
Cevin
Resolved
0 votes
Hi all, well this time I've done it, even Google can't solve my problems lol.

I am busy installing an SSL certificate, and this did not completely succeed through the management console of ClearOS 5.1 for some reason.

I got 2 files for the GoDaddy SSL certificate, being:
gd_bundle.crt
mydomainname.crt

Now I thought it would be easy to upload something somewhere in the management console, and I got it this far so that it tells me my certificate is accepted, but every webpage I open from my own server gives me an error message claiming to use the old certificate (used before I bought this certificate) and it somehow refuses to update.

What I would like to know is where do these files need to be placed, and if needed, where do I update what file to get this thing working correctly. I've now spent over 10 hours googling, and ... feeling a dinky bit frustrated as my knowledge of Linux equals the amount of hairs left on top of my head...

So, if anyone is willing to help me out here (step by step in plain English) TY in advance.
Friday, March 26 2010, 08:32 PM
Responses (5)
  • Accepted Answer

    Robert
    Saturday, March 11 2017, 10:35 AM
    0 votes
    Hello,

    Sorry, this was covered already multiple times I guess, but I cannot find the post.

    My self-signed ClearOS certificate expired and I just want to create a new self-signed one.

    What files do I need to rename to reset the certificate manager?

    Thank you.

    Best wishes,

    Robert
  • Accepted Answer

    Shane
    Saturday, November 29 2014, 10:11 PM
    0 votes
    I'm going to bring this post back to life as there seems to be some confusion on how to install a purchased SSL certificate in ClearOS. It's a very simple process once you know which file to edit. Traditionally in CentOS you would edit /etc/httpd/conf.d/ssl.conf to point to your SSL certificates, but in ClearOS you need to edit /etc/httpd/conf.d/flex-443.conf.

    When you open this file it will look something like this:

    #----------------------------------------------------------------
    # WARNING: This file is automatically created by webconfig.
    #----------------------------------------------------------------

    NameVirtualHost *:443

    # Authentication mechanism
    DefineExternalAuth pwauth pipe /usr/bin/pwauth
    DefineExternalGroup pwauth pipe /usr/bin/unixgroup

    # -----------------------------------------------#
    # Web Site
    # -----------------------------------------------#

    ServerName Localhost
    DocumentRoot /var/www/html
    ErrorLog /var/log/httpd/error_log
    CustomLog /var/log/httpd/access_log combined
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    # No weak export crypto allowed
    # SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:!EXP:+eNULL
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0


    You need to edit it to look like the following:

    #----------------------------------------------------------------
    # WARNING: This file is automatically created by webconfig.
    #----------------------------------------------------------------

    NameVirtualHost *:443

    # Authentication mechanism
    DefineExternalAuth pwauth pipe /usr/bin/pwauth
    DefineExternalGroup pwauth pipe /usr/bin/unixgroup

    # -----------------------------------------------#
    # Web Site
    # -----------------------------------------------#

    ServerName www.yourdomain.com
    DocumentRoot /var/www/html
    ErrorLog /var/log/httpd/error_log
    CustomLog /var/log/httpd/access_log combined
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/www.yourdomain.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.yourdomain.key
    SSLCertificateChainFile /etc/pki/tls/certs/bundle.crt
    # No weak export crypto allowed
    # SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:!EXP:+eNULL
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

    Please note that the path to the cert file(s) is where I chose to keep my files you may choose a different structure if you wish.
  • Accepted Answer

    Cevin
    Tuesday, March 30 2010, 07:19 AM
    0 votes
    Thank you,

    I had to regenerate my SSL certificates because I screwed something up, but now everything works fine.

    What I have done is quite simple.
    First of all, you use the GUI (graphical user interface) from ClarkConnect to generate an SSL key. This is done in system / certificate manager. I have used the 4096-bit encryption method because it's the strongest. For webpages you want to make a SECURE SERVER keyfile. (** the file you create is needed on your server, and ClearOS stores it in /etc/ssl/private/sys-0-key.pem **) You can view this key by clicking on the view button under unsigned certificates.
    The key starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----

    This little baby is very important because you need it to request a certificate. I have used godaddy.com simply because they are the cheapest party I could find, but their user assistance I have found to be CRAP. (and they did get feedback on that).

    I bought a standard SSL certificate for € 20,- a year (for 3 years) so it was not that costly at all, and I use it for a webshop's secure pages.

    The next thing I have done, thanks to the very quick and nice feedback above, is the following:

    (Do NOT forget to backup all these files)
    I have edited the file as stated above in
    /etc/httpd/conf.d/ssl.conf (through the program called WinSCP.exe you can remotely access the filesystem on your server using either a VPN connection or your own private network)
    I have copied the 2 files GoDaddy returned to me to /etc/ssl/ as they are.
    Combined with the keyfile mentioned earlier this gives you the 3 files you need to implement your SSL into your system.
    In the config file that you have opened (as stated earlier) you change the following lines:

    - Set SSLCertificateFile to /etc/ssl/mydomainname.something.pem
    (This file you received)
    - Set SSLCertificateKeyFile to /etc/ssl/private/sys-0-key.pem
    (This is your GENERATED keyfile by the user console)
    - Set SSLCACertificateFile to /etc/ssl/gd_bundle.crt
    (This is the bundle file you have received from your provider, GoDaddy in my case)

    In the command line (you can use the little program called putty.exe, through the earlier described VPN) give the following command:
    HTTPD restart

    If you have done everything correctly the console replies OK. If you have done something wrong, it tells you where the error should be (which line it is, and sometimes what you screwed up on)

    Then you can retest your website by going to https://mydomain.something/ and clicking on a link there. Then you should see the key symbol behind the website address and you can verify your key.

    Good luck, and Thanks earlier for the feedback.
  • Accepted Answer

    Beltane
    Saturday, March 27 2010, 09:22 PM
    0 votes
    One more thing...

    This solved my security risk warnings for browsers and my web site. Unfortunately, it only changed the problem ever so slightly for Outlook. Certificates have specified uses and whatever Outlook is doing when using a secure POP3 isn't listed in my certificate, so I get some warning about "unable to validate all uses" or something equally cryptic.

    Miles
  • Accepted Answer

    Beltane
    Saturday, March 27 2010, 09:17 PM
    0 votes
    Like you, I was tired of always getting the error message from the browser when connecting to my own computer, and instead of telling all of the browsers that my ClearOS box was a certificate authority, I got a free SSL certificate from startssl.com. (I found this from an Ars Technica article, http://arstechnica.com/security/news/2009/12/how-to-get-set-with-a-secure-sertificate-for-free.ars)

    Then, I wanted to upload my new certificates into ClearOS. Unfortunately, I was not able to find out how to do this. I don't have an upload option. I have install (which is to install it into my browser), download (which I guess is to back it up), renew, delete, and update.

    Happily, the webconfig tool tells me the file right at the top: System -> Certificate Manager -> System Certificate View -> Miscellaneous -> File

    Keep in mind that I am an amateur and you should back up your system before trying anything crazy I might have done. I'm sure someone with much more experience will eventually post here.

    - I then SSH'd into the server, switched to root, and cd'd to: /etc/ssl
    - I copied the existing sys-0-cert.pem to a backup file, in case I made a mistake.
    - I then copied my domain certificate to /etc/ssl and renamed it to sys-0-cert.pem.
    - I also copied startssl's certificate (in your case gd_bundle.crt) into /etc/ssl.
    - In /etc/ssl/private I decrypted the encrypted certificate I received from startssl, because I'm lazy and don't want to type in the key's password every time I start apache. I used openssl rsa -in ssl.key -out sys-0-key.pem. Obviously, you'll need to use your own file names.
    - Next, I figured out that the apache ssl settings are in /etc/httpd/conf.d/ssl.conf
    - I backed up ssl.conf, so I could recover from inevitable mistakes.
    - Set SSLCertificateFile to /etc/ssl/sys-0-cert.pem
    - Set SSLCertificateKeyFile to /etc/ssl/private/sys-0-key.pem
    - Set SSLCACertificateFile to /etc/ssl/ca.pem (In your case gd_bundle.crt)

    I then restarted apache from the command line. You can do this from webconfig, but if there are errors, it just won't start, but you won't be told why. So I ran /etc/init.d/httpd start. I made some typos and it failed, but it told me which key in ssl.conf I broke.

    Good luck.

    Miles
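
An added example, not part of any reply in this thread: checks to run on the certificate, key and bundle files described in the replies above before restarting httpd, so that a key that does not belong to the certificate, a chain that does not verify, or an expired certificate is caught first. The function names, the file names and the throwaway CA are constructed for the demonstration, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example. Function names, file names and the demo CA are constructed.

# Does the private key belong to the certificate? Compare their public keys.
key_matches_cert() {  # $1 = certificate, $2 = private key
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$c" = "$k" ]
}

# Does the certificate verify against the CA bundle?
chains_to_bundle() {  # $1 = certificate, $2 = bundle
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Is the certificate still valid $2 seconds from now (0 = right now)?
valid_for() {  # $1 = certificate, $2 = seconds
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate file. To see whether the server is
# still sending an old certificate, compare it with the output of:
#   echo | openssl s_client -connect HOST:443 -servername HOST 2>/dev/null |
#       openssl x509 -noout -fingerprint -sha256
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# Constructed sample data: throwaway CA (the "bundle"), a site certificate
# and key signed by it, and an unrelated "old" key.
make_demo() {  # $1 = empty working directory
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key \
          -out bundle.crt -subj "/CN=Constructed Demo CA" -days 2 &&
      openssl req -newkey rsa:2048 -nodes -keyout site.key \
          -out site.csr -subj "/CN=www.yourdomain.com" &&
      openssl x509 -req -in site.csr -CA bundle.crt -CAkey ca.key \
          -CAcreateserial -out site.crt -days 1 &&
      openssl genrsa -out old.key 2048 ) >/dev/null 2>&1
}

d=$(mktemp -d) && make_demo "$d"
trap 'rm -rf "$d"' EXIT
key_matches_cert "$d/site.crt" "$d/site.key" && echo "key matches certificate"
key_matches_cert "$d/site.crt" "$d/old.key" || echo "old key does NOT match"
chains_to_bundle "$d/site.crt" "$d/bundle.crt" && echo "chain verifies"
valid_for "$d/site.crt" 0 && echo "certificate is not expired"
valid_for "$d/site.crt" 172800 || echo "certificate expires within 2 days"
fingerprint "$d/site.crt"
```

On a real server, point the functions at the paths configured in SSLCertificateFile, SSLCertificateKeyFile and the chain or CA file instead of the demo directory.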