In principle I don't see why it would not work in postfix too. The only difference is that you'll need to edit /etc/postfix/main.cf instead to point it to your new certificates. If you want it for pop/imap as well then you'll have to edit cyrus's configuration file and I can't remember its name. I presume there is an equivalent file if you use Zarafa. Note that you may want different certificates if you use different aliases for the various servers (e.g pop.example.com, smtp.example.com), even if they're on the same IP address.

[edit]
For cyrus the certificate configuration is in /etc/imapd.conf.
[/edit]

Would this solution work with the postfix too?

Peter Hermsen wrote:

A huge thank-you to David Loper in ClearCenter Support for this one. Here's what he sent me:

-------------

I recently helped a paying customer in support with this very thing. I'm happy to share his experience and give some suggestions.

It is important to note that if you mess up with this process that GoDaddy can always revoke a bad certificate for you and you can start over. So this process should be somewhat stress-free knowing that you can always start from scratch.

First you will need to generate a Certificate request (you may have already done this). From command line of ClearOS do the following:

cd /root
mkdir support
cd support
mkdir cert
cd cert

This will make a good 'staging' area to conduct your certificate operations. Next, you will need to match exactly the name that you will produce on the certificate. GoDaddy cares about a couple of thing and for a Certificate, you should provide accurate information. If your server was www.example.com then you will run the following from the cert directory:

openssl req -new -newkey rsa:2048 -nodes -keyout www.example.com.key -out www.example.com.csr

You will get a dialog and should fill out the fields bolded with accurate information:

Generating a 2048 bit RSA private key

............................................................................+++

...............................+++

writing new private key to 'www.example.com.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:US

State or Province Name (full name) []:California

Locality Name (eg, city) [Default City]:Someplace

Organization Name (eg, company) [Default Company Ltd]:Example Company Name

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) []:www.example.com

Email Address []:abe@example.com


Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:


Other fields are optional and can be left blank. There will be two files created a '.csr' and a '.key'. You should keep the '.key' file private and protected! The .csr you can give to GoDaddy.

GoDaddy is only interested in the text of the file and not the file itself. There are two ways you can get this as text. The easiest is if you are connected to your server with a terminal program from your workstation (like PuTTY for PC and 'Terminal' for Mac) then you can simply concatenate the file and copy and paste the information into the GoDaddy form.

cat /root/support/cert/www.example.com.csr

The second way (if you don't want to use a terminal application) is to use a program like WinSCP and copy the '.csr' file from the server or move the file to a fileshare to which you have access (mv www.example.com.csr /home/myuser/www.example.com.csr.txt).

In both cases, you can rename the file to be www.example.com.csr.txt for easy opening with your notepad editor on your computer.
GoDaddy will return to you a zip file. You will need to have an 'unzip' program installed on ClearOS to unzip this file. Run the following:

yum -y install unzip

Next, copy the file that GoDaddy gives you into the 'cert' directory. In my case, the file's name is: mn1ckv3yk9yy2l9qabcdeqoci1234gmu.zip

cd /root/support/cert/
unzip mn1ckv3yk9yy2l9qabcdeqoci1234gmu.zip

This will make two files. One with a random string of numbers (eg. cd34565a1234c76a.crt) and another named gd_bundle-g2-g1.crt

The certificate is the one with the random string of characters. We can now rename that file and copy these files to the proper directories: Perform the following:

cp cd34565a1234c76a.crt /etc/pki/tls/certs/www.example.com.crt
cp www.example.com.key /etc/pki/tls/private/www.example.com.key
chmod 600 /etc/pki/tls/certs/www.example.com.crt
chmod 600 /etc/pki/tls/private/www.example.com.key

Now your keys are in a good place but they are not used automatically by your system. For that, you will need to use those keys with the application framework that you want. Typically, this is for SSL under Apache on ClearOS for Website applications (ownCloud, Zarafa, Webconfig, or other web services).

