Koozali.org: home of the SME Server

Creating custom wildcard cacert.org certificate

Offline slords

Creating custom wildcard cacert.org certificate
« on: November 20, 2006, 06:32:42 PM »
Code:
#!/usr/bin/perl
# cacert_csr_request: write an openssl 'req' config that lists every domain on
# this SME box (plain and wildcard) as subjectAltName, generate a private key
# if none exists yet, and emit a CSR to paste into cacert.org.

use strict;
use esmith::util;
use esmith::ConfigDB;
use esmith::DomainsDB;

my $config   = esmith::ConfigDB->open;
my $domainsdb = esmith::DomainsDB->open_ro;

# Primary domain first, then every other domain the server knows about
my $domain = $config->get('DomainName')->value;
my %domain_names = map { $_->{key} => 1 } grep { $_->key ne $domain } $domainsdb->domains;

my @domains = ($domain, keys %domain_names);

# openssl config; every directive must stay on ONE line when this script is copied,
# otherwise openssl fails with "missing equal sign" on the wrapped line
open(CONFIG, ">$domains[0].config") or die "Can't open openssl config file: $!";
print CONFIG "HOME = .\nRANDFILE = \$ENV::HOME/.rnd\n\n";
print CONFIG "[ req ]\ndefault_bits = 1024\ndistinguished_name = req_distinguished_name\n";
print CONFIG "req_extensions = v3_req\nprompt = no\n\n";
print CONFIG "[ req_distinguished_name ]\nCN = $domains[0]\n\n";
print CONFIG "[ v3_req ]\nbasicConstraints = CA:FALSE\nkeyUsage = nonRepudiation,digitalSignature,keyEncipherment\n";
# One DNS:domain and one DNS:*.domain entry per domain
print CONFIG "subjectAltName = critical,", join ",", map { "DNS:$_,DNS:*.$_" } @domains;
print CONFIG "\n";
close(CONFIG) or die "Closing openssl config file reported: $!";

# Generate the key only once, so a re-run keeps the key the CSR belongs to
unless ( -f "$domains[0].key" )
{
    open(KEY, ">$domains[0].key") or die "Can't open key file: $!";
    # open(SSL, "-|") forks: the child exec()s openssl, the parent reads its stdout
    unless (open(SSL,"-|"))
    {
        exec("/usr/bin/openssl",
            qw(genrsa -rand),
            join(':',
            qw(
                /proc/apm
                /proc/cpuinfo
                /proc/dma
                /proc/filesystems
                /proc/interrupts
                /proc/ioports
                /proc/bus/pci/devices
                /proc/rtc
                /proc/uptime
                )),
            '1024')   # 1024-bit key as in 2006; public CAs now require at least 2048
            || die "can't exec program: $!";
    }
    while (<SSL>)
    {
        print KEY $_;
    }
    close(SSL) or die "Closing openssl pipe reported: $!";
    close(KEY) or die "Closing key file reported: $!";
}

# Build the CSR from the config and key; openssl prints the PEM request to stdout
open(CSR, ">$domains[0].csr") or die "Can't open csr $!";
unless (open(SSL,"-|"))
{
    exec("/usr/bin/openssl",
        qw(req -config), "$domains[0].config",
        qw(-new -key), "$domains[0].key",
        qw(-days 730 -set_serial), time())
        || die "can't exec program: $!";
}
while (<SSL>)
{
    print CSR $_;
}
close(SSL) or die "Closing openssl pipe reported: $!";
close(CSR) or die "Closing csr file reported: $!";


As root do the following:

# mkdir ~/cacert
# cd ~/cacert
** download the above code and store it in ~/cacert/cacert_csr_request
# chmod u+x cacert_csr_request
# ./cacert_csr_request
# cat {domain}.csr
** paste the output into the cacert.org website and get your certificate.  Save this in ~/cacert/{domain}.crt
# cp {domain}.crt /home/e-smith/ssl.crt/{domain}.crt
# cp {domain}.key /home/e-smith/ssl.key/{domain}.key
# config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
# config setprop modSSL key /home/e-smith/ssl.key/{domain}.key
# signal-event console-save

You will need to replace {domain} above with your primary domain name.  Also you will need to have all domains registered with your cacert.org account.  This will create a certificate that includes all domains that exist on your SME box as both the simple domain.com and the wildcard *.domain.com.

Once you have created/installed this certificate, then if the client has the cacert.org root certificate installed they should be able to go to any domain on your box and not get a warning.
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs,
and the Universe trying to produce bigger and better idiots. So far, the Universe is winning." -- Rich Cook
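The flow the script above implements, reworked in Python as an added example (this is not the thread's Perl script nor SME Server code): build the openssl 'req' config with one plain and one wildcard DNS entry per domain, read the SAN list back as a check that every domain is covered both ways (what cacert.org echoes back as "subjectAltName: DNS:x" / "DNS:*.x"), and, only when an openssl binary is on PATH, run the same genrsa and req steps to produce the key and CSR. The domain names, the work directory and the 2048-bit key size (the 2006 script used 1024, which public CAs no longer accept) are assumptions.

```python
"""Added example (not the thread's Perl script): the same CSR-request flow in Python.
Domain names, the 2048-bit key size and the work directory are assumptions."""
import re
import shutil
import subprocess
from pathlib import Path


def san_entries(domains):
    """One 'DNS:d' plus one 'DNS:*.d' entry per domain, in order, duplicates dropped.
    This is what the script's  map { "DNS:$_,DNS:*.$_" } @domains  produces."""
    ordered = list(dict.fromkeys(domains))
    return [e for d in ordered for e in (f"DNS:{d}", f"DNS:*.{d}")]


def build_req_config(primary, other_domains=(), bits=2048):
    """Return the openssl 'req' config the script writes to <primary>.config.
    The primary domain is the CN and comes first in the SAN list; other_domains
    stands in for what esmith::DomainsDB lists on an SME box."""
    domains = [primary] + [d for d in other_domains if d != primary]
    lines = [
        "HOME = .",
        "RANDFILE = $ENV::HOME/.rnd",
        "",
        "[ req ]",
        f"default_bits = {bits}",   # 2048: public CAs stopped accepting 1024-bit keys
        "distinguished_name = req_distinguished_name",
        "req_extensions = v3_req",
        "prompt = no",
        "",
        "[ req_distinguished_name ]",
        f"CN = {primary}",
        "",
        "[ v3_req ]",
        "basicConstraints = CA:FALSE",
        "keyUsage = nonRepudiation,digitalSignature,keyEncipherment",
        "subjectAltName = critical," + ",".join(san_entries(domains)),
    ]
    # Every directive on one line and the file terminated by a newline: openssl's
    # config parser needs both (a wrapped line shows up as "missing equal sign").
    return "\n".join(lines) + "\n"


def sans_from_config(text):
    """Read the DNS entries of subjectAltName back out of a config text."""
    m = re.search(r"^subjectAltName\s*=\s*(.*)$", text, re.M)
    if not m:
        return []
    return [e.strip() for e in m.group(1).split(",") if e.strip().startswith("DNS:")]


def covers_all(config_text, domains):
    """True when every domain appears both plain and as a wildcard."""
    present = set(sans_from_config(config_text))
    return all(f"DNS:{d}" in present and f"DNS:*.{d}" in present for d in domains)


def make_csr(workdir, primary, other_domains=()):
    """Write <primary>.config, generate <primary>.key once, write <primary>.csr,
    mirroring the script's two openssl invocations. Returns the CSR path, or None
    when no openssl binary is installed (so the example still imports offline)."""
    openssl = shutil.which("openssl")
    if openssl is None:
        return None
    workdir = Path(workdir)
    cfg, key, csr = (workdir / f"{primary}.{ext}" for ext in ("config", "key", "csr"))
    cfg.write_text(build_req_config(primary, other_domains))
    if not key.exists():   # keep an existing key, exactly as the script does
        # genrsa writes the PEM key to stdout and its progress dots to stderr
        key.write_bytes(subprocess.run([openssl, "genrsa", "2048"],
                                       check=True, capture_output=True).stdout)
    csr.write_bytes(subprocess.run([openssl, "req", "-config", str(cfg), "-new", "-key", str(key)],
                                   check=True, capture_output=True).stdout)
    return csr


if __name__ == "__main__":
    # Constructed sample domains standing in for DomainName plus the DomainsDB entries
    cfg_text = build_req_config("example.com", ["mail.example.com", "example.net"])
    print(cfg_text)
    print("all domains covered:",
          covers_all(cfg_text, ["example.com", "mail.example.com", "example.net"]))
```

Run it in an empty directory; `make_csr(".", "example.com", [...])` leaves the same three files the Perl script does, and `cat example.com.csr` is what gets pasted into the cacert.org form.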

Offline dmay

Creating custom wildcard cacert.org certificate
« Reply #1 on: November 20, 2006, 09:07:29 PM »
Shad,

There are line wraps in your displayed code above that will cause execution to fail if one simply cuts/pastes your displayed code. You might wish to post your cacert_csr_request file for download.

Darrell

Offline byte

Re: Creating custom wildcard cacert.org certificate
« Reply #2 on: November 20, 2006, 09:38:53 PM »
Quote from: "slords"
#!/usr/bin/perl
my $config   = esmith::ConfigDB->open;

Shad,

Shouldn't this line be...

my $config   = esmith::ConfigDB->open_ro;

? Thanks for the nice tool!
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!

Offline byte

Creating custom wildcard cacert.org certificate
« Reply #3 on: November 20, 2006, 09:49:22 PM »
Quote from: "dmay"

There are lines wraps in your displayed code above that will cause execution to fail if one simply cuts/pastes your displayed code. You might wish to post your cacert_csr_request file for download.


Darrell, I just managed to copy it into a text file OK without line wraps, took it over to the test SME Server and could generate a key with the contents of that text file.
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!

Offline william_syd

Creating custom wildcard cacert.org certificate
« Reply #4 on: November 21, 2006, 12:11:42 AM »
Certificate info reported by cacert.org
Code:
Please make sure the following details are correct before proceeding any further.

CommonName: magicwilly.info
subjectAltName: DNS:magicwilly.info
subjectAltName: DNS:*.magicwilly.info
subjectAltName: DNS:wally2.magicwilly.info
subjectAltName: DNS:*.wally2.magicwilly.info
subjectAltName: DNS:wally.magicwilly.info
subjectAltName: DNS:*.wally.magicwilly.info
subjectAltName: DNS:wally1.magicwilly.info
subjectAltName: DNS:*.wally1.magicwilly.info
No additional information will be included on certificates because it can not be automatically checked by the system.


This is for..
Code:
magicwilly.info
wally.magicwilly.info
wally1.magicwilly.info
wally2.magicwilly.info
Regards,
William

IF I give advise.. It's only if it was me....

Offline Teviot

Creating custom wildcard cacert.org certificate
« Reply #5 on: November 29, 2006, 09:21:37 AM »
I followed the instructions by slords and now have the following error displayed on the screen of my SME Server

Code:
Syntax error on line 138 of /etc/httpd/conf/httpd.conf
SSLCertificateKeyFile: file '/home/e-smith/ssl.crt.xxxxxx.xxx.key' does not exsist or is empty


Can anyone point me in the right direction?  My web server has stopped working since this error appeared
Regards
M0GLJ
I am new to SAIL SME Server v8b6 and have been using SME for many years.
I have already done some research and only ask questions if I still can't work it out.

Offline william_syd

Creating custom wildcard cacert.org certificate
« Reply #6 on: November 29, 2006, 09:51:32 AM »
Quote from: "teviot"


Can anyone point me in the right direction?  My web server has stopped working since this error appeared


You probably want to undo what you did then try again.

You have to undo this bit...
Code:
# cp {domain}.crt /home/e-smith/ssl.crt/{domain}.crt
# cp {domain}.key /home/e-smith/ssl.key/{domain}.key
# config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
# config setprop modSSL key /home/e-smith/ssl.crt/{domain}.key


Try..
Code:
# config delprop modSSL crt
# config delprop modSSL key


Then delete everything in

/home/e-smith/ssl.crt/  and  /home/e-smith/ssl.key/

Then..
Code:
signal-event console-save
signal-event post-upgrade
signal-event reboot
Regards,
William

IF I give advise.. It's only if it was me....

Offline william_syd

Creating custom wildcard cacert.org certificate
« Reply #7 on: November 29, 2006, 09:56:49 AM »
Quote from: "teviot"
I followed the instructions by slords and now have the following error displayed on the screen of my SME Server

Code:
Syntax error on line 138 of /etc/httpd/conf/httpd.conf
SSLCertificateKeyFile: file '/home/e-smith/ssl.crt.teviot.net.key' does not exsist or is empty


Can anyone point me in the right direction?  My web server has stopped working since this error appeared


Code:
config setprop modSSL key /home/e-smith/ssl.crt/{domain}.key

Did you replace a / with a . just before {domain} ??

Code:
config printprop modSSL key

will show what you typed.
Regards,
William

IF I give advise.. It's only if it was me....

Offline Teviot

Creating custom wildcard cacert.org certificate
« Reply #8 on: November 29, 2006, 10:17:45 AM »
Hi

Thanks again william_syd.

This I managed to fix myself.  What I did was to copy the missing file to the correct directory and everything is working again.  It even stopped internet access, which was most disturbing.

Thanks again for your help. But as I didn't have net access I didn't get your response until I copied the file across.
Regards
M0GLJ
I am new to SAIL SME Server v8b6 and have been using SME for many years.
I have already done some research and only ask questions if I still can't work it out.

Offline william_syd

Creating custom wildcard cacert.org certificate
« Reply #9 on: November 29, 2006, 11:51:23 AM »
Quote from: "teviot"
 It even stopped internet access which was most disturbing.


That's why my firewall/router is a different box that I never touch (mostly).
Regards,
William

IF I give advise.. It's only if it was me....

Offline cno

Creating custom wildcard cacert.org certificate
« Reply #10 on: November 29, 2006, 09:12:13 PM »
I got this error

Code:
./cacert_csr_request

4196 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
...++++++
..++++++
e is 65537 (0x10001)
error on line 7 of xx-xxxx.dk.config
10301:error:0E066065:configuration file routines:CONF_load_bio:missing equal sign:conf_def.c:366:line 7
Closing openssl pipe reported:  at ./cacert_csr_request line 74.


xx-xxxx.dk is my primary domain

Offline pmstewart

Error while generating cert
« Reply #11 on: December 11, 2006, 03:56:28 PM »
When generating the certificate I receive this error:

error on line 7 of {domain}.com.config
4404:error:0E066065:configuration file routines:CONF_load_bio:missing equal sign:conf_def.c:366:line 7
Closing openssl pipe reported:  at ./cacert_csr_request line 74.


This is a fresh install of sme 7.0

Offline slords

Re: Error while generating cert
« Reply #12 on: December 11, 2006, 04:07:22 PM »
Quote from: "pmstewart"
error on line 7 of sitbs.com.config
4404:error:0E066065:configuration file routines:CONF_load_bio:missing equal sign:conf_def.c:366:line 7
Closing openssl pipe reported:  at ./cacert_csr_request line 74


Please post the output of the sitbs.com.config file.
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs,
and the Universe trying to produce bigger and better idiots. So far, the Universe is winning." -- Rich Cook

Offline kingjm

key file
« Reply #13 on: December 12, 2006, 05:41:50 AM »
I understand that I should copy the key file to ssl.key folder

but why

config setprop modSSL key /home/e-smith/ssl.crt/{domain}.key

Should this be ... /ssl.key/{domain}.key ?

I only ask because I have tried both ways and yours doesn't change the cert when I check with my browser.

When I try it my way I can't access my webpage at all.
The advice about delprop modSSL key/crt works, thanks.

Any advice as to what is going on?

Offline william_syd

Re: key file
« Reply #14 on: December 12, 2006, 06:10:10 AM »
Quote from: "kingjm"

should this be ... /ssl.key/{domain}.key



Any advice as to what is going on?


Has the original post been corrected ?
Regards,
William

IF I give advise.. It's only if it was me....

Offline ldkeen

Creating custom wildcard cacert.org certificate
« Reply #15 on: December 12, 2006, 11:42:33 AM »
Shad,

This is brilliant work, I've been trying for ages to get this working - I even bought a cheap SSL certificate (which I couldn't work out how to use). Your instructions worked like a dream and now I don't get those annoying warnings anymore. Thanks heaps.

Quote from: "dmay"
There are lines wraps in your displayed code

I came across this as well but I think it's more to do with how you copy the code - not the code itself. I'm not sure, but I just used dos2unix to strip out the carriage returns and all was well.
Code:
#dos2unix cacert_csr_request
Lloyd

Offline kingjm

old certs
« Reply #16 on: December 12, 2006, 04:45:24 PM »
should we be deleting the old crts and keys before we
signal-event config-console

Maybe this is why it is not working for me...

Offline pmstewart

Creating custom wildcard cacert.org certificate
« Reply #17 on: December 12, 2006, 06:17:29 PM »
I have recently re-installed SME 7....posting the contents is not possible.

There is so much information in the contribs about ssl certificates it's hard
to know which one's work in which situations.

Thanks for the reply

Offline Smitro

Creating custom wildcard cacert.org certificate
« Reply #18 on: December 19, 2006, 01:27:14 AM »
Because of errors in IE7 with webmail, I'm wanting to get my SSL certs sorted out. Is it possible for someone who has done this successfully to put it into a how-to on the Wiki? It's a little confusing atm and, from what it seems, different people came out with different solutions. I have a test box here that I'm willing to test it on if someone is able to write up the how-to.

Thanks.

Offline stephen noble

Creating custom wildcard cacert.org certificate
« Reply #19 on: December 19, 2006, 02:01:03 AM »
Ignore all other methods, this is the definitive guide

the only area this howto could be clarified are the steps you should take at cacert.org, shad did mention what you need to achieve just not how you do it

<snip>
> Also you will need to have all domains registered with your cacert.org account.


each howto needn't go into how to edit files or set db values

Offline william_syd

Creating custom wildcard cacert.org certificate
« Reply #20 on: December 19, 2006, 02:38:27 AM »
Quote from: "Smitro"
Because of errors in IE7 with webmail. I'm wanting to get my SSL certs sorted out. Is it possible for some one who has done this successfully to put it into a how to on the Wikki? it's a little confusing atm and for what it seems different people came out with different solutions. I have a test box here that I'm willing to test it on if some one is able to write up the how to.

Thanks.


The howto is in the first post.

Register your domains at CAcert first.
Regards,
William

IF I give advise.. It's only if it was me....

Offline kingjm

mail still using old cert
« Reply #21 on: January 28, 2007, 08:14:03 AM »
I have finally figured out how to install these certs and get everything working.  When I open Safari and Firefox it does not ask me to look at the certificates any more.

However I am using imap ssl and smtp ssl
mail.app is still asking for me to look at the old certs ie: sme.domain.com instead of domain.com

Then once I rebooted everything was OK.

I thought I would put this in for everyone else

Offline mcp_dk

Re: Error while generating cert
« Reply #22 on: February 09, 2007, 04:23:58 PM »
Quote from: "slords"
Quote from: "pmstewart"
error on line 7 of sitbs.com.config
4404:error:0E066065:configuration file routines:CONF_load_bio:missing equal sign:conf_def.c:366:line 7
Closing openssl pipe reported:  at ./cacert_csr_request line 74


Please post the output of the sitbs.com.config file.


I got this exact same error. Did you ever manage to find out what caused it?
Who is General Failure and why is he reading my harddrive?

Offline slords

Creating custom wildcard cacert.org certificate
« Reply #23 on: February 09, 2007, 04:26:17 PM »
The config file was never posted so it was never fixed.  Post your config file and lets see what the issue is.
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs,
and the Universe trying to produce bigger and better idiots. So far, the Universe is winning." -- Rich Cook

Offline Normando

Creating custom wildcard cacert.org certificate
« Reply #24 on: March 17, 2007, 03:07:19 AM »
Slords, I created a page in the wiki HowTo. Check if it is all OK, and thank you for your contrib.

Offline cjensen

Re: Error while generating cert
« Reply #25 on: March 28, 2007, 04:37:51 AM »
Quote from: "slords"
Quote from: "pmstewart"
error on line 7 of sitbs.com.config
4404:error:0E066065:configuration file routines:CONF_load_bio:missing equal sign:conf_def.c:366:line 7
Closing openssl pipe reported:  at ./cacert_csr_request line 74


Please post the output of the sitbs.com.config file.


Quote from: "mcp_dk"

I got this exact same error. DId you ever manage to find out what caused it?

This error is from your not correcting any line wraps in the script.  Look at the script. Lines must not wrap.

CJensen

Offline pmstewart

Creating custom wildcard cacert.org certificate
« Reply #26 on: March 28, 2007, 03:09:29 PM »
Sorry, I wasn't watching the thread like I should have.

Quote


[root@~]# cat /root/cacert/domain.com.config
HOME = .
RANDFILE = $ENV::HOME/.rnd

[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[ req_distinguished_name ]
CN = domain.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation,digitalSignature,keyEncipherment
subjectAltName = critical,DNS:domain.com,DNS:*.domain.com


hope this helps.......

Offline kingjm

upgrade 7.1.3 no https from outside
« Reply #27 on: April 17, 2007, 05:11:56 PM »
I have upgraded to the current version and now I can access https:// only from inside the network not from the outside. Could this have anything to do with these certs? I can still access my imaps from outside.

any ideas where to look?
Edit: just found this post about certs being reset
http://forums.contribs.org/index.php?topic=36334.0

Offline shell

Creating custom wildcard cacert.org certificate
« Reply #28 on: May 16, 2007, 05:20:57 AM »
trying the process from this thread but after running the script
(which doesn't ask for input):?
i have the script and 3 files - all for my primary domain.  

i assume i am wanting the .key, .csr and .config for the other domains on my server, so if there are 4 virtual domains i would be expecting 12 other files.

anyone know if this process is still valid?  running 7.1.3
or more likely i'm doing something wrong...

WHICH I WAS!!!
"This will create a certificate that includes all domains that exists on your sme box as both simple domain.com and wildcard *.domain.com."
Have noted the "a certificate"
My beef.... sorry :oops:

cosmin

CA Certificate and Webmail
« Reply #29 on: May 21, 2007, 01:19:06 PM »
After installing a new CA certificate I can no longer connect to webmail. In the logs I have:

May 20 22:46:34 main HORDE[4221]: [imp] FAILED LOGIN 85.186.x.x to localhost:143[imap/notls] as cosmin [on line 258 of "/home/httpd/html/horde/imp/lib/Auth/imp.php"]

2007-05-20 22:46:34.731791500 imapfront-auth[7672]: * OK imapfront ready.
2007-05-20 22:46:34.734150500 2007.05.20 19:46:34 LOG5[7671:3086706368]: Using 'imap' as tcpwrapper service name
2007-05-20 22:46:34.738671500 2007.05.20 19:46:34 LOG3[7671:3086706368]: Error reading certificate file: imapd.pem
2007-05-20 22:46:34.738792500 2007.05.20 19:46:34 LOG3[7671:3086706368]: SSL_CTX_use_certificate_chain_file: error:0906D066:PEM routines:PEM_read_bio:bad end line
2007-05-20 22:46:34.758962500 tcpsvd: info: end 7671 exit 1
2007-05-20 22:46:34.758969500 tcpsvd: info: status 0/400

What must I do to make it work? For now I have deleted the .crt and .key files and removed them from the config too, and webmail works again (but it keeps saying that the certificate is wrong).

Thanks
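The stunnel line above, "PEM_read_bio:bad end line", is OpenSSL's error for a PEM file whose "-----END ...-----" marker is missing, truncated, or does not match the BEGIN marker of the block it closes; one common way to produce it is concatenating a certificate and a key when the first file has no trailing newline, so the END and the next BEGIN marker land on one line. The checker below is an added example (not from the thread, not SME Server code) that reports exactly these defects before a daemon is handed the file; its sample PEM inputs are constructed, with a minimal DER SEQUENCE standing in for a real certificate body.

```python
"""Added example (not from the thread): sanity-check a PEM file before a daemon
reads it. The sample inputs are constructed; the DER body is a minimal SEQUENCE."""
import base64
import binascii
import re

BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def check_pem(text):
    """Return (problems, labels). problems: human-readable findings with line
    numbers; labels: the block types that were well-formed, in file order."""
    problems, labels = [], []
    label, body = None, []          # block currently open, and its base64 lines
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()          # tolerate CRLF and trailing blanks
        m = BEGIN.match(line)
        if m:
            if label is not None:
                problems.append(f"line {n}: BEGIN {m.group(1)} inside an open {label} block (END line missing)")
            label, body = m.group(1), []
            continue
        m = END.match(line)
        if m:
            if label is None:
                problems.append(f"line {n}: END {m.group(1)} without a matching BEGIN")
            elif m.group(1) != label:
                problems.append(f"line {n}: END {m.group(1)} does not match BEGIN {label}")
            else:
                try:
                    der = base64.b64decode("".join(body), validate=True)
                    # X.509 certs, CSRs and RSA keys all start with a DER SEQUENCE (0x30)
                    if not der or der[0] != 0x30:
                        problems.append(f"line {n}: {label} body does not decode to a DER SEQUENCE")
                    else:
                        labels.append(label)
                except binascii.Error:
                    problems.append(f"line {n}: {label} body is not valid base64")
            label, body = None, []
            continue
        if line.startswith("-----"):
            # e.g. "-----END CERTIFICATE----------BEGIN RSA PRIVATE KEY-----": two files
            # concatenated without a newline between them
            problems.append(f"line {n}: malformed marker line {line!r}")
            continue
        if label is not None and line:
            body.append(line)
    if label is not None:
        problems.append(f"{label} block has no END line (file truncated?)")
    if text and not text.endswith("\n"):
        problems.append("file does not end with a newline")
    return problems, labels


# Constructed samples. "MAMCAQU=" is base64 of 30 03 02 01 05, a DER SEQUENCE { INTEGER 5 }.
SAMPLE_OK = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
SAMPLE_MERGED = ("-----BEGIN CERTIFICATE-----\nMAMCAQU=\n"
                 "-----END CERTIFICATE----------BEGIN RSA PRIVATE KEY-----\n"
                 "MAMCAQU=\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_TRUNCATED = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n"
SAMPLE_GARBAGE = "-----BEGIN CERTIFICATE-----\nnot base64!\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, sample in [("ok", SAMPLE_OK), ("merged", SAMPLE_MERGED),
                         ("truncated", SAMPLE_TRUNCATED), ("garbage", SAMPLE_GARBAGE)]:
        problems, labels = check_pem(sample)
        print(name, labels, problems)
```

To check a real file, read it with `open(path).read()` and pass the text to `check_pem`; an empty problem list and the expected labels (for example `['CERTIFICATE', 'RSA PRIVATE KEY']` for a combined file) is what a daemon will accept.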

rogato

Re: Creating custom wildcard cacert.org certificate
« Reply #30 on: June 20, 2007, 06:19:43 PM »
Quote from: "slords"
Code:
#!/usr/bin/perl

use strict;
use esmith::util;
use esmith::ConfigDB;
use esmith::DomainsDB;

my $config   = esmith::ConfigDB->open;
my $domainsdb = esmith::DomainsDB->open_ro;

my $domain = $config->get('DomainName')->value;
my %domain_names = map { $_->{key} => 1 } grep { $_->key ne $domain } $domainsdb->domains;

my @domains = ($domain, keys %domain_names);

open(CONFIG, ">$domains[0].config") or die "Can't open openssl config file: $!";
print CONFIG "HOME = .\nRANDFILE = \$ENV::HOME/.rnd\n\n";
print CONFIG "[ req ]\ndefault_bits = 1024\ndistinguished_name = req_distinguished_name\n";
print CONFIG "req_extensions = v3_req\nprompt = no\n\n";
print CONFIG "[ req_distinguished_name ]\nCN = $domains[0]\n\n";
print CONFIG "[ v3_req ]\nbasicConstraints = CA:FALSE\nkeyUsage = nonRepudiation,digitalSignature,keyEncipherment\n";
print CONFIG "subjectAltName = critical,", join ",", map { "DNS:$_,DNS:*.$_" } @domains;
print CONFIG "\n";
close(CONFIG) or die "Closing openssl config file reported: $!";

unless ( -f "$domains[0].key" )
{
    open(KEY, ">$domains[0].key") or die "Can't open key file: $!";
    unless (open(SSL,"-|"))
    {
        exec("/usr/bin/openssl",
            qw(genrsa -rand),
            join(':',
            qw(
                /proc/apm
                /proc/cpuinfo
                /proc/dma
                /proc/filesystems
                /proc/interrupts
                /proc/ioports
                /proc/bus/pci/devices
                /proc/rtc
                /proc/uptime
                )),
            '1024')
            || die "can't exec program: $!";
    }
    while (<SSL>)
    {
        print KEY $_;
    }
    close(SSL) or die "Closing openssl pipe reported: $!";
    close(KEY) or die "Closing key file reported: $!";
}

open(CSR, ">$domains[0].csr") or die "Can't open csr $!";
unless (open(SSL,"-|"))
{
    exec("/usr/bin/openssl",
        qw(req -config), "$domains[0].config",
        qw(-new -key), "$domains[0].key",
        qw(-days 730 -set_serial), time())
        || die "can't exec program: $!";
}
while (<SSL>)
{
    print CSR $_;
}
close(SSL) or die "Closing openssl pipe reported: $!";
close(CSR) or die "Closing csr file reported: $!";


As root do the following:

# mkdir ~/cacert
# cd ~/cacert
** download the above code and store it in ~/cacert/cacert_csr_request
# chmod u+x cacert_csr_request
# ./cacert_csr_request
# cat {domain}.csr
** paste the output into the cacert.org website and get your certificate.  Save this in ~/cacert/{domain}.crt
# cp {domain}.crt /home/e-smith/ssl.crt/{domain}.crt
# cp {domain}.key /home/e-smith/ssl.key/{domain}.key
# config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
# config setprop modSSL key /home/e-smith/ssl.key/{domain}.key
# signal-event console-save

You will need to replace {domain} above with your primary domain name.  Also you will need to have all domains registered with your cacert.org account.  This will create a certificate that includes all domains that exists on your sme box as both simple domain.com and wildcard *.domain.com.

Once you have created/installed this certificate then if the client has the cacert.org root certificate installed then they should be able to go to any domain on your box and not get a warning.




plz help me
[root@rogs cacert]# ./cacert_csr_request
": No existe el fichero o el directorio.
Use -S to search $PATH for it.

jankowskid

Creating custom wildcard cacert.org certificate
« Reply #31 on: July 28, 2007, 04:23:58 AM »
After I paste into the CSR window on CAcert.org's site, I get the following error...

CommonName field was blank. This is usually caused by entering your own name when openssl prompt's you for 'YOUR NAME', or if you try to issue certificates for domains you haven't already verified, as such this process can't continue.

I have all the domains on my SME box verified on their web site, and they all show up in my generated config file from the script.  Also the .csr file 'looks' correct ...Here is my .config

Code:
HOME = .
RANDFILE = $ENV::HOME/.rnd

[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[ req_distinguished_name ]
CN = danoshome.dyndns.org

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage =  nonRepudiation,digitalSignature,keyEncipherment
subjectAltName = critical,DNS:danoshome.dyndns.org,DNS:*.danoshome.dyndns.org,DNS:northcoastcs.com,DNS:*.northcoastcs.com,DNS:jankowski.kicks-ass.net,DNS:*.jankowski.kicks-ass.net,DNS:jankoshome.dyndns.org,DNS:*.jankoshome.dyndns.org,DNS:copperfoots.com,DNS:*.copperfoots.com,DNS:copperfoot.com,DNS:*.copperfoot.com


Does CAcert have issues with dynamic hosts?  Any thoughts would be helpful...thanks.

Offline scheuing

Country Code?
« Reply #32 on: July 30, 2007, 06:24:29 PM »
I tried this how to and when I went to purchase the certificate it failed saying that the CSR was created with an invalid two-letter country code. I guess it should be US in my case, but I am not sure how to create the CSR with the valid country code.

Any ideas?

Thanks!

Offline cactus

Re: Creating custom wildcard cacert.org certificate
« Reply #33 on: August 25, 2007, 08:59:34 PM »
I was able to successfully install the CAcert signed certificate, but after that I got the following message repeatedly in my /var/log/messages file three times in 10 seconds:

Quote from: /var/log/messages
Aug 25 17:45:29 homer dhcpd: Internet Systems Consortium DHCP Server V3.0.1
Aug 25 17:45:29 homer dhcpd: Copyright 2004 Internet Systems Consortium.
Aug 25 17:45:29 homer dhcpd: All rights reserved.
Aug 25 17:45:29 homer dhcpd: For info, please visit http://www.isc.org/sw/dhcp/
Aug 25 17:45:29 homer dhcpd: Wrote 0 deleted host decls to leases file.
Aug 25 17:45:29 homer dhcpd: Wrote 0 new dynamic host decls to leases file.
Aug 25 17:45:29 homer dhcpd: Wrote 4 leases to leases file.
Aug 25 17:45:30 homer dhcpd:
Aug 25 17:45:30 homer dhcpd: No subnet declaration for eth0 (0.0.0.0).
Aug 25 17:45:30 homer dhcpd: ** Ignoring requests on eth0.  If this is not what
Aug 25 17:45:30 homer dhcpd:    you want, please write a subnet declaration
Aug 25 17:45:30 homer dhcpd:    in your dhcpd.conf file for the network segment
Aug 25 17:45:30 homer dhcpd:    to which interface eth0 is attached. **
Aug 25 17:45:30 homer dhcpd:
Aug 25 17:45:30 homer dhcpd:
Aug 25 17:45:30 homer dhcpd: Not configured to listen on any interfaces!
Aug 25 17:45:30 homer dhcpd:
Aug 25 17:45:30 homer dhcpd: If you did not get this software from ftp.isc.org, please
Aug 25 17:45:30 homer dhcpd: get the latest from ftp.isc.org and install that before
Aug 25 17:45:30 homer dhcpd: requesting help.
Aug 25 17:45:30 homer dhcpd:
Aug 25 17:45:30 homer dhcpd: If you did get this software from ftp.isc.org and have not
Aug 25 17:45:30 homer dhcpd: yet read the README, please read it before requesting help.
Aug 25 17:45:30 homer dhcpd: If you intend to request help from the dhcp-server@isc.org
Aug 25 17:45:30 homer dhcpd: mailing list, please read the section on the README about
Aug 25 17:45:30 homer dhcpd: submitting bug reports and requests for help.
Aug 25 17:45:30 homer dhcpd:
Aug 25 17:45:30 homer dhcpd: Please do not under any circumstances send requests for
Aug 25 17:45:30 homer dhcpd: help directly to the authors of this software - please
Aug 25 17:45:30 homer dhcpd: send them to the appropriate mailing list as described in
Aug 25 17:45:30 homer dhcpd: the README file.
Aug 25 17:45:30 homer dhcpd:
Aug 25 17:45:30 homer dhcpd: exiting.

I was able to solve it by issuing the following command restarting my NIC:
Code:
ifdown eth0; ifup eth0
I get the idea that it might have to do something with the smeserver-openvpn-bridge as this is the message I get after reloading the NIC:

Quote from: /var/log/messages
Aug 25 20:44:35 homer dhcpd: Internet Systems Consortium DHCP Server V3.0.1
Aug 25 20:44:35 homer dhcpd: Copyright 2004 Internet Systems Consortium.
Aug 25 20:44:35 homer dhcpd: All rights reserved.
Aug 25 20:44:35 homer dhcpd: For info, please visit http://www.isc.org/sw/dhcp/
Aug 25 20:44:35 homer dhcpd: Wrote 0 deleted host decls to leases file.
Aug 25 20:44:35 homer dhcpd: Wrote 0 new dynamic host decls to leases file.
Aug 25 20:44:35 homer dhcpd: Wrote 4 leases to leases file.
Aug 25 20:44:35 homer dhcpd: Multiple interfaces match the same subnet: eth0 br0
Aug 25 20:44:35 homer dhcpd: Multiple interfaces match the same shared network: eth0 br0
Aug 25 20:44:35 homer dhcpd: Listening on LPF/eth0/00:10:a7:0b:e7:a9/192.168.55/24
Aug 25 20:44:35 homer dhcpd: Sending on   LPF/eth0/00:10:a7:0b:e7:a9/192.168.55/24
Aug 25 20:44:35 homer dhcpd: Sending on   Socket/fallback/fallback-net
Aug 25 20:44:45 homer kernel: br0: topology change detected, propagating
Aug 25 20:44:45 homer kernel: br0: port 1(eth0) entering forwarding state

Perhaps this might benefit others.
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline arnoldob

Re: Creating custom wildcard cacert.org certificate
« Reply #34 on: August 25, 2007, 10:46:54 PM »
Great work Shad! I was trying to work this out sometime ago but gave up. The how-to worked perfectly.
 :pint:
Tampa, FL USA

Offline imcintyre

Re: Creating custom wildcard cacert.org certificate
« Reply #35 on: October 28, 2007, 01:10:15 AM »
I am also getting the CommonName field empty error. Any solutions?

Offline 7eis

Re: Creating custom wildcard cacert.org certificate
« Reply #36 on: February 20, 2008, 05:55:23 AM »
Running 7.3 fully updated

I reckon this is a problem that others have had.
Code:
[root@box cacert]# ./cacert_csr_request
4762 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
......................................................++++++
...............++++++
e is 65537 (0x10001)
error on line 7 of domain.com.config
15992:error:0E066065:configuration file routines:CONF_load_bio:missing equal sign:conf_def.c:366:line 7
Closing openssl pipe reported:  at ./cacert_csr_request line 74.
domain.com.csr is EMPTY
domain.com.key contains a RSA key

content of domain.com.config:
Code:
HOME = .
RANDFILE = $ENV::HOME/.rnd

[ req ]
default_bits = 1024
distinguished_name =
req_distinguished_name
req_extensions = v3_req
prompt = no

[ req_distinguished_name ]
CN = dreijer.dk

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage =
nonRepudiation,digitalSignature,keyEncipherment
subjectAltName = critical,DNS:domain.com,DNS:*.domain.com,DNS:domain2.com,DNS:*. domain2.com,DNS:m.y.i.p,DNS:*.m.y.i.p

I've had the sme-certificate contrib installed previously, but its long gone now.

Any tips?[/code][/code]
« Last Edit: February 20, 2008, 05:57:45 AM by 7eis »

Offline JonB

  • *
  • 351
  • +0/-0
Re: Creating custom wildcard cacert.org certificate
« Reply #37 on: February 20, 2008, 06:22:14 AM »
Check and fix any line wraps that may have occurred when you created the cacert_csr_request script.

Jon
...
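
The "missing equal sign" on line 7 reported in the post above is what OpenSSL's config parser says when a `key = value` directive has been broken across two lines by a paste: the first line ends at the `=` and the second line carries the bare value, which has no `=` at all. As an added example (not part of this thread and not one of the SME Server scripts), the Python below checks a request config for exactly that kind of damage, plus stray whitespace inside a `subjectAltName` entry, and for comparison emits the same `[ req ]` layout one directive per line from a list of domains. The config text it checks is a constructed copy of the one posted, with `domain.com` standing in for the real names; the 2048-bit key size and sha256 digest used as defaults in the builder are this example's assumption, not values the thread specifies.

```python
import re

# Constructed copy of the wrapped config from the post above (domain names
# replaced).  Two directives were split across lines by the paste, and a space
# crept into one SAN entry.
WRAPPED_CONFIG = """HOME = .
RANDFILE = $ENV::HOME/.rnd

[ req ]
default_bits = 1024
distinguished_name =
req_distinguished_name
req_extensions = v3_req
prompt = no

[ req_distinguished_name ]
CN = domain.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage =
nonRepudiation,digitalSignature,keyEncipherment
subjectAltName = critical,DNS:domain.com,DNS:*.domain.com,DNS:domain2.com,DNS:*. domain2.com
"""

SECTION_RE = re.compile(r"^\s*\[\s*[^\]]+\s*\]\s*$")
KEYVAL_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*)$")


def check_config(text):
    """Return a list of (line_number, message) for lines OpenSSL's config
    parser would reject, or that would silently produce a bad request."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        # Blank lines, comments and [section] headers are fine as they are.
        if not stripped or stripped.startswith("#") or SECTION_RE.match(line):
            continue
        m = KEYVAL_RE.match(line)
        if not m:
            # This is the line OpenSSL itself stops on ("missing equal sign").
            problems.append((lineno, "missing equal sign (wrapped line?)"))
            continue
        key, value = m.group(1), m.group(2).strip()
        if value == "":
            # OpenSSL accepts an empty value, so only the following bare line
            # errors out; flag this one too, since it is where the wrap began.
            problems.append((lineno, f"{key} has an empty value (value wrapped to next line?)"))
        elif key == "subjectAltName":
            for entry in value.split(","):
                if entry.startswith("DNS:") and " " in entry:
                    problems.append((lineno, f"whitespace inside SAN entry {entry!r}"))
    return problems


def build_config(domains, bits=2048, md="sha256"):
    """Emit the thread's [ req ] layout with one directive per line so nothing
    can wrap.  Key size and digest are parameters; 2048/sha256 are the
    defaults this example assumes."""
    if not domains:
        raise ValueError("at least one domain is required")
    sans = ",".join(f"DNS:{d},DNS:*.{d}" for d in domains)
    lines = [
        "HOME = .",
        "RANDFILE = $ENV::HOME/.rnd",
        "",
        "[ req ]",
        f"default_bits = {bits}",
        f"default_md = {md}",
        "distinguished_name = req_distinguished_name",
        "req_extensions = v3_req",
        "prompt = no",
        "",
        "[ req_distinguished_name ]",
        f"CN = {domains[0]}",
        "",
        "[ v3_req ]",
        "basicConstraints = CA:FALSE",
        "keyUsage = nonRepudiation,digitalSignature,keyEncipherment",
        f"subjectAltName = critical,{sans}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for lineno, msg in check_config(WRAPPED_CONFIG):
        print(f"line {lineno}: {msg}")
    fresh = build_config(["example.com", "example.net"])
    print(fresh)
```

Run against the posted config the checker flags lines 6 and 7 (the wrapped `distinguished_name`), 16 and 17 (the wrapped `keyUsage`) and the `DNS:*. domain2.com` entry on line 18; OpenSSL only reports the first hard error, line 7, so fixing that alone would leave the second wrap to fail on the next run. A config produced by `build_config` passes the checker clean.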

Offline 7eis

  • *
  • 47
  • +0/-0
Re: Creating custom wildcard cacert.org certificate
« Reply #38 on: February 20, 2008, 08:28:08 PM »
Quote
Check and fix any line wraps that may have occurred when you created the cacert_csr_request script.

Jon

I had to do a weird workaround for copy/pasting (not even sure that did the trick, but apparently it works now - need to check with cacerts before I have an absolute positive). I've uploaded the script to my server so you guys can wget it if you run into the same trouble.

http://dreijer.dk/cacert_csr_request

Cheers

EDIT: IT WORKS!  :D
« Last Edit: February 20, 2008, 08:50:45 PM by 7eis »

Offline arne

  • ****
  • 1,116
  • +0/-4
Re: Creating custom wildcard cacert.org certificate
« Reply #39 on: February 24, 2008, 12:08:00 AM »
Made the installation according to the first post at the very top.

Had some minor bugs, but these were traced down to just my own finger trouble.

After some practice and learning about the issuing and installation of SSL certificates it all worked - from the internet side.

(I am for the moment running a CentOS host system plus a virtual Smoothwall plus a virtual SME 7.3 server-only. This should work equally well as an ordinary LAN server behind an ordinary Smoothwall gateway.)

First, Webmail etc. did not work properly from the LAN side. Just fixed this (on the XP workstation) by editing the file C:\WINDOWS\system32\drivers\etc , adding a text something like this "10.0.0.2 mydomain.com". (I guess that this DNS bug could have been fixed via the firewall as well.)

Then everything worked - from the internet outside and from the lan inside.

Great post at the top, an interesting thread and a lot of interesting info :)
« Last Edit: February 24, 2008, 12:13:47 AM by arne »
......

Offline linuxhelp

  • *
  • 173
  • +0/-0
    • Linux PC & Server Support
Re: Creating custom wildcard cacert.org certificate
« Reply #40 on: February 09, 2009, 05:15:38 PM »
Got this error..?

/root/cacert/cacert_csr_request: line 5: use: command not found
/root/cacert/cacert_csr_request: line 6: use: command not found
/root/cacert/cacert_csr_request: line 7: use: command not found
/root/cacert/cacert_csr_request: line 8: use: command not found
/root/cacert/cacert_csr_request: line 10: my: command not found
/root/cacert/cacert_csr_request: line 11: my: command not found
/root/cacert/cacert_csr_request: line 13: syntax error near unexpected token `('
/root/cacert/cacert_csr_request: line 13: `my $domain = $config->get('DomainName')->value;'
Linux PC & Server Support
http://www.linuxonlinehelp.de
.. i Love SME..

Offline byte

  • *
  • 2,183
  • +2/-0
Re: Creating custom wildcard cacert.org certificate
« Reply #41 on: February 09, 2009, 06:58:24 PM »
Moving this topic to the SME 7.x contribs forum, it is more appropriate there. Thanks!
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!

Offline bunkobugsy

  • *
  • 270
  • +4/-0
Re: Creating custom wildcard cacert.org certificate
« Reply #42 on: March 20, 2010, 03:50:17 AM »
Guys, go here http://cert.startcom.org/ , follow the steps and get your free certificate, then replace 1024 with 2048 in 2 places in the script, uncomment the line with #print CONFIG "default_md  = sha1\n"; and get your cert. Just did this myself and everything works perfectly.
Of course, the root cert is well known in IE and Firefox so no need to import it; might be worth mentioning in the WIKI.

Offline arnoldob

  • *
  • 183
  • +0/-0
Re: Creating custom wildcard cacert.org certificate
« Reply #43 on: September 03, 2010, 08:52:11 PM »
Anyone work out how to deal with the renewal of the cert in this scenario?
Should I issue a new CSR, input it at CAcert.org and get an all-new cert?
Or do I simply replace the /home/e-smith/{domain}.crt with the new one issued by CAcert.org after I've renewed it on their site? What about the key?
« Last Edit: September 03, 2010, 08:53:47 PM by arnoldob »
Tampa, FL USA

Offline janet

  • ****
  • 4,812
  • +0/-0
Re: Creating custom wildcard cacert.org certificate
« Reply #44 on: September 04, 2010, 04:30:19 AM »
arnoldob

IIRC I did the first option, but that just leads to the ongoing annoyance factor of having to renew the certificate every 6 months (totally free version). I stopped using cacert free certificates after that, ie the benefits were less than the time spent reissuing certificates, as users still had to update the root certificate in their browser each time, leading to more annoyance.
You would be better off getting a cheap certificate from godaddy etc.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline arnoldob

  • *
  • 183
  • +0/-0
Re: Creating custom wildcard cacert.org certificate
« Reply #45 on: September 04, 2010, 04:36:44 AM »
Yeah, I ended up just doing a new CSR request as well. I'll check into the godaddy option; it is a bit of a pain to fuss with twice a year. Any other suggestion for a cheap, widely accepted cert?
Tampa, FL USA

Offline janet

  • ****
  • 4,812
  • +0/-0
Re: Creating custom wildcard cacert.org certificate
« Reply #46 on: September 04, 2010, 04:57:00 AM »
arnoldob

Quote
it is a bit of a pain to fuss with twice a year. Any other suggestion for a cheap, widely accepted cert?

There is the cacert possibility of a 2 year certificate for free, but you have to physically meet someone in your area who is an authorised cacert approver (I forget their exact terminology).
It's their way of establishing trust "on the cheap" ie 2 humans doing a handshake. Check the cacert website for further details.

There are many cheap certificate providers now, do a google search or search these forums as some names have been mentioned a few times. I think someone like godaddy (AU$50 per year for 2 yrs or longer for a single domain) is cheap but reliable. The same cannot necessarily be said for other unknown or little known certificate providers, so it's really a trade off between reliability of security and cost. Your organisation's requirements may call for a much more expensive brand of certificate or a higher spec'd godaddy certificate ie the Premium offerings.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.