Koozali.org: home of the SME Server

Set different SSL on each ibay / vhost

Offline dhalliday

  • *
  • 41
  • +0/-0
Set different SSL on each ibay / vhost
« on: December 29, 2017, 10:08:36 PM »
I am trying to find the recommended way to set the SSL cert / key and chain file for each ibay / virtualhost.

I have found the docs on setting the SSL for the main site / webmail, but that is not appropriate, as there are multiple SSL certificates for ibays that are not subdomains. For example www.foobar.com, www.fredbloggs.com etc. I actually don't really care about the webmail aspect.

I do see there is a template to set the SSL param for an ibay:

/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/25SSLDirectives

But it only seems to turn SSL on.

One thought I had was that I could override this and do some hack. For example add a big switch based on $domain->key and output paths to SSL files manually.

Wondering if this has already come up and what others do.

Any pointers or help would be appreciated.

Many Thanks,

Dave.

Offline DanB35

  • ****
  • 764
  • +0/-0
    • http://www.familybrown.org
Re: Set different SSL on each ibay / vhost
« Reply #1 on: December 30, 2017, 01:29:38 PM »
Quote
I am trying to find the recommended way to set the SSL cert / key and chain file for each ibay / virtualhost.
Not really possible.  That would require SNI, which SME doesn't support.  However, you can get a single cert from Let's Encrypt which will cover all your hostnames.  See https://wiki.contribs.org/Letsencrypt.

Offline mmccarn

  • *
  • 2,626
  • +10/-0
Re: Set different SSL on each ibay / vhost
« Reply #2 on: December 30, 2017, 01:35:46 PM »
Here's an old forum post discussing the issue:
https://forums.contribs.org/index.php?topic=52270.0


Offline dhalliday

  • *
  • 41
  • +0/-0
Re: Set different SSL on each ibay / vhost
« Reply #3 on: January 01, 2018, 09:25:23 AM »
Thanks all for the pointers. Having done something similar on a traditional CentOS system I had some ideas on how to do this, but was not familiar with what SME Server had to offer.

I am using a commercial Comodo positive SSL certificate for the ibays. To make this work temporarily on my SME Server I have:

1) Created a folder in /home/e-smith/files/ibays/daveweb/ssl

Where davidweb is the ibay name.

2) Placed the ssl key, chain (intermediate) and crt files in as

Code: [Select]
    ssl.key
    ssl.crt
    ssl.chainfile

Make sure the files are not globally readable (chmod o-r * in the ssl directory).

3) To the httpd.conf file, in the vhost section, I added SSL directives pointing to the three files.

Code: [Select]
    SSLCertificateChainFile /home/e-smith/files/ibays/davidweb/ssl/ssl.chainfile
    SSLCertificateFile /home/e-smith/files/ibays/davidweb/ssl/ssl.crt
    SSLCertificateKeyFile /home/e-smith/files/ibays/davidweb/ssl/ssl.key

4) Added the following line above all Vhost definitions.

Code: [Select]
    SSLStrictSNIVHostCheck off
This line is needed to allow selection of the correct certificate through TLS.

I tested these changes and it all works well, but obviously when the server is updated the httpd.conf changes will all come crashing down.

I suppose the next step is to hard wire a custom template for 25SSLDirectives to add the directives to the vhost and find a suitable template to override to add the HostCheck line.

It's been a very long time since I hacked the templates directly, but there used to be a dev guide someplace that gave some pointers.

Thanks Guys,

Dave.

« Last Edit: January 01, 2018, 09:28:52 AM by dhalliday »

Offline DanB35

  • ****
  • 764
  • +0/-0
    • http://www.familybrown.org
Re: Set different SSL on each ibay / vhost
« Reply #4 on: January 01, 2018, 01:29:50 PM »
Quote
I tested these changes and it all works well
Glad you have it working.  But what have you accomplished?  What in particular requires a different cert for each ibay in your installation?  I'd understand if you were using an EV cert, to get the green bar in the browser, but you aren't--the Positive SSL cert is a DV cert just like the one provided by Let's Encrypt.  But rather than getting the cert for free, and being able to automate its renewal, you're paying $50/year/domain (based on the prices I'm seeing on positivessl.com for a 3-year cert), needing to manually renew, and manually install the renewed cert.

And lest it be unclear, this is a genuine question; I'm not asking rhetorically or trying to be snarky: why do you think you need to do this, or what benefit do you think you'll receive from doing this?  This question comes up from time to time, but most of the time (as in the thread @mmccarn linked to) it's because of a misunderstanding of what's needed.  It's perfectly possible--simple, even--to get a single cert that covers multiple domain names.

Offline mmccarn

  • *
  • 2,626
  • +10/-0
Re: Set different SSL on each ibay / vhost
« Reply #5 on: January 01, 2018, 04:08:08 PM »
Here's a walk-through of how to figure out what to do with the custom template fragment(s):
https://wiki.contribs.org/Template_Tutorial#Detailed_generic_troubleshooting_.26_configuration_steps

For the VirtualHosts/25SSLDirectives, copy and customize:
 /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts/25SSLDirectives

Your custom code will need to check for the specific ibay you're working on (davidweb), or create some new db variables pointing to the cert files like this:
Code: [Select]
db accounts setprop davidweb IbaySSLCertificateChainFile '/home/e-smith/files/ibays/davidweb/ssl/ssl.chainfile'

Then add code to your new custom template fragment that pulls it out if present, or sets a default if not, like this:
Code: [Select]
my $ibaySSLCertificateChainFile = $ibay->prop("IbaySSLCertificateChainFile") || "disabled";

Then add conditional code to a customized version of Virtualhosts/20IbayContent or VirtualHosts/25SSLDirectives something like this (untested):
Code: [Select]

$OUT .= "    SSLCertificateChainFile $ibaySSLCertificateChainFile\n" unless $ibaySSLCertificateChainFile eq 'disabled';


Similarly, a new db variable for the httpd service could be used to control whether to output SSLStrictSNIVHostCheck off at the top of the config file:

Code: [Select]
config setprop httpd-e-smith  SSLStrictSNIVHostCheck off

Look at the code in 35SSL30SSLProtocol to figure out how to conditionally output the SSLStrictSNIVHostCheck directive.


If you get something that works, please post it as an attachment to the NFR bug on this:
https://bugs.contribs.org/show_bug.cgi?id=8693

[edit]
added URL to NFR bug
« Last Edit: January 01, 2018, 07:18:01 PM by mmccarn »

Offline dhalliday

  • *
  • 41
  • +0/-0
Re: Set different SSL on each ibay / vhost
« Reply #6 on: January 01, 2018, 07:17:33 PM »
Thanks again guys,

Dan, the Let's Encrypt method looks interesting and I will look into it more, but it is not really what I need for this project.  I already had the Comodo cert for my site (at a very reasonable $4.99 per year from ssls.com, a reputable re-seller).  Also the other ibays will need certs from other places, possibly even an EV cert. None of this is commercial hosting, but I do host a website for my starving artist sister etc. where it is conceivable there may be some online transactions.

mmccarn, thanks for the insight and reminder on how templates work in SME; this is very helpful. When I last hacked this stuff it was still owned by Mitel. I will grab my Perl book and have a go. Will post when I have done some more work.

I tried to find the NFR for this in Bugzilla but could only see Bug 48, and that seems a little different. Do you know the bug ID, or should I just open a new one?

Thanks again guys.

Dave.

Offline Jean-Philippe Pialasse

  • *
  • 2,746
  • +11/-0
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Set different SSL on each ibay / vhost
« Reply #7 on: January 01, 2018, 07:29:50 PM »
You have a bigger problem than having your configuration not templated.

Quote
1) Created a folder in /home/e-smith/files/ibays/daveweb/ssl

As you happen to have put your certs inside your webroot / basedir (/home/e-smith/files/ibays/daveweb/, which any running script in the ibay could access), your certificates and private keys have been potentially compromised.  I strongly suggest you revoke your certs, ask for new ones, and put the new ones outside the PHP basedir and webroot.

Offline dhalliday

  • *
  • 41
  • +0/-0
Re: Set different SSL on each ibay / vhost
« Reply #8 on: January 01, 2018, 09:48:17 PM »
Jean,

A very valid point in most cases, where an ibay is a generic file store. In my case however this is not an issue, as the ibay is only accessible to myself and used as a web hosting container. I have very strict rules about what scripts / exes I allow in an ibay (they are essentially just hosting containers) and removed the global access to this directory. Further, each ibay has separate group-level access and these files have no global read access (see above).

[root@www davidweb]# ls -l /home/e-smith/files/ibays/davidweb/
total 20
drwxrwsr-x 2 root wwwdavidhalliday 4096 Feb  6  2013 cgi-bin
drwxrwsr-x 2 root wwwdavidhalliday 4096 Feb  6  2013 files
drwxrwsr-x 4 root wwwdavidhalliday 4096 Dec 29 14:21 html
drwxr-x--- 2 root wwwdavidhalliday 4096 Dec 29 13:38 ssl
drwxrwxrwt 2 root wwwdavidhalliday 4096 Jan  7  2016 tmp
[root@www davidweb]# lid -g wwwdavidhalliday
 wwwdavidhalliday(uid=5020)
 admin(uid=101)
 www(uid=102)
 davidweb(uid=5021)


Now, granted, if say Apache is compromised and allows a break-out from the root <path-to-ibay>/html folder, it will be a problem, but that would be true in any file system location.

EDIT: re-read your comment. I think I see what you are saying now, but DocumentRoot is /home/e-smith/files/ibays/davidweb/html, so /home/e-smith/files/ibays/davidweb/ssl is OUTSIDE of the BaseRoot for the VirtualHost. FYI, cgi-bin is at the same level as the new ssl folder and accessible, but only because a ScriptAlias is added, not because the base is a level higher.

I really do appreciate your comment, but I think I am OK. Or am I missing something here?

Dave.
« Last Edit: January 01, 2018, 10:17:41 PM by dhalliday »

Offline Jean-Philippe Pialasse

  • *
  • 2,746
  • +11/-0
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Set different SSL on each ibay / vhost
« Reply #9 on: January 02, 2018, 06:57:48 PM »
The PHP base dir is /home/e-smith/files/ibays/davidweb/ by default.
So any PHP script in /home/e-smith/files/ibays/davidweb/html can access any content of /home/e-smith/files/ibays/davidweb/ unless unix permissions restrict it.
A very frequent hack on websites is to simply upload a malicious PHP script to the html root (/home/e-smith/files/ibays/davidweb/html in your case), allowing the attacker to explore anything in the directories allowed by the PHP basedir, download it, or upload another malicious script or a fake website hidden in a directory there. The upload usually occurs through a file-upload web form that is not protected against PHP files; I have also seen cases using pieces of software such as PHPMailer that are included in a lot of CMSes.
So unless you had changed the directive PhpBaseDir (https://wiki.contribs.org/Useful_Commands#PHPBaseDir_per_ibay ) to /home/e-smith/files/ibays/davidweb/html/ beforehand, it was **possible** to steal your certificate and key from the Internet and use them to impersonate your webserver, defeating the purpose of paying for a certificate and serving pages over https.

However, I do not think changing the PhpBaseDir is the solution, as you might forget this for the next site, or when restoring this site to another server, and might reproduce this issue. I strongly suggest moving your cert either to /home/e-smith/domain.name/ or to /etc/httpd/mycerts/domain.name. With the second solution you will have to back up this location manually, as it is not in the main SME backup list.

I insist on **possible** there, as yes, you do not have any proof it was indeed stolen, but it will be rather difficult to prove it was not, unless your ibay was only open for LAN use and you are the only user on the LAN. So if your security needs are as high as you presented, which means that you cannot use letsencrypt, then with the same level of security you should consider your certificate compromised and ask for a new one.

If you feel you can live with this doubt, then the letsencrypt solution will be far more secure than keeping your current certificate.


Anyway, there is indeed a need to add support for SNI on SME if one wants to use per-virtualhost certificates, so my goal here is not to stop you working in this direction, just to warn about a false sensation of higher security.

The related bug to support per-virtualhost certificates is https://bugs.contribs.org/show_bug.cgi?id=8693
Yes, this is per virtualhost, so it might not be defined per ibay, as ibays can appear in different virtualhosts (at least the Primary one and a dedicated one).


An important point you showed by your test, if I have followed correctly, is that you did not remove the directive for the global certificate as defined for the whole server in httpd.conf, and only defined the per-virtualhost certificate in the virtualhost you needed, and it worked? Right?
If yes, then this is an important element for the design.
« Last Edit: January 02, 2018, 07:00:09 PM by Jean-Philippe Pialasse »
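A small audit script, added here as an example and not part of this thread or of SME Server's own tooling, that turns the point above into a check: it reads the open_basedir of an ibay's <Directory> block out of httpd.conf and reports any certificate path that falls under it, i.e. any file a PHP script uploaded into that ibay could read regardless of where DocumentRoot is. It assumes SME's default open_basedir of /home/e-smith/files/ibays/<ibay>/ and the <Directory .../html> block layout shown later in this thread; the function names and the embedded httpd.conf fragment are this example's own.

```shell
#!/bin/sh
# Added example, not SME's own code: report certificate files that a PHP script
# uploaded into an ibay could read because they sit inside the ibay's open_basedir.
# Assumptions (hypothetical): the <Directory .../html> block layout of SME's
# generated httpd.conf and the default open_basedir of /home/e-smith/files/ibays/<ibay>/.

# Print the open_basedir value set for ibay $2 in httpd.conf $1 (nothing if absent).
ibay_open_basedir() {
    awk -v dir="/home/e-smith/files/ibays/$2/html" '
        $1 == "<Directory" && $2 == (dir ">") { inblock = 1; next }
        inblock && $1 == "</Directory>"        { inblock = 0 }
        inblock && $1 == "php_admin_value" && $2 == "open_basedir" { print $3; exit }
    ' "$1"
}

# Return 0 if file path $1 lies under directory $2. Pure prefix match, like
# open_basedir itself; both paths should already be canonical (no symlinks, no "..").
path_inside() {
    p=$(printf '%s' "$1" | sed 's#/\{2,\}#/#g')            # collapse //
    d=$(printf '%s' "$2" | sed 's#/\{2,\}#/#g; s#/*$#/#')  # exactly one trailing /
    case "$p" in
        "$d"*) return 0 ;;
    esac
    return 1
}

# Check every certificate path given after the ibay name against each directory
# in that ibay's open_basedir (PHP allows a colon-separated list).
# Returns 0 if all are outside, 1 if any is inside, 2 if no open_basedir was found.
audit_ibay_certs() {
    conf=$1; ibay=$2; shift 2
    basedirs=$(ibay_open_basedir "$conf" "$ibay")
    [ -n "$basedirs" ] || { echo "no open_basedir found for ibay $ibay" >&2; return 2; }
    rc=0
    for f in "$@"; do
        oldifs=$IFS; IFS=:
        for d in $basedirs; do
            if path_inside "$f" "$d"; then
                echo "UNSAFE: $f is readable by PHP running in ibay $ibay (open_basedir $d)"
                rc=1
            fi
        done
        IFS=$oldifs
    done
    return $rc
}

# Constructed httpd.conf fragment mirroring the <Directory> block quoted in the thread.
demo_httpd_conf() {
    cat <<'EOF'
<Directory /home/e-smith/files/ibays/davidweb/html>
    AddType application/x-httpd-php .php .php3 .phtml
    AddType application/x-httpd-php-source .phps
    php_admin_value open_basedir /home/e-smith/files/ibays/davidweb/
</Directory>
EOF
}

# Demo: audit the two layouts discussed in the thread against the constructed fragment.
run_demo() {
    tmp=$(mktemp) || return 2
    demo_httpd_conf > "$tmp"
    echo "open_basedir for davidweb: $(ibay_open_basedir "$tmp" davidweb)"
    audit_ibay_certs "$tmp" davidweb /home/e-smith/files/ibays/davidweb/ssl/ssl.key   # flagged
    audit_ibay_certs "$tmp" davidweb /home/e-smith/ibay_ssl/davidweb/ssl.key && echo "OK: outside open_basedir"
    rm -f "$tmp"
}

case "${1:-}" in demo) run_demo ;; esac
```

Run as `sh audit.sh demo` for the constructed fragment, or call `audit_ibay_certs /etc/httpd/conf/httpd.conf <ibay> <cert paths...>` on a real server. The check is deliberately a plain prefix comparison, because that is all open_basedir does: the ssl/ directory next to html/ is outside DocumentRoot but still under the basedir, which is why the directory permissions shown above, not DocumentRoot, are the only thing standing between an uploaded script and the key.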

Offline dhalliday

  • *
  • 41
  • +0/-0
Re: Set different SSL on each ibay / vhost
« Reply #10 on: January 03, 2018, 12:41:37 AM »
Indeed you are correct. For some odd reason the PHP base dir is set one level higher. I can only assume this is to allow PHP in the cgi-bin folder to access stuff in files and html. Squirreled away at the bottom of the httpd.conf file are lines of the form:

<Directory /home/e-smith/files/ibays/davidweb/html>
    AddType application/x-httpd-php .php .php3 .phtml
    AddType application/x-httpd-php-source .phps
    php_admin_value open_basedir /home/e-smith/files/ibays/davidweb/
</Directory>

When configuring my own Apache files I always set open_basedir to the document root, to ensure everything is well contained. This is an enlightening difference from my SOP; thanks for pointing this out.

The certificate cost really is not a big deal it is only $4.99 from ssls.com so I can revoke and burn that one and push on.

Rather than monkey with the open_basedir directive, I will just place the certificates next to the main ones in a directory /home/e-smith/ibay_ssl/<IBAYNAME>

I think I am about done with my solution and it really was quite simple. Obviously this is only for web; it does not address dedicated certificates for things like IMAP, but it meets my needs well. Hopefully the developers will take this on board and add my couple of template fragments.

I have a little more testing to do but hopefully will post what I came up with in a few hours.

Thanks again for pointing out the PHP base issue.

Dave.

Offline Jean-Philippe Pialasse

  • *
  • 2,746
  • +11/-0
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Set different SSL on each ibay / vhost
« Reply #11 on: January 03, 2018, 01:43:39 AM »
Dave,

Good to hear it is OK for you. Yes, IMAPS, POPS and SMTPS are other matters.

Yes, the PHP basedir includes one level up so you can call files in files/, or create a directory outside the webroot that PHP can access without the files being reachable through a direct HTTP link. I am aware there could be other solutions, like .htaccess files, but if you disable overrides, as is the default, all folders in the webroot are readable with a direct link.

Offline dhalliday

  • *
  • 41
  • +0/-0
Re: Set different SSL on each ibay / vhost
« Reply #12 on: January 03, 2018, 01:51:58 AM »
My Solution

I chose to implement this by creating two new template fragments rather than modifying existing fragments; this was to limit the impact on the existing code base.

To make this work I created two new template fragments:

/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/35SSL35StrictSNIVHostCheck containing

Code: [Select]
{
    # Emit "SSLStrictSNIVHostCheck off" only when the httpd-e-smith
    # SSLStrictSNIVHostCheck property is set to something other than 'on';
    # this is required if each ibay has its own SSL certificate.

    my $check_SSLStrictSNIVHostCheck = (${'httpd-e-smith'}{'SSLStrictSNIVHostCheck'} || 'on');
    $OUT .= "SSLStrictSNIVHostCheck off\n" unless $check_SSLStrictSNIVHostCheck eq 'on';
}

/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts/10SSLCert Containing:

Code: [Select]
{
    # Only the port 443 VirtualHost gets certificate directives.
    return "    # skipping SSL certificate\n" unless $port eq "443";

    use esmith::AccountsDB;
    my $accounts = esmith::AccountsDB->open_ro;

    $OUT = "";

    # $virtualHostContent is the content (ibay) this VirtualHost serves, as set by VirtualHosts/00Setup.
    my $ibay = $virtualHostContent;
    my $ssl_file_crt = $accounts->get_prop($ibay, "IbaySSLCertificateFile") || "disabled";
    my $ssl_file_key = $accounts->get_prop($ibay, "IbaySSLCertificateKeyFile") || "disabled";
    my $ssl_file_chain = $accounts->get_prop($ibay, "IbaySSLCertificateChainFile") || "disabled";

    # Emit a directive only for the properties that were actually set.
    $OUT .= "    SSLCertificateFile $ssl_file_crt\n" unless $ssl_file_crt eq 'disabled';
    $OUT .= "    SSLCertificateChainFile $ssl_file_chain\n" unless $ssl_file_chain eq 'disabled';
    $OUT .= "    SSLCertificateKeyFile $ssl_file_key\n" unless $ssl_file_key eq 'disabled';
}

Next you need to disable SSLStrictSNIVHostCheck by using:

Code: [Select]
config setprop httpd-e-smith  SSLStrictSNIVHostCheck off
Now tell the server where your ibay certificate files are (in the following my ibay is called davidweb):

Code: [Select]
db accounts setprop davidweb IbaySSLCertificateChainFile '/home/e-smith/ibay_ssl/davidweb/ssl.chainfile'
db accounts setprop davidweb IbaySSLCertificateFile '/home/e-smith/ibay_ssl/davidweb/ssl.crt'
db accounts setprop davidweb IbaySSLCertificateKeyFile '/home/e-smith/ibay_ssl/davidweb/ssl.key'

In this case I have created a folder /home/e-smith/ibay_ssl/davidweb in which I place the SSL certificate files. It is important to note you should NOT put the certificate files in /home/e-smith/files/ibays/<IBAYNAME> as this will make them accessible to people on the web and would be a security problem.

This can be repeated for several ibays as needed. You do not need to give certificates for all ibays, if you do not supply them the default master certificate is used just as before.

Finally you need to re-expand the templates and restart apache. The simplest way to do this is with the command:

Code: [Select]
signal-event console-save


This will only work for Apache-based services such as web, webmail, server-manager etc. In theory it is possible to add SNI to Dovecot for IMAP, but I do not need that functionality at the moment; I may take a look at that if I have some spare time.

Dave.

« Last Edit: January 03, 2018, 02:05:04 AM by dhalliday »

Offline Jean-Philippe Pialasse

  • *
  • 2,746
  • +11/-0
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Set different SSL on each ibay / vhost
« Reply #13 on: January 03, 2018, 07:21:37 AM »
Quote
My Solution

I chose to implement this by creating two new template fragments rather than modifying existing fragments; this was to limit the impact on the existing code base.

To make this work I created two new template fragments:

/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/35SSL35StrictSNIVHostCheck containing

Code: [Select]
{
    # Emit "SSLStrictSNIVHostCheck off" only when the httpd-e-smith
    # SSLStrictSNIVHostCheck property is set to something other than 'on';
    # this is required if each ibay has its own SSL certificate.

    my $check_SSLStrictSNIVHostCheck = (${'httpd-e-smith'}{'SSLStrictSNIVHostCheck'} || 'on');
    $OUT .= "SSLStrictSNIVHostCheck off\n" unless $check_SSLStrictSNIVHostCheck eq 'on';
}

I would suggest setting the default to off for the moment, as you might not have one certificate per virtualhost. This will allow you to avoid setting the property right now.

Code: [Select]
{
    # Default the property to 'off' so the directive is emitted without having to
    # set it; turning the check off is required if each ibay has its own SSL certificate.

    my $check_SSLStrictSNIVHostCheck = (${'httpd-e-smith'}{'SSLStrictSNIVHostCheck'} || 'off');
    $OUT .= "SSLStrictSNIVHostCheck off\n" unless $check_SSLStrictSNIVHostCheck eq 'on';
}


Quote
/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts/10SSLCert Containing:

Code: [Select]
{
    # Only the port 443 VirtualHost gets certificate directives.
    return "    # skipping SSL certificate\n" unless $port eq "443";

    use esmith::AccountsDB;
    my $accounts = esmith::AccountsDB->open_ro;

    $OUT = "";

    # $virtualHostContent is the content (ibay) this VirtualHost serves, as set by VirtualHosts/00Setup.
    my $ibay = $virtualHostContent;
    my $ssl_file_crt = $accounts->get_prop($ibay, "IbaySSLCertificateFile") || "disabled";
    my $ssl_file_key = $accounts->get_prop($ibay, "IbaySSLCertificateKeyFile") || "disabled";
    my $ssl_file_chain = $accounts->get_prop($ibay, "IbaySSLCertificateChainFile") || "disabled";

    # Emit a directive only for the properties that were actually set.
    $OUT .= "    SSLCertificateFile $ssl_file_crt\n" unless $ssl_file_crt eq 'disabled';
    $OUT .= "    SSLCertificateChainFile $ssl_file_chain\n" unless $ssl_file_chain eq 'disabled';
    $OUT .= "    SSLCertificateKeyFile $ssl_file_key\n" unless $ssl_file_key eq 'disabled';
}

Virtualhosts are not set by ibay but by domain; these domains point to an ibay. The way you do it, I fear that your certificate will fail if you have more than one domain pointing to the same ibay and this certificate is only for one of the domains.
Thus I would rather suggest:

Code: [Select]
{
    # Only the port 443 VirtualHost gets certificate directives.
    return "    # skipping Virtualhost dedicated SSL certificate\n" unless $port eq "443";

    use esmith::DomainsDB;
    my $domains = esmith::DomainsDB->open_ro;

    # $virtualHost is the domain this VirtualHost is expanded for (see VirtualHosts/00Setup),
    # so the properties live in the domains db, not in the accounts (ibay) db.
    my $ssl_file_crt = $domains->get_prop($virtualHost, "SSLCertificateFile") || "disabled";
    my $ssl_file_key = $domains->get_prop($virtualHost, "SSLCertificateKeyFile") || "disabled";
    my $ssl_file_chain = $domains->get_prop($virtualHost, "SSLCertificateChainFile") || "disabled";

    $OUT = "";
    $OUT .= "    SSLCertificateFile $ssl_file_crt\n" unless $ssl_file_crt eq 'disabled';
    $OUT .= "    SSLCertificateChainFile $ssl_file_chain\n" unless $ssl_file_chain eq 'disabled';
    $OUT .= "    SSLCertificateKeyFile $ssl_file_key\n" unless $ssl_file_key eq 'disabled';
}

Instead of "disabled" we could take the default value from modSSL. This would set a certificate for every virtualhost, so you can make a letsencrypt certificate for multiple domains coexist with a different certificate for one domain:

Code: [Select]
{
    # Only the port 443 VirtualHost gets certificate directives.
    return "    # skipping Virtualhost dedicated SSL certificate\n" unless $port eq "443";

    use esmith::DomainsDB;
    my $domains = esmith::DomainsDB->open_ro;

    # Server-wide defaults, taken from the modSSL record the same way the
    # 35SSL* fragments do, so every VirtualHost repeats the global certificate
    # unless the domain overrides it.
    my $crt = $modSSL{'crt'} ||
        "/home/e-smith/ssl.crt/${SystemName}.${DomainName}.crt";
    my $key = $modSSL{'key'} ||
        "/home/e-smith/ssl.key/${SystemName}.${DomainName}.key";
    my $chain_file = $modSSL{CertificateChainFile} ||
        "disabled";

    my $ssl_file_crt = $domains->get_prop($virtualHost, "SSLCertificateFile") || $crt || "disabled";
    my $ssl_file_key = $domains->get_prop($virtualHost, "SSLCertificateKeyFile") || $key || "disabled";
    my $ssl_file_chain = $domains->get_prop($virtualHost, "SSLCertificateChainFile") || $chain_file || "disabled";

    $OUT = "";
    $OUT .= "    SSLCertificateFile $ssl_file_crt\n" unless $ssl_file_crt eq 'disabled';
    $OUT .= "    SSLCertificateChainFile $ssl_file_chain\n" unless $ssl_file_chain eq 'disabled';
    $OUT .= "    SSLCertificateKeyFile $ssl_file_key\n" unless $ssl_file_key eq 'disabled';
}



Quote
Now tell the server where your ibay certificate files are (in the following my ibay is called davidweb):

Code: [Select]
db accounts setprop davidweb IbaySSLCertificateChainFile '/home/e-smith/ibay_ssl/davidweb/ssl.chainfile'
db accounts setprop davidweb IbaySSLCertificateFile '/home/e-smith/ibay_ssl/davidweb/ssl.crt'
db accounts setprop davidweb IbaySSLCertificateKeyFile '/home/e-smith/ibay_ssl/davidweb/ssl.key'


for the same reason I would suggest



Code: [Select]
db domains setprop daviddomain.tld SSLCertificateChainFile '/home/e-smith/sni_ssl/daviddomain.tld/ssl.chainfile'
db domains setprop daviddomain.tld SSLCertificateFile '/home/e-smith/sni_ssl/daviddomain.tld/ssl.crt'
db domains setprop daviddomain.tld SSLCertificateKeyFile '/home/e-smith/sni_ssl/daviddomain.tld/ssl.key'

Offline dhalliday

  • *
  • 41
  • +0/-0
Re: Set different SSL on each ibay / vhost
« Reply #14 on: January 03, 2018, 08:44:04 PM »
With respect to SSLStrictSNIVHostCheck directive:

Perhaps using "on" was a bad choice; "disabled" would be clearer. The idea was not to emit the line to the config unless "off" is set. In reality this may not even be required, as I think the default if there is no line is off.

To get anything to emit to the config you need to do.

config setprop httpd-e-smith  SSLStrictSNIVHostCheck off

Without the above no line will be added at all exactly like the config before this mod.  I agree it may better to have this emitted by default but I was trying to engineer things so current functionality was retained as the default.

With respect to the VirtualHost Certificates:

In reality you can only have one CRT per VirtualHost, irrespective of how many domains it is serving. If you do not specify any CRT for a VirtualHost the main certificate will be picked up, so there is no need to hard wire the main cert when there is no third party cert. If main cert covers multiple domains as in LetsEncrypt you should be ok.  I think you should be able to mix and match my mod with LetsEncrypt simply by not setting the db variables. 

Further, with this mod you could use a third party certificate such as an EV cert for a VirtualHost that serves multiple domains but you would need either a wildcard (if all domains were a sub) or a Cert that would cover multiple domains. I would suspect this would work OK but have not tested it.

The bottom line is in my design if you do not set any of the DB variables the config is not changed from the current config. It is only changed if you set the variables even if the template fragments are in place. Even if you set the variables for one ibay the others will remain the same and use the standard certificate.

I must admit, I do not fully understand the LetsEncrypt details and still have to look into that in more detail but for now I think I have a simple clean workable solution for my needs.

If anything ever gets embedded into the main code I will obviously move to that. In the meantime, thanks all for all the help.

Dave.

« Last Edit: January 03, 2018, 09:09:31 PM by dhalliday »

Offline Jean-Philippe Pialasse

  • *
  • 2,746
  • +11/-0
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Set different SSL on each ibay / vhost
« Reply #15 on: January 03, 2018, 10:46:35 PM »
Quote
With respect to SSLStrictSNIVHostCheck directive:

Perhaps using "on" was a bad choice, "disabled" would be clearer.
indeed and this would be closer to usual settings. Good point.

Quote
The idea was not to emit the line to the config unless "off" is set. In reality this may not even be required as I think the default if there is no line is off.

To get anything to emit to the config you need to do.

config setprop httpd-e-smith  SSLStrictSNIVHostCheck off

Without the above no line will be added at all exactly like the config before this mod.  I agree it may better to have this emitted by default but I was trying to engineer things so current functionality was retained as the default.
Yes, I understand that you did a lot of work there, so I am just trying to give a bit of help to improve this and make it more standard with the current templates.


Quote
With respect to the VirtualHost Certificates:

In reality you can only have one CRT per VirtualHost, irrespective of how many domains it is serving. If you do not specify any CRT for a VirtualHost the main certificate will be picked up, so there is no need to hard wire the main cert when there is no third party cert. If main cert covers multiple domains as in LetsEncrypt you should be ok.  I think you should be able to mix and match my mod with LetsEncrypt simply by not setting the db variables. 

Further, with this mod you could use a third party certificate such as an EV cert for a VirtualHost that serves multiple domains but you would need either a wildcard (if all domains were a sub) or a Cert that would cover multiple domains. I would suspect this would work OK but have not tested it.

The bottom line is in my design if you do not set any of the DB variables the config is not changed from the current config. It is only changed if you set the variables even if the template fragments are in place. Even if you set the variables for one ibay the others will remain the same and use the standard certificate.
With my suggestion nothing changes from the previous behaviour; the only thing is that, with the second proposition, the certificate is declared one more time in each virtualhost unless something is set for this domain. Anyway, the global certificate is declared for the whole service at the beginning of httpd.conf.

The big point is rather not to use ibays in the accounts db but domains in the domains db, because VirtualHosts are not expanded against ibays but against domains. See the code of /etc/e-smith/templates/etc/httpd/conf/httpd.conf/80VirtualHosts (calling the content of /etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts) and /etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/00Setup. Using ibays you might end up with your certificate for domain.com added to the virtualhost for domain.fr if it also points to the same ibay, and get a certificate error unless it was issued for domain.com and domain.fr. Because yes, you can have 2 virtualhosts pointing to the same content, but they will need different certificates.


Quote
I must admit, I do not fully understand the LetsEncrypt details and still have to look into that in more detail but for now I think I have a simple clean workable solution for my needs.

Clear and simple: you declare the domains (as in db domains) and hosts (as in db hosts) for which you want a certificate, and letsencrypt gets you a global certificate for all of those domains. It also renews the certificate every 3 months without you having to worry.

Offline dhalliday

  • *
  • 41
  • +0/-0
Re: Set different SSL on each ibay / vhost
« Reply #16 on: January 04, 2018, 01:39:49 AM »
Points well taken, I will modify the SSLStrictSNIVHostCheck  section with "disabled" in place of "on" and switch to DomainDB for the Cert definitions.

Not sure when I will have time to make the change and test but do agree with the direction.

Dave.

Offline dhalliday

  • *
  • 41
  • +0/-0
Re: Set different SSL on each ibay / vhost
« Reply #17 on: January 04, 2018, 07:45:33 PM »
Updated Solution

Here is the updated solution following feedback from Jean-Philippe, thanks!

I chose to implement this by creating two new template fragments rather than modifying existing fragments; this was to limit the impact on the existing code base.

To make this work I created two new template fragments:

/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/35SSL35StrictSNIVHostCheck containing

Code: [Select]
{
    # Emit the SSLStrictSNIVHostCheck directive with the value of the httpd-e-smith
    # SSLStrictSNIVHostCheck property; nothing is emitted while the property is
    # unset ('disabled'). Turning the check off is required if each ibay has its
    # own SSL certificate.

    my $value_SSLStrictSNIVHostCheck = (${'httpd-e-smith'}{'SSLStrictSNIVHostCheck'} || 'disabled');
    $OUT .= "SSLStrictSNIVHostCheck $value_SSLStrictSNIVHostCheck\n" unless $value_SSLStrictSNIVHostCheck eq 'disabled';
}

/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts/10SSLCert Containing:

Code: [Select]
{
    return "    # skipping SSL certificate\n" unless $port eq "443";

    use esmith::DomainsDB;
    my $domains = esmith::DomainsDB->open_ro;

    $OUT = "";

    my $ssl_file_crt = $domains->get_prop($virtualHost, "DomainSSLCertificateFile") || "disabled";
    my $ssl_file_key = $domains->get_prop($virtualHost, "DomainSSLCertificateKeyFile") || "disabled";
    my $ssl_file_chain = $domains->get_prop($virtualHost, "DomainSSLCertificateChainFile") || "disabled";

    $OUT .= "    SSLCertificateFile $ssl_file_crt\n" unless $ssl_file_crt eq 'disabled';
    $OUT .= "    SSLCertificateChainFile $ssl_file_chain\n" unless $ssl_file_chain eq 'disabled';
    $OUT .= "    SSLCertificateKeyFile $ssl_file_key\n" unless $ssl_file_key eq 'disabled';
}

Next you need to disable SSLStrictSNIVHostCheck by using:

Code:
config setprop httpd-e-smith SSLStrictSNIVHostCheck off

Now tell the server where your domain certificate files are (in this example I set the cert files for mydomain.com):

Code:
  db domains setprop mydomain.com DomainSSLCertificateChainFile '/home/e-smith/sni_ssl/mydomain.com/ssl.chainfile'
  db domains setprop mydomain.com DomainSSLCertificateFile '/home/e-smith/sni_ssl/mydomain.com/ssl.crt'
  db domains setprop mydomain.com DomainSSLCertificateKeyFile '/home/e-smith/sni_ssl/mydomain.com/ssl.key'

In this case I have created a folder /home/e-smith/sni_ssl/mydomain.com in which I place the SSL certificate files. It is important to note you should NOT put the certificate files in /home/e-smith/files/ibays/<IBAYNAME> as this will make them accessible to people on the web and would be a security problem.

This can be repeated for several domains as needed. You do not need to give certificates for all domains; if you do not supply them, the default master certificate is used just as before.

Finally you need to re-expand the templates and restart apache. The simplest way to do this is with the command:

Code:
signal-event console-save

This will only work for apache based services such as web, webmail, server-manager etc. In theory it is possible to add SNI to Dovecot for IMAP, but I do not need that functionality at the moment; I may take a look at that if I have some spare time.

Dave.
« Last Edit: January 05, 2018, 12:37:22 AM by dhalliday »
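A post-configuration check for the per-domain files described above, added here as an example and not part of dhalliday's templates: it verifies that each certificate and key live outside the ibay web root (the warning above), that the key is not group/world readable, that the certificate actually matches the key, and that the certificate names the domain. It assumes openssl and GNU stat are present; the IBAY_ROOT override and the function names are mine, and the commented usage line uses the db getprop form of the commands shown in the thread.

```shell
#!/bin/sh
# Sanity checks for the files behind DomainSSLCertificateFile / DomainSSLCertificateKeyFile.
# IBAY_ROOT is the ibay document tree that must never hold keys (overridable for testing).
IBAY_ROOT=${IBAY_ROOT:-/home/e-smith/files/ibays}

# File is readable and is NOT somewhere Apache serves to the web.
cert_path_ok() {
    case $1 in "$IBAY_ROOT"/*) return 1 ;; esac
    [ -r "$1" ]
}

# Private key must not be readable by group or others (mode ?00).
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "${mode#${mode%??}}" = "00" ]
}

# Public key embedded in the certificate must equal the one derived from the private key.
cert_matches_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Host must appear in the SAN list (or the CN); a single-label wildcard is honoured.
cert_covers_host() {
    names=$(openssl x509 -in "$1" -noout -text 2>/dev/null | grep -o 'DNS:[^, ]*' | sed 's/^DNS://')
    cn=$(openssl x509 -in "$1" -noout -subject 2>/dev/null | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    rc=1; set -f                           # no globbing: SAN entries may contain '*'
    for n in $names $cn; do
        [ "$n" = "$2" ] && rc=0
        case $n in '*.'*) [ "${2#*.}" = "${n#\*.}" ] && [ "${2#*.}" != "$2" ] && rc=0 ;; esac
    done
    set +f; return $rc
}

# check_domain DOMAIN CERT KEY: prints one line per finding; exit status = number of failures.
check_domain() {
    d=$1; crt=$2; key=$3; fails=0
    cert_path_ok "$crt"            || { echo "$d: cert missing or under $IBAY_ROOT: $crt"; fails=$((fails+1)); }
    cert_path_ok "$key"            || { echo "$d: key missing or under $IBAY_ROOT: $key"; fails=$((fails+1)); }
    key_perms_ok "$key"            || { echo "$d: key readable by group/others: $key"; fails=$((fails+1)); }
    cert_matches_key "$crt" "$key" || { echo "$d: certificate does not match key"; fails=$((fails+1)); }
    cert_covers_host "$crt" "$d"   || { echo "$d: certificate does not name $d"; fails=$((fails+1)); }
    return $fails
}

# On the SME box itself, feed it the db props set earlier in the thread, e.g.:
#   check_domain mydomain.com "$(db domains getprop mydomain.com DomainSSLCertificateFile)" \
#                             "$(db domains getprop mydomain.com DomainSSLCertificateKeyFile)"
```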

Offline Stefano

Re: Set different SSL on each ibay / vhost
« Reply #18 on: January 04, 2018, 08:53:18 PM »
I guess that a simple
Code:
signal-event ibay-modify
should be enough (httpd.conf file expansion and httpd-e-smith service restart)

Offline dhalliday

Re: Set different SSL on each ibay / vhost
« Reply #19 on: January 05, 2018, 01:34:45 AM »
While playing with my solution I find that SME still allows 3DES ciphers, which will give a less than optimal score on SSL tests such as:

https://www.htbridge.com/ssl/
or
https://www.ssllabs.com/ssltest/

This is easy to fix with :

config setprop modSSL CipherSuite 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4:!3DES'

and the appropriate commands to re-expand the templates and restart apache (note: !3DES was added to the end of the default CipherSuite line).

Dave.


Offline madadam

Re: Set different SSL on each ibay / vhost
« Reply #20 on: May 21, 2018, 06:03:24 AM »
Thank you for your work on this David, also thank you Jean-Philippe.

I have implemented your template fragments (2.1) and configured the SME DB. The individual SSL/TLS certs seem to work fine, but the default self-signed cert does not when no specific cert is configured. I need to do some more testing.

I did a manual re-build of the template segments and got an error. It looks like it should be a simple fix, but I cannot see what's wrong with the template code; I'm no expert. The template is exactly the same as you posted.

Here is the error:
Code:
[root@duey ~]# expand-template /etc/httpd/conf/httpd.conf
WARNING in /etc/e-smith/templates-custom//etc/httpd/conf/httpd.conf/VirtualHosts/10SSLCert: Use of uninitialized value $Text::Template::ERROR in concatenation (.) or string at /usr/share/perl5/vendor_perl/esmith/templates.pm line 579.
WARNING in /etc/e-smith/templates-custom//etc/httpd/conf/httpd.conf/VirtualHosts/10SSLCert: ERROR: Cannot process template /etc/e-smith/templates-custom//etc/httpd/conf/httpd.conf/VirtualHosts/10SSLCert:
 at /etc/e-smith/templates//etc/httpd/conf/httpd.conf/80VirtualHosts line 38
WARNING in /etc/e-smith/templates//etc/httpd/conf/httpd.conf/80VirtualHosts: Use of uninitialized value in concatenation (.) or string at /etc/e-smith/templates//etc/httpd/conf/httpd.conf/80VirtualHosts line 38.
WARNING in /etc/e-smith/templates-custom//etc/httpd/conf/httpd.conf/VirtualHosts/10SSLCert: Use of uninitialized value $Text::Template::ERROR in concatenation (.) or string at /usr/share/perl5/vendor_perl/esmith/templates.pm line 579.
WARNING in /etc/e-smith/templates-custom//etc/httpd/conf/httpd.conf/VirtualHosts/10SSLCert: ERROR: Cannot process template /etc/e-smith/templates-custom//etc/httpd/conf/httpd.conf/VirtualHosts/10SSLCert:
 at /etc/e-smith/templates//etc/httpd/conf/httpd.conf/80VirtualHosts line 38
WARNING in /etc/e-smith/templates//etc/httpd/conf/httpd.conf/80VirtualHosts: Use of uninitialized value in concatenation (.) or string at /etc/e-smith/templates//etc/httpd/conf/httpd.conf/80VirtualHosts line 38.
WARNING: Template processing succeeded for //etc/httpd/conf/httpd.conf: 2 fragments generated warnings
 at /sbin/e-smith/expand-template line 45


Any assistance would be appreciated.


Cheers,
Adam
...