Forums

Chris
Chris
Offline
Resolved
0 votes
Ran into a heap of issues trying to install a digital certificate on ClearOS 7 and get webconfig working, so herewith is a guide that hopefully will help. Remember ClearOS 7.X has some different scripts and file locations than earlier versions!

For normal webserver HTTPS the process is more or less the same but done in /etc/httpd. I'll amend this document when I get round to doing my standard webservers.

The major issue I faced was thanks to a colleague registering the certificate (CSR) except the KEY he saved was off a different CSR. It took a lot of finding to work out exactly what was going wrong as I never thought to check as the key and certs he stored in the same IT engineering directory on the server! Doh!

I did my install using a shell rather than the GUI which I found didn't update webconfig.

So generate the key

openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr

Upload to your certificate provider. When issued copy to the server say... /root/digitalcerts (you might want to rename the supplied CRT file to match say 'secure.crt')

Remember you will require additional server names to be added to the CRT for multiple servers. The server names in the CRT MUST match the FQDN server (CN) name or you will get an error.

I recommend you first check the KEY and CRT match!

You can check whether the certificate matches the private key using the following openssl commands:

openssl x509 -in /path/to/certificate.crt -noout -modulus | openssl sha1
openssl rsa -in /path/to/private.key -noout -modulus | openssl sha1


Rename the provided CRT and the KEY files to something simple like secure.key & secure.crt Note: The certificate manager GUI requires a simple name such as 'Securecert1'

Copy the files to /etc/clearos/certificate-manager.d

Chown root:root secure.*

Chmod 600 secure.*

cp secure.* /usr/clearos/sandbox/etc/httpd/conf/

cd /usr/clearos/sandbox/etc/httpd/conf/

chown webconfig:webconfig secure.*

cd ../config.d/

nano (vi) ssl.conf

Change

SSLCertificateFile /usr/clearos/sandbox/etc/httpd/conf/server.crt to
SSLCertificateFile /usr/clearos/sandbox/etc/httpd/conf/secure.crt


SSLCertificateKeyFile /usr/clearos/sandbox/etc/httpd/conf/server.key to
SSLCertificatekeyFile /usr/clearos/sandbox/etc/httpd/conf/secure.key

Dave Lopers input:...... One thing that many browsers require with modern certificate providers is the intermediate certificate chain. For example, Comodo's certificates really need the intermediate chain for it to register without complaint in mode browsers. So you can/should add this line as well to:

SSLCertificateChainFile /etc/pki/tls/certs/comodo_intermediate.crt


nano (vi) certs.conf

Change

# SSLCertificateFile /etc/clearos/certificate_manager.d/server.crt
# SSLCertificateKeyFile /etc/clearos/certificate_manager.d/server.key

to

SSLCertificateFile /etc/clearos/certificate_manager.d/secure.crt
SSLCertificateKeyFile /etc/clearos/certificate_manager.d/secure.key

SSLCertificateChainFile /etc/pki/tls/certs/comodo_intermediate.crt

service webconfig restart

If all is OK you will be able to log in normally. Any issues you can change back to the default files 'server.crt & server.key'

/var/logs/webconfig contain a raft of useful info in case of problems.

Ensure the file permissions are correct for the crt and key files or webconfig will fail.

Please feel free to share any amendments and suggestions so this document can be updated.
Monday, January 08 2018, 10:49 PM
Share this post:
Responses (5)
  • Accepted Answer

    Tuesday, January 09 2018, 08:31 PM - #Permalink
    Resolved
    0 votes
    A couple more things to add.
    1 - If you have created your default web server through the webconfig, then, for normal https, the config file pointing to the certificates is /etc/httpd/conf.d/flex-443.conf. Use /etc/httpd/conf.d/ssl.conf only you you have not configured the default web server.
    2 - Once you have your certificates imported, the Webconfig can be configured to use them via Webconfig > System > Settings > General Settings
    Like
    1
    The reply is currently minimized Show
  • Accepted Answer

    Chris
    Chris
    Offline
    Tuesday, January 09 2018, 09:37 AM - #Permalink
    Resolved
    0 votes
    Nick's GUI 'normal' method is fine unless it turns pear shaped as in my recent cert install. Then understanding the underlying process is essential to resolve the issues and discover the cause of the problem. To much reliance is placed on the GUI sadly these days. In so many cases it requires extensive research to nut out the problem as a result. My post was written to explain the underlying process and I encourage readers to post cribs such as mine when they discover a method or solution to a specific problem.
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, January 09 2018, 07:55 AM - #Permalink
    Resolved
    0 votes
    Can I suggest a different approach to stay closer to the ClearOS way of working?

    Once you have your certificate, chain/intermediate certificate and key files, download them onto your desktop. Then you can import them through the ClearOS Certificate Manager, giving them a simple name there. Once imported through the certificate manager, in the Webconfig Web Server App you can assign them to your web sites and I forget where so I'll check later, you can also assign them to the Webconfig. Overall this will be much simpler and lower risk than playing round with the underlying files and their permissions.
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, January 09 2018, 01:49 AM - #Permalink
    Resolved
    0 votes
    Thanks Chris for taking the time to improve ClearOS and to share your work!!!

    One thing that many browsers require with modern certificate providers is the intermediate certificate chain. For example, Comodo's certificates really need the intermediate chain for it to register without complaint in mode browsers. So you can/should add this line as well:

    SSLCertificateChainFile /etc/pki/tls/certs/comodo.crt

    You can put it right next to your other lines you suggest:

    SSLCertificateFile /etc/clearos/certificate_manager.d/secure.crt
    SSLCertificateKeyFile /etc/clearos/certificate_manager.d/secure.key
    SSLCertificateChainFile /etc/pki/tls/certs/comodo_intermediate.crt
    The reply is currently minimized Show
  • Accepted Answer

    nuke
    nuke
    Offline
    Monday, January 08 2018, 11:39 PM - #Permalink
    Resolved
    0 votes
    This is helpful. Thanks @Chris.
    I have had some "fun" with these certificates over the past months as I've tried to get my email, webserver & domain certificates sorted. It was really easy with COS5.2 if you were doing self signed certificates but is a real bear for COS7. Now I'm trying a mix of self signed for email & Let's Encrypt for webserver.
    I suspect that I've completely screwed it up and was just looking for posts on the site with certificate in the title when I found yours. There aren't too many.
    Would you be able to suggest a link to a good newbie overview of certificates in Centos/Redhat? I've found it a challenge to find.
    Thanks again for posting!
    The reply is currently minimized Show
Your Reply