Hello,
When you install interworx-cp, a default SSL certificate is created. By default, its Common Name (CN) is your server's hostname (FQDN).
The default SSL configuration for Apache is set in the file
/etc/httpd/conf.d/ssl.conf
At Apache startup you might see a warning telling you that your server name is different from the RSA certificate's Common Name:
[warn] RSA server certificate CommonName (CN) `your-hostname.tld' does NOT match server name!?
[notice] Digest: generating secret for digest authentication ...
[notice] Digest: done
[warn] RSA server certificate CommonName (CN) `your-hostname.tld' does NOT match server name!?
To avoid this warning, set ServerName in the ssl.conf file to your hostname (FQDN).
Edit the ssl.conf file:
vi /etc/httpd/conf.d/ssl.conf
and update the ServerName line:
# General setup for the virtual host
DocumentRoot "/var/www/htdocs"
ServerName your-hostname.tld:443
ServerAdmin yourmail@domain.tld
ErrorLog /etc/httpd/logs/error_log
TransferLog /etc/httpd/logs/access_log
However, you might later change your box's hostname. In that case the certificate CN no longer matches your hostname.
So it can be useful to recreate the SSL certificate for your Apache config so that it matches your real hostname.
Here is how we do this.
- In /root, create a directory called ssl and go into it
mkdir /root/ssl
cd /root/ssl
1 - First create your new private key (privkey.pem) and certificate signing request (server.csr)
openssl req -config /usr/share/ssl/openssl.cnf -new -out server.csr
OR
openssl req -config /etc/pki/tls/openssl.cnf -new -out server.csr
It will ask you for a PEM pass phrase. Enter a pass phrase, confirm it and remember it!
Then it will ask you for a few pieces of information.
The most important is to set Common Name (eg, your name or your server's hostname) to exactly your hostname (FQDN).
Generating a 1024 bit RSA private key
…++++++
…++++++
writing new private key to ‘privkey.pem’
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
Country Name (2 letter code) [GB]:FR
State or Province Name (full name) [Berkshire]:Ile de France
Locality Name (eg, city) [Newbury]:Paris
Organization Name (eg, company) [My Company Ltd]:Carat Hosting
Organizational Unit Name (eg, section) []:NOC
Common Name (eg, your name or your server’s hostname) []:my.hostname.com
Email Address []:mymail@mydomain.tld
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password : <— enter nothing and PRESS ENTER
An optional company name : <— enter nothing and PRESS ENTER
This creates the privkey.pem and server.csr files.
2 - Now we will create the server.key file
openssl rsa -in privkey.pem -out server.key
It will ask you for the privkey.pem pass phrase ("Enter pass phrase for privkey.pem").
You must enter the pass phrase you chose in step 1.
openssl rsa -in privkey.pem -out server.key
Enter pass phrase for privkey.pem:
writing RSA key
3 - Create the self-signed server.crt using the key we just generated
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
Replace -days 365 with the validity period you want.
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
Signature ok
subject=/C=FR/ST=Idf/L=Paris/O=Carat Hosting/OU=NOC/CN=my.hostname.tld/emailAddress=my-email@my-domain.tld
Getting Private key
You now have 4 files
# ls -l
total 16
-rw-r--r-- 1 root root 963 déc 29 20:50 privkey.pem
-rw-r--r-- 1 root root 1013 déc 29 21:06 server.crt
-rw-r--r-- 1 root root 737 déc 29 20:50 server.csr
-rw-r--r-- 1 root root 887 déc 29 21:05 server.key
4 - Move the certificate files to the right place
Before doing this, back up your existing files.
5 - Finally, restart Apache
service httpd restart
Verify that all is fine:
tail -n20 /var/log/httpd/error_log
[notice] Digest: generating secret for digest authentication ...
[notice] Digest: done
[notice] Apache/2.0.59 (Unix) configured -- resuming normal operations
That's it!
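
A check for the files from steps 1 to 3 before step 4 puts them in place, as an added example that is not part of the original post. It confirms that the CN is the hostname you expect, that server.key belongs to server.crt, that the key is at least 2048 bits (a common minimum today; the transcript above shows a 1024 bit key), that the key file is not readable by group or other (the listing above shows -rw-r--r--), and that the certificate has not expired. The function names are illustrative.

```shell
#!/bin/sh
# Added example: checks for server.key / server.crt before installing them.
# Function names are illustrative; only standard openssl subcommands are used.

# Print the certificate's Common Name (multiline form is stable to parse).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Print the RSA key size in bits, e.g. 1024 or 2048.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Succeed only if the key and the certificate carry the same RSA modulus.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeed only if group and other have no permission bits on the key file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# usage: check_cert server.key server.crt expected-fqdn
# Prints one line per problem and returns non-zero if any check fails.
check_cert() {
    rc=0
    cn=$(cert_cn "$2")
    [ "$cn" = "$3" ] || { echo "CN '$cn' does not match '$3'"; rc=1; }
    key_matches_cert "$1" "$2" || { echo "key does not match certificate"; rc=1; }
    [ "$(key_bits "$1")" -ge 2048 ] 2>/dev/null || { echo "RSA key under 2048 bits"; rc=1; }
    key_is_private "$1" || { echo "$1 readable by group/other; chmod 600"; rc=1; }
    # -checkend 0 exits non-zero when the certificate has already expired
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null || { echo "certificate expired"; rc=1; }
    return "$rc"
}

# Stand-alone: sh check_cert.sh server.key server.crt "$(hostname -f)"
if [ "$#" -eq 3 ]; then check_cert "$@"; fi
```

Run it against the unencrypted server.key from step 2; the pass-phrase-protected privkey.pem would make openssl prompt for the pass phrase.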