Koozali.org: home of the SME Server

Server Manager SSL Certificate panel.

dhardy

Server Manager SSL Certificate panel.
« on: January 22, 2006, 10:06:02 PM »
The only thing preventing me from adding a cheapie ssl certificate is that it's a little fiddly and I'd have to do it again every year when it expires ....

Other projects have a web front end for managing certificates with options for generating a self signed or a request for a csr for a 3rd party CA.

I for one would be delighted if this functionality could be integrated into the server manager in the future.

If anyone would be prepared to develop the panels and wrap it all up in an RPM as a GPL contrib I would gladly pay a bounty of say £50/$75 by paypal - either to the developer or direct to the project.

The scope would be:

1. SME 7 server manager panel to generate a CSR.
2. SME 7 server manager panel to upload a signed certificate.
3. SME 7 server manager panel to generate a self signed certificate*
4. Support for 'chained root certificates' when required to build a proper chain of trust.

(*Anyone who decided not to renew a trial or purchased certificate would need a way to move back to a self signed cert that was at least as easy as moving to a trusted cert.)

Optional features I would like:

5. Cron job to do a countdown nag that the certificate will expire in 21 days
6. Support for the cacert.org certificates (I don't know that this is necessarily any different to steps 1 and 2 above).
7. Affiliated certificate purchase partner to enable contribs to benefit directly from certificates sold.

The current cheapest certs I have seen are in the order of £10/$15 (www.ev1servers.net). I would be prepared to pay a chunk more to get them from contribs if it was decided to go for the RapidSSL reseller package here: http://www.rapidssl.com/ssl-certificate-resellers/index.htm

although to make $10 on a $30 sale an upfront investment of $1000 would be needed or less return ($5 on $30 sale) for less investment ($625) ... speculate to accumulate!

I've wandered off topic a bit, if anyone is up for the development bounty get in touch by replying to this post or by email (david#millfarmnet - you know the drill, # -> @ and a . before net) to negotiate!

Thanks,

David.

CharlieBrady

Re: Server Manager SSL Certificate panel.
« Reply #1 on: January 23, 2006, 03:47:39 AM »
Quote from: "dhardy"

3. SME 7 server manager panel to generate a self signed certificate*


The server already automatically generates (and uses) a self-signed certificate, so I don't see that there's a need for a panel to request it.

Thanks for the bounty offer - that's a fine initiative.

gordonr

Re: Server Manager SSL Certificate panel.
« Reply #2 on: January 23, 2006, 05:18:03 AM »
Quote from: "CharlieBrady"

Thanks for the bounty offer - that's a fine initiative.

Absolutely - I'm all in favour of it.

However, without trying to rain on the parade...if I stick a wet finger in the air and say it's around 10 hours of work (I guesstimate it's probably double that), at a junior programmer rate of $40/hour, and then halve it as "spare time cash", the bounty might need to go up a bit to be enticing.

dhardy

Re: Server Manager SSL Certificate panel.
« Reply #3 on: January 23, 2006, 03:31:50 PM »
Quote from: "CharlieBrady"
Quote from: "dhardy"

3. SME 7 server manager panel to generate a self signed certificate*


The server already automatically generates (and uses) a self-signed certificate, so I don't see that there's a need for a panel to request it.



The point wasn't to say that the existing arrangement was not suitable, but to provide an easy GUI way back to a self generated certificate when/if a paid/trial certificate expires.

The self signed certificate on my 6.01 expired and it was a bit convoluted to renew it (which may well have been my fault for applying too many varied contribs); a button that said 'create new self signed SSL certificate' would have been very nice!

As an experienced programmer yourself, how long would you expect development of these panels to take?

dhardy

Re: Server Manager SSL Certificate panel.
« Reply #4 on: January 23, 2006, 03:39:38 PM »
Quote from: "gordonr"

However, without trying to rain on the parade...if I stick a wet finger in the air and say it's around 10 hours of work (I guesstimate it's probably double that), at a junior programmer rate of $40/hour, and then halve it as "spare time cash", the bounty might need to go up a bit to be enticing.


OK, done - I hereby raise the bounty to $200.

Any takers?

Thanks,


David.

CharlieBrady

Re: Server Manager SSL Certificate panel.
« Reply #5 on: January 23, 2006, 03:54:50 PM »
Quote from: "dhardy"

The point wasn't to say that the existing arrangement was not suitable, but to provide an easy GUI way back to a self generated certificate when/if a paid/trial certificate expires.

The self signed certificate on my 6.01 expired and it was a bit convoluted to renew it (which may well have been my fault for applying too many varied contribs); a button that said 'create new self signed SSL certificate' would have been very nice!


The server automatically renews its default self-signed certificate.

If you have added a non-default certificate (http://forums.contribs.org/index.php?topic=30320.msg127146#msg127146), and want to undo that step, this is all it takes:

    /sbin/e-smith/config delprop modSSL crt
    /sbin/e-smith/config delprop modSSL key
    /sbin/e-smith/signal-event post-upgrade
    /sbin/e-smith/signal-event reboot

I'm not suggesting that your enhanced panel might not be useful, but you do undersell the existing features of the server.

munro

Certificate Expired - Renewed - Same Serial Number
« Reply #6 on: February 06, 2006, 02:04:29 AM »
(Warning - new to contribs, although I've been "successfully" managing a 6.0.1 for a while.)

Hmmm ... a solved problem ... where to start ...

There is probably a bug in the Automatic Certificate Renewal (on 6.0.1).

Trying to connect remotely to server-manager via https, Mozilla Firefox 1.0.7 said:
Quote
You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information:

Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number.


This problem did not happen connecting internally via IE or Firefox (but the details are not precisely recorded). (There are a number of possible explanations ...)

So in Firefox Edit->Preferences->Certificates->Manage-Certificates->Web-Sites-> The-ESmith-Site->Certificate and it is marked as "expired". I looked for a Firefox option "Accept (all/this) Expired Certificates" and I could not find one. I contemplated generating a self signed certificate by hand, which I have done before elsewhere, but my brain still hurts. So I decided to look for a howto and found this thread.

The quick "workaround" is - use the firefox interface above to delete the old certificate and try to revisit the subject esmith site.

But it wasn't that obvious at first ...

I looked at Charlie's advice above. I was not always the only sys admin, someone could have added a custom certificate. However the details of the certificate in firefox were clear: self signed and expired. I inquired on the subject esmith site:
    /sbin/e-smith/config getprop modSSL crt
    /sbin/e-smith/config getprop modSSL key

Both returned nothing indicating that no custom certificate had been installed.

Anyway in Firefox I accidentally deleted the old certificate, not quite how I describe above. The next visit to the esmith site prompted about a new certificate, which was clearly up to date. Problem worked around.

It appears however, that on 6.0.1 (planning to upgrade soon), the renewed certificate has  the same serial number as the previous self signed certificate issued by the server.
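
The duplicate-serial rejection munro describes, together with the 21-day expiry warning from the wishlist in the first post, can be checked from the shell after a renewal. This is an added example, not part of any post in this thread or of SME Server; it assumes the openssl command-line tool is installed, and the function names (cert_fp, cert_id, check_renewal) and file names are hypothetical.

```shell
#!/bin/sh
# Added example: sanity checks after a self-signed certificate renewal.
# Certificate paths are supplied by the caller; none are taken from SME Server.

# SHA-256 fingerprint of a PEM certificate (identifies the exact certificate).
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# "issuer|serial" pair; clients expect this pair to be unique per certificate.
cert_id() {
    issuer=$(openssl x509 -in "$1" -noout -issuer) || return 2
    serial=$(openssl x509 -in "$1" -noout -serial) || return 2
    printf '%s|%s\n' "${issuer#issuer=}" "${serial#serial=}"
}

# check_renewal OLD.pem NEW.pem [DAYS]
# Prints one verdict and returns 0 only for "ok":
#   not-renewed    NEW is the very same certificate as OLD
#   serial-reused  NEW differs but keeps OLD's issuer and serial number
#   expiring       NEW expires within DAYS days (default 21)
check_renewal() {
    old=$1; new=$2; days=${3:-21}
    old_fp=$(cert_fp "$old") || { echo error; return 2; }
    new_fp=$(cert_fp "$new") || { echo error; return 2; }
    if [ "$old_fp" = "$new_fp" ]; then
        echo not-renewed; return 1
    fi
    if [ "$(cert_id "$old")" = "$(cert_id "$new")" ]; then
        echo serial-reused; return 1
    fi
    # -checkend exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$new" -noout -checkend "$((days * 86400))" >/dev/null; then
        echo expiring; return 1
    fi
    echo ok
}

# Run as: sh check_renewal.sh old.pem new.pem 21   (file names are placeholders)
if [ "$#" -ge 2 ]; then
    check_renewal "$@"
fi
```

Keeping a copy of the outgoing certificate before a renewal gives the script its OLD argument; a non-zero exit status makes it usable from cron.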

CharlieBrady

Re: Certificate Expired - Renewed - Same Serial Number
« Reply #7 on: February 06, 2006, 02:15:32 AM »
Quote from: "munro"

There is probably a bug in the Automatic Certificate Renewal (on 6.0.1).


Please use the Bug Tracker link to the left of your browser screen.

NickCritten

Re: Certificate Expired - Renewed - Same Serial Number
« Reply #8 on: February 06, 2006, 01:51:40 PM »
Quote from: "munro"
I contemplated generating a self signed certificate by hand, which I have done before elsewhere, but my brain still hurts. So I decided to look for a howto and found this thread.


Hi Munro,

If you want an easy to follow SSL cert howto, check out mine at http://mirror.contribs.org/smeserver/contribs/nickcritten/howtos/ssl.htm
Just scroll to the bottom and follow the 'Rush Job'.

Nick

mmccarn

Just re-boot to generate a new certificate
« Reply #9 on: February 08, 2006, 06:36:11 AM »
My old certificate expired yesterday but didn't seem to be renewing itself automatically as suggested by CharlieBrady.  

Before digging in to the comprehensive (and daunting!) howto posted by NickCritten I decided to reboot, just to see what would happen...

I logged in to the server-manager, clicked on 'post-upgrade and reboot' and voila! I have a new certificate lasting a year from today.

I alerted my users about possible certificate rejection as described by munro and went to bed...

gordonr

Re: Just re-boot to generate a new certificate
« Reply #10 on: February 14, 2006, 02:20:59 PM »
Quote from: "mmccarn"
My old certificate expired yesterday but didn't seem to be renewing itself automatically as suggested by CharlieBrady.  
[...]
I alerted my users about possible certificate rejection as described by munro and went to bed...

You forgot one step - raise a bug!

mmccarn

Server Manager SSL Certificate panel.
« Reply #11 on: February 14, 2006, 02:43:40 PM »
OK - Bug 789 created!

madadam

Re: Server Manager SSL Certificate panel.
« Reply #12 on: March 21, 2006, 10:20:22 AM »
Quote from: "gordonr"

However, without trying to rain on the parade...if I stick a wet finger in the air and say it's around 10 hours of work (I guesstimate it's probably double that), at a junior programmer rate of $40/hour, and then halve it as "spare time cash", the bounty might need to go up a bit to be enticing.


The purpose of bounties is that other members can add to it until it becomes a suitable incentive. I have done this with other projects I am involved with.

Adam

madadam

Re: Server Manager SSL Certificate panel.
« Reply #13 on: March 21, 2006, 10:25:08 AM »
Quote from: "dhardy"

OK, done - I hereby raise the bounty to $200.
Any takers?


I further raise it by USD$100 (I'm assuming that you were using USD) bringing the total to USD$300.

It still may not be enough, but if there are other members out there who would like this functionality then maybe they will put in too.

I would also like to be able to manage multiple certs on SME. This has been discussed before so I won't go into it again.

Adam

xjjk16x

Server Manager SSL Certificate panel.
« Reply #14 on: March 22, 2006, 05:31:17 PM »
I will add an extra $100 to the pot if it helps....