Hi Taryck,
I've filed bug 15981. I suspect the person at Clearcenter will be Ben Chambers but I'm not sure. I'll try to ping him a message.

Ben is the right resource here. Taryk, any feedback or help you have on this please give it here and we will add it to the ticket. You've posted a lot of great information in the past so let us know if you want better access to the bug tracker moving forward.

News from letsencrypt.org : Wildcard Certificates Coming January 2018
Let’s Encrypt will begin issuing wildcard certificates in January of 2018.

So I have to wait until January...

I'm away at the moment, but as far as I recall. if you just use sites by dropping conf files into /etc/http/conf.d then apache uses the certificate from /etc/httpd/conf.d/ssl.conf. If you use the ClearOS webconfig for your default website then you need to use the certificates in flex-443.conf. Similarly, for any website in a Flexshare, if you set it up in the Webconfig, you have to use the flex-443.conf file.

re wildcard certificates. I can understand the requirement. I use Certbot for my Letsencrypt certificates and it can create a single certificate to cover, say, www.mydomain.com, server.mydomain.com, anysite.mydomain.com etc.I think it is also possible to add subdomains pretty much when you want. To a large extent this gets round the requirement for a wildcard certificate.

Hi Taryck,
Remember that if you edit flex-443.conf you may also need to set the immutable on the file otherwise changing any flexshare through the webconfig could overwrite you changes.

BTW, with all this certificate work you're doing, have you thought of looking at Letsencrypt certificates? I use them for my web server, but did not bother for the Webconfig. I believe there may also be an app under development for Letsencrypt. I did try cheating the Certificate Manager app by copying the Letsencrypt certificates to my desktop and importing them into the app, deleting the imported certificates and replacing them with symlinks to the Letsencrypt certificates in the /etc/letsencrypt/live folder, but it all failed. I hope the app will sort this out.

Hi Nick,

You right about flexshare.conf rebuild. But i've edited (I do not provide the info in my previous post that i Edit to add it) the file : /etc/httpd/conf.d/ssl.conf
which defined the whole ssl configuration for the default host. While flexshare define virutal host for <flexshare>.<hostname>.

I've heard of Letsencrypt but i did not try yet.

Most of access to my server if from know person who have to install to root CA once with a 25 years old CA and 10 years old server certificate...

I saw you were having problems posting and I've tidied up.

To fix the "wrong" webconfig usage I had to edit file /var/clearos/certificate_manager/state/webconfig.conf

{"app_description":"Webconfig","certs":{"Web-based administration":"xxxxxx-bensiali-net"}}

instead of :

{"app_description":"Webconfig","certs":{"Web-based administration":"sys-0-cert.pem"}}

Hi Taryck,

I'll be handling the issue in the tracker for the time being - Ben is not available. Please keep in mind, this needs to be triaged with the other 700+ open features & issues!

Also need to fix httpd for flexshare, because certificate selection only apply to virtualhost servername : <myshare>.host.domain.tld
Edited file : /etc/httpd/conf.d/ssl.conf

#   Server Certificate:

# Point SSLCertificateFile at a PEM encoded certificate.  If

# the certificate is encrypted, then you will be prompted for a

# pass phrase.  Note that a kill -HUP will prompt again.  A new

# certificate can be generated using the genkey(1) command.

SSLCertificateFile /etc/pki/tls/certs/localhost.crt

#SSLCertificateFile /etc/clearos/certificate_manager.d/xxxx-bensiali-net.crt



#   Server Private Key:

#   If the key is not combined with the certificate, use this

#   directive to point at the key file.  Keep in mind that if

#   you've both a RSA and a DSA private key you can configure

#   both in parallel (to also allow the use of DSA ciphers, etc.)

SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

#SSLCertificateKeyFile /etc/clearos/certificate_manager.d/xxxxx-bensiali-net.key

by the way I do not understand why we've got 2 certifcates for the same host :

• /etc/pki/tls/certs/localhost.crt
  
• /etc/pki/CA/sys-0-cert.pem
  

I suggest to be able to set more than Server Name for web server apps

Thanks.
Here is my workaround with I hope is not so bad.

