Profile Details

Recent updates
  • A couple more things to add.
    1 - If you have created your default web server through the webconfig, then, for normal https, the config file pointing to the certificates is /etc/httpd/conf.d/flex-443.conf. Use /etc/httpd/conf.d/ssl.conf only if you have not configured the default web server.
    2 - Once you have your certificates imported, the Webconfig can be configured to use them via Webconfig > System > Settings > General Settings

  • Nick's GUI 'normal' method is fine unless it turns pear shaped as in my recent cert install. Then understanding the underlying process is essential to resolve the issues and discover the cause of the problem. Too much reliance is placed on the GUI sadly these days. In so many cases it requires extensive research to nut out the problem as a result. My post was written to explain the underlying process and I encourage readers to post cribs such as mine when they discover a method or solution to a specific problem.

  • Chris
    Chris updated their profile
  • Secure certificates Clearos v7 How to definitive guide

    Ran into a heap of issues trying to install a digital certificate on ClearOS 7 and get webconfig working, so herewith is a guide that hopefully will help. For HTTPS the process is more or less the same but done in /etc/. I'll amend this document when I get round to doing the webservers.

    The major issue I faced was thanks to a colleague registering the certificate (CSR), except the KEY he saved was off a different CSR. It took a lot of finding to work out exactly what was going wrong, as I never thought to check, as he stored the key and certs in the same IT engineering directory on the server! Doh!

    I did my install using a shell rather than the GUI which I found didn't update webconfig.

    So generate the key

    openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr

    Upload to your certificate provider. When issued copy to the server say... /root/digitalcerts (you might want to rename the supplied CRT file to match say 'secure.crt')

    Remember you will require additional server names to be added to the CRT for multiple servers. The server names in the CRT MUST match the FQDN server name or you will get an error.

    I recommend you first check the KEY and CRT match!

    You can check whether the certificate matches the private key using the following openssl commands:

    openssl x509 -in /path/to/certificate.crt -noout -modulus | openssl sha1
    openssl rsa -in /path/to/private.key -noout -modulus | openssl sha1


    Rename the provided CRT and the KEY files to something simple like secure.key & secure.crt. Note: The certificate manager GUI requires a simple name such as 'Securecert1'.

    Copy the files to /etc/clearos/certificate-manager.d

    chown root:root secure.*

    chmod 600 secure.*

    cp secure.* /usr/clearos/sandbox/etc/httpd/conf/

    cd /usr/clearos/sandbox/etc/httpd/conf/

    chown webconfig:webconfig secure.*

    cd ../config.d/

    nano (vi) ssl.conf

    Change

    SSLCertificateFile /usr/clearos/sandbox/etc/httpd/conf/server.crt to
    SSLCertificateFile /usr/clearos/sandbox/etc/httpd/conf/secure.crt


    SSLCertificateKeyFile /usr/clearos/sandbox/etc/httpd/conf/server.key to
    SSLCertificateKeyFile /usr/clearos/sandbox/etc/httpd/conf/secure.key

    nano (vi) certs.conf

    Change

    # SSLCertificateFile /etc/clearos/certificate_manager.d/server.crt
    # SSLCertificateKeyFile /etc/clearos/certificate_manager.d/server.key

    to

    SSLCertificateFile /etc/clearos/certificate_manager.d/secure.crt
    SSLCertificateKeyFile /etc/clearos/certificate_manager.d/secure.key

    service webconfig restart

    If all is OK you will be able to log in normally. Any issues you can change back to the default files 'server.crt & server.key'

    /var/logs/webconfig contains a raft of useful info in case of problems.

    Ensure the file permissions are correct for the crt and key files or webconfig will fail.
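
An added example, not part of the original post: a shell check that extends the key/CRT comparison in the guide to the CSR as well, so a key saved from a different CSR is caught before any config file is edited. It compares public keys rather than RSA moduli, so it also works for non-RSA keys; the function names and the sample file names are this example's own, and the sample material is generated on the spot.

```shell
#!/bin/sh
# Print the SHA-256 digest of the public key inside a key, crt or csr file.
pubkey_digest() {
    case $1 in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || pem= ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || pem= ;;
        csr) pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || pem= ;;
        *)   pem= ;;
    esac
    # An unreadable file must be an error, never empty input that hashes equal.
    [ -n "$pem" ] || { echo "cannot read $1 file: $2" >&2; return 2; }
    printf '%s\n' "$pem" | openssl sha256 | awk '{print $NF}'
}

# check_match KEY CRT [CSR]: returns 0 = same key, 1 = mismatch, 2 = unreadable.
check_match() {
    k=$(pubkey_digest key "$1") || return 2
    c=$(pubkey_digest crt "$2") || return 2
    [ "$k" = "$c" ] || { echo "MISMATCH: $2 does not belong to $1" >&2; return 1; }
    if [ -n "${3:-}" ]; then
        r=$(pubkey_digest csr "$3") || return 2
        [ "$k" = "$r" ] || { echo "MISMATCH: $3 was not made from $1" >&2; return 1; }
    fi
    echo "OK: public key digest $k"
}

# Constructed sample material: a throwaway key with its self-signed cert and
# CSR, plus an unrelated key standing in for "the key from a different CSR".
make_samples() {
    d=$(mktemp -d) || return 2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=host.example.test" \
        -keyout "$d/secure.key" -out "$d/secure.crt" 2>/dev/null || return 2
    openssl req -new -key "$d/secure.key" -subj "/CN=host.example.test" \
        -out "$d/secure.csr" 2>/dev/null || return 2
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/wrong.key" 2>/dev/null || return 2
    echo "$d"
}

# Usage: sh certcheck.sh secure.key secure.crt [yourdomain.csr]
if [ "$#" -ge 2 ]; then check_match "$@"; fi
```

A non-zero exit means the files should not be copied into place; exit 2 specifically means a file could not be parsed as the type given.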