Koozali.org: home of the SME Server

Set different SSL on each ibay / vhost

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: Set different SSL on each ibay / vhost
« Reply #15 on: January 03, 2018, 10:46:35 PM »
Quote from: dhalliday
> With respect to SSLStrictSNIVHostCheck directive:
>
> Perhaps using "on" was a bad choice, "disabled" would be clearer.

Indeed, and this would be closer to usual settings. Good point.

Quote from: dhalliday
> The idea was not to emit the line to the config unless "off" is set. In reality this may not even be required as I think the default if there is no line is off.
>
> To get anything to emit to the config you need to do:
>
> config setprop httpd-e-smith SSLStrictSNIVHostCheck off
>
> Without the above no line will be added at all, exactly like the config before this mod. I agree it may be better to have this emitted by default but I was trying to engineer things so current functionality was retained as the default.

Yes, I understand that you did a lot of work around there, so I am just trying to give a bit of help to improve this and make it more standard with current templates.


Quote from: dhalliday
> With respect to the VirtualHost Certificates:
>
> In reality you can only have one CRT per VirtualHost, irrespective of how many domains it is serving. If you do not specify any CRT for a VirtualHost the main certificate will be picked up, so there is no need to hard wire the main cert when there is no third party cert. If the main cert covers multiple domains as in LetsEncrypt you should be ok. I think you should be able to mix and match my mod with LetsEncrypt simply by not setting the db variables.
>
> Further, with this mod you could use a third party certificate such as an EV cert for a VirtualHost that serves multiple domains but you would need either a wildcard (if all domains were a sub) or a cert that would cover multiple domains. I would suspect this would work OK but have not tested it.
>
> The bottom line is in my design if you do not set any of the DB variables the config is not changed from the current config. It is only changed if you set the variables even if the template fragments are in place. Even if you set the variables for one ibay the others will remain the same and use the standard certificate.

With my suggestion nothing changes from previous behaviour; the only thing is that the certificate is placed one more time in each VirtualHost with the second proposition, unless something is set for this domain. Anyway the global certificate is declared for the whole service at the beginning of httpd.conf.

The big point there is rather not to use ibays in the accounts db but rather the domains db, because VirtualHosts are not expanded against ibays but against domains. See the code of /etc/e-smith/templates/etc/httpd/conf/httpd.conf/80VirtualHosts (calling the content of /etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts) and /etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/00Setup. Using ibays you might end up with your certificate for domain.com added to the VirtualHost for domain.fr if it also points to the same ibay, and get a certificate error unless it was issued for domain.com and domain.fr. Because, yes, you can have 2 VirtualHosts pointing to the same content, but they will need different certificates.


Quote from: dhalliday
> I must admit, I do not fully understand the LetsEncrypt details and still have to look into that in more detail but for now I think I have a simple clean workable solution for my needs.

Clear and simple: you declare the domains (as per db domains) and hosts (as per db hosts) for which you want a certificate, and letsencrypt gets you a global certificate for all those domains. It also renews the certificate every 3 months without you having to worry.

dhalliday
Re: Set different SSL on each ibay / vhost
« Reply #16 on: January 04, 2018, 01:39:49 AM »
Points well taken, I will modify the SSLStrictSNIVHostCheck section with "disabled" in place of "on" and switch to the domains db for the cert definitions.

Not sure when I will have time to make the change and test but do agree with the direction.

Dave.

dhalliday
Re: Set different SSL on each ibay / vhost
« Reply #17 on: January 04, 2018, 07:45:33 PM »
Updated Solution

Here is the updated solution following feedback from Jean-Philippe, thanks!

I chose to implement this by creating two new template fragments rather than modifying existing fragments; this was to limit the impact on the existing code base.

To make this work I created two new template fragments:

/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/35SSL35StrictSNIVHostCheck containing

Code:
{
    # Emit the SSLStrictSNIVHostCheck directive only when the db value is
    # something other than 'disabled' (the default, which emits nothing).
    # Setting it to 'off' is required if each ibay has its own SSL certificate.

    my $value_SSLStrictSNIVHostCheck =  (${'httpd-e-smith'}{'SSLStrictSNIVHostCheck'} || 'disabled');
    $OUT .= "SSLStrictSNIVHostCheck $value_SSLStrictSNIVHostCheck\n" unless $value_SSLStrictSNIVHostCheck eq 'disabled';
}

/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts/10SSLCert Containing:

Code:
{
    # $virtualHost and $port are set by the VirtualHosts/00Setup fragment;
    # only the HTTPS VirtualHost gets certificate directives.
    return "    # skipping SSL certificate\n" unless $port eq "443";

    # Look the certificate up in the domains db, not the accounts db:
    # VirtualHosts are expanded per domain, not per ibay.
    use esmith::DomainsDB;
    my $domains = esmith::DomainsDB->open_ro;

    $OUT = "";

    my $ssl_file_crt = $domains->get_prop($virtualHost, "DomainSSLCertificateFile") || "disabled";
    my $ssl_file_key = $domains->get_prop($virtualHost, "DomainSSLCertificateKeyFile") || "disabled";
    my $ssl_file_chain = $domains->get_prop($virtualHost, "DomainSSLCertificateChainFile") || "disabled";

    # Emit nothing when no per-domain certificate is configured, so the
    # server-wide certificate declared earlier in httpd.conf still applies.
    $OUT .= "    SSLCertificateFile $ssl_file_crt\n" unless $ssl_file_crt eq 'disabled';
    $OUT .= "    SSLCertificateChainFile $ssl_file_chain\n" unless $ssl_file_chain eq 'disabled';
    $OUT .= "    SSLCertificateKeyFile $ssl_file_key\n" unless $ssl_file_key eq 'disabled';
}

Next you need to disable SSLStrictSNIVHostCheck by using:

Code:
config setprop httpd-e-smith SSLStrictSNIVHostCheck off

Now tell the server where your domain certificate files are (in this example I set cert files for mydomain.com):

Code:
  db domains setprop mydomain.com DomainSSLCertificateChainFile '/home/e-smith/sni_ssl/mydomain.com/ssl.chainfile'
  db domains setprop mydomain.com DomainSSLCertificateFile '/home/e-smith/sni_ssl/mydomain.com/ssl.crt'
  db domains setprop mydomain.com DomainSSLCertificateKeyFile '/home/e-smith/sni_ssl/mydomain.com/ssl.key'

In this case I have created a folder /home/e-smith/sni_ssl/mydomain.com in which I place the SSL certificate files. It is important to note you should NOT put the certificate files in /home/e-smith/files/ibays/<IBAYNAME> as this will make them accessible to people on the web and would be a security problem.

This can be repeated for several domains as needed. You do not need to give certificates for all domains, if you do not supply them the default master certificate is used just as before.

Finally you need to re-expand the templates and restart apache. The simplest way to do this is with the command:

Code:
signal-event console-save

This will only work for apache based services such as web, webmail, server-manager etc. In theory it is possible to add SNI to Dovecot for IMAP but I do not need that functionality at the moment; I may take a look at that if I have some spare time.

Dave.
« Last Edit: January 05, 2018, 12:37:22 AM by dhalliday »
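Added example, not part of Dave's post: a small shell helper that stages a certificate the way the post describes (a per-domain directory under /home/e-smith/sni_ssl, outside the ibay web roots), tightens file permissions, checks that the private key actually belongs to the certificate, and emits the db/config/signal-event commands quoted above. The SNI_ROOT, DRY_RUN and VERIFY_KEY variables, the function names and the permission choices are this example's own assumptions, not SME Server conventions; db, config and signal-event are the SME commands used in the post. By default it only prints the commands it would run.

```shell
#!/bin/bash
# Added example, not part of the original post: stage a per-domain certificate
# for the 10SSLCert fragment above and emit the matching SME commands.
# SNI_ROOT, DRY_RUN and VERIFY_KEY are this example's own knobs (assumptions);
# db, config and signal-event are SME Server's commands as used in the post.
set -u

SNI_ROOT="${SNI_ROOT:-/home/e-smith/sni_ssl}"  # same location the post uses
DRY_RUN="${DRY_RUN:-1}"       # 1 = only print the db/config commands; 0 = run them
VERIFY_KEY="${VERIFY_KEY:-1}" # 1 = require the private key to match the certificate

# Refuse any destination inside the ibay web roots: files under
# /home/e-smith/files/ibays are served by Apache, so a key there leaks.
cert_path_is_safe() {
    case "$1" in
        /home/e-smith/files/ibays|/home/e-smith/files/ibays/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Compare the public key inside the certificate with the one derived from the
# private key (works for RSA and EC). A mismatch would stop httpd on restart.
key_matches_cert() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# stage_cert DOMAIN CRT KEY CHAIN: copy the files under $SNI_ROOT/DOMAIN with
# restrictive permissions and record their paths in the domains db.
stage_cert() {
    [ $# -eq 4 ] || { echo "usage: stage_cert DOMAIN CRT KEY CHAIN" >&2; return 1; }
    domain=$1; crt=$2; key=$3; chain=$4
    dest="$SNI_ROOT/$domain"
    cert_path_is_safe "$dest" || { echo "refusing $dest: inside an ibay web root" >&2; return 1; }
    for f in "$crt" "$key" "$chain"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    if [ "$VERIFY_KEY" = "1" ]; then
        command -v openssl >/dev/null 2>&1 || { echo "openssl not found; cannot verify key" >&2; return 1; }
        key_matches_cert "$crt" "$key" || { echo "private key does not match $crt" >&2; return 1; }
    fi
    mkdir -p "$dest" && chmod 0700 "$dest"   # httpd reads the key as root at start-up
    cp "$crt" "$dest/ssl.crt" && cp "$chain" "$dest/ssl.chainfile" && cp "$key" "$dest/ssl.key"
    chmod 0644 "$dest/ssl.crt" "$dest/ssl.chainfile"
    chmod 0600 "$dest/ssl.key"
    run db domains setprop "$domain" DomainSSLCertificateChainFile "$dest/ssl.chainfile"
    run db domains setprop "$domain" DomainSSLCertificateFile "$dest/ssl.crt"
    run db domains setprop "$domain" DomainSSLCertificateKeyFile "$dest/ssl.key"
}

# One-time switch from the post, then re-expand httpd.conf and restart Apache.
apply_sni_config() {
    run config setprop httpd-e-smith SSLStrictSNIVHostCheck off
    run signal-event console-save
}

# Usage on the server:
#   DRY_RUN=0 ./stage_sni_cert.sh stage mydomain.com mydomain.crt mydomain.key chain.pem
#   DRY_RUN=0 ./stage_sni_cert.sh apply
case "${1:-}" in
    stage) shift; stage_cert "$@" ;;
    apply) apply_sni_config ;;
esac
```

Run it once per domain with DRY_RUN=1 first to see the exact db commands it will issue, then with DRY_RUN=0; the key check stops you before Apache does, since a certificate/key mismatch only shows up when httpd fails to restart.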

Stefano
Re: Set different SSL on each ibay / vhost
« Reply #18 on: January 04, 2018, 08:53:18 PM »
I guess that a simple
Code:
signal-event ibay-modify
should be enough (httpd.conf file expansion and httpd-e-smith service restart)

dhalliday
Re: Set different SSL on each ibay / vhost
« Reply #19 on: January 05, 2018, 01:34:45 AM »
While playing with my solution I find that SME still allows for 3DES ciphers which will give a less than optimal score on ssl tests such as:

https://www.htbridge.com/ssl/
or
https://www.ssllabs.com/ssltest/

This is easy to fix with :

config setprop modSSL CipherSuite 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4:!3DES'

and appropriate commands to re-expand the templates and restart apache. (Note: added !3DES to the end of the default CipherSuite line.)

Dave.
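Added example, not from Dave's post: resolve a CipherSuite string with the local OpenSSL before writing it to the modSSL record, list exactly which ciphers the appended !3DES drops, and probe a live host for a 3DES handshake afterwards. The function names and the OLD_SUITE/NEW_SUITE labels are this example's own. Note that OpenSSL 1.1.0 and later no longer count 3DES as HIGH, so on a newer box the removed list may already be empty, while on an older OpenSSL 1.0.x build (as on CentOS 6 based systems) it shows the DES-CBC3 suites.

```shell
#!/bin/bash
# Added example, not from the original post: preview what a CipherSuite string
# resolves to with the local OpenSSL, and show which ciphers !3DES removes.
# Function names are this example's own.
set -u

OLD_SUITE='HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'        # SME default quoted in the post
NEW_SUITE='HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4:!3DES'  # with !3DES appended

# One cipher name per line, as the local OpenSSL library expands the string.
list_ciphers() {
    openssl ciphers "$1" | tr ':' '\n'
}

# Number of 3DES suites left in a cipher string (OpenSSL names them DES-CBC3-*).
count_3des() {
    list_ciphers "$1" | grep -c 'DES-CBC3' || true
}

# Ciphers present in the first string but absent from the second.
removed_ciphers() {
    list_ciphers "$1" | grep -vxF "$(list_ciphers "$2")" || true
}

# Ask a live server for a 3DES-only TLS 1.2 handshake (TLS 1.3 ignores -cipher,
# so the version is pinned). Success means 3DES is still enabled on that host;
# a plain connection failure also reports "rejected", so check reachability first.
probe_3des() {
    if openssl s_client -connect "$1:443" -servername "$1" -tls1_2 -cipher 'DES-CBC3-SHA' \
         </dev/null >/dev/null 2>&1; then
        echo "$1: 3DES accepted"
    else
        echo "$1: 3DES rejected"
    fi
}

# Usage:  ./cipher_check.sh show          (local preview of both strings)
#         ./cipher_check.sh probe host    (live check after the restart)
if [ "${1:-}" = "show" ]; then
    echo "3DES suites with the old string: $(count_3des "$OLD_SUITE")"
    echo "3DES suites with the new string: $(count_3des "$NEW_SUITE")"
    echo "Removed by !3DES:"
    removed_ciphers "$OLD_SUITE" "$NEW_SUITE"
elif [ "${1:-}" = "probe" ]; then
    probe_3des "$2"
fi
```

Previewing with `openssl ciphers` on the server itself matters because the string is interpreted by the OpenSSL Apache links against, not by the scanner; the probe then confirms the restarted httpd really refuses DES-CBC3-SHA.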


madadam (http://www.extremetourist.com)
Re: Set different SSL on each ibay / vhost
« Reply #20 on: May 21, 2018, 06:03:24 AM »
Thank you for your work on this David, also thank you Jean-Philippe.

I have implemented your template fragments (2.1) and configured the SME DB. The individual SSL/TLS certs seem to work fine but the default self-signed cert does not when no specific cert is configured. I need to do some more testing.

I did a manual rebuild of the template segments and got an error. It looks like it should be a simple fix but I cannot see what's wrong with the template code, though I'm no expert. The template is exactly the same as you posted.

Here is the error:
Code:
[root@duey ~]# expand-template /etc/httpd/conf/httpd.conf
WARNING in /etc/e-smith/templates-custom//etc/httpd/conf/httpd.conf/VirtualHosts/10SSLCert: Use of uninitialized value $Text::Template::ERROR in concatenation (.) or string at /usr/share/perl5/vendor_perl/esmith/templates.pm line 579.
WARNING in /etc/e-smith/templates-custom//etc/httpd/conf/httpd.conf/VirtualHosts/10SSLCert: ERROR: Cannot process template /etc/e-smith/templates-custom//etc/httpd/conf/httpd.conf/VirtualHosts/10SSLCert:
 at /etc/e-smith/templates//etc/httpd/conf/httpd.conf/80VirtualHosts line 38
WARNING in /etc/e-smith/templates//etc/httpd/conf/httpd.conf/80VirtualHosts: Use of uninitialized value in concatenation (.) or string at /etc/e-smith/templates//etc/httpd/conf/httpd.conf/80VirtualHosts line 38.
WARNING in /etc/e-smith/templates-custom//etc/httpd/conf/httpd.conf/VirtualHosts/10SSLCert: Use of uninitialized value $Text::Template::ERROR in concatenation (.) or string at /usr/share/perl5/vendor_perl/esmith/templates.pm line 579.
WARNING in /etc/e-smith/templates-custom//etc/httpd/conf/httpd.conf/VirtualHosts/10SSLCert: ERROR: Cannot process template /etc/e-smith/templates-custom//etc/httpd/conf/httpd.conf/VirtualHosts/10SSLCert:
 at /etc/e-smith/templates//etc/httpd/conf/httpd.conf/80VirtualHosts line 38
WARNING in /etc/e-smith/templates//etc/httpd/conf/httpd.conf/80VirtualHosts: Use of uninitialized value in concatenation (.) or string at /etc/e-smith/templates//etc/httpd/conf/httpd.conf/80VirtualHosts line 38.
WARNING: Template processing succeeded for //etc/httpd/conf/httpd.conf: 2 fragments generated warnings
 at /sbin/e-smith/expand-template line 45


Any assistance would be appreciated.


Cheers,
Adam
...