Say for example from startssl.com?
And where are they all being used?
i.e.
- apache2
- postfix
- anywhere else?
How about a GUI where we can copy/paste our certificate/key and save it for EFA to use?
Or maybe a solution using letsencrypt is coming "soonish"? => viewtopic.php?t=1480
How would I replace all certificates used by EVA with proper ones?
- shawniverson
Re: How would I replace all certificates used by EVA with proper ones?
That's it, just postfix and apache.
Re: How would I replace all certificates used by EVA with proper ones?
OK, cool, thanks for confirming. I can manually handle those two; maybe put a GUI solution into your feature-suggestions list.
Re: How would I replace all certificates used by EVA with proper ones?
What is the procedure for this? Linux noob here...
Do I just replace the .crt files? What about if I have intermediate certificates from the author? What is the path for Postfix and Apache certs?
Thanks for any help! Appreciate EFA!
Re: How would I replace all certificates used by EVA with proper ones?
Sorry, missed this. Look into /etc/postfix/main.cf and find:
Code: Select all
smtp_tls_CAfile = /etc/postfix/ssl/smtpd.pem
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem
For whatever reason, smtpd_tls_CAfile is in there twice.
For apache I couldn't find the configs so I looked into webmin and it lists:
Certificate/private key file: /etc/pki/tls/certs/localhost.crt
Private key file: /etc/pki/tls/private/localhost.key
Maybe someone can confirm this is correct.
Re: How would I replace all certificates used by EVA with proper ones?
I've just implemented a certificate from letsencrypt via acme.sh and here are my steps, adapted from another forum. Original thread is here: https://www.howtoforge.com/community/th ... 097/page-2 I am not claiming any originality.
1. Login as root on your server
2. Go to a dir where you want to clone to (I like /usr/local/src) and clone the repo:
Code: Select all
git clone https://github.com/Neilpang/acme.sh.git
3. Go into the dir and install it. There's a simple install command but I'd prefer to provide a few more options. Find all options here: https://github.com/Neilpang/acme.sh/wik ... stallation.
Code: Select all
cd acme.sh
./acme.sh --install --certhome /etc/acme.sh --accountemail "user@domain.tld"
--certhome is where acme.sh saves the certs to
--accountemail is the email used to register the account to LE
The installation performs 3 actions:
a. create and copy the acme.sh into the given home dir
b. create alias for acme.sh
c. create everyday cron to check if renew is needed - check your crontab, cron will look like this:
Code: Select all
0 0 * * * /usr/local/acme.sh/acme.sh --cron --home /usr/local/acme.sh > /dev/null
to edit type: crontab -e
4. Issue a cert
Code: Select all
acme.sh --issue -d efa.domain.tld -w /var/www/html/
5. Install cert and reload/restart services
Code: Select all
acme.sh --installcert -d efa.domain.tld --certpath "/etc/pki/tls/certs/efa.domain.tld.crt" --keypath "/etc/pki/tls/private/efa.domain.tld.key" --fullchainpath "/etc/pki/tls/certs/efa.domain.tld.bundle"
6. Open Webmin and go to Servers => Apache Web Server => Existing Virtual Hosts and edit the one listening on port 443.
Select: SSL Options and adjust the paths for Certificate/private key file to the crt file /etc/pki/tls/certs/efa.domain.tld.crt and Private key file to /etc/pki/tls/private/efa.domain.tld.key then Certificate authorities file to /etc/pki/tls/certs/efa.domain.tld.bundle
7. Reload apache
Code: Select all
/etc/init.d/httpd reload
8. Setup Auto-Upgrade
Code: Select all
acme.sh --upgrade --auto-upgrade
To edit Webmin certificate:
Go to EFA => Dashboard => TOOLS => Webmin => Webmin => Webmin configuration => SSL Encryption => SSL Settings
Private key file: /etc/pki/tls/private/efa.domain.tld.key
Certificate file => separate file: /etc/pki/tls/certs/efa.domain.tld.crt
Save, reload, done.
I just realized that webmin has a LETSENCRYPT tab which could possibly do this automatically?
Anyone want to have a look and give some feedback?
Go to EFA => Dashboard => TOOLS => Webmin => Webmin => Webmin configuration => SSL Encryption => SSL Settings => Let's Encrypt
For postfix simply edit /etc/postfix/main.cf to look like this:
Code: Select all
#smtp_tls_CAfile = /etc/postfix/ssl/smtpd.pem
smtp_tls_CAfile = /etc/pki/tls/certs/efa.domain.tld.bundle
#smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_key_file = /etc/pki/tls/private/efa.domain.tld.key
#smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_cert_file = /etc/pki/tls/certs/efa.domain.tld.crt
reload postfix: /etc/init.d/postfix reload
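A way to check which certificate and key files /etc/postfix/main.cf actually ends up using after edits like the ones in the posts above, as an added example that is not part of any post in this thread. The sample config is constructed from the lines quoted in the thread; the function names and the DEFAULT/CUSTOM/DUPLICATE labels are chosen for this example.

```sh
#!/bin/sh
# Added example: audit which PEM files Postfix's TLS parameters point at.
DEFAULT_PEM="/etc/postfix/ssl/smtpd.pem"   # shipped path quoted in the thread

# Constructed sample: the four lines quoted earlier in the thread with the
# three replacements applied, and smtpd_tls_CAfile present twice.
sample_main_cf() {
cat <<'EOF'
#smtp_tls_CAfile = /etc/postfix/ssl/smtpd.pem
smtp_tls_CAfile = /etc/pki/tls/certs/efa.domain.tld.bundle
smtpd_tls_key_file = /etc/pki/tls/private/efa.domain.tld.key
smtpd_tls_cert_file = /etc/pki/tls/certs/efa.domain.tld.crt
smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem
smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem
EOF
}

# audit_main_cf [FILE]: prints name|effective value|times set|status.
audit_main_cf() {
    awk -v def="$DEFAULT_PEM" '
        /^[ \t]*#/ { next }      # commented-out settings have no effect
        /^smtpd?_tls_(cert_file|key_file|CAfile)[ \t]*=/ {
            eq = index($0, "=")
            name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
            val = substr($0, eq + 1);     gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (!(name in count)) order[++n] = name
            count[name]++
            value[name] = val    # Postfix uses the last definition in the file
        }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]
                status = (value[p] == def) ? "DEFAULT" : "CUSTOM"
                if (count[p] > 1) status = status ",DUPLICATE"
                printf "%s|%s|%d|%s\n", p, value[p], count[p], status
            }
        }' "$@"
}

# needs_attention [FILE]: succeeds if anything is still default or duplicated.
needs_attention() { audit_main_cf "$@" | grep -Eq 'DEFAULT|DUPLICATE'; }

# Demo on the constructed sample; on a real host: audit_main_cf /etc/postfix/main.cf
sample_main_cf | audit_main_cf
```

On the constructed sample the three replaced parameters report CUSTOM, while smtpd_tls_CAfile still reports the shipped PEM and is flagged as set twice.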
Re: How would I replace all certificates used by EVA with proper ones?
You can do it all in Webmin for the GUI minded users. I wrote up a quick how-to about how I did it. Hope it helps someone.
Go to Webmin (usually https://<address>:10000)
In the console open Webmin - Webmin Configuration - SSL Encryption and click Certificate Signing Request tab.
Fill in the servername FQDN (i.e. efa-3.domain.lan), Organization, Country code, etc. and click Create Now
Copy the CSR text into a text file and send it to your CA. If all is well you should receive a certificate file in return.
Copy the text inside the resulting certificate file into your clipboard.
In the SSL Encryption part of Webmin click the Upload Certificate tab and paste the text in the Certificate text box and select "Entered below"
If your CA also requires you to install intermediate certificates you should copy and paste the text of that certificate into the "Chained Certificate text" and enable the "Entered below" for that option. I didn't have to do that as I used my own CA to generate the certificate.
When you press "Save" it will tell you where it saved the key and certificate files.
For instance: "The supplied SSL key has been saved in /etc/webmin/miniserv.pem, and the certificate in /etc/webmin/miniserv.cert." Remember/copy these locations for the next part!
Go to Servers - Apache Webserver. Select the Virtual server with port 443 in the Existing Virtual hosts tab. Select SSL Options.
Using the example above: put /etc/webmin/miniserv.cert in the Certificate/private key box. Put /etc/webmin/miniserv.pem in the Private Key file box. Replace these values with the ones from the previous step.
Go back to Servers - Apache Webserver and click Apply changes (upper-right corner)
Check your website on HTTPS and check the certificate, it should display (and use) the newly added certificate.
ps. I only did this for Apache, but if you need the same in Postfix it probably requires the same steps but using Servers - Postfix - SMTP Authentication and Encryption instead.