This is a 2010 thread. Please can you start a thread of your own describing your problem? I'm locking this one.

Yeah, so not working for me. There is a step missing and this doesn't cover self signed certificates. I've been working on this problem for several days and have not found a clear and concise answer to the conumdrum

Hello,

Sorry, this was covered already multiple time is guess, but I cannot find the post.

My self-signed ClearOS certificate expired and I just was to create a new self-signed one.

What files to I need to rename to reset the certificate manager?

Thank you.

Best wishes,

Robert

Im going to bring this post back to life as there seems to be some confusion on how to install a purchased SSL certificate in ClearOS. Its a very simple process once you know which file to edit. Traditionally in centos you would edit /etc/httpd/conf.d/ssl.conf to point to your SSL certificates but in ClearOS you need to edit /etc/httpd/conf.d/flex-443.conf.

When you open this file it will look something like this.............

#----------------------------------------------------------------
# WARNING: This file is automatically created by webconfig.
#----------------------------------------------------------------

NameVirtualHost *:443

# Authentication mechanism
DefineExternalAuth pwauth pipe /usr/bin/pwauth
DefineExternalGroup pwauth pipe /usr/bin/unixgroup

# -----------------------------------------------#
# Web Site
# -----------------------------------------------#

ServerName Localhost
DocumentRoot /var/www/html
ErrorLog /var/log/httpd/error_log
CustomLog /var/log/httpd/access_log combined
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# No weak export crypto allowed
# SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:!EXP:+eNULL
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0


You need to edit it to look like the following......................

#----------------------------------------------------------------
# WARNING: This file is automatically created by webconfig.
#----------------------------------------------------------------

NameVirtualHost *:443

# Authentication mechanism
DefineExternalAuth pwauth pipe /usr/bin/pwauth
DefineExternalGroup pwauth pipe /usr/bin/unixgroup

# -----------------------------------------------#
# Web Site
# -----------------------------------------------#

ServerName www.yourdomain.com
DocumentRoot /var/www/html
ErrorLog /var/log/httpd/error_log
CustomLog /var/log/httpd/access_log combined
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/www.yourdomain.crt
SSLCertificateKeyFile /etc/pki/tls/private/www.yourdomain.key
SSLCertificateChainFile /etc/pki/tls/certs/bundle.crt
# No weak export crypto allowed
# SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:!EXP:+eNULL
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

Please note that the path to the cert file(s) is where I chose to keep my files you may choose a different structure if you wish.

Thank you,

I had to regenerate my SSL certificates becouse i screwed something up, but now everything works fine.

What i have done is quite simple.
First of all, you use the GUI (Graphical user interface) from clarkconnect to generate a SSL key. This is done in system / certificate manager. I have used the 4096 bit encryption method becouse its the strongest. For webpages you want to make a SECURE SERVER keyfile. (** the file you create is needed on your server, and clearos stores it in /etc/ssl/private/sys-0-key.pem **) You can view this key by clicking on the view button under unsigned certificates.
The key starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----

This little baby is verry inportant becouse you need it to request a certificate. I have used godaddy.com simply becouse they are the cheapiest party i could find, but their user assitance i have found to be CRAP. (and they did get feedback on that).

I bought a standard SSL certificate for € 20,- a year (for 3 years) so it was not that costy at all, and i use it for a webshops secure pages.

The next thing i have done, thanks to the verry quick and nice feedback above, is the following:

(Do NOT forget to backup all these files)
I have edited the file as stated above in
/ /etc/httpd/conf.d/ssl.conf (trough the program called Winsgp.exe you can remotely acces the filesystem on your server using either a VPN connection or your own private network)
I have copied the 2 files godaddy returned to me to /etc/ssl/ as they are.
Combined with the keyfile mentioned earlier this gives you the 3 files you need to inplement your SSL into your system.
In the configfile that you hsve opened (as stated earlier) you change the following lines:

- Set SSLCertificateFile to /etc/ssl/mydomainname.something.pem
(This file you recieved)
- Set SSLCertificateKeyFile to /etc/ssl/private/sys-0-key.pem
(This is your GENERATED keyfile by the userconsole)
- Set SSLCACertificateFile to /etc/ssl/gd_bundle.crt
(This is the bundle file you have recieved from your provider, godaddy in my case)

in the commandline (you can use the little program called putty.exe, trough the earlier described VPN) to give the following command:
HTTPD restart

If you have done everything correctly the console replies OK. If you have done something wrong, it tell you where the error should be (wich line it is, and sometimes what you screwed up on)

Then you can retest your website by going to https://mydomain.something/ and clicking on a link there. Then you should see the key simbol behind the website adress and you can verify your key.

Good luck, and Thanks earlier for the feedback.

One more thing...

This solved my security risk warnings for browsers and my web site. Unfortunately, it only changed the problem ever so slightly for Outlook. Certificates have specified uses and whatever Outlook is doing when using a secure POP3 isn't listed in my certificate, so I get some warning about "unable to validate all uses" or something equally cryptic.

Miles

Like you, I was tired of always getting the error message from the browser when connecting to my own computer and instead telling all of the browsers that my ClearOS box was a certificate authority, I got a free SSL certificate from startssl.com. (I found this from an Ars Technica article, http://arstechnica.com/security/news/2009/12/how-to-get-set-with-a-secure-sertificate-for-free.ars)

Then, I wanted to upload my new certificates into ClearOS. Unfortunately, I was not able to find out how to do this. I don't have an upload option. I have install (which is to install it into my browser), download (which I guess is to back it up), renew, delete, and update.

Happily, the webconfig tool tells me the file righ at the top: System -> Certificate Manager -> System Certificate View -> Miscellaneous -> File

Keep in mind that I am an amature and you should back up your system before trying anything crazy I might have done. I'm sure someone with much more experience will eventually post here.

- I then SSH'd into the server, switched to root, and cd'd to: /etc/ssl
- I copied the existing sys-0-cert.pem to a backup file, in case I made a mistake.
- I then copied my domain certificate to /etc/ssl and renamed it to sys-0-cert.pem.
- I also copied startssl's certificate (in your case gd_bundle.crt) into /etc/ssl.
- In /etc/ssl/private I decrypted the encrypted certificate I received from startssl, because I'm lazy and don't want to type in the key's password every time I start apache. I used openssl rsa -in ssl.key -out sys-0-key.pem. Obviously, you'll need to use your own file names.
- Next, I figured out that the apache ssl settings are in /etc/httpd/conf.d/ssl.conf
- I backed up ssl.conf, so I could recover from inevitable mistakes.
- Set SSLCertificateFile to /etc/sll/sys-0-cert.pem
- Set SSLCertificateKeyFile to /etc/ssl/private/sys-0-key.pem
- Set SSLCACertificateFile to /etc/ssl/ca.pem (In your case gd_bundle.crt)

I then restarted apache from the command line. You can do this from webconfig, but if there are errors, it just won't start, but you won't be told why. So I ran /etc/init.d/httpd start. I made some typos and it failed, but it told me which key in ssl.conf I broke.

Good luck.

Miles