• I use the CA as an external CA
  
• I use Certificate Manager => External Certificates : to generate request & key pair
  
• I use my own script to use ClearOS CA to sign the certificate
  
• I'm extracting the domain information from the request
  
• I use CleaOS openssl.cnf file but I add the required Google Chrome requierements
  
• My script locate the certificate as expected by the "import certificate" button on External Certificates table
  

I've switch certificate used by webconfig by editing /usr/clearos/sandbox/etc/httpd/conf.d/certs.conf

#SSLCertificateFile /etc/pki/CA/sys-0-cert.pem

#SSLCertificateKeyFile /etc/pki/CA/private/sys-0-key.pem

SSLCertificateFile /etc/clearos/certificate_manager.d/xxxxxx-bensiali-net.crt

SSLCertificateKeyFile /etc/clearos/certificate_manager.d/xxxxxx-bensiali-net.key

restart webconfig
And now it's OK for Google Chrome.

however, the certiciate usage list is not updated.

• sys-0-cert.pem is still displayed as the certificate for webconfig
  
• my external certificate xxxxxx-bensiali-net has no usage
  

It's not a big problem, but if anyone could provide my a way to fix this...

Here is my script :

#!/bin/sh

base_file=/Taryck/major_files/Certificates/subjectAlternativeName.base.ext

openssl_config=/etc/pki/CA/openssl.cnf



request=$1

if [ "$request" = "" ]; then

	echo "provide a request fle name !"

	exit 1

fi

if [ "$2" != "" ]; then

        echo "provide only one parameter"

        exit 1

fi

if [ ! -f $request ]; then

        echo "Request File not found : $request !"

        exit 2

fi

if [ ! -r $request ]; then

        echo "can't read Request File : $request !"

        exit 2

fi



cert_file="${request%.*}"'.crt'

if [ -f $cert_file ]; then

        echo "Target Certificate file : $cert_file already exists !"

        exit 3

fi



domain=`openssl req -noout -text -in $request | grep ".*Subject:.*CN=.*" | sed 's/.*, CN=\(.*\)\/emailAddress.*/\1/g'`

echo "Request's domain : $domain"

read -p "Confirmez vous (Y/N) ? " -n 1 -r reponse

echo  							# (optional) move to a new line

if ! [[ "$reponse" =~ ^[Yy]$ ]]; then

 	exit 4

fi

echo



ext_file=`/Taryck/scripts/timestamp.sh`

ext_file='/tmp/subjectAlternativeName.ext.'"$domain"'.'"$ext_file"

if [ -f $ext_file ]; then

        echo "Temps file : $ext_file already exists !"

        exit 5

fi

cat $base_file | sed "s/#\(.*\)<domain>/\1$domain/g" > $ext_file

if [ ! -f $ext_file ]; then

        echo "Error generating Domain directive File : $ext_file !"

        exit 5

fi

if [ ! -r $ext_file ]; then

        echo "Can't read Domain directive File : $ext_file !"

        exit 5

fi



echo "EXECUTE :"

echo "openssl ca -config $openssl_config -days 1825 -notext -md sha256 "

echo "-in      $request "

echo "-out     $cert_file "

echo "-extfile $ext_file"

echo

read -p "Confirmez vous (Y/N) ? " -n 1 -r reponse

echo    # (optional) move to a new line

if ! [[ $reponse =~ ^[Yy]$ ]]; then

        exit 6

fi

openssl ca -config $openssl_config -days 1825 -notext -md sha256 -in $request -out $cert_file -extfile $ext_file

if [ ! -r $cert_file ]; then

        echo "Failed to create certificate file : $cert_file !"

        exit 5

fi

The script use an extension config file (/Taryck/major_files/Certificates/subjectAlternativeName.base.ext) that looks like this :

# Fichier : subjectAltName.ext

# Source : http://wiki.cacert.org/FAQ/subjectAltName



basicConstraints = CA:FALSE

nsCertType = server

nsComment = "OpenSSL Generated Server Certificate"

subjectKeyIdentifier = hash

authorityKeyIdentifier = keyid,issuer:always

#keyUsage = nonRepudiation, digitalSignature, keyEncipherment

#keyUsage = critical, digitalSignature, keyEncipherment

keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment

extendedKeyUsage = serverAuth

#Chrome issue : Impossible de vérifier que ce serveur est bien xx, car son certificat de sécurité provient du domaine [missing_subjectAltName]

subjectAltName = @alternate_names



[alternate_names]

