This topic kicked off as a simple ‘here’s how…’ but the more I worked the more I ending up revising the content and the topic name.
So the topic should be “SMEServer 7.4: Installing a CA authorised certificate for an external facing hostname that is not the same as the internal facing hostname!!”
I started by not finding any information in the SMEServer Wiki so I rolled my own.
Having now had the ability to reflect on the last day and a half of effort I wish I had searched harder on the Wiki yesterday. So I am writing this with the benefit of hind-sight and having already got this working the long way around.
Read all of this before starting!
I followed the SMEServer v6.0 instructions for a external certificate as distinct from the self-issued ones. I got my certificate from my preferred supplier at RapidSSL.
After doing apparently all the right things with setup I found that I could not get Apache to start after the changes.
The errors were many but mostly this every 2 seconds:
No space left on device: mod_rewrite: could not create rewrite_log_lock
This was related to using a passphrase with the private key. While I tried a number of options to get it working in the end it was pointless as the only method to have this working other than a manual launch of Apache after every reboot was to have a plain text file injecting the passphrase when Apache needed it. Makes the passphrase security redundant. So I removed the passphrase:
openssl rsa -in keyfilewithpassphrase.key keyfilenopassphrase.key
Backup your files as per normal risk management before doing this and then swap the nopassphrase key into the live file so that Apache is no longer needing a passphrase.
Once that was done Apache was loading ok, but I still had an error:
RSA server certificate CommonName (CN) `myexternalhostname’ does NOT match server name!?
On SMEServer this relates to the ServerName setting in the VirtualHosts. I also changed the default setting one first without success and then the VirtualHost with success.
To do this you need to create copies of the template scripts as follows:
mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts
cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts
cp /etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/02ServerName .
(Dont forget the ‘.’ at the end!)
and then edit the contents of 02ServerName
ServerName your.server.name
#ServerName {$virtualHost}
This will remark out the automated setting and configure it to use your certified ServerName
Prepare the resulting template with
/sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
and restart apache
apachectl restart
This should clear all the errors and leave you with a working SSL certificate for web access to the server and no issues with self-issued certificates.
And it Works ! But….. the secure imap and the pptp connections now fail. I had only covered the web server access with all the above.
Then I searched the SMEServer Wiki again and this time found a document on installing a CA signed certificate. The only issue with this is that it also assumes that your internal hostname and domain will also be the external hostname and domain.
So by the time I found this the only bits I really need were the last few instructions:
config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
config setprop modSSL key /home/e-smith/ssl.key/{domain}.key
And then restart
signal-event post-upgrade signal-event reboot
And it’s all really working! At last!
So whats the correct / short way around ?
I think the sequence is to use this Custom CA Certificate instructions however if you want to have the certificate for a hostname.domainname combination that is not the same as the internal hostname.domainname then it needs some work.
I have not tested this but I think it needs to be like this:
Do the certificate request as a manual process on your server.
Get the certificate organised and copied to your server in the appropriate directories/home/e-smith/ssl.key, ssl.crt, etc
Make the changes for the Apache host stuff as per above
Make the config setprop changes and signal the events
This should address the use of an inconsistent external hostname and keep the IMAP and PPTP connections consistent with Apache.