Profile Details

Recent updates
  • Augustynr
    Augustynr started a new discussion, How to move to new hardware?

    How to move to new hardware?

    Hi, I am planning to move existing server (6.5) to a new hardware and under XenServer.
    What is the best way of doing it?
    Thanks.

  • Augustynr

    Would this solution work with the postfix too?

    Peter Hermsen wrote:

    A huge thank-you to David Loper in ClearCenter Support for this one. Here's what he sent me:

    -------------

    I recently helped a paying customer in support with this very thing. I'm happy to share his experience and give some suggestions.

    It is important to note that if you mess up with this process that GoDaddy can always revoke a bad certificate for you and you can start over. So this process should be somewhat stress-free knowing that you can always start from scratch.

    First you will need to generate a Certificate request (you may have already done this). From command line of ClearOS do the following:

    cd /root
    mkdir support
    cd support
    mkdir cert
    cd cert

    This will make a good 'staging' area to conduct your certificate operations. Next, you will need to match exactly the name that you will produce on the certificate. GoDaddy cares about a couple of things and for a Certificate, you should provide accurate information. If your server was www.example.com then you will run the following from the cert directory:

    openssl req -new -newkey rsa:2048 -nodes -keyout www.example.com.key -out www.example.com.csr

    You will get a dialog and should fill out the fields bolded with accurate information:

    Generating a 2048 bit RSA private key
    ............................................................................+++
    ...............................+++
    writing new private key to 'www.example.com.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:US
    State or Province Name (full name) []:California
    Locality Name (eg, city) [Default City]:Someplace
    Organization Name (eg, company) [Default Company Ltd]:Example Company Name
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:www.example.com
    Email Address []:abe@example.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

    Other fields are optional and can be left blank. There will be two files created: a '.csr' and a '.key'. You should keep the '.key' file private and protected! The .csr you can give to GoDaddy.

    GoDaddy is only interested in the text of the file and not the file itself. There are two ways you can get this as text. The easiest is if you are connected to your server with a terminal program from your workstation (like PuTTY for PC and 'Terminal' for Mac) then you can simply concatenate the file and copy and paste the information into the GoDaddy form.

    cat /root/support/cert/www.example.com.csr

    The second way (if you don't want to use a terminal application) is to use a program like WinSCP and copy the '.csr' file from the server or move the file to a fileshare to which you have access (mv www.example.com.csr /home/myuser/www.example.com.csr.txt).

    In both cases, you can rename the file to be www.example.com.csr.txt for easy opening with your notepad editor on your computer.
    GoDaddy will return to you a zip file. You will need to have an 'unzip' program installed on ClearOS to unzip this file. Run the following:

    yum -y install unzip

    Next, copy the file that GoDaddy gives you into the 'cert' directory. In my case, the file's name is: mn1ckv3yk9yy2l9qabcdeqoci1234gmu.zip

    cd /root/support/cert/
    unzip mn1ckv3yk9yy2l9qabcdeqoci1234gmu.zip

    This will make two files. One with a random string of numbers (eg. cd34565a1234c76a.crt) and another named gd_bundle-g2-g1.crt

    The certificate is the one with the random string of characters. We can now rename that file and copy these files to the proper directories. Perform the following:

    cp cd34565a1234c76a.crt /etc/pki/tls/certs/www.example.com.crt
    cp www.example.com.key /etc/pki/tls/private/www.example.com.key
    chmod 600 /etc/pki/tls/certs/www.example.com.crt
    chmod 600 /etc/pki/tls/private/www.example.com.key

    Now your keys are in a good place but they are not used automatically by your system. For that, you will need to use those keys with the application framework that you want. Typically, this is for SSL under Apache on ClearOS for Website applications (ownCloud, Zarafa, Webconfig, or other web services).

    In the case of Apache, comment out the default and add the following lines to the appropriate place in /etc/httpd/conf.d/ssl.conf:

    # Server Certificate:
    # Point SSLCertificateFile at a PEM encoded certificate. If
    # the certificate is encrypted, then you will be prompted for a
    # pass phrase. Note that a kill -HUP will prompt again. A new
    # certificate can be generated using the genkey(1) command.
    #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateFile /etc/pki/tls/certs/www.example.com.crt

    # Server Private Key:
    # If the key is not combined with the certificate, use this
    # directive to point at the key file. Keep in mind that if
    # you've both a RSA and a DSA private key you can configure
    # both in parallel (to also allow the use of DSA ciphers, etc.)
    #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key

    Restart the service that uses the key:

    service httpd restart

    Make sure that the DNS for your hostname matches the hostname on the key and test it out.

    --------------------

    I followed his directions and still had an issue getting the certificate to take. I then edited my flex-443.conf file like this:


    #----------------------------------------------------------------
    # WARNING: This file is automatically created by webconfig.
    #----------------------------------------------------------------

    NameVirtualHost *:443

    # Authentication mechanism
    DefineExternalAuth pwauth pipe /usr/bin/pwauth
    DefineExternalGroup pwauth pipe /usr/bin/unixgroup

    # -----------------------------------------------#
    # Web Site
    # -----------------------------------------------#

    <VirtualHost *:443>
    #ServerName www.themeathouse.com
    ServerName themeathouse.com
    ServerAlias www
    DocumentRoot /var/www/html
    ErrorLog /var/log/httpd/error_log
    CustomLog /var/log/httpd/access_log combined
    SSLEngine on
    #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateFile /etc/pki/tls/certs/themeathouse.com.crt
    #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    SSLCertificateKeyFile /etc/pki/tls/private/themeathouse.com.key
    SSLCACertificateFile /etc/ssl/certs/gd_bundle-g2-g1.crt
    # No weak export crypto allowed
    # SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:!EXP:+eNULL
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    </VirtualHost>

    BAM!!!!!!!! It worked. The last step is to edit the script that autogenerates the flex-443.conf file so the configuration doesn't get overwritten when the system reboots.

    Good luck to everybody working with GoDaddy certs.
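As an added check that is not part of either post above: a small POSIX shell script that verifies, before httpd is restarted, that the '.key', the '.crt' and the gd_bundle file really belong together and cover the hostname clients will use. The file names follow the layout in the post and are assumptions, as is the throwaway test CA the script builds for demonstration.

```shell
#!/bin/sh
# Added example (not from the post above): check a certificate set before
# Apache is pointed at it. File names follow the post's layout and are
# assumptions; the fixture at the bottom is constructed for demonstration.
set -e

# verify_cert_set CERT KEY BUNDLE HOSTNAME
# Succeeds only when KEY is the key the CSR was made with, CERT chains
# to BUNDLE (the gd_bundle-*.crt file) and is valid today, and HOSTNAME
# matches the certificate's CN/subjectAltName.
verify_cert_set() {
    cert="$1"; key="$2"; bundle="$3"; host="$4"

    # 1. Key/cert pairing: both files carry the same public key, so the
    #    two SubjectPublicKeyInfo PEM blocks must hash identically.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $cert" >&2
        return 1
    fi

    # 2. Chain, validity period and hostname in one call. Assumes
    #    OpenSSL 1.0.2 or newer for -verify_hostname.
    if ! openssl verify -CAfile "$bundle" -verify_hostname "$host" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $bundle or does not cover $host" >&2
        return 1
    fi
    echo "OK: $cert, $key and $bundle are consistent for $host"
}

# Constructed fixture: a throwaway CA plus a server cert it signs, so the
# check can be exercised without a real GoDaddy-issued certificate.
make_fixture() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Same request command as the post, with -subj replacing the prompts.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -keyout "$dir/www.example.com.key" -out "$dir/www.example.com.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/www.example.com.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/www.example.com.crt" 2>/dev/null
    echo "$dir"
}

# Usage: sh check_cert.sh CERT KEY BUNDLE HOSTNAME
if [ "$#" -eq 4 ]; then
    verify_cert_set "$@"
fi
```

Run it against the real files (for example `sh check_cert.sh /etc/pki/tls/certs/www.example.com.crt /etc/pki/tls/private/www.example.com.key /etc/ssl/certs/gd_bundle-g2-g1.crt www.example.com`) before `service httpd restart`. The script does not inspect cipher settings; the SSLCipherSuite string in the flex-443.conf above still admits eNULL, LOW and SSLv2 ciphers, which no current deployment should allow.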

  • Augustynr
    Augustynr joined the group Canada