Replace Nodeworx SSL Cert?

How to accomplish this?

Here is what we did:

cd /home/interworx/etc/ssl/

openssl genrsa -out servername.com.key 1024
openssl req -new -key servername.com.key -out servername.com.csr

Use the self signed cert or purchase one, then:

vi /home/interworx/etc/httpd/httpd-custom.conf

REPLACE FOLLOWING LINES TO MAKE YOUR DOMAIN:

  SSLCertificateFile    \
        /home/interworx/etc/ssl/servername.com.crt
  SSLCertificateKeyFile \
        /home/interworx/etc/ssl/servername.com.key

Save the file and restart iworx

/etc/init.d/iworx restart

We already have a Cert.

Then just point the two lines to the cert and key

Awesome, thank you!

Updated our Cert, now I get this :

[root@acme ~]# /etc/init.d/iworx restart                     
Stopping InterWorx-web:                                    [  OK  ]
Stopping InterWorx-db:                                     [  OK  ]
Starting InterWorx-db:                                     [  OK  ]
Syntax error on line 108 of /home/interworx/etc/httpd/httpd-custom.conf:
SSLCertificateFile takes one argument, SSL Server Certificate file (`/path/to/file' - PEM or DER encoded)
Starting InterWorx-web:                                    [FAILED]
Binding IP Aliases:                                        [  OK  ]

Confused :(

[quote=xlogicgroup;4515]Here is what we did:

cd /home/interworx/etc/ssl/

openssl genrsa -out servername.com.key 1024
openssl req -new -key servername.com.key -out servername.com.csr

Use the self signed cert or purchase one, then:

vi /home/interworx/etc/httpd/httpd-custom.conf

REPLACE FOLLOWING LINES TO MAKE YOUR DOMAIN:

  SSLCertificateFile    \
        /home/interworx/etc/ssl/servername.com.crt
  SSLCertificateKeyFile \
        /home/interworx/etc/ssl/servername.com.key

Save the file and restart iworx

/etc/init.d/iworx restart[/quote]

You meant:
openssl req -new -key servername.com.key -out servername.com.crt right? =)

Either way, even if I change it to .crt, after following your steps, when I restart iworx, iworx-web fails to restart. Any idea why that might be?

Syntax error on line 108 of /home/interworx/etc/httpd/httpd-custom.conf:
SSLCertificateFile takes one argument, SSL Server Certificate file (`/path/to/file' - PEM or DER encoded)

That should be a little self-explanatory… Make sure “SSLCertificateFile /path/to/file” is on a line on its own…

[quote=Catalyst;12028]

Syntax error on line 108 of /home/interworx/etc/httpd/httpd-custom.conf:
SSLCertificateFile takes one argument, SSL Server Certificate file (`/path/to/file' - PEM or DER encoded)

That should be a little self-explanatory… Make sure “SSLCertificateFile /path/to/file” is on a line on its own…[/quote]

That wasn’t my error. For me, no error was displayed as to why iworx-web failed to restart, and the /path/to/file was definitely on its own line.

This is what I see when I restart iworx, after following the steps to create the .crt and .key files and pointing httpd-custom.conf to the right file:

[root@tsh httpd]# /etc/init.d/iworx restart
Stopping InterWorx-web: [ OK ]
Stopping InterWorx-db: [ OK ]
Starting InterWorx-db: [ OK ]
Starting InterWorx-web: [FAILED]
Binding IP Aliases: [ OK ]

Any error in /home/interworx/var/log/error.log when trying to restart iworx?

Paul

[Mon Mar 26 11:30:47 2007] [info] Init: Initializing OpenSSL library
[Mon Mar 26 11:30:47 2007] [info] Init: Seeding PRNG with 136 bytes of entropy
[Mon Mar 26 11:30:47 2007] [info] Loading certificate & private key of SSL-aware server
[Mon Mar 26 11:30:47 2007] [error] Init: Unable to read server certificate from file /home/interworx/etc/ssl/tsh.com.crt
[Mon Mar 26 11:30:47 2007] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Mar 26 11:30:47 2007] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

Thanks for the quick reply Paul =)

EDIT: I thought maybe it was because the owner/group and permissions of the newly generated .crt and .key files were wrong (they were root rather than iworx), but after having fixed all that, I still get:

[Mon Mar 26 15:58:02 2007] [info] Init: Initializing OpenSSL library
[Mon Mar 26 15:58:02 2007] [info] Init: Seeding PRNG with 136 bytes of entropy
[Mon Mar 26 15:58:02 2007] [info] Loading certificate & private key of SSL-aware server
[Mon Mar 26 15:58:02 2007] [error] Init: Unable to read server certificate from file /home/interworx/etc/ssl/tsh.com.crt
[Mon Mar 26 15:58:02 2007] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Mar 26 15:58:02 2007] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

Try creating a self-signed cert in a SiteWorx account, then copy that cert information (found in /home/username/var/domain.com/ssl) to where you need it to be.

The error you’re getting leads me to believe something went wrong when generating your SSL cert.

I think I found out (the bad way) what goes wrong with mister INT.

Above, it’s not mentioned that you have to create a certificate (CRT) as well, and not only a certificate signing request (CSR).

Apache does not start up on a signing request very well (;-))

command:
openssl x509 -in domain.tld.csr -out domain.tld.crt -req -signkey domain.tld.key -days 365

response
Signature ok

gtz
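
The mix-up diagnosed above (SSLCertificateFile pointing at a CSR rather than a certificate) can be caught before restarting iworx. This is an added example, not part of any post in this thread; the function name `check_cert_pair` and its return codes are made up for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for the two files named by
# SSLCertificateFile and SSLCertificateKeyFile.
# Return codes (this example's own convention):
#   0 = certificate and key both parse and belong together
#   2 = the "certificate" file is really a CSR
#   3 = the certificate file is neither a PEM certificate nor a CSR
#   4 = the key file is not a readable, unencrypted private key
#   5 = certificate and key do not belong together
# Usage: check_cert_pair /home/interworx/etc/ssl/servername.com.crt \
#                        /home/interworx/etc/ssl/servername.com.key
check_cert_pair() {
    cert=$1
    key=$2

    # A real certificate parses with `openssl x509`; a CSR does not.
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        if openssl req -in "$cert" -noout 2>/dev/null; then
            echo "$cert is a certificate signing request, not a certificate" >&2
            return 2
        fi
        echo "$cert is not a PEM certificate" >&2
        return 3
    fi

    # Derive the public key from the private key. The empty -passin keeps
    # openssl from prompting if the key turns out to be passphrase-protected.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || {
        echo "$key is not a readable private key" >&2
        return 4
    }

    # The certificate must carry exactly that public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "$cert and $key do not belong together" >&2
        return 5
    fi
    return 0
}
```
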

[quote=Colly-K;12134]I think I found out (the bad way) what goes wrong with mister INT.

Above, it’s not mentioned that you have to create a certificate (CRT) as well, and not only a certificate signing request (CSR).

Apache does not start up on a signing request very well (;-))

gtz[/quote]

Thanks for the reply!

I successfully created the .crt by following your instructions Colly-K, however, weirdly – when I restart Iworx after changing the certificate it uses, I get this the first time:

[root@tsh ssl]# service iworx restart
Stopping InterWorx-web: [ OK ]
Stopping InterWorx-db: [ OK ]
Starting InterWorx-db: [ OK ]
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:2080
no listening sockets available, shutting down
Unable to open logs
Starting InterWorx-web: [FAILED]
Binding IP Aliases: [ OK ]

When I try restarting the same service right after (15 seconds after getting the above), I see:

[root@tsh ssl]# service iworx restart
Stopping InterWorx-web: [ OK ]
Stopping InterWorx-db: [ OK ]
Starting InterWorx-db: [ OK ]
Starting InterWorx-web: [ OK ]
Binding IP Aliases: [ OK ]

Anyways, it worked! I still get a certificate error when accessing www.domain.tld/nodeworx, but at least the certificate being used is self-signed now rather than signed by Iworx =)

Thanks!

You get a different warning, a warning that it’s a self-signed (actually not trusted by IE) certificate. If you want to lose the warnings altogether:

  1. Trust the certificate explicitly via the IE options “view certificate” and then “install certificate”, next, next, next, etc. Then IE will be satisfied, but the thing is you have to do this on every client PC.

or

  2. Send the CSR file to an already trusted party like Verisign, Thawte, etc. Prices for signing server certificates by public parties are between 20-1000 euro (a year). I personally haven’t found a party that is in the default IE list of trusted roots and is free, anyone?

Sorry can’t help you with the sock-thing.