Koozali.org: home of the SME Server

Server Manager SSL Certificate panel.

dhardy

Server Manager SSL Certificate panel.
« on: January 22, 2006, 10:06:02 PM »
The only thing preventing me from adding a cheapie ssl certificate is that it's a little fiddly and I'd have to do it again every year when it expires ....

Other projects have a web front end for managing certificates with options for generating a self signed or a request for a csr for a 3rd party CA.

I for one would be delighted if this functionality could be integrated into the server manager in the future.

If anyone would be prepared to develop the panels and wrap it all up in an RPM as a GPL contrib I would gladly pay a bounty of say £50/$75 by paypal - either to the developer or direct to the project.

The scope would be:

1. SME 7 server manager panel to generate a CSR.
2. SME 7 server manager panel to upload a signed certificate.
3. SME 7 server manager panel to generate a self signed certificate*
4. Support for 'chained root certificates' when required to build a proper chain of trust.

(*Anyone who decided not to renew a trial or purchased certificate would need a way to move back to a self signed cert that was at least as easy as moving to a trusted cert.)

Optional features I would like:

5. Cron job to do a countdown nag that the certificate will expire in 21 days
6. Support for the cacert.org certificates (I don't know that this is necessarily any different to steps 1 and 2 above).
7. Affiliated certificate purchase partner to enable contribs to benefit directly from certificates sold.

The current cheapest certs I have seen are in the order of £10/$15  (www.ev1servers.net) I would be prepared to pay a chunk more to get them from contribs if it was decided to go for the RapidSSL reseller package here http://www.rapidssl.com/ssl-certificate-resellers/index.htm

although to make $10 on a $30 sale an upfront investment of $1000 would be needed or less return ($5 on $30 sale) for less investment ($625) ... speculate to accumulate!

I've wandered off topic a bit, if anyone is up for the development bounty get in touch by replying to this post or by email (david#millfarmnet - you know the drill, # -> @ and a . before net) to negotiate!

Thanks,

David.

CharlieBrady

Re: Server Manager SSL Certificate panel.
« Reply #1 on: January 23, 2006, 03:47:39 AM »
Quote from: "dhardy"

3. SME 7 server manager panel to generate a self signed certificate*


The server already automatically generates (and uses) a self-signed certificate, so I don't see that there's a need for a panel to request it.

Thanks for the bounty offer - that's a fine initiative.

gordonr

Re: Server Manager SSL Certificate panel.
« Reply #2 on: January 23, 2006, 05:18:03 AM »
Quote from: "CharlieBrady"

Thanks for the bounty offer - that's a fine initiative.

Absolutely - I'm all in favour of it.

However, without trying to rain on the parade...if I stick a wet finger in the air and say it's around 10 hours of work (I guesstimate it's probably double that), at a junior programmer rate of $40/hour, and then halve it as "spare time cash", the bounty might need to go up a bit to be enticing.

dhardy

Re: Server Manager SSL Certificate panel.
« Reply #3 on: January 23, 2006, 03:31:50 PM »
Quote from: "CharlieBrady"
Quote from: "dhardy"

3. SME 7 server manager panel to generate a self signed certificate*


The server already automatically generates (and uses) a self-signed certificate, so I don't see that there's a need for a panel to request it.



The point wasn't to say that the existing arrangement was not suitable, but to provide an easy GUI way back to a self generated certificate when/if a paid/trial certificate expires.

The self signed certificate on my 6.01 expired and it was a bit convoluted to renew it (which may well have been my fault for applying too many varied contribs) a button that said 'create new self signed SSL certificate' would have been very nice!

As an experienced programmer yourself, how long would you expect development of these panels to take?

dhardy

Re: Server Manager SSL Certificate panel.
« Reply #4 on: January 23, 2006, 03:39:38 PM »
Quote from: "gordonr"

However, without trying to rain on the parade...if I stick a wet finger in the air and say it's around 10 hours of work (I guesstimate it's probably double that), at a junior programmer rate of $40/hour, and then halve it as "spare time cash", the bounty might need to go up a bit to be enticing.


OK, done - I hereby raise the bounty to $200.

Any takers?

Thanks,


David.

CharlieBrady

Re: Server Manager SSL Certificate panel.
« Reply #5 on: January 23, 2006, 03:54:50 PM »
Quote from: "dhardy"

The point wasn't to say that the existing arrangement was not suitable, but to provide an easy GUI way back to a self generated certificate when/if a paid/trial certificate expires.

The self signed certificate on my 6.01 expired and it was a bit convoluted to renew it (which may well have been my fault for applying too many varied contribs) a button that said 'create new self signed SSL certificate' would have been very nice!


The server automatically renews its default self-signed certificate.

If you have added a non-default certificate (http://forums.contribs.org/index.php?topic=30320.msg127146#msg127146), and want to undo that step, this is all it takes:

/sbin/e-smith/config delprop modSSL crt
/sbin/e-smith/config delprop modSSL key
/sbin/e-smith/signal-event post-upgrade
/sbin/e-smith/signal-event reboot

I'm not suggesting that your enhanced panel might not be useful, but you do undersell the existing features of the server.

munro

Certificate Expired - Renewed - Same Serial Number
« Reply #6 on: February 06, 2006, 02:04:29 AM »
(Warning - new to contribs, although I've been "successfully" managing a 6.0.1 for a while.)

Hmmm ... a solved problem ... where to start ...

There is probably a bug in the Automatic Certificate Renewal (on 6.0.1).

Trying to connect remotely to server-manager via https Mozilla Firefox 1.0.7 said:
Quote
You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information:

Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number.


This problem did not happen connecting internally via IE or Firefox (but the details are not precisely recorded). (There are a number of possible explanations ...)

So in Firefox Edit->Preferences->Certificates->Manage-Certificates->Web-Sites-> The-ESmith-Site->Certificate and it is marked as "expired". I looked for a Firefox option "Accept (all/this) Expired Certificates" and I could not find one. I contemplated generating a self signed certificate by hand, which I have done before elsewhere, but my brain still hurts. So I decided to look for a howto and found this thread.

The quick "workaround" is - use the firefox interface above to delete the old certificate and try to revisit the subject esmith site.

But it wasn't that obvious at first ...

I looked at Charlie's advice above. I was not always the only sys admin, someone could have added a custom certificate. However the details of the certificate in firefox were clear: self signed and expired. I inquired on the subject esmith site:
    /sbin/e-smith/config getprop modSSL crt
    /sbin/e-smith/config getprop modSSL key

Both returned nothing indicating that no custom certificate had been installed.

Anyway in Firefox I accidentally deleted the old certificate, not quite how I describe above. The next visit to the esmith site prompted about a new certificate, which was clearly up to date. Problem worked around.

It appears however, that on 6.0.1 (planning to upgrade soon), the renewed certificate has  the same serial number as the previous self signed certificate issued by the server.
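
The 21-day expiry nag asked for in the first post and the issuer/serial reuse reported in the post above can both be checked with stock openssl. The script below is an added example, not part of the thread or of SME Server; the function names, the cron usage and the certificate paths passed on the command line are assumptions.

```shell
#!/bin/sh
# Added example: certificate expiry nag plus issuer/serial reuse check.
# Intended for a daily cron job; cron mails any output to the job owner.
# Usage (paths are placeholders): certnag.sh CURRENT.crt [PREVIOUS.crt]

NAG_DAYS=21   # warning window taken from the feature request in the thread

# Print one of: unreadable, expired, expiring, ok
cert_status() {
    cert=$1
    days=${2:-$NAG_DAYS}
    # A file openssl cannot parse must never be reported as "ok".
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || { echo unreadable; return; }
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# Print issuer and serial number on a single line.
cert_id() {
    openssl x509 -in "$1" -noout -issuer -serial 2>/dev/null | tr '\n' ' '
}

# Exit 0 when both certificates carry the same issuer and serial number,
# which is the condition the Firefox message quoted above complains about.
same_issuer_serial() {
    a=$(cert_id "$1")
    b=$(cert_id "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Print warnings only when there is something to act on.
nag_report() {
    status=$(cert_status "$1")
    case $status in
        ok) ;;
        *)  end=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null)
            echo "WARNING: $1 is $status (window ${NAG_DAYS} days, $end)" ;;
    esac
    # Optional second argument: the certificate being replaced.
    if [ -n "$2" ] && same_issuer_serial "$1" "$2"; then
        echo "WARNING: $1 reuses the issuer and serial number of $2"
    fi
}

# Run only when a certificate path was supplied.
if [ $# -ge 1 ]; then
    nag_report "$@"
fi
```

Keeping a copy of the outgoing certificate and passing it as the second argument lets the reuse check run before clients ever see the renewed certificate.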

CharlieBrady

Re: Certificate Expired - Renewed - Same Serial Number
« Reply #7 on: February 06, 2006, 02:15:32 AM »
Quote from: "munro"

There is probably a bug in the Automatic Certificate Renewal (on 6.0.1).


Please use the Bug Tracker link to the left of your browser screen.

NickCritten

Re: Certificate Expired - Renewed - Same Serial Number
« Reply #8 on: February 06, 2006, 01:51:40 PM »
Quote from: "munro"
I contemplated generating a self signed certificate by hand, which I have done before elsewhere, but my brain still hurts. So I decided to look for a howto and found this thread.


Hi Munro,

If you want an easy to follow SSL cert howto, check out mine at http://mirror.contribs.org/smeserver/contribs/nickcritten/howtos/ssl.htm
Just Scroll to the bottom and follow the 'Rush Job' :hammer:
...
Nick

"No good deed goes unpunished." :-x...

mmccarn

Just re-boot to generate a new certificate
« Reply #9 on: February 08, 2006, 06:36:11 AM »
My old certificate expired yesterday but didn't seem to be renewing itself automatically as suggested by CharlieBrady.  

Before digging in to the comprehensive (and daunting!) howto posted by NickCritten I decided to reboot, just to see what would happen...

I logged in to the server-manager, clicked on 'post-upgrade and reboot' and voila! I have a new certificate lasting a year from today.

I alerted my users about possible certificate rejection as described by munro and went to bed...

gordonr

Re: Just re-boot to generate a new certificate
« Reply #10 on: February 14, 2006, 02:20:59 PM »
Quote from: "mmccarn"
My old certificate expired yesterday but didn't seem to be renewing itself automatically as suggested by CharlieBrady.  
[...]
I alerted my users about possible certificate rejection as described by munro and went to bed...

You forgot one step - raise a bug!

mmccarn

Server Manager SSL Certificate panel.
« Reply #11 on: February 14, 2006, 02:43:40 PM »
OK - Bug 789 created!

madadam

Re: Server Manager SSL Certificate panel.
« Reply #12 on: March 21, 2006, 10:20:22 AM »
Quote from: "gordonr"

However, without trying to rain on the parade...if I stick a wet finger in the air and say it's around 10 hours of work (I guesstimate it's probably double that), at a junior programmer rate of $40/hour, and then halve it as "spare time cash", the bounty might need to go up a bit to be enticing.


The purpose of bounties is that other members can add to it until it becomes a suitable incentive. I have done this with other projects I am involved with.

Adam
...

madadam

Re: Server Manager SSL Certificate panel.
« Reply #13 on: March 21, 2006, 10:25:08 AM »
Quote from: "dhardy"

OK, done - I hereby raise the bounty to $200.
Any takers?


I further raise it by USD$100 (I'm assuming that you were using USD) bringing the total to USD$300.

It still may not be enough, but if there are other members out there who would like this functionality then maybe they will put in too.

I would also like to be able to manage multiple certs on SME. This has been discussed before so I won't go into it again.

Adam
...

xjjk16x

Server Manager SSL Certificate panel.
« Reply #14 on: March 22, 2006, 05:31:17 PM »
I will add an extra $100 to the pot if it helps....

NickCritten

Server Manager SSL Certificate panel.
« Reply #15 on: March 22, 2006, 05:36:45 PM »
Damnit!

/me smacks head against wall

Why *bang* haven't *bang* I *bang* Learnt *bang* PERL *bang* yet?

Bah! I could do this easily if I knew the lingo.
Anyone know of any good Perl-for-newbies tutorials?
...
Nick

"No good deed goes unpunished." :-x...

dhardy

Server Manager SSL Certificate panel.
« Reply #16 on: March 22, 2006, 09:20:10 PM »
Nick,

If you go for it I'll add another $50 to cover these:

http://www.amazon.com/gp/offer-listing/B00005R09P

http://www.amazon.com/gp/offer-listing/0596101058

  8-)

David.

NickCritten

Server Manager SSL Certificate panel.
« Reply #17 on: March 22, 2006, 09:38:46 PM »
hehe, Okay then,

If no-one has picked this one up in two weeks (When I get back off holiday and get all my meetings out of the way) I'll have a crack at it.

I'm pretty handy with PHP, and the syntax of perl looks fairly similar... I'm hoping I can pick it up pretty quickly.

I may need some help rolling the RPM though! :-)
...
Nick

"No good deed goes unpunished." :-x...

msoulier

Already working on it
« Reply #18 on: March 28, 2006, 06:01:38 AM »
Quote from: "xjjk16x"
I will add an extra $100 to the pot if it helps....


Sounds good to me. I happen to be doing this already for work purposes. It's a tad specialized at the moment, but I hope to fix that when I export it to sourceforge.

I don't suppose anyone made a clear requirements list. At the moment I'm only satisfying my own.

Mike

dhardy

Server Manager SSL Certificate panel.
« Reply #19 on: March 28, 2006, 09:10:31 AM »
Quote
I don't suppose anyone made a clear requirements list


I did - at the top of the thread, here it is again:

Quote
If anyone would be prepared to develop the panels and wrap it all up in an RPM as a GPL contrib I would gladly pay a bounty of say £50/$75 by paypal - either to the developer or direct to the project.

The scope would be:

1. SME 7 server manager panel to generate a CSR.
2. SME 7 server manager panel to upload a signed certificate.
3. SME 7 server manager panel to generate a self signed certificate*
4. Support for 'chained root certificates' when required to build a proper chain of trust.

(*Anyone who decided not to renew a trial or purchased certificate would need a way to move back to a self signed cert that was at least as easy as moving to a trusted cert.)

Optional features I would like:

5. Cron job to do a countdown nag that the certificate will expire in 21 days
6. Support for the cacert.org certificates (I don't know that this is necessarily any different to steps 1 and 2 above).
7. Affiliated certificate purchase partner to enable contribs to benefit directly from certificates sold.


I primarily want an easy way to 'try out' a purchased or third party cert (which are generally only good for a month) which doesn't need a visit to the command line. Hence  no.3, the easy way back to a self signed cert at the touch of a button.

The renewal process needs to be able to retain the 'key' because CAcert do not require the key to be submitted to them again when they renew the certificate. (This may be common behaviour, I've always bought a new cert from someone else rather than renewed an existing cert with the same authority).

Ideally everything needs to work in a way that doesn't interfere with the built in methods of doing it

No.7 was a money generating thought - it needs more input from others to shape/direct/reject it.

Looking through the thread the current bounty looks to me to be:

dhardy     $250
madadam $100
xjjk16x     $100


Including the $50 I offered to NickCritten to buy the books :-)

If you need a tighter brief I'm sure that we can arrange one .....

Cheers,

David.

gregswallow

Server Manager SSL Certificate panel.
« Reply #20 on: March 28, 2006, 09:36:31 AM »
This might be a good test case for the bounty program that has been discussed by the admins.  My thoughts on how it would work would be similar to how Horde does it... (http://www.horde.org/bounties/)

- An idea for a bounty is presented to the admins
- If the admins approve it for inclusion, they estimate the $ amount that it is worth (depending on the complexity), and the details/requirements of the bounty is decided upon
- At Horde, the person/company that suggests the bounty I think usually sponsors the whole thing, but we could take smaller amounts from individuals towards the bounty.  The money would be donated to SME Server Inc, with a comment that it is for bounty x.  As soon as some amount of money was collected, the bounty would be listed on a bounties page on contribs.org.  Horde seems to list ones that have no sponsor, but I'd call those suggestions and not bounties.
- When enough money is collected for a bounty, then it is open to any developer to do the work.  They submit their work to the admins for approval and when it meets the requirements, they are paid out by SME Server Inc.
- the bounty code is then released under the GPL to the community and becomes part of SME Server.

I think there has to first be some discussion by the developers about what requirements there would have to be in general (coding standards, etc), but this looks like a good place to start with this type of thing - in this case you have people interested in sponsoring the work, and it looks like someone wants to do the work.

msoulier

Server Manager SSL Certificate panel.
« Reply #21 on: March 28, 2006, 03:51:13 PM »
Quote

The scope would be:

1. SME 7 server manager panel to generate a CSR.


Sure, although this is more of a client function. The server primarily should just accept and sign/reject CSRs, but this change would be simple enough.

Quote

2. SME 7 server manager panel to upload a signed certificate.


Done, in raw form. I focused primarily on a REST web service to do this programmatically for my own purposes, but I can expand on my little test form and turn it into a proper upload form.

Quote

3. SME 7 server manager panel to generate a self signed certificate*
(*Anyone who decided not to renew a trial or purchased certificate would need a way to move back to a self signed cert that was at least as easy as moving to a trusted cert.)


Currently what I have looks for a custom plug-in package that can be built to provide a purchased Cert or intermediate CA to make a CA on the box. If neither of these are present then the plan is to make a self-signed cert for the CA. I had no plans to move back, but simply generate a new self-signed cert on such a change. I don't see a problem invalidating all of the Certs in the field at this point.

Quote

4. Support for 'chained root certificates' when required to build a proper chain of trust.


Currently provided in the REST interface when one's cert is downloaded. There is support for any additional certs that the admin wishes to export, although at most usually 2 are assumed, being the CA cert and the intermediate CA cert.

Quote

Optional features I would like:

5. Cron job to do a countdown nag that the certificate will expire in 21 days


Hardly the job of the CA, although it's easy to do.

Quote

6. Support for the cacert.org certificates (I don't know that this is necessarily any different to steps 1 and 2 above).


I don't think there's anything unique about cacert.org.

Quote

7. Affiliated certificate purchase partner to enable contribs to benefit directly from certificates sold.


Certainly not a big priority on my list. I think this can be done out of band by the admin.

Quote

I primarily want an easy way to 'try out' a purchased or third party cert (which are generally only good for a month) which doesn't need a visit to the command line. Hence  no.3, the easy way back to a self signed cert at the touch of a button.


Personally, I'd visit the command-line. Tar up old CA. Regen CA with new cert. If you don't like it, blow away the CA and untar the old one. Again, it's doable but it's pretty specialized.

Quote

The renewal process needs to be able to retain the 'key' because CAcert do not require the key to be submitted to them again when they renew the certificate. (This may be common behaviour, I've always bought a new cert from someone else rather than renewed an existing cert with the same authority).

Ideally everything needs to work in a way that doesn't interfere with the built in methods of doing it

No.7 was a money generating thought - it needs more input from others to shape/direct/reject it.

Looking through the thread the current bounty looks to me to be:

dhardy     $250
madadam $100
xjjk16x     $100


Including the $50 I offered to NickCritten to buy the books :-)

If you need a tighter brief I'm sure that we can arrange one .....

Cheers,

David.


I'll be exporting what I have soon. It won't satisfy these requirements but it may in time. Once it does I'm happy to take the bounty as a bonus for my work. :)

Mike

msoulier

Server Manager SSL Certificate panel.
« Reply #22 on: March 28, 2006, 03:53:28 PM »
Quote from: "gregswallow"
This might be a good test case for the bounty program that has been discussed by the admins.


Perhaps, but if I hadn't already been working on this, I would have never considered doing it for such a small bounty. Implementing a CA with a full UI that's simple to use and manage is not a small feat. Perhaps you should try a simpler test-case for bounties, like a small UI change.

Mike

dhardy

Server Manager SSL Certificate panel.
« Reply #23 on: March 28, 2006, 08:14:28 PM »
Wow,

I think your solution is much more comprehensive than what I had in mind.

I was hoping for a contrib with a few panels to allow me to generate a server key and to accept the signed certificate back from the CA. With options to abandon the signed certificate, reuse the existing key or generate a new self signed key.

I want to copy the server key and then paste in the signed cert that comes back from the CA.  Minimum fuss, no confused users and easy admin.

The chained certificate thing has come from experience with Windows and Comodo where we had to install three chained certificates first before we could install the CA signed server certificate.

A full on certificate authority with client certificates etc is way bigger than my original brief ......

  :-?

msoulier

Server Manager SSL Certificate panel.
« Reply #24 on: March 29, 2006, 03:57:47 PM »
Quote from: "dhardy"
Wow,

I think your solution is much more comprehensive than what I had in mind.

I was hoping for a contrib with a few panels to allow me to generate a server key and to accept the signed certificate back from the CA. With options to abandon the signed certificate, reuse the existing key or generate a new self signed key.


There's a need for this certainly, but installing a new cert/key for apache is a one-line command on the command-line. No real demand for a panel for this, but I suppose we could always do one. It wouldn't be difficult. I wanted to address the entire SSL story on the box, and I require a programmatic interface to keep things easy on the client side.

Quote

I want to copy the server key and then paste in the signed cert that comes back from the CA.  Minimum fuss, no confused users and easy admin.


Sure.

Quote

The chained certificate thing has come from experience with Windows and Comodo where we had to install three chained certificates first before we could install the CA signed server certificate.

A full on certificate authority with client certificates etc is way bigger than my original brief ......

  :-?


Well, I'm thinking of it as a general Certificate Management panel. Host certs, client certs, and the CA. The CA will be self-signed by default, but it can be one that's been purchased.

Support for host certs without your own CA will need to be done, I now realize. CA certs aren't cheap unless you make your own.

Mike

andy_wismer

Self Signed Certificates - Firefox Bug, not SME's
« Reply #25 on: April 07, 2006, 05:15:20 PM »
Hello

I've seen repeated Forum Entries complaining about the Self-Signed Certificate in Firefox. When that expires, or you setup a new server with the same name, Firefox will give you an Error-Message and refuse to connect.

Delete the stored Certificate under the Options of Firefox, that's it.

Once you reconnect, Firefox will "see" the new Certificate and ask if you'd like to accept it.

That doesn't belong as a Bug in SME.

Regards

Andy

msoulier

Re: Self Signed Certificates - Firefox Bug, not SME's
« Reply #26 on: April 10, 2006, 03:34:13 AM »
Quote from: "andy_wismer"

I've seen repeated Forum Entries complaining about the Self-Signed Certificate in Firefox. When that expires, or you setup a new server with the same name, Firefox will give you an Error-Message and refuse to connect.

Delete the stored Certificate under the Options of Firefox, that's it.

Once you reconnect, Firefox will "see" the new Certificate and ask if you'd like to accept it.

That doesn't belong as a Bug in SME.


It's not a bug on either end. Firefox is just doing its job, warning users that the cert offered by the host is not trusted, for one reason or another. The server has always used self-signed certs, but it's simple to replace the host cert/key with one purchased from a trusted authority.

I'm not sure what this has to do with this thread though. We're discussing implementation of a CA on the server, which goes beyond a simple host cert.

Mike

RvLardin

Server Manager SSL Certificate panel.
« Reply #27 on: April 25, 2006, 03:10:00 PM »
Quote from: "gregswallow"
This might be a good test case for the bounty program that has been discussed by the admins.

What a good news that it had been discussed !!!
:-D
I'm really sure that it will be a *very* good thing for SME !
(I've been kindly asking for that for months in different posts)

Quote

- An idea for a bounty is presented to the admins

or directly to the community so that the need could be evaluated and the features discussed at the very beginning of the idea.

Quote

- If the admins approve it for inclusion, they estimate the $ amount that it is worth (depending on the complexity), and the details/requirements of the bounty is decided upon

Ok for the admin approval in conjunction with the dev-team (future version request, for example) but only the needed time for dev could be evaluated...

Quote

- Horde seems to list ones that have no sponsor, but I'd call those suggestions and not bounties.

Not sure we are on the same vibes: The "call for Contrib" could be done by anyone, even if he has no money or just a little idea of what the contrib could be but with no skill to understand the whole project.


Quote

- When enough money is collected for a bounty, then it is open to any developer to do the work.  They submit their work to the admins for approval and when it meets the requirements, they are paid out by SME Server Inc.

It is difficult if different guys begin the dev on their own, you must attribute the dev to one or to a group. For the price, we will see but the daily price could be much different from one country to another ...

Quote

- the bounty code is then released under the GPL to the community and becomes part of SME Server.

with a sort of 'contrib's maintainer' for the evolutions ...

My 2 cts, perhaps we could open a larger discussion on that - and dedicate a special space on the site (1 forum ?). I'm volunteering to moderate this space and be the link between devs/admin and the community.

RV.
----
"Those who are willing to lose some of their essential liberties in favour of security deserve neither and will lose both."
- Thomas Jefferson .

curlynostril

Re: Certificate Expired - Renewed - Same Serial Number
« Reply #28 on: May 05, 2006, 03:26:35 AM »
Quote from: "NickCritten"
.... SSL cert howto, check out mine at http://mirror.contribs.org/smeserver/contribs/nickcritten/howtos/ssl.htm
Just Scroll to the bottom and follow the 'Rush Job' :hammer:


Might be a bit off topic but since you're the author....

I did this with a command shell in Putty on XP pro and also had the web admin page up at the same time....(?)  After several attempts, once I finally got all the input correct (I think), I went to restart the server and got this message...

[root@dlhygt1 ssl.crt]#  /etc/rc.d/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd: (98)Address already in use: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
Unable to open logs
                                                           [FAILED]

Although, when I went to refresh the web admin a new certificate prompt came up and I was on to the web admin again.. so it seems the server is up?

SME 7.0rc2 is installed on a Dell P3 900mhz 768MB

I'm fairly new to this and my installation is quite young (though I'm not).  Should I just wipe it out and start over or is this normal?

Maybe I should start a new topic?

NickCritten

Re: Certificate Expired - Renewed - Same Serial Number
« Reply #29 on: May 05, 2006, 09:28:18 AM »
Quote from: "curlynostril"

[root@dlhygt1 ssl.crt]#  /etc/rc.d/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd: (98)Address already in use: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
Unable to open logs
                                                           [FAILED]

Although, when I went to refresh the web admin a new certificate prompt came up and I was on to the web admin again.. so it seems the server is up?

SME 7.0rc2 is installed on a Dell P3 900mhz 768MB

I'm fairly new to this and my installation is quite young (though I'm not).  Should I just wipe it out and start over or is this normal?

Maybe I should start a new topic?


Yeah, I think that happens for me too (Since SME7) But I've not had time to investigate further and it always seems to work OK despite the error.

See if you can recreate the fault, and if you can you could log it with BugTracker.  I'd do it myself but I am Soooo Busy at the moment I can barely find time to eat!
 :-(
...
Nick

"No good deed goes unpunished." :-x...

curlynostril

started new topic
« Reply #30 on: May 05, 2006, 09:36:59 AM »
I went ahead and started a new topic since this thread seems to really be about the GUI panel and bounties.

http://forums.contribs.org/index.php?topic=31879.0

but I also had a cursory look at the logs and I'm getting a buncha stuff about the cert not matching the server name as well...?

CharlieBrady

Re: Certificate Expired - Renewed - Same Serial Number
« Reply #31 on: May 05, 2006, 01:59:38 PM »
Quote from: "curlynostril"

[root@dlhygt1 ssl.crt]#  /etc/rc.d/init.d/httpd restart


That's an inappropriate command to run on an SME server. Use:

/etc/rc7.d/S86httpd-e-smith restart

NickCritten

Server Manager SSL Certificate panel.
« Reply #32 on: May 05, 2006, 02:59:43 PM »
Is there a list somewhere of appropriate commands to use on SME?

It seems that with every new release, all the commands that everyone was using up till that point become unsuitable, or something, and we get told off...

It would be nice to have some sort of announcement when things are changed like this!
...
Nick

"No good deed goes unpunished." :-x...

CharlieBrady

Server Manager SSL Certificate panel.
« Reply #33 on: May 05, 2006, 03:49:29 PM »
Quote from: "NickCritten"
Is there a list somewhere of appropriate commands to use on SME?

It seems that with every new release, all the commands that everyone was using up till that point become unsuitable, or something, and we get told off...

It would be nice to have some sort of announcement when things are changed like this!


Nothing has changed. Direct use of /etc/rc.d/init.d/thing has always been deprecated.

Please read the developers guide, and FAQ. If you think anything should change or be added, please note via the Bug Tracker.

Also be sure to read release notes for any new version.

Offline NickCritten

Server Manager SSL Certificate panel.
« Reply #34 on: May 05, 2006, 04:17:46 PM »
Quote from: "CharlieBrady"
Nothing has changed. Direct use of /etc/rc.d/init.d/thing has always been deprecated.

Well EVERY howto, forum thread, Installation instruction etc etc That I have read in the past 3 years for SME has said to either do a
    service thing restart
    /etc/init.d/thing restart
or
    /etc/init.d/rc.d/thing restart

These documents include things like:
http://no.longer.valid/phpwiki/index.php/TroubleshootingFAQ
http://no.longer.valid/phpwiki/index.php/InstallSHOUTcast
http://no.longer.valid/phpwiki/index.php/Customizing
http://no.longer.valid/phpwiki/index.php/Changing%20the%20default%20ssh%20port%20on%20SME%207
http://no.longer.valid/phpwiki/index.php/SME%20Server%20Announce%20v6.0

Quote from: "CharlieBrady"
Please read the developers guide, and FAQ. If you think anything should change or be added, please note via the Bug Tracker.
The developers guide I didn't even know existed until you mentioned it... I've searched and found that it is a new addition to the website... I'll be sure to have a read.

Quote from: "CharlieBrady"
Also be sure to read release notes for any new version.

I'd love to... WHERE ARE THEY?
I look for them every time a new release comes out but I've yet to find anything!


I'm sorry if I seem like I'm throwing my toys out of the pram, but sometimes it seems you expect everyone to be telepathic!!
You are deeply involved in the development of the core of SME and as such are privy to every little change that occurs, and have a complete understanding of the way SME works, which by and large is very different from any other Linux Distro. (Templates System, Config DB etc)
Unfortunately the vast majority of that info never filters its way out to the community (Without us spending hours of digging for information).

Please try to remember this eh?
...
Nick

"No good deed goes unpunished." :-x...

Offline CharlieBrady

Server Manager SSL Certificate panel.
« Reply #35 on: May 05, 2006, 05:35:29 PM »
Quote from: "NickCritten"
Quote from: "CharlieBrady"
Nothing has changed. Direct use of /etc/rc.d/init.d/thing has always been deprecated.

Well EVERY howto, forum thread, Installation instruction etc etc That I have read in the past 3 years for SME has said to either do a
    service thing restart
    /etc/init.d/thing restart
or
    /etc/init.d/rc.d/thing restart


Please search the forum and devinfo archives and find the number of times when I've corrected those suggestions.

Quote

Unfortunately the vast majority of that info never filters its way out to the community (Without us spending hours of digging for information).


If you want the documentation to get better, don't bitch here - get involved.

Offline byte

Server Manager SSL Certificate panel.
« Reply #36 on: May 06, 2006, 01:01:21 AM »
Nick,

Think you're being a bit harsh, I'm no developer but I know that the correct command for restarting and stopping, also most of those how to's are from people like me and you (who will yeah get things wrong, we're only human), you'll probably find a lot of info is out of date or incorrect on those links you put up, it just seems no-one takes time to correct any of these as these are editable wiki.

I'm sure if you're on the dev mailing list you would have seen Gordon post about the Dev guide a few months ago now.

Quote
Unfortunately the vast majority of that info never filters its way out to the community (Without us spending hours of digging for information).


I would disagree, having been watching quietly over the last 4/5 years on the dev list you tend to build your knowledge base up, even if you subscribe to the bug tracker you learn so much, I don't think it's actually a matter of us not seeing it I think it's a matter of not enough people out there to help out with documenting all of the work, just take a look on the FAQ on 7.0 there's quite a few in the bug list but not many people seem to be working on it.

Anyway I think we are detracting from the original thread here...
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!

Offline NickCritten

Server Manager SSL Certificate panel.
« Reply #37 on: May 06, 2006, 09:23:19 PM »
I've just been trying to update the Troubleshooting FAQ, but it doesn't look like updating the wiki is possible at the mo.

Have raised a bug.

I will also update my howtos with the proper service restarting method.
...
Nick

"No good deed goes unpunished." :-x...

Offline jfarschman

Server Manager SSL Certificate panel.
« Reply #38 on: June 30, 2006, 02:13:22 PM »
Greg,

  Let's get this bounty thing started.  As I understand it we need to put money into donation pool (escrowed) as bounty-SSL Certificate.

  I'm ready to do this.  What do we do buddy.  :-P
Jay Farschman
ICQ - 60448985
jay@hitechsavvy.com

dhardy

Server Manager SSL Certificate panel.
« Reply #39 on: July 11, 2006, 11:56:37 PM »
Oooo that's a positive step.

Where do I send my money?  :hammer:

Greg? Anyone?

Ta

David.

Offline CharlieBrady

Re: Server Manager SSL Certificate panel.
« Reply #40 on: July 15, 2006, 12:12:04 AM »
Quote from: "madadam"

I would also like to be able to manage multiple certs on SME. This has been discussed before so I won't go into it again.


It's also been explained many times in the past why you can't have multiple certs on SME.