Developers Documentation

×

Warning

0 error for file:https://clearos.com/dokuwiki2/lib/exe/css.php?t=dokuwiki&tseed=82873f9c9a1f5784b951644363f20ef8

User Tools

Site Tools


Update Default Certificates to ClearOS Certificate Authority

By default, ClearOS will use a simple certificate for the the default web server and also for the Webconfig interface. This is a non-complex certificate that is designed for compatibility with older machines. It is self-signed which means that getting your browser to give you give you the secure page without a notice that the certificate has errors is a post-install process. This guide should be considered a post-install best practices guide and should be followed after each install in order to tighten your server's default configuration.

The reason why this process cannot be automated is that there are some steps required that involve 3rd party and offsite systems. This howto will cover those steps.

Getting the DNS in order

In order for a certificate to work properly, we need to set scope out and set up the DNS that we will be using on our certificate. This is an important step because when we craft the certificate and when we use the browser part of the validation checks of the browser is to match the domain used on the certificate. This means that even when we have completed the process that if you use the IP address for the server instead of the DNS name, you are STILL going to get a certificate error. For example, ping google from your command line:

DAVIDs-MBP-5:~ dloper$ ping -c 1 google.com
PING google.com (208.187.128.18): 56 data bytes
64 bytes from 208.187.128.18: icmp_seq=0 ttl=58 time=4.045 ms

--- google.com ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 4.045/4.045/4.045/0.000 ms

Then take whatever number you get and put it after 'https:'. I got 208.187.128.18 so I would go to 208.187.128.18

So even though Google has all their ducks in a row, I simply cannot use an IP address with a secure site and not have my browser complain. Nobody can.

Google IP with invalid Certificate when lacking hostname

This is why selecting the DNS name you will use with the box for purposes of management is vital. This is also why the self-signed certificate will not typically work for you since its common name is 'gateway.clearos.com' or something similar. We are going to change all that here. Moreover, it wasn't signed with a certificate authority that can be made to be trusted so even if you did specify a matching name, it would still give you problems.

The hostname that you use with ClearOS needs to be able to resolve when you are inside your network and outside your network. If ClearOS is your gateway, you will likely resolve the outside address to the public IP of ClearOS. If, however, your ClearOS server is behind another firewall, you will need to make sure that you employ some internal DNS resolution that will override the name resolution on the inside of the network so that the outside address is not supplied. If you are using ClearOS as a DNS cache for all your internal DNS resolution, you can simply add the hostname and the ip address to the DNS Server.

content/en_us/kb_update_default_clearos_certs_to_clearos_ca.txt · Last modified: 2016/09/09 10:04 by dloper

https://clearos.com/dokuwiki2/lib/exe/indexer.php?id=content%3Aen_us%3Akb_update_default_clearos_certs_to_clearos_ca&1568839366