Category Archives: Linux Servers and Software

General Linux server and software information.

SME Server and Samba

Working a bit with two new SME servers in the past week and creating additional configuration of Samba as a part of this.  There have been a number of things I needed to mess with to get it working how I wanted.

First up SME server 7.5 & 8.0b5 still have an inconsistency with the templating process.

Normally the compilation of a file from the template fragments follows the logical path of the resultant file, i.e.

/etc/httpd/httpd.conf file

is built from the

/etc/e-smith/templates/etc/httpd/httpd.conf/

directory with the template fragments within it.

The Samba smb.conf file lives within the /etc/samba directory

/etc/samba/smb.conf

but is compiled from the

/etc/e-smith/templates/etc/smb.conf

location, which is inconsistent. Having read through http://bugs.contribs.org, it would appear that this has been left alone for quite some years as OK. Minor annoyance for me.

The next bit is trying to get a new share set up for general use and multi-user access to a QuickBooks data file.

Creating a new template fragment

{
$OUT .= <<HERE;

[newsharename]
comment = Data files for my group
path = /home/e-smith/files/data
create mask = 0770
force group = mygroupsname
guest ok = yes
writable = yes
browseable = yes

HERE
}

Ok, next I expand the template and restart smb service.

#/sbin/e-smith/expand-template /etc/smb.conf

#service smb restart

Which all appears to work nicely with new files created with the groupname set so that any group member can get to the files they want to open. The only thing I cannot work out is why the execute bit is not set for the group, i.e. the file mask is -rwxrw---- (0760) rather than -rwxrwx--- (0770), but it does not appear to impact on anything.
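The 0760 result follows from how Samba maps DOS attributes onto execute bits: with the defaults (map archive = yes, map system = no, map hidden = no) only the owner execute bit is set on a new file, and create mask can only clear bits. The sketch below is an added example, not part of the original post and not Samba code; it is a simplified model of that behaviour, and the function name samba_file_mode is hypothetical.

```shell
#!/bin/sh
# Simplified model (added example) of the Unix mode Samba gives a NEW regular
# file. Ignores "inherit permissions", ACLs and "store dos attributes".
# Usage: samba_file_mode CREATE_MASK FORCE_CREATE_MODE MAP_ARCHIVE MAP_SYSTEM MAP_HIDDEN ATTRS
#   ATTRS is a string of DOS attribute letters: r(ead-only) a(rchive) s(ystem) h(idden)
samba_file_mode() {
    create_mask=$1; force_mode=$2
    map_archive=$3; map_system=$4; map_hidden=$5; attrs=$6

    mode=$((0666))                       # start from rw for user, group, other
    has() { case $attrs in *"$1"*) return 0 ;; *) return 1 ;; esac; }

    if has r; then mode=$((mode & ~0222)); fi
    # DOS attributes are carried in the execute bits, one per "map" option.
    if has a && [ "$map_archive" = yes ]; then mode=$((mode | 0100)); fi
    if has s && [ "$map_system"  = yes ]; then mode=$((mode | 0010)); fi
    if has h && [ "$map_hidden"  = yes ]; then mode=$((mode | 0001)); fi

    # create mask clears bits; force create mode then sets bits unconditionally.
    mode=$(( (mode & $create_mask) | $force_mode ))
    printf '%04o\n' "$mode"
}

# The share from the post: create mask = 0770, defaults for everything else,
# and a freshly written file carrying the archive attribute.
samba_file_mode 0770 0000 yes no no a     # 0760, the mask observed in the post
# Same share with "force create mode = 0010" added (an assumption, not in the post).
samba_file_mode 0770 0010 yes no no a     # 0770
```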

SME Server 7.4 and CA SSL Certificate

This topic kicked off as a simple ‘here’s how…’ but the more I worked the more I ended up revising the content and the topic name.

So the topic should be “SMEServer 7.4: Installing a CA authorised certificate for an external facing hostname that is not the same as the internal facing hostname!!”

I started by not finding any information in the SMEServer Wiki so I rolled my own.

Having now had the ability to reflect on the last day and a half of effort I wish I had searched harder on the Wiki yesterday. So I am writing this with the benefit of hindsight and having already got this working the long way around.

Read all of this before starting!

I followed the SMEServer v6.0 instructions for an external certificate as distinct from the self-issued ones. I got my certificate from my preferred supplier at RapidSSL.

After doing apparently all the right things with setup I found that I could not get Apache to start after the changes.

The errors were many but mostly this every 2 seconds:

No space left on device: mod_rewrite: could not create rewrite_log_lock

This was related to using a passphrase with the private key. While I tried a number of options to get it working in the end it was pointless as the only method to have this working other than a manual launch of Apache after every reboot was to have a plain text file injecting the passphrase when Apache needed it. Makes the passphrase security redundant. So I removed the passphrase:

openssl rsa -in keyfilewithpassphrase.key -out keyfilenopassphrase.key

Back up your files as per normal risk management before doing this and then swap the nopassphrase key into the live file so that Apache no longer needs a passphrase.

Once that was done Apache was loading ok, but I still had an error:

RSA server certificate CommonName (CN) `myexternalhostname’ does NOT match server name!?

On SMEServer this relates to the ServerName setting in the VirtualHosts. I also changed the default setting one first without success and then the VirtualHost with success.

To do this you need to create copies of the template scripts as follows:

mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts

cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts

cp /etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/02ServerName .

(Don’t forget the ‘.’ at the end!)

and then edit the contents of 02ServerName

ServerName your.server.name
#ServerName {$virtualHost}

This will remark out the automated setting and configure it to use your certified ServerName.

Prepare the resulting template with

/sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf

and restart apache

apachectl restart

This should clear all the errors and leave you with a working SSL certificate for web access to the server and no issues with self-issued certificates.

And it Works !  But…..  the secure imap and the pptp connections now fail. I had only covered the web server access with all the above.

Then I searched the SMEServer Wiki again and this time found a document on installing a CA signed certificate. The only issue with this is that it also assumes that your internal hostname and domain will also be the external hostname and domain.

So by the time I found this the only bits I really needed were the last few instructions:

config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
config setprop modSSL key /home/e-smith/ssl.key/{domain}.key

And then restart

signal-event post-upgrade
signal-event reboot

And it’s all really working! At last!

So what’s the correct / short way around?

I think the sequence is to use these Custom CA Certificate instructions; however, if you want to have the certificate for a hostname.domainname combination that is not the same as the internal hostname.domainname, then it needs some work.

I have not tested this but I think it needs to be like this:

Do the certificate request as a manual process on your server.

Get the certificate organised and copied to your server in the appropriate directories: /home/e-smith/ssl.key, ssl.crt, etc.

Make the changes for the Apache host stuff as per above

Make the config setprop changes and signal the events

This should address the use of an inconsistent external hostname and keep the IMAP and PPTP connections consistent with Apache.
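A pre-flight check for the sequence above, run before the config setprop step. This is an added example, not part of the original post or of SME Server; the function names are hypothetical, and the file and host names passed to it are placeholders.

```shell
#!/bin/sh
# Added example: checks to run before "config setprop modSSL crt/key".
# Hostnames and file names used with it are placeholders.

# Subject CommonName; copes with old "/CN=x" and new "CN = x" openssl output.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# True if the PEM key still carries a passphrase (traditional or PKCS#8 form).
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# True if certificate $1 and unencrypted RSA key $2 share the same modulus.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1") || return 2
    k=$(openssl rsa -noout -modulus -in "$2" -passin pass: 2>/dev/null) || return 2
    [ "$c" = "$k" ]
}

# True if the key file grants nothing to group or others.
key_is_private() {
    case $(ls -l "$1") in -???------*) return 0 ;; *) return 1 ;; esac
}

# preflight CERT KEY SERVERNAME: one line per finding, non-zero if any.
preflight() {
    rc=0
    cn=$(cert_cn "$1")
    if [ "$cn" != "$3" ]; then echo "CN '$cn' does not match ServerName '$3'"; rc=1; fi
    if key_is_encrypted "$2"; then
        echo "key has a passphrase: Apache cannot start unattended"; rc=1
    elif ! cert_matches_key "$1" "$2"; then
        echo "certificate and key do not belong together"; rc=1
    fi
    if ! key_is_private "$2"; then echo "key is readable by group/others"; rc=1; fi
    return $rc
}

# Constructed test material only: throwaway self-signed pair for CN $2 in dir $1.
make_constructed_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/test.key" -out "$1/test.crt" 2>/dev/null && chmod 600 "$1/test.key"
}

if [ $# -eq 3 ]; then preflight "$@"; fi
```

The check looks only at the subject CN, which is what the Apache warning quoted above compares; current browsers validate subjectAltName instead.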

Dlink DSL-502T fails to save DMZ

Damn Dlink.

Trying to update the firmware because the DMZ setting was not saving or at least was being reset to disabled despite my best efforts to save it into the modem. A restart seemed to be ok, but a while later the DMZ was disabled again.

So I downloaded the most recent firmware and used the upload option to install it. I then did the reset via the pinhole button on the rear and boom!

Power LED comes on but no-one is home any more. The damn thing has trashed itself internally. In this location I had a spare and replaced it straight away which gets the site back on the internet, etc. But what a pain that is when a simple firmware update blows up the modem.

So why was it not saving the DMZ? Guess I’ll never know.