Ran into a heap of issues trying to install a digital certificate on ClearOS 7 and get webconfig working, so herewith is a guide that hopefully will help. Remember ClearOS 7.X has some different scripts and file locations than earlier versions!
For normal webserver HTTPS the process is more or less the same but done in /etc/httpd. I'll amend this document when I get round to doing my standard webservers.
The major issue I faced was thanks to a colleague registering the certificate (CSR), except the KEY he saved was from a different CSR. It took a lot of finding to work out exactly what was going wrong, as I never thought to check, since he stored the key and certs in the same IT engineering directory on the server! Doh!
I did my install using a shell rather than the GUI which I found didn't update webconfig.
So generate the key
openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
Upload to your certificate provider. When issued copy to the server say... /root/digitalcerts (you might want to rename the supplied CRT file to match say 'secure.crt')
Remember you will require additional server names to be added to the CRT for multiple servers. The server names in the CRT MUST match the FQDN server (CN) name or you will get an error.
I recommend you first check the KEY and CRT match!
You can check whether the certificate matches the private key using the following openssl commands:
openssl x509 -in /path/to/certificate.crt -noout -modulus | openssl sha1
openssl rsa -in /path/to/private.key -noout -modulus | openssl sha1
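As an added example (not part of the original post), here is a pre-flight script that goes a step further than the modulus comparison above: it checks that the KEY really belongs to the CRT, that the FQDN you will browse to is the CN or a DNS SAN in the CRT (the mismatch warned about earlier), and that the CRT verifies against the intermediate/CA file you hand Apache. It assumes openssl 1.1.1 or later on PATH; the file names and the throw-away certificate it generates are constructed here.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-flight checks for a
# certificate before it goes into the ClearOS webconfig sandbox:
#   1. the KEY really belongs to the CRT (the "key from a different CSR" mix-up),
#   2. the FQDN you will browse to is the CN or a DNS SAN in the CRT,
#   3. the CRT verifies against the intermediate/CA bundle given to Apache.
# Assumes openssl 1.1.1+ on PATH; all file names below are constructed here.
set -u

# 0 if the public key inside CRT ($1) is the public key of KEY ($2), else 1.
# Comparing the whole SPKI public key is stricter than the modulus trick
# and also works for non-RSA keys.
cert_key_match() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# 0 if FQDN ($2) is the CN or one of the DNS SANs in CRT ($1), else 1.
cert_has_name() {
    names=$(openssl x509 -in "$1" -noout -subject -ext subjectAltName 2>/dev/null)
    echo "$names" | grep -Eq "CN ?= ?$2(,|\$)|DNS:$2(,|\$)"
}

# 0 if CRT ($1) chains to the CA/intermediate bundle ($2), else 1.
cert_chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# --- constructed test material: one self-signed cert/key pair plus an
# --- unrelated key standing in for "the key from a different CSR".
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=secure.example.test" \
    -addext "subjectAltName=DNS:secure.example.test,DNS:mail.example.test" \
    -keyout "$WORK/secure.key" -out "$WORK/secure.crt" >/dev/null 2>&1
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/other.key" >/dev/null 2>&1

for key in secure other; do
    if cert_key_match "$WORK/secure.crt" "$WORK/$key.key"; then
        echo "$key.key matches secure.crt"
    else
        echo "$key.key does NOT match secure.crt: wrong key, do not install it"
    fi
done
cert_has_name "$WORK/secure.crt" secure.example.test && echo "CN/SAN ok"
cert_chain_ok "$WORK/secure.crt" "$WORK/secure.crt" && echo "chain ok (self-signed)"
```

On a real install, point the three functions at your issued CRT, its KEY, and the intermediate file before copying anything into the sandbox.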
Rename the provided CRT and KEY files to something simple like secure.key & secure.crt. Note: the certificate manager GUI requires a simple name such as 'Securecert1'.
Copy the files to /etc/clearos/certificate_manager.d
chown root:root secure.*
chmod 600 secure.*
cp secure.* /usr/clearos/sandbox/etc/httpd/conf/
cd /usr/clearos/sandbox/etc/httpd/conf/
chown webconfig:webconfig secure.*
cd ../config.d/
nano (vi) ssl.conf
Change
SSLCertificateFile /usr/clearos/sandbox/etc/httpd/conf/server.crt to
SSLCertificateFile /usr/clearos/sandbox/etc/httpd/conf/secure.crt
SSLCertificateKeyFile /usr/clearos/sandbox/etc/httpd/conf/server.key to
SSLCertificateKeyFile /usr/clearos/sandbox/etc/httpd/conf/secure.key
Dave Loper's input: One thing that many browsers require with modern certificate providers is the intermediate certificate chain. For example, Comodo's certificates really need the intermediate chain to register without complaint in modern browsers. So you can/should add this line as well:
SSLCertificateChainFile /etc/pki/tls/certs/comodo_intermediate.crt
nano (vi) certs.conf
Change
# SSLCertificateFile /etc/clearos/certificate_manager.d/server.crt
# SSLCertificateKeyFile /etc/clearos/certificate_manager.d/server.key
to
SSLCertificateFile /etc/clearos/certificate_manager.d/secure.crt
SSLCertificateKeyFile /etc/clearos/certificate_manager.d/secure.key
SSLCertificateChainFile /etc/pki/tls/certs/comodo_intermediate.crt
service webconfig restart
If all is OK you will be able to log in normally. Any issues you can change back to the default files 'server.crt & server.key'
/var/log/webconfig contains a raft of useful info in case of problems.
Ensure the file permissions are correct for the crt and key files or webconfig will fail.
Please feel free to share any amendments and suggestions so this document can be updated.
Responses (7)
Accepted Answer
If you want to solicit help, please don't criticize so strongly. If you think the documents could be improved please suggest improvements.
I don't understand why you are trying to sign a CSR. That is for an External Certificate, so you should be sending it to your chosen certificate provider. They will send you the certificates back which you can then re-import.
The Certificate Manager (which isn't brilliant), as the docs say, has two purposes. One is to control the CA and System certificate used for internal certificates such as the OpenVPN certificates. The other function is to manage external certificates.
Accepted Answer
A couple more things to add.
1 - If you have created your default web server through the webconfig, then, for normal https, the config file pointing to the certificates is /etc/httpd/conf.d/flex-443.conf. Use /etc/httpd/conf.d/ssl.conf only if you have not configured the default web server.
2 - Once you have your certificates imported, the Webconfig can be configured to use them via Webconfig > System > Settings > General Settings
Accepted Answer
Nick's GUI 'normal' method is fine unless it turns pear shaped as in my recent cert install. Then understanding the underlying process is essential to resolve the issues and discover the cause of the problem. Too much reliance is placed on the GUI sadly these days. In so many cases it requires extensive research to nut out the problem as a result. My post was written to explain the underlying process and I encourage readers to post cribs such as mine when they discover a method or solution to a specific problem.
Accepted Answer
Can I suggest a different approach to stay closer to the ClearOS way of working?
Once you have your certificate, chain/intermediate certificate and key files, download them onto your desktop. Then you can import them through the ClearOS Certificate Manager, giving them a simple name there. Once imported through the certificate manager, in the Webconfig Web Server App you can assign them to your web sites and (I forget where, so I'll check later) you can also assign them to the Webconfig. Overall this will be much simpler and lower risk than playing round with the underlying files and their permissions.
Accepted Answer
Thanks Chris for taking the time to improve ClearOS and to share your work!!!
One thing that many browsers require with modern certificate providers is the intermediate certificate chain. For example, Comodo's certificates really need the intermediate chain to register without complaint in modern browsers. So you can/should add this line as well:
SSLCertificateChainFile /etc/pki/tls/certs/comodo.crt
You can put it right next to your other lines you suggest:
SSLCertificateFile /etc/clearos/certificate_manager.d/secure.crt
SSLCertificateKeyFile /etc/clearos/certificate_manager.d/secure.key
SSLCertificateChainFile /etc/pki/tls/certs/comodo_intermediate.crt
Accepted Answer
This is helpful. Thanks @Chris.
I have had some "fun" with these certificates over the past months as I've tried to get my email, webserver & domain certificates sorted. It was really easy with COS 5.2 if you were doing self-signed certificates but is a real bear for COS 7. Now I'm trying a mix of self-signed for email & Let's Encrypt for the webserver.
I suspect that I've completely screwed it up and was just looking for posts on the site with certificate in the title when I found yours. There aren't too many.
Would you be able to suggest a link to a good newbie overview of certificates in Centos/Redhat? I've found it a challenge to find.
Thanks again for posting!