A couple more things to add.
1 - If you have created your default web server through the webconfig, then, for normal https, the config file pointing to the certificates is /etc/httpd/conf.d/flex-443.conf. Use /etc/httpd/conf.d/ssl.conf only if you have not configured the default web server.
2 - Once you have your certificates imported, the Webconfig can be configured to use them via Webconfig > System > Settings > General Settings
-
Nick's GUI 'normal' method is fine unless it turns pear-shaped, as in my recent cert install. Then understanding the underlying process is essential to resolve the issues and discover the cause of the problem. Too much reliance is placed on the GUI sadly these days. In so many cases it requires extensive research to nut out the problem as a result. My post was written to explain the underlying process and I encourage readers to post cribs such as mine when they discover a method or solution to a specific problem.
-
Secure certificates ClearOS v7 How to definitive guide
Ran into a heap of issues trying to install a digital certificate on ClearOS 7 and get webconfig working, so herewith is a guide that hopefully will help. For HTTPS the process is more or less the same but done in /etc/. I'll amend this document when I get round to doing the webservers.
The major issue I faced was thanks to a colleague registering the certificate (CSR), except the KEY he saved was off a different CSR. It took a lot of finding to work out exactly what was going wrong, as I never thought to check because he stored the key and certs in the same IT engineering directory on the server! Doh!
I did my install using a shell rather than the GUI which I found didn't update webconfig.
So generate the key
openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
Upload to your certificate provider. When issued copy to the server say... /root/digitalcerts (you might want to rename the supplied CRT file to match say 'secure.crt')
Remember you will require additional server names to be added to the CRT for multiple servers. The server names in the CRT MUST match the FQDN server name or you will get an error.
I recommend you first check the KEY and CRT match!
You can check whether the certificate matches the private key using the following openssl commands:
openssl x509 -in /path/to/certificate.crt -noout -modulus | openssl sha1
openssl rsa -in /path/to/private.key -noout -modulus | openssl sha1
Rename the provided CRT and the KEY files to something simple like secure.key & secure.crt. Note: The certificate manager GUI requires a simple name such as 'Securecert1'
Copy the files to /etc/clearos/certificate-manager.d
chown root:root secure.*
chmod 600 secure.*
cp secure.* /usr/clearos/sandbox/etc/httpd/conf/
cd /usr/clearos/sandbox/etc/httpd/conf/
chown webconfig:webconfig secure.*
cd ../config.d/
nano (vi) ssl.conf
Change
SSLCertificateFile /usr/clearos/sandbox/etc/httpd/conf/server.crt to
SSLCertificateFile /usr/clearos/sandbox/etc/httpd/conf/secure.crt
SSLCertificateKeyFile /usr/clearos/sandbox/etc/httpd/conf/server.key to
SSLCertificateKeyFile /usr/clearos/sandbox/etc/httpd/conf/secure.key
nano (vi) certs.conf
Change
# SSLCertificateFile /etc/clearos/certificate_manager.d/server.crt
# SSLCertificateKeyFile /etc/clearos/certificate_manager.d/server.key
to
SSLCertificateFile /etc/clearos/certificate_manager.d/secure.crt
SSLCertificateKeyFile /etc/clearos/certificate_manager.d/secure.key
service webconfig restart
If all is OK you will be able to log in normally. Any issues you can change back to the default files 'server.crt & server.key'
/var/logs/webconfig contain a raft of useful info in case of problems.
Ensure the file permissions are correct for the crt and key files or webconfig will fail.
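
The key/certificate match check from the post above, extended to cover the CSR as well, as an added example that is not part of the original post. The helper names `pubkey_fp`, `check_set` and `make_demo` are hypothetical, the files `make_demo` writes are constructed self-signed test material, and the key is assumed to be unencrypted (as produced by `-nodes`). It compares the public key itself rather than the RSA modulus, so it is not limited to RSA keys.

```shell
#!/bin/sh
# Added example. Helper names are hypothetical; assumes unencrypted PEM files.
# Usage: sh thisfile secure.key secure.crt [yourdomain.csr]

# pubkey_fp KIND FILE: print the SHA-256 of the public key held in a
# private key (key), CSR (csr) or certificate (crt); non-zero if unreadable.
pubkey_fp() {
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr) pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# check_set KEY CRT [CSR]: print MATCH, MISMATCH ... or UNREADABLE ...;
# returns 0 only when every file carries the same public key.
check_set() {
    k=$(pubkey_fp key "$1") || { echo "UNREADABLE key"; return 2; }
    c=$(pubkey_fp crt "$2") || { echo "UNREADABLE crt"; return 2; }
    [ "$k" = "$c" ] || { echo "MISMATCH key/crt"; return 1; }
    if [ -n "${3:-}" ]; then
        r=$(pubkey_fp csr "$3") || { echo "UNREADABLE csr"; return 2; }
        [ "$k" = "$r" ] || { echo "MISMATCH key/csr"; return 1; }
    fi
    echo "MATCH"
}

# make_demo DIR: write constructed test files (self-signed, not CA-issued).
# other.key belongs to a different CSR, which is the failure case in the post.
make_demo() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.example" \
        -keyout "$1/secure.key" -out "$1/secure.crt" 2>/dev/null
    openssl req -new -key "$1/secure.key" -subj "/CN=demo.example" \
        -out "$1/secure.csr" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
        -keyout "$1/other.key" -out "$1/other.csr" 2>/dev/null
}

# Check real files when paths are given on the command line.
if [ "$#" -ge 2 ]; then check_set "$@"; fi
```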