In the case of Apache, comment out the default and add the following lines to the appropriate place in /etc/httpd/conf.d/ssl.conf:

# Server Certificate:

# Point SSLCertificateFile at a PEM encoded certificate. If

# the certificate is encrypted, then you will be prompted for a

# pass phrase. Note that a kill -HUP will prompt again. A new

# certificate can be generated using the genkey(1) command.

#SSLCertificateFile /etc/pki/tls/certs/localhost.crt

SSLCertificateFile /etc/pki/tls/certs/www.example.com.crt


# Server Private Key:

# If the key is not combined with the certificate, use this

# directive to point at the key file. Keep in mind that if

# you've both a RSA and a DSA private key you can configure

# both in parallel (to also allow the use of DSA ciphers, etc.)

#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key

Restart the service that uses the key:

service httpd restart

Make sure that the DNS for your hostname matches the hostname on the key and test it out.

--------------------

I followed his directions and still had an issue getting the certificate to take. I then edited my flex-443.conf file like this:


#----------------------------------------------------------------
# WARNING: This file is automatically created by webconfig.
#----------------------------------------------------------------

NameVirtualHost *:443

# Authentication mechanism
DefineExternalAuth pwauth pipe /usr/bin/pwauth
DefineExternalGroup pwauth pipe /usr/bin/unixgroup

# -----------------------------------------------#
# Web Site
# -----------------------------------------------#

<VirtualHost *:443>
#ServerName www.themeathouse.com
ServerName themeathouse.com
ServerAlias www
DocumentRoot /var/www/html
ErrorLog /var/log/httpd/error_log
CustomLog /var/log/httpd/access_log combined
SSLEngine on
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/pki/tls/certs/themeathouse.com.crt
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/pki/tls/private/themeathouse.com.key
SSLCACertificateFile /etc/ssl/certs/gd_bundle-g2-g1.crt
# No weak export crypto allowed
# SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:!EXP:+eNULL
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>

BAM!!!!!!!! It worked. The last step is to edit the script that autogenerates the flex-443.conf file so the configuration doesn't get overwritten when the system reboots.

Good luck to everybody working with GoDaddy certs.

A huge thank-you to David Loper in ClearCenter Support for this one. Here's what he sent me:

-------------

I recently helped a paying customer in support with this very thing. I'm happy to share his experience and give some suggestions.

It is important to note that if you mess up with this process that GoDaddy can always revoke a bad certificate for you and you can start over. So this process should be somewhat stress-free knowing that you can always start from scratch.

First you will need to generate a Certificate request (you may have already done this). From command line of ClearOS do the following:

cd /root
mkdir support
cd support
mkdir cert
cd cert

This will make a good 'staging' area to conduct your certificate operations. Next, you will need to match exactly the name that you will produce on the certificate. GoDaddy cares about a couple of thing and for a Certificate, you should provide accurate information. If your server was www.example.com then you will run the following from the cert directory:

openssl req -new -newkey rsa:2048 -nodes -keyout www.example.com.key -out www.example.com.csr

You will get a dialog and should fill out the fields bolded with accurate information:

Generating a 2048 bit RSA private key

............................................................................+++

...............................+++

writing new private key to 'www.example.com.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:US

State or Province Name (full name) []:California

Locality Name (eg, city) [Default City]:Someplace

Organization Name (eg, company) [Default Company Ltd]:Example Company Name

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) []:www.example.com

Email Address []:abe@example.com


Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:


Other fields are optional and can be left blank. There will be two files created a '.csr' and a '.key'. You should keep the '.key' file private and protected! The .csr you can give to GoDaddy.

GoDaddy is only interested in the text of the file and not the file itself. There are two ways you can get this as text. The easiest is if you are connected to your server with a terminal program from your workstation (like PuTTY for PC and 'Terminal' for Mac) then you can simply concatenate the file and copy and paste the information into the GoDaddy form.

cat /root/support/cert/www.example.com.csr

The second way (if you don't want to use a terminal application) is to use a program like WinSCP and copy the '.csr' file from the server or move the file to a fileshare to which you have access (mv www.example.com.csr /home/myuser/www.example.com.csr.txt).

