This topic kicked off as a simple ‘here’s how…’ but the more I worked the more I ending up revising the content and the topic name.<\/p>\n
So the topic should be “SMEServer 7.4: Installing a CA authorised certificate for an external facing hostname that is not the same as the internal facing hostname!!”<\/p>\n
I started by not finding any information in the SMEServer Wiki so I rolled my own.<\/p>\n
Having now had the ability to reflect on the last day and a half of effort I wish I had searched harder on the Wiki yesterday. So I am writing this with the benefit of hind-sight and having already got this working the long way around.<\/p>\n
Read all of this before<\/em> starting!<\/p>\n I followed the SMEServer v6.0 instructions<\/a> for a external certificate as distinct from the self-issued ones. I got my certificate from my preferred supplier at RapidSSL<\/a>.<\/p>\n After doing apparently all the right things with setup I found that I could not get Apache to start after the changes.<\/p>\n The errors were many but mostly this every 2 seconds:<\/p>\n No space left on device: mod_rewrite: could not create rewrite_log_lock<\/p><\/blockquote>\n This was related to using a passphrase with the private key. While I tried a number of options to get it working in the end it was pointless as the only method to have this working other than a manual launch of Apache after every reboot was to have a plain text file injecting the passphrase when Apache needed it. Makes the passphrase security redundant. So I removed the passphrase:<\/p>\n openssl rsa -in keyfilewithpassphrase.key keyfilenopassphrase.key<\/p><\/blockquote>\n Backup your files as per normal risk management before doing this and then swap the nopassphrase key into the live file so that Apache is no longer needing a passphrase.<\/p>\n Once that was done Apache was loading ok, but I still had an error:<\/p>\n RSA server certificate CommonName (CN) `myexternalhostname’ does NOT match server name!?<\/p><\/blockquote>\n On SMEServer this relates to the ServerName setting in the VirtualHosts. I also changed the default setting one first without success and then the VirtualHost with success.<\/p>\n To do this you need to create copies of the template scripts as follows:<\/p>\n mkdir -p \/etc\/e-smith\/templates-custom\/etc\/httpd\/conf\/httpd.conf\/VirtualHosts<\/p>\n cd \/etc\/e-smith\/templates-custom\/etc\/httpd\/conf\/httpd.conf\/VirtualHosts<\/p>\n cp \/etc\/e-smith\/templates\/etc\/httpd\/conf\/httpd.conf\/VirtualHosts\/02ServerName .<\/p><\/blockquote>\n (Dont forget the ‘.’ at the end!)<\/p>\n and then edit the contents of 02ServerName<\/p>\n ServerName your.server.name This will remark out the automated setting and configure it to use your certified ServerName<\/p>\n Prepare the resulting template with<\/p>\n \/sbin\/e-smith\/expand-template \/etc\/httpd\/conf\/httpd.conf<\/p><\/blockquote>\n and restart apache<\/p>\n apachectl restart<\/p><\/blockquote>\n This should clear all the errors and leave you with a working SSL certificate for web access to the server and no issues with self-issued certificates.<\/p>\n And it Works !\u00a0 But…..\u00a0 the secure imap and the pptp connections now fail. I had only covered the web server access with all the above.<\/p>\n
\n#ServerName {$virtualHost}<\/p><\/blockquote>\n