How would I replace all certificates used by EFA with proper ones?

ovizii
Posts: 463
Joined: 11 May 2016 08:08

Post by ovizii »

Say for example from startssl.com?
And where are they all being used?

i.e.
- apache2
- postfix
- anywhere else?

How about a GUI where we can copy/paste our certificate/key and save it for EFA to use?

Or maybe a solution using letsencrypt is coming "soonish"? => viewtopic.php?t=1480
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Post by shawniverson »

That's it, just postfix and apache.
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Post by ovizii »

OK, cool, thanks for confirming. I can manually handle those two, maybe put a GUI solution into your feature-suggestions list :-)
bob.lenz
Posts: 12
Joined: 29 Jun 2015 22:33

Post by bob.lenz »

What is the procedure for this? Linux noob here... :)

Do I just replace the .crt files? What about if I have intermediate certificates from the author? What is the path for Postfix and Apache certs?

Thanks for any help! Appreciate EFA!
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Post by ovizii »

Sorry, missed this. Look into /etc/postfix/main.cf and find:

```
smtp_tls_CAfile = /etc/postfix/ssl/smtpd.pem
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem
```

For whatever reason, smtpd_tls_CAfile is in there twice.

For Apache I couldn't find the configs, so I looked into Webmin and it lists:
Certificate/private key file: /etc/pki/tls/certs/localhost.crt
Private key file: /etc/pki/tls/private/localhost.key
Maybe someone can confirm this is correct.
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Post by ovizii »

I've just implemented a certificate from letsencrypt via acme.sh and here are my steps, adapted from another forum. Original thread is here: https://www.howtoforge.com/community/th ... 097/page-2
I am not claiming any originality.

1. Log in as root on your server
2. Go to a dir where you want to clone to (I like /usr/local/src) and clone the repo:

```
git clone https://github.com/Neilpang/acme.sh.git
```

3. Go into the dir and install it. There's a simple install command but I'd prefer to provide a few more options. Find all options here: https://github.com/Neilpang/acme.sh/wik ... stallation.

```
cd acme.sh
./acme.sh --install --certhome /etc/acme.sh --accountemail "user@domain.tld"
```

--certhome is where acme.sh saves the certs to
--accountemail is the email used to register the account to LE

The installation performs 3 actions:
a. create and copy the acme.sh into the given home dir
b. create alias for acme.sh
c. create everyday cron to check if renew is needed - check your crontab, cron will look like this:

```
0 0 * * * /usr/local/acme.sh/acme.sh --cron --home /usr/local/acme.sh > /dev/null
```

To edit, type: crontab -e

4. Issue a cert

```
acme.sh --issue -d efa.domain.tld -w /var/www/html/
```

5. Install cert and reload/restart services

```
acme.sh --installcert -d efa.domain.tld --certpath "/etc/pki/tls/certs/efa.domain.tld.crt" --keypath "/etc/pki/tls/private/efa.domain.tld.key" --fullchainpath "/etc/pki/tls/certs/efa.domain.tld.bundle"
```

6. Open Webmin and go to Servers => Apache Web Server => Existing Virtual Hosts and edit the one listening on port 443.
Select: SSL Options and adjust the paths for Certificate/private key file to the crt file /etc/pki/tls/certs/efa.domain.tld.crt and Private key file to /etc/pki/tls/private/efa.domain.tld.key then Certificate authorities file to /etc/pki/tls/certs/efa.domain.tld.bundle
7. Reload apache

```
/etc/init.d/httpd reload
```

8. Set up auto-upgrade

```
acme.sh --upgrade --auto-upgrade
```

To edit the Webmin certificate:
Go to EFA => Dashboard => TOOLS => Webmin => Webmin => Webmin configuration => SSL Encryption => SSL Settings
Private key file: /etc/pki/tls/private/efa.domain.tld.key
Certificate file => separate file: /etc/pki/tls/certs/efa.domain.tld.crt

Save, reload, done.

I just realized that webmin has a LETSENCRYPT tab which could possibly do this automatically?
Anyone want to have a look and give some feedback?
Go to EFA => Dashboard => TOOLS => Webmin => Webmin => Webmin configuration => SSL Encryption => SSL Settings => Let's Encrypt


For postfix simply edit /etc/postfix/main.cf to look like this:

```
#smtp_tls_CAfile = /etc/postfix/ssl/smtpd.pem
smtp_tls_CAfile = /etc/pki/tls/certs/efa.domain.tld.bundle
#smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_key_file = /etc/pki/tls/private/efa.domain.tld.key
#smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_cert_file = /etc/pki/tls/certs/efa.domain.tld.crt
```

Reload postfix: /etc/init.d/postfix reload
roxsman
Posts: 1
Joined: 15 Nov 2016 15:05

Post by roxsman »

You can do it all in Webmin for the GUI minded users.. I wrote up a quick how-to about how I did it.. Hope it helps someone

Go to Webmin (usually https://<address>:10000)
In the console open Webmin - Webmin Configuration - SSL Encryption and click the Certificate Signing Request tab.

Fill in the servername FQDN (i.e. efa-3.domain.lan), Organization, Country code, etc. and click Create Now
Copy the CSR text into a text file and send it to your CA. If all is well you should receive a certificate file in return.
Copy the text inside the resulting certificate file into your clipboard.
In the SSL Encryption part of Webmin click the Upload Certificate tab and paste the text in the Certificate text box and select "Entered below"
If your CA also requires you to install intermediate certificates you should copy and paste the text of that certificate into the "Chained Certificate text" and enable the "Entered below" for that option. I didn't have to do that as I used my own CA to generate the certificate.
When you press "Save" it will tell you where it saved the key and certificate files.
For instance: "The supplied SSL key has been saved in /etc/webmin/miniserv.pem, and the certificate in /etc/webmin/miniserv.cert." Remember/copy these locations for the next part!

Go to Servers - Apache Webserver. Select the Virtual server with port 443 in the Existing Virtual hosts tab. Select SSL Options.
Using the example above: put /etc/webmin/miniserv.cert in the Certificate/private key box. Put /etc/webmin/miniserv.pem in the Private Key file box. Replace these values with the ones from the previous step.
Go back to Servers - Apache Webserver and click Apply changes (upper-right corner)

Check your website on HTTPS and check the certificate, it should display (and use) the newly added certificate. :clap:

P.S. I only did this for Apache, but if you need the same in Postfix it probably requires the same steps but using Servers - Postfix - SMTP Authentication and Encryption instead.
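
Both the acme.sh procedure and the Webmin how-to above end with pointing Apache or Postfix at a new certificate and key and reloading the service. The following pre-reload check is an added example, not part of any post in this thread: it confirms that the key belongs to the certificate, that the key file is not accessible to group or other, and that the certificate is not about to expire. The function name `check_pair` and the 14-day threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): verify a certificate/key pair before
# pointing Apache or Postfix at it and reloading. check_pair is an
# illustrative name. Requires the openssl CLI and GNU stat.

WARN_SECONDS=$((14 * 24 * 3600))   # assumed threshold: 14 days

# Return codes: 0 ok, 1 key does not match cert, 2 file cannot be parsed,
#               3 private key accessible to group/other, 4 cert expires soon.
check_pair() {
    cp_cert=$1
    cp_key=$2

    # Extract the public key from each file. Both come out as the same PEM
    # SubjectPublicKeyInfo text when the key belongs to the certificate.
    # "-passin pass:" makes an encrypted key fail instead of prompting.
    cp_cpub=$(openssl x509 -in "$cp_cert" -noout -pubkey 2>/dev/null) ||
        { echo "cannot parse certificate: $cp_cert"; return 2; }
    cp_kpub=$(openssl pkey -in "$cp_key" -pubout -passin pass: 2>/dev/null) ||
        { echo "cannot parse private key: $cp_key"; return 2; }
    if [ "$cp_cpub" != "$cp_kpub" ]; then
        echo "key $cp_key does not belong to certificate $cp_cert"
        return 1
    fi

    # The octal mode must end in 00: no group or other permissions.
    cp_mode=$(stat -c %a "$cp_key")
    case $cp_mode in
        0|*00) ;;
        *) echo "private key mode $cp_mode is too open, expected 600 or 400"
           return 3 ;;
    esac

    # -checkend exits non-zero if the cert expires within the given seconds.
    if ! openssl x509 -in "$cp_cert" -noout -checkend "$WARN_SECONDS" >/dev/null; then
        echo "certificate expires within 14 days: $cp_cert"
        return 4
    fi
    echo "ok: $cp_cert"
}

# Stand-alone use: sh check_pair.sh <cert> <key>
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```

With the paths from the thread, this would be run as `check_pair /etc/pki/tls/certs/efa.domain.tld.crt /etc/pki/tls/private/efa.domain.tld.key` before the httpd and postfix reloads.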