Messages - jniemand

1
Installation and Upgrades / Re: HOWTO: Trusted Certificate
« on: May 09, 2016, 06:31:45 pm »
There's a great solution for using trusted certificates in Zentyal 4.2+ (by installing them into the Zentyal CA) here: https://forum.zentyal.org/index.php/topic,24513.msg101014.html

2
@Kelderek - Thanks!
Your suggestion to replace an "untrusted" Zentyal certificate in the CA with a trusted one is by far the best & safest solution, and it works 100% (Tested on & running 4.2).
I have also managed to get the same trusted certificate to work in the OpenChange module (after a lot of digging!)


Here's a short how-to:

1. Zentyal Setup
  • Set up your CA in Zentyal
  • Generate the certificate for OpenChange in the web admin by using the Zentyal CA

2. Get a trusted Certificate (http://www.startssl.com gives free trusted certificates, but anyone will do).

The certificate requirements are (this is important):
  • The Common Name MUST be the root of the virtual mail domain (eg. yourdomain.com)
  • The certificate has to have AT LEAST the following 2 additional subdomains added:
    • Your mail server's full DNS address for the virtual domain (eg. yourserver.yourdomain.com)
    • An additional subdomain called "autodiscover" (eg autodiscover.yourdomain.com)
    • After those, you can add extra subdomains if you want - a wildcard (*) is even better here if possible!
  • Once you download your trusted certificate, you have to combine your certificate with its root bundle (if it comes with one).
    Open the certificate & bundle files in a plaintext editor, copy & paste the certificate's contents 1st & the contents of the bundle directly below it - making sure your file has an empty line at the end, not anywhere else. Save it as yourdomain.com.crt
  • Follow the steps in the original post by @Kelderek (at the top of this page). Replace the certificate for your root domain in the Zentyal CA (eg. yourdomain.com) - afterwards, it will automatically be valid for all the subdomains you added on the trusted certificate...

3. Assign your trusted certificate to your services:
  • In the Zentyal Admin, go to CERTIFICATION AUTHORITY > SERVICES CERTIFICATES
  • Add a certificate for each service (or edit the existing ones) - MAKE SURE THE COMMON NAME for each service's certificate is the same as your root domain only (eg. yourdomain.com) - as set in your trusted certificate's CN.

4. Now, to make OpenChange play nice with your new certificate...

Zentyal's OpenChange has code that checks to see if a certificate meets all the requirements for OpenChange (explained in step 2 above) that forces you to use the certificate from the internal CA for some reason. This will hopefully be changed to accommodate trusted & chained certs in future versions, but for now you need to trick the system to pass these checks.
  • SSH into your server and type "su" to get root access
  • Edit this file:
    /usr/share/perl5/EBox/OpenChange/Model/VDomains.pm
  • Find the following lines:
        if ($metadata->{state} eq 'V') {
            my $rpcProxyAltName = 0;
            my $autodiscoverAltName = 0;
  • and replace them with the following:
        if ($metadata->{state} eq 'V') {
            # HACK to make trusted certs work in OpenChange - set the two variables below to 1 instead of 0
            my $rpcProxyAltName = 1;
            my $autodiscoverAltName = 1;
  • Save the changes and restart the OpenChange Module:
    service zentyal openchange restart
  • In the web admin, go to MAIL > OPENCHANGE and enable the now-trusted SSL services you want.
  • Remember to add public DNS entries for your server's FQDN and for the "autodiscover" subdomain on your domain's public DNS to enable access from anywhere. They are already set on the internal Zentyal DNS server.

5. Is this solution permanent?
  • When your trusted certificate expires, you can just "renew" it in the Zentyal CA (edit the CA index.txt file and remove the old one prefixed with an E from that file after you renew the cert and restart the CA, otherwise the new one won't be used by Zentyal). Then just repeat @Kelderek's steps to replace the new certificate in your CA with a new trusted one (make sure it covers the requirements).
  • The trusted certificate remains and works after restarting - and even after you restore backed-up system config files if you have to (if saved after the changes on this page were made).
  • This *should* also remain working after system updates, until the OpenChange module itself is updated. If you do update OpenChange, edit the "VDomains.pm" file and change the variables to = 1 again. Restart the OpenChange module and everything should be back to "normal".


I think Zentyal should consider adding the following 2 items in their next major release:
  • Automatically create a domain group policy to add the Zentyal CA certificate to the "trusted roots" store on all PCs joined to the domain (using the netlogon shares) - and update that CA certificate copy when changes are made to the CA in the web admin.
  • Add a "TRUSTED SSL" section to the Zentyal CA gui that generates CSR requests to obtain trusted certs easily - and a part that imports trusted certificates & intermediary bundles into Zentyal, which automatically overrides the "untrusted" certificates only where necessary.

That will ensure that users on domain PCs never encounter the SSL security warnings (in or out of the office) while giving admins an easy way to make their Zentyal setup trusted globally.

The 1st suggestion should already be in Zentyal by default as it is a standard feature of the Windows Domain Controllers for domains. (Zentyal devs - I'd be happy to give you the 2-line script for doing this during samba provisioning ;))


I hope this helps a few of you, as according to me, this is the biggest of very few Zentyal shortfalls.

PS. An option for making the DHCP server authoritative (and perhaps - later - compatible with the Windows Remote Admin Tools) would be my last wish before Zentyal is a complete MS Server replacement like no other.

J
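As an added check, not code from the post above or from Zentyal, this Python script lints the combined certificate+bundle file described in step 2 (only PEM blocks, no blank lines except at the end) and verifies the CN and SAN requirements the OpenChange check enforces, given the CN and SAN dNSNames you read off the certificate (e.g. from the output of `openssl x509 -noout -text`); yourdomain.com and yourserver.yourdomain.com are placeholder names.

```python
import re

# One PEM certificate block; the combined file should be nothing but these, back to back.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\n(?:[A-Za-z0-9+/=]+\n)+-----END CERTIFICATE-----\n")

def required_names(domain, server_fqdn):
    # Names the OpenChange check expects (step 2): apex domain, mail server FQDN, autodiscover.
    return [domain, server_fqdn, "autodiscover." + domain]

def name_matches(pattern, host):
    # A single leftmost '*' label covers exactly one label, so '*.yourdomain.com'
    # covers autodiscover.yourdomain.com but not yourdomain.com itself.
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                          # ".yourdomain.com"
        head = host[:-len(suffix)] if host.endswith(suffix) else ""
        return head != "" and "." not in head
    return pattern == host

def missing_names(san_dns, domain, server_fqdn):
    # Required names that no SAN dNSName entry (wildcards honoured) covers.
    return [n for n in required_names(domain, server_fqdn)
            if not any(name_matches(p, n) for p in san_dns)]

def check_names(cn, san_dns, domain, server_fqdn):
    # CN must be the apex domain; the SAN list must cover every required name.
    problems = []
    if cn.lower() != domain.lower():
        problems.append("CN is %r, must be %r" % (cn, domain))
    problems += ["SAN does not cover " + n for n in missing_names(san_dns, domain, server_fqdn)]
    return problems

def check_bundle_layout(text):
    # Lint the combined cert+bundle file: only PEM blocks, no blank lines inside, newline at the end.
    problems = []
    if not text.endswith("\n"):
        problems.append("file does not end with a newline")
    if "\n\n" in text.rstrip("\n"):
        problems.append("blank line inside the file (only allowed at the very end)")
    if PEM_BLOCK.sub("", text).strip():
        problems.append("text outside PEM blocks (CRLF line endings or editor residue?)")
    if not PEM_BLOCK.search(text):
        problems.append("no certificate block found")
    return problems

# Constructed sample with placeholder bodies (not real certificates): leaf first, then its bundle.
SAMPLE_OK = ("-----BEGIN CERTIFICATE-----\nMIIBAAA=\n-----END CERTIFICATE-----\n"
             "-----BEGIN CERTIFICATE-----\nMIIBBBB=\n-----END CERTIFICATE-----\n")
```

Run check_bundle_layout on the saved yourdomain.com.crt before uploading it to the Zentyal CA, and check_names with the values from the issued certificate; an empty list means the file and names meet the requirements in step 2.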
