Koozali.org: home of the SME Server

Creating custom wildcard cacert.org certificate

rogato

Re: Creating custom wildcard cacert.org certificate
« Reply #30 on: June 20, 2007, 06:19:43 PM »
Quote from: "slords"
Code: [Select]
#!/usr/bin/perl
# Generate an OpenSSL config, an RSA key and a CSR that covers every domain
# on this SME server, each as both name.tld and the wildcard *.name.tld
# (listed in subjectAltName).

use strict;
use esmith::util;
use esmith::ConfigDB;
use esmith::DomainsDB;

my $config    = esmith::ConfigDB->open;
my $domainsdb = esmith::DomainsDB->open_ro;

# The primary domain comes first; every other domain in the domains DB follows.
my $domain = $config->get('DomainName')->value;
my %domain_names = map { $_->key => 1 } grep { $_->key ne $domain } $domainsdb->domains;

my @domains = ($domain, keys %domain_names);

# Write the "openssl req" config; every key = value pair must stay on one line.
open(CONFIG, ">$domains[0].config") or die "Can't open openssl config file: $!";
print CONFIG "HOME = .\nRANDFILE = \$ENV::HOME/.rnd\n\n";
print CONFIG "[ req ]\ndefault_bits = 1024\ndistinguished_name = req_distinguished_name\n";
print CONFIG "req_extensions = v3_req\nprompt = no\n\n";
print CONFIG "[ req_distinguished_name ]\nCN = $domains[0]\n\n";
print CONFIG "[ v3_req ]\nbasicConstraints = CA:FALSE\nkeyUsage = nonRepudiation,digitalSignature,keyEncipherment\n";
print CONFIG "subjectAltName = critical,", join ",", map { "DNS:$_,DNS:*.$_" } @domains;
print CONFIG "\n";
close(CONFIG) or die "Closing openssl config file reported: $!";

# Generate the private key only once, so a renewal can reuse it.
unless ( -f "$domains[0].key" )
{
    open(KEY, ">$domains[0].key") or die "Can't open key file: $!";
    unless (open(SSL,"-|"))
    {
        exec("/usr/bin/openssl",
            qw(genrsa -rand),
            join(':',
            qw(
                /proc/apm
                /proc/cpuinfo
                /proc/dma
                /proc/filesystems
                /proc/interrupts
                /proc/ioports
                /proc/bus/pci/devices
                /proc/rtc
                /proc/uptime
                )),
            '1024')
            || die "can't exec program: $!";
    }
    while (<SSL>)
    {
        print KEY $_;
    }
    close(SSL) or die "Closing openssl pipe reported: $!";
    close(KEY) or die "Closing key file reported: $!";
}

# Build the CSR from the config and key; this is what gets pasted into the CA's form.
open(CSR, ">$domains[0].csr") or die "Can't open csr $!";
unless (open(SSL,"-|"))
{
    exec("/usr/bin/openssl",
        qw(req -config), "$domains[0].config",
        qw(-new -key), "$domains[0].key",
        qw(-days 730 -set_serial), time())
        || die "can't exec program: $!";
}
while (<SSL>)
{
    print CSR $_;
}
close(SSL) or die "Closing openssl pipe reported: $!";
close(CSR) or die "Closing csr file reported: $!";


As root do the following:

# mkdir ~/cacert
# cd ~/cacert
** download the above code and store it in ~/cacert/cacert_csr_request
# chmod u+x cacert_csr_request
# ./cacert_csr_request
# cat {domain}.csr
** paste the output into the cacert.org website and get your certificate.  Save this in ~/cacert/{domain}.crt
# cp {domain}.crt /home/e-smith/ssl.crt/{domain}.crt
# cp {domain}.key /home/e-smith/ssl.key/{domain}.key
# config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
# config setprop modSSL key /home/e-smith/ssl.key/{domain}.key
# signal-event console-save

You will need to replace {domain} above with your primary domain name.  Also you will need to have all domains registered with your cacert.org account.  This will create a certificate that includes all domains that exist on your sme box as both simple domain.com and wildcard *.domain.com.

Once you have created/installed this certificate then if the client has the cacert.org root certificate installed then they should be able to go to any domain on your box and not get a warning.




Please help me
[root@rogs cacert]# ./cacert_csr_request
": No existe el fichero o el directorio.
Use -S to search $PATH for it.

jankowskid

Creating custom wildcard cacert.org certificate
« Reply #31 on: July 28, 2007, 04:23:58 AM »
After I paste into the CSR window on CAcert.org's site, I get the following error...

CommonName field was blank. This is usually caused by entering your own name when openssl prompt's you for 'YOUR NAME', or if you try to issue certificates for domains you haven't already verified, as such this process can't continue.

I have all the domains on my SME box verified on their web site, and they all show up in my generated config file from the script.  Also the .csr file 'looks' correct... Here is my .config:

Code: [Select]
HOME = .
RANDFILE = $ENV::HOME/.rnd

[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[ req_distinguished_name ]
CN = danoshome.dyndns.org

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage =  nonRepudiation,digitalSignature,keyEncipherment
subjectAltName = critical,DNS:danoshome.dyndns.org,DNS:*.danoshome.dyndns.org,DNS:northcoastcs.com,DNS:*.northcoastcs.com,DNS:jankowski.kicks-ass.net,DNS:*.jankowski.kicks-ass.net,DNS:jankoshome.dyndns.org,DNS:*.jankoshome.dyndns.org,DNS:copperfoots.com,DNS:*.copperfoots.com,DNS:copperfoot.com,DNS:*.copperfoot.com


Does CAcert have issues with dynamic hosts?  Any thoughts would be helpful...thanks.

Offline scheuing

Country Code?
« Reply #32 on: July 30, 2007, 06:24:29 PM »
I tried this how to and when I went to purchase the certificate it failed saying that the CSR was created with an invalid two-letter country code. I guess it should be US in my case, but I am not sure how to create the CSR with the valid country code.

Any ideas?

Thanks!

Offline cactus

Re: Creating custom wildcard cacert.org certificate
« Reply #33 on: August 25, 2007, 08:59:34 PM »
I was able to successfully install the CAcert signed certificate, but after that I got the following message repeatedly in my /var/log/messages file three times in 10 seconds:

Quote from: /var/log/messages
Aug 25 17:45:29 homer dhcpd: Internet Systems Consortium DHCP Server V3.0.1
Aug 25 17:45:29 homer dhcpd: Copyright 2004 Internet Systems Consortium.
Aug 25 17:45:29 homer dhcpd: All rights reserved.
Aug 25 17:45:29 homer dhcpd: For info, please visit http://www.isc.org/sw/dhcp/
Aug 25 17:45:29 homer dhcpd: Wrote 0 deleted host decls to leases file.
Aug 25 17:45:29 homer dhcpd: Wrote 0 new dynamic host decls to leases file.
Aug 25 17:45:29 homer dhcpd: Wrote 4 leases to leases file.
Aug 25 17:45:30 homer dhcpd:
Aug 25 17:45:30 homer dhcpd: No subnet declaration for eth0 (0.0.0.0).
Aug 25 17:45:30 homer dhcpd: ** Ignoring requests on eth0.  If this is not what
Aug 25 17:45:30 homer dhcpd:    you want, please write a subnet declaration
Aug 25 17:45:30 homer dhcpd:    in your dhcpd.conf file for the network segment
Aug 25 17:45:30 homer dhcpd:    to which interface eth0 is attached. **
Aug 25 17:45:30 homer dhcpd:
Aug 25 17:45:30 homer dhcpd:
Aug 25 17:45:30 homer dhcpd: Not configured to listen on any interfaces!
Aug 25 17:45:30 homer dhcpd:
Aug 25 17:45:30 homer dhcpd: If you did not get this software from ftp.isc.org, please
Aug 25 17:45:30 homer dhcpd: get the latest from ftp.isc.org and install that before
Aug 25 17:45:30 homer dhcpd: requesting help.
Aug 25 17:45:30 homer dhcpd:
Aug 25 17:45:30 homer dhcpd: If you did get this software from ftp.isc.org and have not
Aug 25 17:45:30 homer dhcpd: yet read the README, please read it before requesting help.
Aug 25 17:45:30 homer dhcpd: If you intend to request help from the dhcp-server@isc.org
Aug 25 17:45:30 homer dhcpd: mailing list, please read the section on the README about
Aug 25 17:45:30 homer dhcpd: submitting bug reports and requests for help.
Aug 25 17:45:30 homer dhcpd:
Aug 25 17:45:30 homer dhcpd: Please do not under any circumstances send requests for
Aug 25 17:45:30 homer dhcpd: help directly to the authors of this software - please
Aug 25 17:45:30 homer dhcpd: send them to the appropriate mailing list as described in
Aug 25 17:45:30 homer dhcpd: the README file.
Aug 25 17:45:30 homer dhcpd:
Aug 25 17:45:30 homer dhcpd: exiting.

I was able to solve it by issuing the following command restarting my NIC:
Code: [Select]
ifdown eth0; ifup eth0
I get the idea that it might have something to do with the smeserver-openvpn-bridge, as this is the message I get after reloading the NIC:

Quote from: /var/log/messages
Aug 25 20:44:35 homer dhcpd: Internet Systems Consortium DHCP Server V3.0.1
Aug 25 20:44:35 homer dhcpd: Copyright 2004 Internet Systems Consortium.
Aug 25 20:44:35 homer dhcpd: All rights reserved.
Aug 25 20:44:35 homer dhcpd: For info, please visit http://www.isc.org/sw/dhcp/
Aug 25 20:44:35 homer dhcpd: Wrote 0 deleted host decls to leases file.
Aug 25 20:44:35 homer dhcpd: Wrote 0 new dynamic host decls to leases file.
Aug 25 20:44:35 homer dhcpd: Wrote 4 leases to leases file.
Aug 25 20:44:35 homer dhcpd: Multiple interfaces match the same subnet: eth0 br0
Aug 25 20:44:35 homer dhcpd: Multiple interfaces match the same shared network: eth0 br0
Aug 25 20:44:35 homer dhcpd: Listening on LPF/eth0/00:10:a7:0b:e7:a9/192.168.55/24
Aug 25 20:44:35 homer dhcpd: Sending on   LPF/eth0/00:10:a7:0b:e7:a9/192.168.55/24
Aug 25 20:44:35 homer dhcpd: Sending on   Socket/fallback/fallback-net
Aug 25 20:44:45 homer kernel: br0: topology change detected, propagating
Aug 25 20:44:45 homer kernel: br0: port 1(eth0) entering forwarding state

Perhaps this might benefit others.
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline arnoldob

Re: Creating custom wildcard cacert.org certificate
« Reply #34 on: August 25, 2007, 10:46:54 PM »
Great work Shad! I was trying to work this out sometime ago but gave up. The how-to worked perfectly.
 :pint:
Tampa, FL USA

Offline imcintyre

Re: Creating custom wildcard cacert.org certificate
« Reply #35 on: October 28, 2007, 01:10:15 AM »
I am also getting the CommonName field empty error. Any solutions?

Offline 7eis

Re: Creating custom wildcard cacert.org certificate
« Reply #36 on: February 20, 2008, 05:55:23 AM »
Running 7.3 fully updated

I reckon this is a problem that others have had.

Code: [Select]
[root@box cacert]# ./cacert_csr_request
4762 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
......................................................++++++
...............++++++
e is 65537 (0x10001)
error on line 7 of domain.com.config
15992:error:0E066065:configuration file routines:CONF_load_bio:missing equal sign:conf_def.c:366:line 7
Closing openssl pipe reported:  at ./cacert_csr_request line 74.
domain.com.csr is EMPTY
domain.com.key contains a RSA key

content of domain.com.config:
Code: [Select]
HOME = .
RANDFILE = $ENV::HOME/.rnd

[ req ]
default_bits = 1024
distinguished_name =
req_distinguished_name
req_extensions = v3_req
prompt = no

[ req_distinguished_name ]
CN = dreijer.dk

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage =
nonRepudiation,digitalSignature,keyEncipherment
subjectAltName = critical,DNS:domain.com,DNS:*.domain.com,DNS:domain2.com,DNS:*. domain2.com,DNS:m.y.i.p,DNS:*.m.y.i.p

I've had the sme-certificate contrib installed previously, but its long gone now.

Any tips?
« Last Edit: February 20, 2008, 05:57:45 AM by 7eis »

Offline JonB

Re: Creating custom wildcard cacert.org certificate
« Reply #37 on: February 20, 2008, 06:22:14 AM »
Check and fix any line wraps that may have occurred when you created the cacert_csr_request script.

Jon
...
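The failures reported in this thread all come from the generated .config rather than from openssl itself: a line wrapped during copy/paste ("missing equal sign"), a blank CommonName, an invalid two-letter country code, and a stray space inside a subjectAltName entry. The checker below, an added example that is not part of the script or of any post here, lints such a file before the CSR is built; the sample config is constructed and the DNS-entry pattern is a deliberate simplification.

```python
import re

# Constructed sample in the shape the thread's script emits, carrying the
# defects reported in this thread: "distinguished_name" wrapped onto two lines
# (openssl: "missing equal sign"), a space inside a SAN entry, a bad country.
WRAPPED_CONFIG = """\
[ req ]
default_bits = 1024
distinguished_name =
req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
CN = domain.com
C = USA
[ v3_req ]
basicConstraints = CA:FALSE
subjectAltName = critical,DNS:domain.com,DNS:*. domain2.com
"""

SAN_ENTRY = re.compile(r"^DNS:(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

def lint_req_config(text):
    """Return the problems found; [] means the file is well-formed for 'openssl req'."""
    problems, section, dn, ext = [], None, {}, {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if "=" not in line:          # a wrapped continuation line lands here
            problems.append(f"line {n}: no '=' (wrapped line?): {line!r}")
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        if not value:
            problems.append(f"line {n}: empty value for {key!r} (wrapped line?)")
        if section == "req_distinguished_name":
            dn[key] = value
        elif section == "v3_req":
            ext[key] = value
    if not dn.get("CN"):
        problems.append("CN is missing or blank in [ req_distinguished_name ]")
    if "C" in dn and not re.fullmatch(r"[A-Z]{2}", dn["C"]):
        problems.append(f"C must be a two-letter country code, got {dn['C']!r}")
    for entry in ext.get("subjectAltName", "").split(","):
        if entry and entry != "critical" and not SAN_ENTRY.match(entry):
            problems.append(f"malformed subjectAltName entry {entry!r}")
    return problems
```

Run it over the `{domain}.config` the script writes; an empty result means the config will parse and the CA will find a CommonName.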

Offline 7eis

Re: Creating custom wildcard cacert.org certificate
« Reply #38 on: February 20, 2008, 08:28:08 PM »
Quote from: JonB
Check and fix any line wraps that may have occurred when you created the cacert_csr_request script.

Jon

I had to do a weird workaround for copy/pasting (not even sure that did the trick, but apparently it works now - need to check with cacerts before I have an absolute positive). I've uploaded the script to my server so you guys can wget it if you run into the same trouble.

http://dreijer.dk/cacert_csr_request

Cheers

EDIT: IT WORKS!  :D
« Last Edit: February 20, 2008, 08:50:45 PM by 7eis »

Offline arne

Re: Creating custom wildcard cacert.org certificate
« Reply #39 on: February 24, 2008, 12:08:00 AM »
Made the installation according to the first post at the very top.

Had some minor bugs, but these were traced down to be just my own finger trouble.

After some practice and learning about the issuing and installation of SSL certificates it all worked - from the internet side.

(I am for the moment running a CentOS host system plus a virtual Smoothwall plus a virtual SME 7.3 server-only. This should work equally like an ordinary LAN server behind an ordinary Smoothwall gateway.)

First Webmail etc. did not work properly from the LAN side. Just fixed this (on the XP workstation) by editing the file C:\WINDOWS\system32\drivers\etc , adding a text something like this "10.0.0.2 mydomain.com" (I guess that this DNS bug could have been fixed via the firewall as well.)

Then everything worked - from the internet outside and from the LAN inside.

Great post at the top and interesting thread and a lot of interesting info :)
« Last Edit: February 24, 2008, 12:13:47 AM by arne »
......

Offline linuxhelp

Re: Creating custom wildcard cacert.org certificate
« Reply #40 on: February 09, 2009, 05:15:38 PM »
Got this error..?

/root/cacert/cacert_csr_request: line 5: use: command not found
/root/cacert/cacert_csr_request: line 6: use: command not found
/root/cacert/cacert_csr_request: line 7: use: command not found
/root/cacert/cacert_csr_request: line 8: use: command not found
/root/cacert/cacert_csr_request: line 10: my: command not found
/root/cacert/cacert_csr_request: line 11: my: command not found
/root/cacert/cacert_csr_request: line 13: syntax error near unexpected token `('
/root/cacert/cacert_csr_request: line 13: `my $domain = $config->get('DomainName')->value;'
Linux PC & Server Support
http://www.linuxonlinehelp.de
.. i Love SME..

Offline byte

Re: Creating custom wildcard cacert.org certificate
« Reply #41 on: February 09, 2009, 06:58:24 PM »
Moving this topic to the SME 7.x contribs forum, it is more appropriate there. Thanks!
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!

Offline bunkobugsy

Re: Creating custom wildcard cacert.org certificate
« Reply #42 on: March 20, 2010, 03:50:17 AM »
Guys, go here http://cert.startcom.org/ follow the steps and get your free certificate then replace in the script 1024 with 2048 in 2 places and uncomment the line with #print CONFIG "default_md  = sha1\n"; and get your cert. Just did this myself and everything works perfectly.
Of course, the root cert is well known in IE and Firefox so no need to import it; might be worth mentioning in the WIKI.

Offline arnoldob

Re: Creating custom wildcard cacert.org certificate
« Reply #43 on: September 03, 2010, 08:52:11 PM »
Anyone work out how to deal with the renewal of the cert in this scenario?
Should I issue a new CSR input it at CAcert.org and get an all new cert?
Or do I simply replace the /home/e-smith/{domain}.crt with the new one issued by CAcert.org after I've renewed it on their site, what about the key?
« Last Edit: September 03, 2010, 08:53:47 PM by arnoldob »
Tampa, FL USA

Offline janet

Re: Creating custom wildcard cacert.org certificate
« Reply #44 on: September 04, 2010, 04:30:19 AM »
arnoldob

IIRC I did the first option, but that just leads to the ongoing annoyance factor of having to renew the certificate every 6 months (totally free version). I stopped using cacert free certificates after that, i.e. the benefits were less than the time spent reissuing certificates, as users still had to update the root certificate in their browser each time, leading to more annoyance.
You would be better off getting a cheap certificate from godaddy etc.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.