Koozali.org: home of the SME Server

Creating custom wildcard cacert.org certificate

slords
Creating custom wildcard cacert.org certificate
« on: November 20, 2006, 06:32:42 PM »
Code:
#!/usr/bin/perl
#
# cacert_csr_request: write an OpenSSL request config that lists every
# domain on this SME Server (bare and wildcard), generate a private key
# once, and emit a CSR to paste into cacert.org.

use strict;
use warnings;
use esmith::ConfigDB;
use esmith::DomainsDB;

# Both databases are only read here, so open them read-only.
my $config    = esmith::ConfigDB->open_ro;
my $domainsdb = esmith::DomainsDB->open_ro;

# Primary domain first, then every other domain in the domains db.
my $domain = $config->get('DomainName')->value;
my %domain_names = map { $_->key => 1 } grep { $_->key ne $domain } $domainsdb->domains;
my @domains = ($domain, sort keys %domain_names);

my $base = $domains[0];    # output files are named after the primary domain

# Files created from here on (notably the private key) must not be
# readable by anyone but root.
umask 0077;

# OpenSSL request configuration.  1024-bit RSA is what was posted in 2006;
# public CAs have required at least 2048 bits for years, so raise
# default_bits and the genrsa size below before using this today.
open(CONFIG, ">$base.config") or die "Can't open openssl config file: $!";
print CONFIG "HOME = .\nRANDFILE = \$ENV::HOME/.rnd\n\n";
print CONFIG "[ req ]\ndefault_bits = 1024\ndistinguished_name = req_distinguished_name\n";
print CONFIG "req_extensions = v3_req\nprompt = no\n\n";
print CONFIG "[ req_distinguished_name ]\nCN = $base\n\n";
print CONFIG "[ v3_req ]\nbasicConstraints = CA:FALSE\nkeyUsage = nonRepudiation,digitalSignature,keyEncipherment\n";
# Every domain appears twice in the SAN: DNS:domain.com and DNS:*.domain.com
print CONFIG "subjectAltName = critical,", join(",", map { "DNS:$_,DNS:*.$_" } @domains), "\n";
close(CONFIG) or die "Closing openssl config file reported: $!";

# Fork, run openssl in the child, and copy its stdout into $outfile.
# Dies on any failure so a truncated key or CSR is never left behind silently.
sub run_openssl_to
{
    my ($outfile, @args) = @_;
    open(OUT, ">$outfile") or die "Can't open $outfile: $!";
    my $pid = open(SSL, "-|");
    die "Can't fork: $!" unless defined $pid;
    unless ($pid)
    {
        # child
        exec("/usr/bin/openssl", @args) or die "can't exec program: $!";
    }
    while (<SSL>)
    {
        print OUT $_;
    }
    close(SSL) or die "Closing openssl pipe reported: $!";
    close(OUT) or die "Closing $outfile reported: $!";
}

# Generate the key only once, so re-running the script (e.g. after adding a
# domain) produces a new CSR for the same key.
unless ( -f "$base.key" )
{
    run_openssl_to("$base.key",
        qw(genrsa -rand),
        join(':', qw(
            /proc/apm
            /proc/cpuinfo
            /proc/dma
            /proc/filesystems
            /proc/interrupts
            /proc/ioports
            /proc/bus/pci/devices
            /proc/rtc
            /proc/uptime
        )),
        '1024');
}

# -days and -set_serial only affect self-signed (-x509) output; with -new
# they are ignored, and the CA decides the serial and validity when it signs.
run_openssl_to("$base.csr",
    qw(req -config), "$base.config",
    qw(-new -key), "$base.key",
    qw(-days 730 -set_serial), time());


As root do the following:

# mkdir ~/cacert
# cd ~/cacert
** download the above code and store it in ~/cacert/cacert_csr_request
# chmod u+x cacert_csr_request
# ./cacert_csr_request
# cat {domain}.csr
** paste the output into the cacert.org website and get your certificate.  Save this in ~/cacert/{domain}.crt
# cp {domain}.crt /home/e-smith/ssl.crt/{domain}.crt
# cp {domain}.key /home/e-smith/ssl.key/{domain}.key
# config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
# config setprop modSSL key /home/e-smith/ssl.key/{domain}.key
# signal-event console-save

You will need to replace {domain} above with your primary domain name.  Also you will need to have all domains registered with your cacert.org account.  This will create a certificate that includes all domains that exist on your sme box as both simple domain.com and wildcard *.domain.com.

Once you have created/installed this certificate then if the client has the cacert.org root certificate installed then they should be able to go to any domain on your box and not get a warning.
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs,
and the Universe trying to produce bigger and better idiots. So far, the Universe is winning." -- Rich Cook
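Two checks worth running between the steps above, as an added example (not code from the original post or from SME Server): one after `./cacert_csr_request`, to confirm the CSR really names every domain bare and wildcard before pasting it into cacert.org (this is the list cacert.org echoes back in reply #4), and one after saving {domain}.crt, to confirm the certificate and key files exist, are non-empty, are root-only, and belong together before `config setprop modSSL ...` points Apache at them. A wrong path or a mismatched pair is exactly what takes the web server down in replies #5 to #8 and #13, and `signal-event console-save` gives no warning. It assumes an `openssl` binary on PATH and the file names used in the post; the script name `check_cert_pair.sh` is just a placeholder.

```shell
#!/bin/sh
# Pre-flight checks around the cacert_csr_request procedure.
# Added example, not from the original post. Assumes openssl on PATH and
# the {domain}.csr / {domain}.key / {domain}.crt names used in the post.

# Print the DNS names in a CSR's subjectAltName, one per line.
csr_dns_names() {
    openssl req -noout -text -in "$1" 2>/dev/null \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Fail unless the CSR names every domain given, both bare and wildcard.
check_csr_covers() {
    csr=$1; shift
    names=$(csr_dns_names "$csr")
    rc=0
    for d in "$@"; do
        for want in "$d" "*.$d"; do
            if ! printf '%s\n' "$names" | grep -qxF -- "$want"; then
                echo "ERROR: $csr lacks SAN DNS:$want" >&2
                rc=1
            fi
        done
    done
    return $rc
}

# Verify a cert/key pair before pointing modSSL at it: both files present
# and non-empty (the exact failure Apache reports), key readable only by
# its owner, and the key matching the certificate's public key.
check_ssl_pair() {
    crt=$1; key=$2
    for f in "$crt" "$key"; do
        if [ ! -s "$f" ]; then
            echo "ERROR: '$f' does not exist or is empty" >&2
            return 1
        fi
    done
    # group/other permission bits from ls -l (portable, unlike stat -c)
    bits=$(ls -ld "$key" | cut -c5-10)
    [ "$bits" = "------" ] || echo "WARN: $key is readable by group/other (mode bits '$bits')" >&2
    cm=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null) \
        || { echo "ERROR: $crt is not a PEM certificate" >&2; return 1; }
    km=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) \
        || { echo "ERROR: $key is not a PEM RSA private key" >&2; return 1; }
    if [ "$cm" != "$km" ]; then
        echo "ERROR: $crt was not issued for the key in $key" >&2
        return 1
    fi
    openssl x509 -noout -subject -dates -in "$crt"
    return 0
}

# Typical use, matching the steps in the post:
#   ./check_cert_pair.sh csr example.com.csr example.com otherdomain.com
#   ./check_cert_pair.sh pair /home/e-smith/ssl.crt/example.com.crt \
#                            /home/e-smith/ssl.key/example.com.key
case ${1-} in
    csr)  shift; check_csr_covers "$@" ;;
    pair) shift; check_ssl_pair "$1" "$2" ;;
esac
```

Run the `pair` check against the paths you are about to pass to `config setprop`, not against the copies in ~/cacert; a typo in the destination path is the case it exists to catch. The modulus comparison is the cheapest way to prove a CA-issued certificate belongs to the key on disk, and it also catches the case where the script was re-run and silently generated a fresh key after the CSR had been submitted.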

dmay (http://myezserver.com)
Creating custom wildcard cacert.org certificate
« Reply #1 on: November 20, 2006, 09:07:29 PM »
Shad,

There are line wraps in your displayed code above that will cause execution to fail if one simply cuts/pastes your displayed code. You might wish to post your cacert_csr_request file for download.

Darrell

byte
Re: Creating custom wildcard cacert.org certificate
« Reply #2 on: November 20, 2006, 09:38:53 PM »
Quote from: "slords"
Code:
#!/usr/bin/perl
my $config   = esmith::ConfigDB->open;

Shad,

Shouldn't this line be...

my $config   = esmith::ConfigDB->open_ro;

? Thanks for the nice tool!
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!

byte
Creating custom wildcard cacert.org certificate
« Reply #3 on: November 20, 2006, 09:49:22 PM »
Quote from: "dmay"
There are line wraps in your displayed code above that will cause execution to fail if one simply cuts/pastes your displayed code. You might wish to post your cacert_csr_request file for download.


Darrell, I just managed to copy in a text file ok without line wraps, took it over to the test SME Server and could generate key with results of text file.

william_syd (http://www.magicwilly.info)
Creating custom wildcard cacert.org certificate
« Reply #4 on: November 21, 2006, 12:11:42 AM »
Certificate info reported by cacert.org
Code:
Please make sure the following details are correct before proceeding any further.

CommonName: magicwilly.info
subjectAltName: DNS:magicwilly.info
subjectAltName: DNS:*.magicwilly.info
subjectAltName: DNS:wally2.magicwilly.info
subjectAltName: DNS:*.wally2.magicwilly.info
subjectAltName: DNS:wally.magicwilly.info
subjectAltName: DNS:*.wally.magicwilly.info
subjectAltName: DNS:wally1.magicwilly.info
subjectAltName: DNS:*.wally1.magicwilly.info
No additional information will be included on certificates because it can not be automatically checked by the system.


This is for..
Code:
magicwilly.info
wally.magicwilly.info
wally1.magicwilly.info
wally2.magicwilly.info
Regards,
William

IF I give advise.. It's only if it was me....

Teviot
Creating custom wildcard cacert.org certificate
« Reply #5 on: November 29, 2006, 09:21:37 AM »
I followed the instruction by slords and now have the following error displayed on the screen on my SME Server

Code:
Syntax error on line 138 of /etc/httpd/conf/httpd.conf
SSLCertificateKeyFile: file '/home/e-smith/ssl.crt.xxxxxx.xxx.key' does not exist or is empty


Can anyone point me in the right direction?  My web server has stopped working since this error appeared
Regards
M0GLJ
......................................................
I am new to SAIL SME Server v8b6 and have been using SME for many years.
I have already done some research and only ask questions if I still can't work it out.

william_syd
Creating custom wildcard cacert.org certificate
« Reply #6 on: November 29, 2006, 09:51:32 AM »
Quote from: "teviot"
Can anyone point me in the right direction?  My web server has stopped working since this error appeared

You probably want to undo what you did then try again.

You have to undo this bit...
Code:
# cp {domain}.crt /home/e-smith/ssl.crt/{domain}.crt
# cp {domain}.key /home/e-smith/ssl.key/{domain}.key
# config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
# config setprop modSSL key /home/e-smith/ssl.crt/{domain}.key


Try..
Code:
# config delprop modSSL crt
# config delprop modSSL key


Then delete everything in

/home/e-smith/ssl.crt/  and  /home/e-smith/ssl.key/

Then..
Code:
signal-event console-save
signal-event post-upgrade
signal-event reboot
Regards,
William


william_syd
Creating custom wildcard cacert.org certificate
« Reply #7 on: November 29, 2006, 09:56:49 AM »
Quote from: "teviot"
I followed the instruction by slords and now have the following error displayed on the screen on my SME Server

Code:
Syntax error on line 138 of /etc/httpd/conf/httpd.conf
SSLCertificateKeyFile: file '/home/e-smith/ssl.crt.teviot.net.key' does not exist or is empty

Can anyone point me in the right direction?  My web server has stopped working since this error appeared


Code:
config setprop modSSL key /home/e-smith/ssl.crt/{domain}.key

Did you replace a / with a . just before {domain} ??

Code:
config printprop modSSL key

will show what you typed.
Regards,
William


Teviot
Creating custom wildcard cacert.org certificate
« Reply #8 on: November 29, 2006, 10:17:45 AM »
Hi

Thanks again william_syd.

This I managed to fix myself.  What I did was to copy the missing file to the correct directory and everything is working again.  It even stopped internet access, which was most disturbing.

Thanks again for your help. But as I didn't have net access I didn't get your response until I copied the file across.
Regards
M0GLJ

william_syd
Creating custom wildcard cacert.org certificate
« Reply #9 on: November 29, 2006, 11:51:23 AM »
Quote from: "teviot"
It even stopped internet access which was most disturbing.

That's why my firewall/router is a different box that I never touch (mostly).
Regards,
William


cno
Creating custom wildcard cacert.org certificate
« Reply #10 on: November 29, 2006, 09:12:13 PM »
I got this error

Code:
./cacert_csr_request

4196 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
...++++++
..++++++
e is 65537 (0x10001)
error on line 7 of xx-xxxx.dk.config
10301:error:0E066065:configuration file routines:CONF_load_bio:missing equal sign:conf_def.c:366:line 7
Closing openssl pipe reported:  at ./cacert_csr_request line 74.


xx-xxxx.dk is my primary domain

pmstewart
Error while generating cert
« Reply #11 on: December 11, 2006, 03:56:28 PM »
When generating the certificate I receive this error:

error on line 7 of {domain}.com.config
4404:error:0E066065:configuration file routines:CONF_load_bio:missing equal sign:conf_def.c:366:line 7
Closing openssl pipe reported:  at ./cacert_csr_request line 74.


This is a fresh install of sme 7.0

slords
Re: Error while generating cert
« Reply #12 on: December 11, 2006, 04:07:22 PM »
Quote from: "pmstewart"
error on line 7 of sitbs.com.config
4404:error:0E066065:configuration file routines:CONF_load_bio:missing equal sign:conf_def.c:366:line 7
Closing openssl pipe reported:  at ./cacert_csr_request line 74


Please post the output of the sitbs.com.config file.

kingjm (www.iking.ca)
key file
« Reply #13 on: December 12, 2006, 05:41:50 AM »
I understand that I should copy the key file to ssl.key folder

but why

config setprop modSSL key /home/e-smith/ssl.crt/{domain}.key

should this be ... /ssl.key/{domain}.key

I only ask because I have tried both ways and yours doesn't change the cert when I check with my browser.

When I try it my way I can't access my webpage at all.
The advise about delprop modSSL key/crt works thanks

Any advice as to what is going on?

william_syd
Re: key file
« Reply #14 on: December 12, 2006, 06:10:10 AM »
Quote from: "kingjm"
should this be ... /ssl.key/{domain}.key

Any advice as to what is going on?

Has the original post been corrected ?
Regards,
William