#DNS.1 = <domain>

#DNS.2 = *.<domain>

You'll have to adapt config file location because "/Taryck/major_files/Certificates/subjectAlternativeName.base.ext" is a little bit too egocentric, I guess. But it helps me reminding that all that is in "/Taryck" doesn't comes from any package...

and output look like this :

[root@xxxxx Certificates]# ./sign-request.sh /etc/clearos/certificate_manager.d/xxxxx-bensiali-net.req

Request's domain : xxxxx.bensiali.net

Confirmez vous (Y/N) ? y



EXECUTE :

openssl ca -config /etc/pki/CA/openssl.cnf -days 1825 -notext -md sha256

-in      /etc/clearos/certificate_manager.d/xxxxx-bensiali-net.req

-out     /etc/clearos/certificate_manager.d/xxxxx-bensiali-net.pem

-extfile /tmp/subjectAlternativeName.ext.xxxxx.bensiali.net.2017-08-05-16-09-08



Confirmez vous (Y/N) ? y

Using configuration from /etc/pki/CA/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 2097154 (0x200002)

        Validity

            Not Before: Aug  5 14:11:43 2017 GMT

            Not After : Aug  4 14:11:43 2022 GMT

        Subject:

            countryName               = FR

            stateOrProvinceName       = IdF

            localityName              = xxxxx

            organizationName          = ClearOS

            organizationName          = bensiali.net

            organizationalUnitName    = xxxxx

            commonName                = xxxxx.bensiali.net

            emailAddress              = security@xxxxx.bensiali.net

        X509v3 extensions:

            X509v3 Basic Constraints:

                CA:FALSE

            Netscape Cert Type:

                SSL Server

            Netscape Comment:

                OpenSSL Generated Server Certificate

            X509v3 Subject Key Identifier:

                DF:....:53

            X509v3 Authority Key Identifier:

                keyid:75:....:A7

                DirName:/C=FR/L=xxxxx/O=ClearOS/OU=xxxxx/CN=ca.xxxxx.bensiali.net/emailAddress=security@xxxxx.bensiali.net/O=bensiali.net/ST=IdF

                serial:B4:...:A1



            X509v3 Key Usage: critical

                Digital Signature, Non Repudiation, Key Encipherment

            X509v3 Extended Key Usage:

                TLS Web Server Authentication

            X509v3 Subject Alternative Name:

                DNS:xxxxx.bensiali.net, DNS:*.xxxxx.bensiali.net

Certificate is to be certified until Aug  4 14:11:43 2022 GMT (1825 days)

Sign the certificate? [y/n]:y



1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

I appolgize but both in script and config file you'll find french text. I use french to diferentiante stuff that come from internet to stuff I've done by my own.

Feel free to ask question if it's not clear...
PS: Can't find the way to attach script and config file so added URL

I can not find anything about Chrome requirements for Certificate requiring Subject Alternate Names only? Now indeed I think SAN where introduced part of the X.509 V3 certificates specifications but is it a requirement for Chrome?

The issue with creating self-signed certificates using the Webconfig ClearOS app for Chrome could be entirely another problem. I think I also tried to use the app but at the time it was creating X.509 V1 certificates that I had to manually change to be V3, this might not be the case anymore.

This is certainly a complicated subject and I am no expert. Looking at 'Taryck BENSIALI' configuration, a Wildcard DNS within a Subject Alternate Names (SANs) is an approach the I never thought of. Also note Wildcard Certificates can be useful but will only secure a specific subdomain level.

Looking at the bug, it was downgraded from "minor" to "tweak" and is targeted for 7.4 Beta 1 which hopefully should be in the testing repo fairly soon. A number of my bugs have been bumped from 7.4 Beta 1 to 7.4 updates but this one has not so I have fingers my crossed.

A basic fix will be available for the upcoming ClearOS 7.4 release. The first "Subject Alternative Name" will be set to the "common name" for now.

[ req_distinguished_name ]

commonName                     = clearos.example.com



... snip ...



[ alt_names ]

DNS.1                          = clearos.example.com

I'll add a feature request to add support for multiple Subject Alternative Names, but this fix will resolve the Chrome support issue.