Koozali.org: home of the SME Server

Server Manager SSL Certificate panel.

NickCritten
Server Manager SSL Certificate panel.
« Reply #15 on: March 22, 2006, 05:36:45 PM »
Damnit!

/me smacks head against wall

Why *bang* haven't *bang* I *bang* Learnt *bang* PERL *bang* yet?

Bah! I could do this easily if I knew the lingo.
Anyone know of any good Perl-for-newbies tutorials?
...
Nick

"No good deed goes unpunished." :-x...

dhardy

Server Manager SSL Certificate panel.
« Reply #16 on: March 22, 2006, 09:20:10 PM »
Nick,

If you go for it I'll add another $50 to cover these:

http://www.amazon.com/gp/offer-listing/B00005R09P

http://www.amazon.com/gp/offer-listing/0596101058

  8-)

David.

NickCritten
Server Manager SSL Certificate panel.
« Reply #17 on: March 22, 2006, 09:38:46 PM »
hehe, Okay then,

If no one has picked this one up in two weeks (when I get back from holiday and get all my meetings out of the way) I'll have a crack at it.

I'm pretty handy with PHP, and the syntax of Perl looks fairly similar... I'm hoping I can pick it up pretty quickly.

I may need some help rolling the RPM though! :-)
...
Nick

"No good deed goes unpunished." :-x...

msoulier

Already working on it
« Reply #18 on: March 28, 2006, 06:01:38 AM »
Quote from: "xjjk16x"
I will add an extra $100 to the pot if it helps....


Sounds good to me. I happen to be doing this already for work purposes. It's a tad specialized at the moment, but I hope to fix that when I export it to sourceforge.

I don't suppose anyone made a clear requirements list. At the moment I'm only satisfying my own.

Mike

dhardy

Server Manager SSL Certificate panel.
« Reply #19 on: March 28, 2006, 09:10:31 AM »
Quote
I don't suppose anyone made a clear requirements list


I did - at the top of the thread, here it is again:

Quote
If anyone would be prepared to develop the panels and wrap it all up in an RPM as a GPL contrib I would gladly pay a bounty of say £50/$75 by PayPal - either to the developer or direct to the project.

The scope would be:

1. SME 7 server manager panel to generate a CSR.
2. SME 7 server manager panel to upload a signed certificate.
3. SME 7 server manager panel to generate a self-signed certificate*
4. Support for 'chained root certificates' when required to build a proper chain of trust.

(*Anyone who decided not to renew a trial or purchased certificate would need a way to move back to a self-signed cert that was at least as easy as moving to a trusted cert.)

Optional features I would like:

5. Cron job to do a countdown nag that the certificate will expire in 21 days
6. Support for the cacert.org certificates (I don't know that this is necessarily any different to steps 1 and 2 above.)
7. Affiliated certificate purchase partner to enable contribs to benefit directly from certificates sold.


I primarily want an easy way to 'try out' a purchased or third party cert (which are generally only good for a month) which doesn't need a visit to the command line. Hence no. 3, the easy way back to a self-signed cert at the touch of a button.

The renewal process needs to be able to retain the 'key' because CAcert do not require the key to be submitted to them again when they renew the certificate. (This may be common behaviour, I've always bought a new cert from someone else rather than renewed an existing cert with the same authority).

Ideally everything needs to work in a way that doesn't interfere with the built-in methods of doing it.

No.7 was a money generating thought - it needs more input from others to shape/direct/reject it.

Looking through the thread the current bounty looks to me to be:

dhardy    $250
madadam   $100
xjjk16x   $100


Including the $50 I offered to NickCritten to buy the books :-)

If you need a tighter brief I'm sure that we can arrange one .....

Cheers,

David.
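
The scope list above, carried through as a working openssl workflow. This is an added example, not code from the thread or from SME Server: it assumes openssl is on the PATH, works in a demo directory under /tmp rather than Apache's real certificate paths, and uses placeholder hostnames. It keeps one server key across renewals (the CAcert point from the brief), generates the CSR and a self-signed fallback from it, installs a CA-signed cert with its intermediates only after checking the cert belongs to the key, and implements the 21-day countdown from item 5.

```shell
#!/bin/sh
# Added example for this thread, not code from SME Server or anyone in it.
# Assumptions: openssl in PATH; a demo directory instead of SME's Apache
# paths; hostnames and day counts are placeholders.
set -e

# Point every path at one directory (default: a demo directory under /tmp).
use_dir() {
    CERTDIR="$1"
    KEY="$CERTDIR/server.key"
    CSR="$CERTDIR/server.csr"
    CRT="$CERTDIR/server.crt"
    CHAIN="$CERTDIR/chain.pem"   # the file a web server would be pointed at
    mkdir -p "$CERTDIR"
}
use_dir "${CERTDIR:-/tmp/sme-cert-demo}"

# 1. Generate the server key once. Later calls leave it alone, so a renewal
#    that re-signs the same key (the CAcert case in the brief) reuses it.
gen_key() {
    [ -s "$KEY" ] || openssl genrsa -out "$KEY" 2048 2>/dev/null
    chmod 600 "$KEY"
}

# 2. CSR for the given hostname, signed with the existing key.
gen_csr() {
    openssl req -new -key "$KEY" -subj "/CN=$1" -out "$CSR" 2>/dev/null
}

# 3. Self-signed cert from the CSR (the "easy way back"): no intermediates,
#    so the chain file is just the cert itself.
self_sign() {
    openssl x509 -req -in "$CSR" -signkey "$KEY" -days "${1:-365}" -out "$CRT" 2>/dev/null
    cp "$CRT" "$CHAIN"
}

# 4. Install the cert that came back from the CA plus any intermediates,
#    refusing it if its public key does not belong to our private key.
#    Order in the chain file: server cert first, then the intermediates.
install_signed() {
    newcrt="$1"; shift
    keymod=$(openssl rsa -noout -modulus -in "$KEY" 2>/dev/null)
    crtmod=$(openssl x509 -noout -modulus -in "$newcrt" 2>/dev/null)
    if [ "$keymod" != "$crtmod" ]; then
        echo "refusing $newcrt: it was not issued for the key in $KEY" >&2
        return 1
    fi
    cp "$newcrt" "$CRT"
    cat "$CRT" "$@" > "$CHAIN"
}

# 5. Countdown nag: succeed (exit 0) when the cert expires within $1 days.
#    openssl -checkend exits 0 only if the cert is still valid then, so invert.
expires_within() {
    if openssl x509 -checkend "$(( $1 * 86400 ))" -noout -in "$CRT" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Typical sequence for a fresh box (hostname and CA file paths are placeholders):
#   gen_key && gen_csr sme.example.invalid && self_sign 365
#   install_signed /path/from/ca/server.crt /path/from/ca/intermediate.crt
#   expires_within 21 && echo "certificate expires within 21 days"
```

The modulus comparison in install_signed is the check worth keeping: a cert that does not match the private key is exactly what makes httpd refuse to start after a restart, so it is better caught at upload time than at the next reboot. Running expires_within from a daily cron entry is all item 5 needs.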

gregswallow
Server Manager SSL Certificate panel.
« Reply #20 on: March 28, 2006, 09:36:31 AM »
This might be a good test case for the bounty program that has been discussed by the admins.  My thoughts on how it would work would be similar to how Horde does it... (http://www.horde.org/bounties/)

- An idea for a bounty is presented to the admins
- If the admins approve it for inclusion, they estimate the $ amount that it is worth (depending on the complexity), and the details/requirements of the bounty are decided upon
- At Horde, the person/company that suggests the bounty I think usually sponsors the whole thing, but we could take smaller amounts from individuals towards the bounty.  The money would be donated to SME Server Inc, with a comment that it is for bounty x.  As soon as some amount of money was collected, the bounty would be listed on a bounties page on contribs.org.  Horde seems to list ones that have no sponsor, but I'd call those suggestions and not bounties.
- When enough money is collected for a bounty, then it is open to any developer to do the work.  They submit their work to the admins for approval and when it meets the requirements, they are paid out by SME Server Inc.
- the bounty code is then released under the GPL to the community and becomes part of SME Server.

I think there has to first be some discussion by the developers about what requirements there would have to be in general (coding standards, etc), but this looks like a good place to start with this type of thing - in this case you have people interested in sponsoring the work, and it looks like someone wants to do the work.

msoulier

Server Manager SSL Certificate panel.
« Reply #21 on: March 28, 2006, 03:51:13 PM »
Quote

The scope would be:

1. SME 7 server manager panel to generate a CSR.


Sure, although this is more of a client function. The server primarily should just accept and sign/reject CSRs, but this change would be simple enough.

Quote

2. SME 7 server manager panel to upload a signed certificate.


Done, in raw form. I focused primarily on a REST web service to do this programmatically for my own purposes, but I can expand on my little test form and turn it into a proper upload form.

Quote

3. SME 7 server manager panel to generate a self-signed certificate*
(*Anyone who decided not to renew a trial or purchased certificate would need a way to move back to a self-signed cert that was at least as easy as moving to a trusted cert.)


Currently what I have looks for a custom plug-in package that can be built to provide a purchased Cert or intermediate CA to make a CA on the box. If neither of these are present then the plan is to make a self-signed cert for the CA. I had no plans to move back, but simply generate a new self-signed cert on such a change. I don't see a problem invalidating all of the Certs in the field at this point.

Quote

4. Support for 'chained root certificates' when required to build a proper chain of trust.


Currently provided in the REST interface when one's cert is downloaded. There is support for any additional certs that the admin wishes to export, although at most usually 2 are assumed, being the CA cert and the intermediate CA cert.

Quote

Optional features I would like:

5. Cron job to do a countdown nag that the certificate will expire in 21 days


Hardly the job of the CA, although it's easy to do.

Quote

6. Support for the cacert.org certificates (I don't know that this is necessarily any different to steps 1 and 2 above.)


I don't think there's anything unique about cacert.org.

Quote

7. Affiliated certificate purchase partner to enable contribs to benefit directly from certificates sold.


Certainly not a big priority on my list. I think this can be done out of band by the admin.

Quote

I primarily want an easy way to 'try out' a purchased or third party cert (which are generally only good for a month) which doesn't need a visit to the command line. Hence no. 3, the easy way back to a self-signed cert at the touch of a button.


Personally, I'd visit the command-line. Tar up old CA. Regen CA with new cert. If you don't like it, blow away the CA and untar the old one. Again, it's doable but it's pretty specialized.

Quote

The renewal process needs to be able to retain the 'key' because CAcert do not require the key to be submitted to them again when they renew the certificate. (This may be common behaviour, I've always bought a new cert from someone else rather than renewed an existing cert with the same authority).

Ideally everything needs to work in a way that doesn't interfere with the built-in methods of doing it.

No.7 was a money generating thought - it needs more input from others to shape/direct/reject it.

Looking through the thread the current bounty looks to me to be:

dhardy    $250
madadam   $100
xjjk16x   $100


Including the $50 I offered to NickCritten to buy the books :-)

If you need a tighter brief I'm sure that we can arrange one .....

Cheers,

David.


I'll be exporting what I have soon. It won't satisfy these requirements but it may in time. Once it does I'm happy to take the bounty as a bonus for my work. :)

Mike

msoulier

Server Manager SSL Certificate panel.
« Reply #22 on: March 28, 2006, 03:53:28 PM »
Quote from: "gregswallow"
This might be a good test case for the bounty program that has been discussed by the admins.


Perhaps, but if I hadn't already been working on this, I would have never considered doing it for such a small bounty. Implementing a CA with a full UI that's simple to use and manage is not a small feat. Perhaps you should try a simpler test-case for bounties, like a small UI change.

Mike

dhardy

Server Manager SSL Certificate panel.
« Reply #23 on: March 28, 2006, 08:14:28 PM »
Wow,

I think your solution is much more comprehensive than what I had in mind.

I was hoping for a contrib with a few panels to allow me to generate a server key and to accept the signed certificate back from the CA. With options to abandon the signed certificate, reuse the existing key or generate a new self-signed key.

I want to copy the server key and then paste in the signed cert that comes back from the CA.  Minimum fuss, no confused users and easy admin.

The chained certificate thing has come from experience with Windows and Comodo where we had to install three chained certificates first before we could install the CA signed server certificate.

A full on certificate authority with client certificates etc is way bigger than my original brief ......

  :-?

msoulier

Server Manager SSL Certificate panel.
« Reply #24 on: March 29, 2006, 03:57:47 PM »
Quote from: "dhardy"
Wow,

I think your solution is much more comprehensive than what I had in mind.

I was hoping for a contrib with a few panels to allow me to generate a server key and to accept the signed certificate back from the CA. With options to abandon the signed certificate, reuse the existing key or generate a new self-signed key.


There's a need for this certainly, but installing a new cert/key for apache is a one-line command on the command-line. No real demand for a panel for this, but I suppose we could always do one. It wouldn't be difficult. I wanted to address the entire SSL story on the box, and I require a programmatic interface to keep things easy on the client side.

Quote

I want to copy the server key and then paste in the signed cert that comes back from the CA.  Minimum fuss, no confused users and easy admin.


Sure.

Quote

The chained certificate thing has come from experience with Windows and Comodo where we had to install three chained certificates first before we could install the CA signed server certificate.

A full on certificate authority with client certificates etc is way bigger than my original brief ......

  :-?


Well, I'm thinking of it as a general Certificate Management panel. Host certs, client certs, and the CA. The CA will be self-signed by default, but it can be one that's been purchased.

Support for host certs without your own CA will need to be done, I now realize. CA certs aren't cheap unless you make your own.

Mike

andy_wismer
Self Signed Certificates - Firefox Bug, not SME's
« Reply #25 on: April 07, 2006, 05:15:20 PM »
Hello

I've seen repeated forum entries complaining about the self-signed certificate in Firefox. When that expires, or you set up a new server with the same name, Firefox will give you an error message and refuse to connect.

Delete the stored Certificate under the Options of Firefox, that's it.

Once you reconnect, Firefox will "see" the new certificate and ask if you'd like to accept it.

That doesn't belong as a Bug in SME.

Regards

Andy

msoulier

Re: Self Signed Certificates - Firefox Bug, not SME's
« Reply #26 on: April 10, 2006, 03:34:13 AM »
Quote from: "andy_wismer"

I've seen repeated forum entries complaining about the self-signed certificate in Firefox. When that expires, or you set up a new server with the same name, Firefox will give you an error message and refuse to connect.

Delete the stored Certificate under the Options of Firefox, that's it.

Once you reconnect, Firefox will "see" the new certificate and ask if you'd like to accept it.

That doesn't belong as a Bug in SME.


It's not a bug on either end. Firefox is just doing its job, warning users that the cert offered by the host is not trusted, for one reason or another. The server has always used self-signed certs, but it's simple to replace the host cert/key with one purchased from a trusted authority.

I'm not sure what this has to do with this thread though. We're discussing implementation of a CA on the server, which goes beyond a simple host cert.

Mike

RvLardin
Server Manager SSL Certificate panel.
« Reply #27 on: April 25, 2006, 03:10:00 PM »
Quote from: "gregswallow"
This might be a good test case for the bounty program that has been discussed by the admins.

What good news that it has been discussed!!!
:-D
I'm really sure that it will be a *very* good thing for SME!
(I've been kindly asking for that for months in different posts.)

Quote

- An idea for a bounty is presented to the admins

or directly to the community, so that the need can be evaluated and the features discussed at the very beginning of the idea.

Quote

- If the admins approve it for inclusion, they estimate the $ amount that it is worth (depending on the complexity), and the details/requirements of the bounty is decided upon

OK for the admin approval in conjunction with the dev team (future version request, for example), but only the time needed for development could be evaluated...

Quote

- Horde seems to list ones that have no sponsor, but I'd call those suggestions and not bounties.

Not sure we are on the same vibes: the "call for contrib" could be done by anyone, even if he has no money or just a little idea of what the contrib could be, but with no skill to understand the whole project.


Quote

- When enough money is collected for a bounty, then it is open to any developer to do the work.  They submit their work to the admins for approval and when it meets the requirements, they are paid out by SME Server Inc.

It is difficult if different guys began the development on their own; you must attribute the development to one person or to a group. For the price, we will see, but the daily rate could be much different from one country to another...

Quote

- the bounty code is then released under the GPL to the community and becomes part of SME Server.

with a sort of 'contrib's maintainer' for the evolutions ...

My 2 cents; perhaps we could open a larger discussion on that - and dedicate a special space on the site (a forum?). I volunteer to moderate this space and be the link between devs/admins and the community.

RV.
----
"Those who are willing to lose some of their essential liberties in favour of security deserve neither and will lose both."
- Thomas Jefferson.

curlynostril

Re: Certificate Expired - Renewed - Same Serial Number
« Reply #28 on: May 05, 2006, 03:26:35 AM »
Quote from: "NickCritten"
.... SSL cert howto, check out mine at http://mirror.contribs.org/smeserver/contribs/nickcritten/howtos/ssl.htm
Just Scroll to the bottom and follow the 'Rush Job' :hammer:


Might be a bit off topic but since you're the author....

I did this with a command shell in PuTTY on XP Pro and also had the web admin page up at the same time....(?)  After several attempts, once I finally got all the input correct (I think), I went to restart the server and got this message...
Code:

[root@dlhygt1 ssl.crt]#  /etc/rc.d/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd: (98)Address already in use: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
Unable to open logs
                                                           [FAILED]

Although, when I went to refresh the web admin a new certificate prompt came up and I was on to the web admin again.. so it seems the server is up?

SME 7.0rc2 is installed on a Dell P3 900MHz 768MB

I'm fairly new to this and my installation is quite young (though I'm not).  Should I just wipe it out and start over or is this normal?

Maybe I should start a new topic?

NickCritten
Re: Certificate Expired - Renewed - Same Serial Number
« Reply #29 on: May 05, 2006, 09:28:18 AM »
Quote from: "curlynostril"

Code:

[root@dlhygt1 ssl.crt]#  /etc/rc.d/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd: (98)Address already in use: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
Unable to open logs
                                                           [FAILED]

Although, when I went to refresh the web admin a new certificate prompt came up and I was on to the web admin again.. so it seems the server is up?

SME 7.0rc2 is installed on a Dell P3 900MHz 768MB

I'm fairly new to this and my installation is quite young (though I'm not).  Should I just wipe it out and start over or is this normal?

Maybe I should start a new topic?


Yeah, I think that happens for me too (since SME7), but I've not had time to investigate further and it always seems to work OK despite the error.

See if you can recreate the fault, and if you can you could log it with BugTracker.  I'd do it myself but I am Soooo Busy at the moment I can barely find time to eat!
 :-(
...
Nick

"No good deed goes unpunished." :-x...