Create a SSL certificate for your APACHE server

Hello,

When you install interworx-cp a default SSL certificate is created. The Common Name used is, by default, that of your hostname (FQDN).
The default config for SSL for Apache is set in the file

/etc/httpd/conf.d/ssl.conf

At Apache startup you might have a warning telling you your servername is different than the RSA Common Name.

[B][warn] RSA server certificate CommonName (CN) your-hostname.tld' does NOT match server name!?[/B]
[notice] Digest: generating secret for digest authentication ...
[notice] Digest: done
[warn] RSA server certificate CommonName (CN) your-hostname.tld' does NOT match server name!?

To avoid this alert you must set ServerName, in the ssl.conf file, to your hostname (FQDN).

Edit the ssl.conf file:

[QUOTE]vi /etc/httpd/conf.d/ssl.conf

update this line:

# General setup for the virtual host

DocumentRoot "/var/www/htdocs"
ServerName your-hostname.tld:443
ServerAdmin yourmail@domain.tld
ErrorLog /etc/httpd/logs/error_log
TransferLog /etc/httpd/logs/access_log

[/QUOTE]

But it might happen that you change your box's hostname. In this case the certificate CN isn't up to date with your hostname.

So it can be interesting to recreate the SSL certificate for your Apache config to match your real hostname.

Here is how we do this.

  • In /root, create a directory called ssl and go into it

mkdir /root/ssl
cd /root/ssl

1 - First create your new private key (privkey.pem) and server.csr

openssl req -config /usr/share/ssl/openssl.cnf -new -out server.csr
OR
openssl req -config /etc/pki/tls/openssl.cnf -new -out server.csr

It will ask you for a PEM pass phrase. Enter a pass phrase, confirm it and remember it!!!
Then it will ask you for a few pieces of information.
The most important is to set Common Name (eg, your name or your server's hostname) exactly as your hostname (FQDN).

Generating a 1024 bit RSA private key
...++++++
...++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [GB]:FR
State or Province Name (full name) [Berkshire]:Ile de France
Locality Name (eg, city) [Newbury]:Paris
Organization Name (eg, company) [My Company Ltd]:Carat Hosting
Organizational Unit Name (eg, section) []:NOC
Common Name (eg, your name or your server's hostname) []:my.hostname.com
Email Address []:mymail@mydomain.tld

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- enter nothing and press ENTER
An optional company name []: <-- enter nothing and press ENTER

This creates a server.pem file

2 - Now we will create the server.key file

openssl rsa -in privkey.pem -out server.key

It will ask you for the privkey.pem pass phrase ("Enter pass phrase for privkey.pem").
You must enter the pass phrase you chose in step 1.

openssl rsa -in privkey.pem -out server.key

Enter pass phrase for privkey.pem:
writing RSA key

3 - Create the server.crt using the key we just generated

openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365

Replace -days 365 with whatever you want!

openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365

Signature ok
subject=/C=FR/ST=Idf/L=Paris/O=Carat Hosting/OU=NOC/CN=my.hostname.tld/emailAddress=my-email@my-domain.tld
Getting Private key

You now have 4 files

# ls -l
total 16
-rw-r--r--  1 root root  963 déc 29 20:50 privkey.pem
-rw-r--r--  1 root root 1013 déc 29 21:06 server.crt
-rw-r--r--  1 root root  737 déc 29 20:50 server.csr
-rw-r--r--  1 root root  887 déc 29 21:05 server.key

4 - Move the cert files to the right place

Before this, back up your existing files.

5 - Finally restart Apache

service httpd restart

Verify all is fine

tail -n20 /var/log/httpd/error_log

[notice] Digest: generating secret for digest authentication …
[notice] Digest: done
[notice] Apache/2.0.59 (Unix) configured -- resuming normal operations

That's it!

Pascal

Carat Hosting : Web site hosting
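The three things worth verifying between step 3 and step 5, before Apache is restarted with the new files, are that the certificate's CN really equals the ServerName Apache will use (otherwise the "does NOT match server name" warning comes back), that server.key is the private key belonging to server.crt, and how long the certificate is valid for (the -days value). The script below is an added example, not part of Pascal's post: it parses the text printed by `openssl x509 -noout -subject -enddate -modulus` and `openssl rsa -noout -modulus` and answers those three questions. The openssl output embedded in it is constructed for the demo (the modulus value is made up), and `check_files()` is an assumed helper that runs the real openssl binary on actual files.

```python
import subprocess
from datetime import datetime, timezone

# Constructed sample of what
#   openssl x509 -noout -subject -enddate -modulus -in server.crt
# prints for a certificate like the one generated in step 3 (values made up here).
SAMPLE_CERT_INFO = """\
subject=/C=FR/ST=Idf/L=Paris/O=Carat Hosting/OU=NOC/CN=my.hostname.tld/emailAddress=my-email@my-domain.tld
notAfter=Dec 29 21:06:00 2008 GMT
Modulus=C0FFEE00C0FFEE00
"""
# Constructed sample of `openssl rsa -noout -modulus -in server.key` for the matching key.
SAMPLE_KEY_MODULUS = "Modulus=C0FFEE00C0FFEE00\n"
# Fixed "today" so the demo below is reproducible.
SAMPLE_NOW = datetime(2008, 1, 1, tzinfo=timezone.utc)


def parse_subject(subject):
    """Split a subject into its RDNs. Accepts '/C=FR/CN=host' (OpenSSL 0.9.x, as in the
    thread) and 'C = FR, CN = host' (OpenSSL 1.1 and later)."""
    parts = subject.split("/") if subject.startswith("/") else subject.split(",")
    rdns = {}
    for part in parts:
        key, sep, val = part.partition("=")
        if sep:
            rdns[key.strip()] = val.strip()
    return rdns


def parse_cert_info(text):
    """Turn openssl's 'key=value' lines into a dict; 'subject' is also parsed into 'rdns'."""
    info = {}
    for line in text.splitlines():
        key, sep, val = line.partition("=")
        if sep:
            info[key.strip()] = val.strip()
    info["rdns"] = parse_subject(info.get("subject", ""))
    return info


def cn_matches(info, server_name):
    """Apache's warning fires when the CN differs from ServerName (':443' suffix ignored)."""
    host = server_name.rsplit(":", 1)[0].lower()
    return info["rdns"].get("CN", "").lower() == host


def days_until_expiry(info, now=None):
    """notAfter is printed like 'Dec 29 21:06:00 2008 GMT'; negative means already expired."""
    expires = datetime.strptime(info["notAfter"], "%b %d %H:%M:%S %Y %Z")
    expires = expires.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days


def key_matches_cert(info, key_modulus_text):
    """server.key belongs to server.crt only if both report the same RSA modulus."""
    key_mod = key_modulus_text.strip().partition("=")[2]
    return key_mod != "" and key_mod == info.get("Modulus")


def check(cert_text, key_modulus_text, server_name, now=None):
    """Run all three checks on the openssl output text and return a result dict."""
    info = parse_cert_info(cert_text)
    return {
        "cn_matches": cn_matches(info, server_name),
        "days_left": days_until_expiry(info, now),
        "key_matches": key_matches_cert(info, key_modulus_text),
    }


def check_files(cert_path, key_path, server_name):
    """Assumed helper: same checks on real files; needs the openssl binary on PATH."""
    cert_text = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-enddate", "-modulus", "-in", cert_path],
        capture_output=True, text=True, check=True).stdout
    key_text = subprocess.run(
        ["openssl", "rsa", "-noout", "-modulus", "-in", key_path],
        capture_output=True, text=True, check=True).stdout
    return check(cert_text, key_text, server_name)


if __name__ == "__main__":
    # Demo on the constructed sample; on a real box use check_files("server.crt", "server.key", hostname).
    result = check(SAMPLE_CERT_INFO, SAMPLE_KEY_MODULUS, "my.hostname.tld:443", SAMPLE_NOW)
    for name, value in result.items():
        print(f"{name}: {value}")
```

A `days_left` that goes negative is exactly the situation described later in this thread (certificate expired after one year), so the same script can run from cron as a renewal reminder; a `key_matches` of False means the .crt and .key moved into place do not belong together and Apache will refuse to start.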

Thanks for the tip Pascal!

I'm confused.

Like many others, I also want to get rid of the certificate warnings of e.g. IE7. So I followed the steps above. Two things happened: at first the reboot went well but the warning about servername in the apache log remained. So I changed the general settings but then restart failed! Log said:

Starting httpd: Syntax error on line 102 of /etc/httpd/conf.d/ssl.conf:
SSLCipherSuite takes one argument, Colon-delimited list of permitted SSL Ciphers (`XXX:…:XXX’ - see manual)

Was shocked because it meant several of my clients were off-line. Oops! After commenting out the line, and 19 minutes of high stress, I was lucky to get the thing restarted.

The line says btw:

SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

But in the end I also found out iworx is still running with the default iworx certificate and not the newly generated one.

Can anyone explain to me what is the difference between this thread and http://www.interworx.com/forums/showthread.php?t=705&highlight=ssl

What is the difference between "httpd/conf.d/" and "etc/httpd/httpd-custom.conf"

I simply wanted to replace the certificate; secondly I try to get it signed by a generally trusted CA like CAcert?

Thanks in advance to anyone who could help me.

(By the way, the machine is fully controlled by me, running OpenVZ (one partition only) and CentOS 4.4. InterWorx has 7 IP addresses to use (some dedicated, some shared).)

This how-to is for replacing the default SSL certificate used by Apache that runs on port 80 and port 443 and uses config files in /etc/httpd/.

InterWorx installs its own version of Apache, used only to run the NodeWorx/SiteWorx interface, and the config files for that are found in /home/interworx/etc/httpd/.

This is why when you edited the files in /etc/httpd/ nothing changed in InterWorx.

Hope that helps,
Socheat

Thanks for the reply, I came sort of to the same conclusion, reconsidering what I did and what it changed.

I am still a little lost,

  1. my OpenVZ runs its own Apache,
  2. Interworx does,
  3. The several hosted sites (managed within interworx) have their own.

Do you think I have more running Apaches? (I mean as standard functionality within the tools named above)

Interworx already supports SSL via the GUI (if dedicated IP), but am I right that it does not affect webmail nor nodeworx? Does that mean I also have to create one central site for all sites to use nodeworx and webmail and can't create a specific secure webmail location for every managed site?

Question:
Why can I use SSL on a dedicated IP managed site and why does interworx not use this server for secure webmail?

What I just changed only affects /webmail behaviour, right?

Gtz

[QUOTE=Colly-K;12128]1. my OpenVZ runs its own Apache,
2. Interworx does,
3. The several hosted sites (managed within interworx) have their own.[/quote]

I'm not as familiar with OpenVZ, so I can't comment on that. But yes, InterWorx has its own Apache, and then all the sites hosted on your InterWorx box share another instance of Apache, making for two Apache installs on every InterWorx box.

[QUOTE=Colly-K;12128]Interworx already supports SSL via the GUI (if dedicated IP), but am I right that it does not affect webmail nor nodeworx? Does that mean I also have to create one central site for all sites to use nodeworx and webmail and can't create a specific secure webmail location for every managed site?

Why can I use SSL on a dedicated IP managed site and why does interworx not use this server for secure webmail?[/quote]

Because they are two separate instances of Apache, installing an SSL certificate for one of your SiteWorx accounts will not update the proper files for InterWorx to also use that SSL certificate. And, because you can have multiple dedicated IPs on a single server, each with a different SSL certificate, somehow, you’d have to tell InterWorx which SSL certificate you wanted it to use. We currently don’t have a NodeWorx SSL interface, but it will probably be added in the future.

Considering the above, can anyone explain why the statement

SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+e NULL

makes Apache choke?

I think you want:

SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

No space between the "+e" and the "NULL"

No sorry, the original file contains the parameter without the space; I must have copied it wrong into this thread.

Earlier somewhere I found a different syntax, something not using !ADH, but I can't find it again!! ;-((

Try putting the default value back:

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

and then restart Apache.
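The "SSLCipherSuite takes one argument" error above is a syntax problem, not a cipher problem: Apache reads the whole directive value as a single argument, so any whitespace inside it (as in "+e NULL") splits it into two arguments and httpd refuses to start. The linter below is an added example, not code from the thread or from InterWorx: it checks an SSLCipherSuite value for whitespace and malformed entries before you restart, and also reports which weak keywords (eNULL, ADH, EXP, LOW, SSLv2, RC4, ...) the value leaves enabled, since the default string discussed here enables several of them. The keyword table is a subset chosen for the example (modern OpenSSL has removed the SSLv2, EXP and LOW ciphers but still parses the words), and the ALL/DEFAULT expansion is a simplification of the OpenSSL cipher-string rules.

```python
import re

# Keyword table for the OpenSSL cipher-string grammar. This is a SUBSET chosen for the
# example; anything not listed is reported as unknown rather than rejected.
KNOWN_KEYWORDS = {
    "ALL", "COMPLEMENTOFALL", "DEFAULT", "COMPLEMENTOFDEFAULT",
    "HIGH", "MEDIUM", "LOW", "EXP", "EXPORT", "EXPORT40", "EXPORT56",
    "eNULL", "NULL", "aNULL", "ADH", "aRSA", "kRSA", "RSA", "kEDH", "EDH", "DH",
    "SSLv2", "SSLv3", "TLSv1", "RC4", "RC2", "DES", "3DES", "AES", "IDEA",
    "MD5", "SHA", "SHA1",
}
# Synonyms folded onto one spelling so '!ADH' and '!aNULL' mean the same thing.
ALIASES = {"ADH": "aNULL", "NULL": "eNULL", "EXPORT": "EXP"}
# Keywords that weaken the negotiated suites unless the list removes them with '!'.
WEAK = {"aNULL", "eNULL", "EXP", "EXPORT40", "EXPORT56", "LOW", "SSLv2", "RC4", "MD5", "DES"}
# What the catch-all words expand to, restricted to the weak subset tracked here
# (simplified: ALL is everything except eNULL, DEFAULT is ALL:!aNULL:!eNULL).
EXPANDS = {
    "ALL": WEAK - {"eNULL"},
    "DEFAULT": WEAK - {"eNULL", "aNULL"},
    "COMPLEMENTOFALL": {"eNULL"},
}
# One entry: optional '!', '-' or '+' prefix, then keywords joined with '+'.
ENTRY_RE = re.compile(r"^([!+-]?)([A-Za-z0-9]+(?:\+[A-Za-z0-9]+)*)$")


def lint_cipher_suite(value):
    """Return (severity, message) findings for an SSLCipherSuite value; [] means clean."""
    findings = []
    if any(ch.isspace() for ch in value):
        findings.append(("error", "whitespace inside the value: httpd sees more than one argument"))
    enabled, killed = set(), set()
    for entry in value.split(":"):
        if entry == "":
            findings.append(("error", "empty entry (double or trailing ':')"))
            continue
        m = ENTRY_RE.match(entry)
        if not m:
            findings.append(("error", f"malformed entry {entry!r}"))
            continue
        op, words = m.group(1), [ALIASES.get(w, w) for w in m.group(2).split("+")]
        for w in words:
            if w not in KNOWN_KEYWORDS:
                findings.append(("warning", f"unknown keyword {w!r} in {entry!r}"))
        # 'w1+w2' selects suites matching every word; in terms of the weak keywords we
        # track, treat the entry as touching all of them (a conservative over-approximation).
        touched = set()
        for w in words:
            touched |= EXPANDS.get(w, {w} & WEAK)
        if op == "!":            # '!' deletes permanently, later entries cannot re-add
            killed |= touched
            enabled -= touched
        elif op == "-":          # '-' deletes, but a later entry may add again
            enabled -= touched
        elif op == "+":          # '+' only reorders suites already in the list
            pass
        else:                    # no prefix: add to the list
            enabled |= touched - killed
    for w in sorted(enabled):
        findings.append(("warning", f"weak keyword {w!r} stays enabled; add '!{w}'"))
    return findings


if __name__ == "__main__":
    for value in (
        "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+e NULL",            # the broken line
        "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL",  # the default
        "HIGH:!aNULL:!MD5",                                                  # a tighter list
    ):
        print(value)
        for severity, message in lint_cipher_suite(value) or [("ok", "no findings")]:
            print(f"  {severity}: {message}")
```

Running it on the three values shows the difference between the two failures in this thread: the broken line produces errors (httpd will not start), while the default value starts fine but reports LOW, EXP, SSLv2, RC4 and friends as still enabled, which is what you would tighten next once the server is back up.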

Hi

For InterWorx you can do exactly the same thing but move the .crt and .key you have created to:
/home/interworx/etc/ssl/iworx.crt
/home/interworx/etc/ssl/iworx.key

Of course, if you have bought a certificate you just have to generate a CSR and then follow the instructions defined by the seller of the certificate.

Pascal

That's great, Pascal ;-)

Thanks!

One year has passed since I got HTTPS working. Certificate expired.

Tried to create a new certificate with the old private key but get an error:

openssl x509 -in server.csr -out server.crt -req -signkey -server.key -days 1825

Signature ok
subject=/C=NL/L=Place/O=Management/OU= IT/CN=www.site.nl/emailAddress=blabla
Getting Private key
Error opening Private key -server.key
20120:error:02001002:system library:fopen:No such file or directory:bss_file.c:259:fopen('-server.key','r')
20120:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:261:
unable to load Private key

Then tried to recreate a new server key:

openssl rsa -in privkey.pem -out server.key

User interface error
unable to load Private Key
21548:error:0906A068:PEM routines:PEM_do_header:bad password read:pem_lib.c:399:

Does this have something to do with release 3 of nodeworx perhaps?

Can anyone tell me how to create a new certificate for the nodeworx instance of the Apache webserver?

Thx