Koozali.org: home of the SME Server

Expired cert solution in wiki not working - missing folders

Offline winecooler

« on: September 12, 2013, 06:12:40 PM »
I'm having the issue where I get the ssl error constantly on my console. So to fix it I'm following the instructions in the wiki here. The first step tells me to do this:

Code:
cp /etc/e-smith/templates/home/e-smith/ssl.crt /etc/e-smith/templates-custom/home/e-smith/ssl.crt
However, there is no /home in the templates-custom folder. The only folder in there is /etc. Do I create a /home/e-smith folder or is there something else seriously wrong that I need to address first?

thanks!

Offline stephdl

« Reply #1 on: September 12, 2013, 07:26:35 PM »
Code:
mkdir -p /etc/e-smith/templates-custom/home/e-smith/
continue the how-to after that

Code:
cp /etc/e-smith/templates/home/e-smith/ssl.crt /etc/e-smith/templates-custom/home/e-smith/ssl.crt
See http://wiki.contribs.org/Koozali_Foundation
irc : Freenode #sme_server #sme-fr

!!! Please write your knowledge to the Wiki !!!

Offline winecooler

« Reply #2 on: September 12, 2013, 09:16:04 PM »
Okay I created the folder successfully, confirmed it was there. Then continued along with the instructions to fix the certificate errors (here).

I edited ssl.crt to extend it to 5 years, saved the file, confirmed it was set to the new value. I removed the 3 files specified (actually there were none in there anyhow). BTW, I don't see how removing 3 files will "force sme server to immediately create a new self signed certificate." I ran a post-upgrade and reboot afterwards.

The errors are still continuing. When I look in /home/e-smith/ssl.crt/ it is empty. Was the post-upgrade supposed to generate a new cert?

guest22

« Reply #3 on: September 12, 2013, 09:36:36 PM »
What error exactly do you get?

Offline winecooler

« Reply #4 on: September 12, 2013, 09:52:53 PM »
Code:
Syntax error on line 134 of /etc/httpd/conf/httpd.conf:
SSLCertificate:file ' /home/e-smith/ssl.crt/server.domain.crt' does not exist or is empty


Offline CharlieBrady

« Reply #5 on: September 12, 2013, 10:33:31 PM »
Quote
BTW, I don't see how removing 3 files will "force sme server to immediately create a new self signed certificate."

"immediate" is incorrect.

Quote
I ran a post-upgrade and reboot afterwards.

That should create a new certificate.

guest22

« Reply #6 on: September 12, 2013, 11:09:31 PM »
signal-event console-save
signal-event post-upgrade
signal-event reboot

Try that sequence.

Offline winecooler

« Reply #7 on: September 13, 2013, 02:43:44 AM »
I did that sequence and same result, there is nothing in /home/e-smith/ssl.crt/

Offline janet

« Reply #8 on: September 13, 2013, 03:57:11 AM »
winecooler

Please do the following & show us the output

cd /home/e-smith
ls -al

cd /home/e-smith/ssl.crt
ls -al

cd /home/e-smith/ssl.key
ls -al
cd /home/e-smith/ssl.pem
ls -al

cd /etc/e-smith/templates/home/e-smith
ls -al

cd /etc/e-smith/templates-custom/home/e-smith
ls -al


also
config show modSSL
« Last Edit: September 14, 2013, 02:52:08 AM by janet »
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline winecooler

« Reply #9 on: September 13, 2013, 04:25:34 AM »
Okay, I just took pictures, hope that's okay - here

some pics have multiple ls'

Offline CharlieBrady

« Reply #10 on: September 13, 2013, 10:21:23 PM »
Quote
I edited ssl.crt to extend it to 5 years, saved the file, ...

I recommend you delete that custom template file and follow the reconfiguration steps to generate a new standard certificate file. You don't need 5 years - SME server will generate a new certificate file before the old one expires.

I suspect whatever customisation you made isn't working quite right. If so, you may see error messages in /var/log/messages during attempted template expansion.

Offline janet

« Reply #11 on: September 14, 2013, 02:54:29 AM »
winecooler

As Charlie says, remove the custom template & reset the certificate.
Do:
rm /etc/e-smith/templates-custom/home/e-smith/ssl.crt
rmdir /etc/e-smith/templates-custom/home/e-smith

Then to reset the self signed certificate to standard do:

rm /home/e-smith/ssl.crt/*
rm /home/e-smith/ssl.key/*
rm /home/e-smith/ssl.pem/*
signal-event post-upgrade
signal-event reboot

That comes from
http://wiki.contribs.org/Certificates_Concepts#Expiration_time_of_the_self_signed_certificate

Let us know the outcome.

Once you get a standard certificate working & you know it's right, you can then make any custom template changes you want to.

From your photos:
ls -al /home/e-smith/ssl.crt

That is empty, which is not a good thing!
It matches your error:
Syntax error on line 134 of /etc/httpd/conf/httpd.conf:
SSLCertificate:file ' /home/e-smith/ssl.crt/server.domain.crt' does not exist or is empty

It should have had a file in there with a name like
backup.titqet.local.crt

When reset it will follow the name of your server & the main domain name.
« Last Edit: September 14, 2013, 03:09:11 AM by janet »

Offline janet

« Reply #12 on: September 14, 2013, 03:29:02 AM »
CharlieBrady

Quote
You don't need 5 years - SME server will generate a new certificate file before the old one expires.

Yes, but....
I'm sure you know this so for the benefit of others who don't, when the annual auto renewal happens, users who have put the self signed certificate into their browser etc, will get a warning message as the regenerated certificate is untrusted.
This causes "drama" as users get worried about these scary warnings & do not know or forget how to add the self signed certificate back into their browser's trusted root certificate list.

So a longer validity period removes this issue from happening annually, to every 5 years (or whatever validity period is chosen).
It does not remove the issue, but reduces the frequency of it happening.

Offline winecooler

« Reply #13 on: September 17, 2013, 08:25:56 AM »
Hi janet, okay I followed those last instructions and the errors have gone. There is a cert there now. BTW would you mind removing the real domain name text from your post? Don't need it searchable, thanks, just use "domain" or some such.

Thanks again!
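
Added example, not part of the thread and not SME Server's own code: a POSIX shell function that does the directory checks janet asks for in Reply #8 in one pass and flags the empty-file state behind the httpd error in Reply #4, plus an expiry check with openssl. The directory names come from the thread; the function name, status words, return codes and 30-day warning window are assumptions.

```shell
#!/bin/sh
# Added example. check_cert_store BASE [WARN_DAYS]
# Return codes (assumed convention): 0 all present, 1 something missing or
# empty, 2 files present but a certificate is expired, expiring or unreadable.
check_cert_store() {
    base=${1:-/home/e-smith}      # directory layout taken from the thread
    warn_days=${2:-30}            # assumed warning window, in days
    rc=0
    for sub in ssl.crt ssl.key ssl.pem; do
        dir="$base/$sub"
        if [ ! -d "$dir" ]; then
            echo "MISSING-DIR $dir"; rc=1; continue
        fi
        found=0
        for f in "$dir"/*; do
            [ -f "$f" ] || continue          # also skips the unexpanded glob
            found=1
            if [ ! -s "$f" ]; then
                # the state httpd reports as "does not exist or is empty"
                echo "EMPTY-FILE $f"; rc=1
            elif [ "$sub" != ssl.crt ]; then
                echo "OK $f"
            elif openssl x509 -in "$f" -noout \
                    -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
                echo "OK $f $(openssl x509 -in "$f" -noout -enddate)"
            else
                echo "EXPIRING-OR-INVALID $f"
                if [ "$rc" -eq 0 ]; then rc=2; fi
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "NO-FILES $dir"; rc=1
        fi
    done
    return "$rc"
}

# Run the check only when a base directory is given: sh check.sh /home/e-smith
if [ "$#" -gt 0 ]; then
    check_cert_store "$@"
fi
```

Running it before and after the reset sequence shows whether a certificate was actually regenerated, and the printed notAfter date confirms which validity period the new certificate carries.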