In both cases, you can rename the file to be www.example.com.csr.txt for easy opening with your notepad editor on your computer.
GoDaddy will return to you a zip file. You will need to have an 'unzip' program installed on ClearOS to unzip this file. Run the following:

yum -y install unzip

Next, copy the file that GoDaddy gives you into the 'cert' directory. In my case, the file's name is: mn1ckv3yk9yy2l9qabcdeqoci1234gmu.zip

cd /root/support/cert/
unzip mn1ckv3yk9yy2l9qabcdeqoci1234gmu.zip

This will make two files. One with a random string of numbers (eg. cd34565a1234c76a.crt) and another named gd_bundle-g2-g1.crt

The certificate is the one with the random string of characters. We can now rename that file and copy these files to the proper directories: Perform the following:

cp cd34565a1234c76a.crt /etc/pki/tls/certs/www.example.com.crt
cp www.example.com.key /etc/pki/tls/private/www.example.com.key
chmod 600 /etc/pki/tls/certs/www.example.com.crt
chmod 600 /etc/pki/tls/private/www.example.com.key

Now your keys are in a good place but they are not used automatically by your system. For that, you will need to use those keys with the application framework that you want. Typically, this is for SSL under Apache on ClearOS for Website applications (ownCloud, Zarafa, Webconfig, or other web services).

In the case of Apache, comment out the default and add the following lines to the appropriate place in /etc/httpd/conf.d/ssl.conf:

# Server Certificate:

# Point SSLCertificateFile at a PEM encoded certificate. If

# the certificate is encrypted, then you will be prompted for a

# pass phrase. Note that a kill -HUP will prompt again. A new

# certificate can be generated using the genkey(1) command.

#SSLCertificateFile /etc/pki/tls/certs/localhost.crt

SSLCertificateFile /etc/pki/tls/certs/www.example.com.crt


# Server Private Key:

# If the key is not combined with the certificate, use this

# directive to point at the key file. Keep in mind that if

# you've both a RSA and a DSA private key you can configure

# both in parallel (to also allow the use of DSA ciphers, etc.)

#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key

Restart the service that uses the key:

service httpd restart

Make sure that the DNS for your hostname matches the hostname on the key and test it out.

--------------------

I followed his directions and still had an issue getting the certificate to take. I then edited my flex-443.conf file like this:


#----------------------------------------------------------------
# WARNING: This file is automatically created by webconfig.
#----------------------------------------------------------------

NameVirtualHost *:443

# Authentication mechanism
DefineExternalAuth pwauth pipe /usr/bin/pwauth
DefineExternalGroup pwauth pipe /usr/bin/unixgroup

# -----------------------------------------------#
# Web Site
# -----------------------------------------------#

<VirtualHost *:443>
#ServerName www.themeathouse.com
ServerName themeathouse.com
ServerAlias www
DocumentRoot /var/www/html
ErrorLog /var/log/httpd/error_log
CustomLog /var/log/httpd/access_log combined
SSLEngine on
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/pki/tls/certs/themeathouse.com.crt
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/pki/tls/private/themeathouse.com.key
SSLCACertificateFile /etc/ssl/certs/gd_bundle-g2-g1.crt
# No weak export crypto allowed
# SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:!EXP:+eNULL
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>

BAM!!!!!!!! It worked. The last step is to edit the script that autogenerates the flex-443.conf file so the configuration doesn't get overwritten when the system reboots.

Good luck to everybody working with GoDaddy certs.

I can't really help with certificates, I'm afraid. I dread them. I know I would like to change my Ca Cert but the process is not well documented for all the process certificates I would then need to create.

Hi Nick.

Thanks for that. I did try to change the /etc/httpd/conf.d/ssl.conf file as well, but to no avail. GoDaddy did not issue a key, only a cert and a bundle, so that's part of where my confusion lies. In the /etc/httpd/conf.d/ssl.conf, I put the cert path into the SSLCertificateFile directive and the bundle path into the SSLCACertificateFile directive. Still getting certs listed as follows on the management console:

Certificate Authority ca-cert.pem
Default Certificate sys-0-cert.pem

Thanks

I don't know much about this, but when I generated new certificates when I changed my host name (but kept the same CA Cert) I changes the entries in /etc/httpd/conf.d/ssl.conf to point to the new certificate and key.

Be wary of changing anything in /etc/httpd/conf.d/flex-443.conf as it gets overwritten every time you change a flexshare. You may need to change the immutable bit to stop this ("chattr +i /etc/httpd/conf.d/flex-443.conf") and un-set it if you need to make any changes. Messy.