install third party SSL certificates in Zentyal 4.0
Post by: wvanelten on January 18, 2016, 09:28:43 am
Hi All,

To fix this for postfix, dovecot, sogo and the webadmin page, I'm using the following hook (based on a solution mentioned elsewhere on this forum.. but lost the link  :-\) in combination with sslmate and Zentyal 4.2.1
Put the following in /etc/zentyal/hooks/ca.postsetconf (replace 'example.com' with your domain) and make sure it's executable, e.g. #chmod +x /etc/zentyal/hooks/ca.postsetconf:

Code:
#!/bin/sh
rm /etc/dovecot/private/dovecot.pem && ln -s /etc/sslmate/\*.example.com.chained.key.crt /etc/dovecot/private/dovecot.pem
rm /etc/postfix/sasl/postfix.pem && ln -s /etc/sslmate/\*.example.com.chained.key.crt /etc/postfix/sasl/postfix.pem
rm /var/lib/zentyal/conf/ssl/ssl.pem && ln -s /etc/sslmate/\*.example.com.chained.key.crt /var/lib/zentyal/conf/ssl/ssl.pem
rm /etc/ocsmanager/example.com.pem && ln -s /etc/sslmate/\*example..com.chained.key.crt /etc/ocsmanager/example.com.pem
exit 0

The crt consists of the full chain + the key (at the end).

Restart services:

Code:
#service zentyal ca restart
#service zentyal webadmin restart
#service zentyal mail restart
#service apache2 restart

Might be a good alternative to the above for someone (it works for me ;-)).

Cheers,
Joost

There is a typo in the ca.postsetconf.
That might be the problem if you didn't fix that.
It should be (ocsmanager part is changed):
Code:
#!/bin/sh
rm /etc/dovecot/private/dovecot.pem && ln -s /etc/sslmate/\*.example.com.chained.key.crt /etc/dovecot/private/dovecot.pem
rm /etc/postfix/sasl/postfix.pem && ln -s /etc/sslmate/\*.example.com.chained.key.crt /etc/postfix/sasl/postfix.pem
rm /var/lib/zentyal/conf/ssl/ssl.pem && ln -s /etc/sslmate/\*.example.com.chained.key.crt /var/lib/zentyal/conf/ssl/ssl.pem
rm /etc/ocsmanager/example.com.pem && ln -s /etc/sslmate/\*.example.com.chained.key.crt /etc/ocsmanager/example.com.pem
exit 0

Also, owner should be root:root
Code:
sudo chown root:root /etc/sslmate/\*.example.com.chained.key.crt
and:
/etc/dovecot/private/dovecot.pem should be chmod 400
/etc/postfix/sasl/postfix.pem should be chmod 400
/var/lib/zentyal/conf/ssl/ssl.pem should be chmod 600
/etc/ocsmanager/eltomation.com.pem should be chmod 644

So I recommend to cp instead of ln -s.
Title: Re: [HOWTO] How to install third party SSL certificates in Zentyal 4.0
Post by: wvanelten on January 18, 2016, 01:09:57 pm
@nederlandlive, Do you have any more detail on this? I can't seem to get it to work, but I don't know if I have my cert in the proper order.

This is my order:

Cert
Intermediate
Root CA
Key

According to Novell it should be:
Key
Cert
Intermediate chain

source: https://www.novell.com/support/kb/doc.php?id=7013103
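An added example (not the hook posted above and not Zentyal's own code) that covers the two points raised in the last few posts: the order of the combined file (key, then server cert, then intermediate chain, as in the Novell article) and deploying it with `cp` plus the per-service modes instead of `ln -s`. Before copying, it checks that the file holds exactly one private key, that the key comes first, and that the key actually belongs to the first certificate, which is the kind of mistake a symlinked, wrongly ordered bundle hides until a service fails to start. Assumed: openssl is installed, `DOMAIN` is your mail domain, and an optional `PREFIX` argument lets the functions run against a scratch directory instead of the real filesystem.

```shell
#!/bin/sh
# Added example, not code from the forum posts or from Zentyal: builds the
# combined PEM the hook above expects, in the order the thread settles on
# (private key first, then the server certificate, then the intermediate
# chain), checks it, and copies it into place with the modes listed instead
# of symlinking.  Assumed names: DOMAIN is your mail domain; an optional
# PREFIX lets the functions run against a scratch directory.

# build_chained_pem KEY CERT CHAIN OUT
# awk '1' re-emits every line with a newline, so a file whose last line has
# no newline cannot run into the next PEM header.
build_chained_pem() {
    awk '1' "$1" "$2" "$3" > "$4"
    chmod 400 "$4"
}

# check_chained_pem PEM: exactly one private key, at least one certificate,
# key before the certificates, and the key must match the first (leaf) cert.
check_chained_pem() {
    pem=$1
    if [ "$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$pem")" -ne 1 ]; then
        echo "$pem: expected exactly one private key" >&2; return 1
    fi
    if [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem")" -lt 1 ]; then
        echo "$pem: no certificate found" >&2; return 1
    fi
    if ! head -n 1 "$pem" | grep -q 'PRIVATE KEY'; then
        echo "$pem: private key should come first (key, cert, chain)" >&2; return 1
    fi
    # openssl x509 reads the first CERTIFICATE block, openssl pkey the first key.
    if [ "$(openssl x509 -in "$pem" -noout -pubkey)" != "$(openssl pkey -in "$pem" -pubout)" ]; then
        echo "$pem: private key does not belong to the first certificate" >&2; return 1
    fi
    return 0
}

# deploy_file SRC DST MODE: copy (not symlink) so each service gets its own
# file with its own mode; chown to root only when running as root.
deploy_file() {
    mkdir -p "$(dirname "$2")"
    rm -f "$2"
    cp "$1" "$2"
    chmod "$3" "$2"
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$2"; fi
}

# deploy_chained_pem PEM DOMAIN [PREFIX]: the four targets and modes from the
# thread; this is what a ca.postsetconf hook would call.
deploy_chained_pem() {
    pem=$1; domain=$2; prefix=${3:-}
    check_chained_pem "$pem" || return 1
    deploy_file "$pem" "$prefix/etc/dovecot/private/dovecot.pem" 400
    deploy_file "$pem" "$prefix/etc/postfix/sasl/postfix.pem" 400
    deploy_file "$pem" "$prefix/var/lib/zentyal/conf/ssl/ssl.pem" 600
    deploy_file "$pem" "$prefix/etc/ocsmanager/$domain.pem" 644
}
```

A hook in /etc/zentyal/hooks/ca.postsetconf would then consist of these functions followed by a single call such as `deploy_chained_pem /etc/sslmate/your.chained.key.crt example.com`; because the check runs first, a bad bundle leaves the previously deployed files untouched.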
Title: Re: [HOWTO] How to install third party SSL certificates in Zentyal 4.0
Post by: jniemand on May 02, 2016, 12:53:27 pm
@Kelderek - Thanks!
Your suggestion to replace an "untrusted" Zentyal certificate in the CA with a trusted one is by far the best & safest solution, and it works 100%  (Tested on & running 4.2).
I have also managed to get the same trusted certificate to work in the OpenChange module (after a lot of digging!)


Here's a short how-to:

1. Zentyal Setup

2. Get a trusted Certificate (http://www.startssl.com (http://www.startssl.com) gives free trusted certificates, but anyone will do).

The certificate requirements are (this is important):

3. Assign your trusted certificate to your services:

4. Now, to make OpenChange play nice with your new certificate...

Zentyal's OpenChange has code that checks to see if a certificate meets all the requirements for OpenChange (explained in step 2 above) that forces you to use the certificate from the internal CA for some reason. This will hopefully be changed to accommodate trusted & chained certs in future versions, but for now you need to trick the system to pass these checks.
Code:
/usr/share/perl5/EBox/OpenChange/Model/VDomains.pm
Code:
        if ($metadata->{state} eq 'V') {
            my $rpcProxyAltName = 0;
            my $autodiscoverAltName = 0;
Code:
        if ($metadata->{state} eq 'V') {
# HACK to make trusted certs work in OpenChange -set the two variables below to 1 instead of 0
            my $rpcProxyAltName = 1;
            my $autodiscoverAltName = 1;
Code:
service zentyal openchange restart

5. Is this solution permanent?


I think Zentyal should consider adding the following 2 items in their next major release:

That will ensure that users on domain pc's never encounter the SSL security warnings (in or out the office) while giving admins an easy way to make their Zentyal setup trusted globally.

The 1st suggestion should already be in Zentyal by default as it is a standard feature of the Windows Domain Controllers for domains. (Zentyal devs - I'd be happy to give you the 2-line script for doing this during samba provisioning  ;))


I hope this helps a few of you, as according to me, this is the biggest of very few Zentyal shortfalls.

PS. An option for making the DHCP server authoritative (and perhaps - later - compatible with the Windows Remote Admin Tools) would be my last wish before Zentyal is a complete MS Server replacement like no other.

J
Title: Re: [HOWTO] How to install third party SSL certificates in Zentyal 4.0
Post by: dumarjo on June 07, 2016, 02:15:35 pm
Hi,

I'm new with zentyal and I would like to use letsencrypt for my server. Has anyone here been able to get the letsencrypt certificate to work with zentyal?

regards

Jonathan
Title: Re: [HOWTO] How to install third party SSL certificates in Zentyal 4.0
Post by: trysomething on June 09, 2016, 01:16:50 am
Although this works it will NOT survive an upgrade.  Not to mention there is actually a much easier solution.
sign into any shell or ssh and give yourself sudo root by issuing:
sudo su
make 2 directories:
mkdir -p /etc/Zentyal/stubs
mkdir -p /etc/Zentyal/stubs/openchange

Now copy the system generated stub file into the openchange directory
cp /usr/share/Zentyal/stubs/openchange/apache-ocsmanager.conf.mas /etc/Zentyal/stubs/openchange/

Now edit the copied stub:
nano /etc/Zentyal/stubs/openchange/apache-ocsmanager.conf.mas

*if you hate nano use something else, I'm a nano fan myself :P
Scroll down to the part about the SSL Certificate and I just comment out the line that says:
SSLCertificateFile <% $cert %> (or something really like that)
Then create the following 3 lines:
SSLCertificateFile /etc/apache2/ssl/certificate.crt
SSLCertificateKeyFile /etc/apache2/keyfile.key
SSLCACertificateFile /etc/apache2/ssl/certificate.ca-bundle

Then I save and close it, create the directory mentioned above:
mkdir -p /etc/apache2/ssl

and upload my cert, my key file and my bundle file.

After that all you do is restart openchange:
service Zentyal openchange restart

If it says OK then you're good, if it throws an error then you'll have to restart Apache to find out where exactly the problem is:
service apache2 restart

I'm typing those 3 lines out of memory and it could be a little off.  It's the same as what is in the default SSL virtual host file in Apache2, so you can check in there:
nano /etc/apache2/sites-available/default-ssl.conf

scroll down and find the lines for certificate file, certificate key and the root CA or the CA bundle depending on which one you've got.  Also, if your cert has a .pem extension or .cer then use that instead of .crt.
This method will survive a reboot, an upgrade of Zentyal and if you just can't get it to work then you just delete the stub file you are editing and start over.  No system generated files are messed with, no bricking your machine and most of all it's easy as heck to remember what you put where!
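The stub override from this post, as an added example (not the poster's commands and not part of Zentyal), written so that it can be re-run after an upgrade without clobbering earlier edits: the packaged stub is copied only if no custom copy exists yet, every existing SSL*File directive is commented out and the three directives from the post are inserted at the same indentation, the referenced files are checked before the service restart, and a comparison against the packaged stub tells you whether the override is still needed. Assumed: the lowercase paths /usr/share/zentyal/stubs and /etc/zentyal/stubs as used by a standard install (the post writes them with a capital Z), which can be overridden through SHARE_STUBS and ETC_STUBS; the sample stub in the test is constructed, not the real apache-ocsmanager.conf.mas.

```shell
#!/bin/sh
# Added example, not code from the forum post or from Zentyal: the custom
# stub override scripted so it is safe to run more than once.  Assumptions:
# lowercase /usr/share/zentyal/stubs and /etc/zentyal/stubs (override through
# SHARE_STUBS / ETC_STUBS to work on a scratch copy); the three certificate
# paths are the ones from the post.

SHARE_STUBS="${SHARE_STUBS:-/usr/share/zentyal/stubs}"
ETC_STUBS="${ETC_STUBS:-/etc/zentyal/stubs}"
STUB_REL="openchange/apache-ocsmanager.conf.mas"

# Copy the packaged stub into /etc only if no custom copy exists yet, so a
# second run never clobbers edits already made.
copy_stub_once() {
    if [ -e "$ETC_STUBS/$STUB_REL" ]; then return 0; fi
    mkdir -p "$(dirname "$ETC_STUBS/$STUB_REL")"
    cp "$SHARE_STUBS/$STUB_REL" "$ETC_STUBS/$STUB_REL"
}

# point_stub_at_cert STUB CERT KEY BUNDLE
# Comments out every existing SSL*File directive (keeping the Mason
# expression visible for reference) and inserts the three directives where
# the first one stood, preserving indentation.
point_stub_at_cert() {
    tmp="$1.tmp"
    awk -v cert="$2" -v key="$3" -v bundle="$4" '
        /^[[:space:]]*SSL(Certificate|CertificateKey|CACertificate|CertificateChain)File[[:space:]]/ {
            indent = $0; sub(/[^[:space:]].*$/, "", indent)
            line = $0;   sub(/^[[:space:]]*/, "", line)
            print indent "# " line
            if (!done) {
                print indent "SSLCertificateFile " cert
                print indent "SSLCertificateKeyFile " key
                print indent "SSLCACertificateFile " bundle
                done = 1
            }
            next
        }
        { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Active (uncommented) SSL*File directives in a stub, one per line.
active_ssl_directives() {
    grep -E '^[[:space:]]*SSL(Certificate|CertificateKey|CACertificate|CertificateChain)File[[:space:]]' "$1"
}

# Returns 0 when every file the active directives reference is readable, so
# a missing upload is caught before 'service zentyal openchange restart'.
check_directive_files() {
    active_ssl_directives "$1" | awk '{print $2}' | while read -r f; do
        if [ ! -r "$f" ]; then echo "missing or unreadable: $f" >&2; exit 1; fi
    done
}

# True when the custom stub no longer matches the packaged one; run this
# after a version upgrade to see whether the override is still needed.
stub_differs() {
    ! cmp -s "$SHARE_STUBS/$STUB_REL" "$ETC_STUBS/$STUB_REL"
}
```

Typical use on the server, as root: `copy_stub_once`, then `point_stub_at_cert "$ETC_STUBS/$STUB_REL" /etc/apache2/ssl/certificate.crt /etc/apache2/keyfile.key /etc/apache2/ssl/certificate.ca-bundle`, then `check_directive_files "$ETC_STUBS/$STUB_REL"` before restarting openchange; after an upgrade, `diff -u "$SHARE_STUBS/$STUB_REL" "$ETC_STUBS/$STUB_REL"` shows what the new packaged stub changed.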
Title: Re: [HOWTO] How to install third party SSL certificates in Zentyal 4.0
Post by: dumarjo on June 09, 2016, 01:59:04 pm
Thanx for the Info,

I have done something on the server right now and it looks like it works. I have changed the .mas file (the original one); this will probably be lost when an upgrade is done. I will look into your post and try it too.

Regards

Jonathan
Title: Re: [HOWTO] How to install third party SSL certificates in Zentyal 4.0
Post by: trysomething on June 09, 2016, 09:26:32 pm
Since you've already updated the original .mas (called stub) you can simply copy it over to /etc/Zentyal/stubs/openchange and then it will absolutely survive an upgrade.
The original stubs are all generated during Zentyal initial configuration, so the entire system is dependent upon them.  When upgrading from version to version (i.e. 4.0 to 4.2 or 3.5 to 4.0) your stub files in /usr/share/Zentyal/stubs can and will be overwritten.  If you have spent the time to customize things, and trust me now that you know about stubs you will LoL, it makes sense to just have a second location to house custom stubs.  The directories and files under /etc/Zentyal/stubs will NOT be altered or removed during an upgrade.
Furthermore it is REALLY easy to do a file comparison to see what has changed between versions and find out if you even need to keep the custom stub or not.  Even more important though is that when upgrading versions - if the custom stub breaks the system you can just rename it and restart that service and the problem is fixed in 2 minutes instead of trying to find notes on what you did a long time ago, or how to recreate whatever was lost and troubleshooting for hours and hours.
Stability, connectivity and ease of use are REALLY well done in the stub file idea with Zentyal.
Title: Re: [HOWTO] How to install third party SSL certificates in Zentyal 4.0
Post by: dumarjo on June 10, 2016, 02:15:26 pm
hi,

Is the path good?

mkdir -p /etc/Zentyal/stubs
mkdir -p /etc/Zentyal/stubs/openchange

or should be

mkdir -p /etc/zentyal/stubs
mkdir -p /etc/zentyal/stubs/openchange

regards

Jonathan
Title: Re: [HOWTO] How to install third party SSL certificates in Zentyal 4.0
Post by: trysomething on June 15, 2016, 12:37:10 am
I've just always done it all lower case:
mkdir -p /etc/Zentyal/stubs
mkdir -p /etc/Zentyal/stubs/openchange

Title: Re: [HOWTO] How to install third party SSL certificates in Zentyal 4.0
Post by: ommesh.amit on June 27, 2016, 06:41:26 pm
Hello Guys,

Thanks for the several advice around here.

I have renewed my SSL certificate and I have put the intermediate key as well as the CRT key in the correct directory. ie /etc/ssl/mycompany.

I have restarted APACHE and restarted ca services i.e service zentyal ca restart

I am still getting HTTPS errors while accessing to Webmin and Webmail.

What am I missing ?

Can you people help please ?

My best,

Amit

Title: Re: [HOWTO] How to install third party SSL certificates in Zentyal 4.0
Post by: Neustradamus on January 18, 2021, 06:21:57 am
Since my first ticket for Let's Encrypt support: https://github.com/zentyal/zentyal/issues/1836 (it has been closed by Zentyal Team).

I have created a second ticket for Let's Encrypt support which has been closed by Zentyal Team too.

I have created a third ticket for Let's Encrypt support, can you like, comment on it?
- https://github.com/zentyal/zentyal/issues/2015