Services/Web

From popdata

Apache Config

General

  • /etc/apache2/sites-available - definitions for websites
  • /etc/apache2/sites-enabled - links to sites-available for websites that are enabled
  • /etc/apache2/mods-available - available apache modules
  • /etc/apache2/mods-enabled - modules actually enabled
  • /etc/apache2/ssl - SSL certificates

SSL Certificates

Lately bought from www.ssls.com. To get a new one:

  • generate a CSR (certificate signing request). On any machine:
% openssl req -nodes -newkey rsa:2048 -keyout snagserver.key -out snagserver.csr
Generating a 2048 bit RSA private key
...+++
......................................................................+++
writing new private key to 'snagserver.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:British Columbia
Locality Name (eg, city) []:Vancouver
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SNAG
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:www.snag.ubc.ca
Email Address []:jim@popdata.bc.ca

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

This creates two files: snagserver.key, the private key for the webserver (keep it on the server and never send it to anyone), and snagserver.csr, the CSR needed by the SSL provider. The CSR is just a text file; its contents are pasted into the provider's order form when buying the certificate (select the Apache/OpenSSL format). The provider will then send a verification email to one of the standard addresses for the domain (like admin@snag.ubc.ca or root@snag.ubc.ca).

  • Install certificate in the webserver

You will receive a zip attachment from the SSL provider by email:

% unzip -l www_snag_ubc_ca.zip 
Archive:  www_snag_ubc_ca.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
     1521  2000-05-30 10:48   AddTrustExternalCARoot.crt
     1952  2000-05-30 10:48   COMODORSAAddTrustCA.crt
     2151  2014-02-12 00:00   COMODORSADomainValidationSecureServerCA.crt
     1895  2015-01-13 00:00   www_snag_ubc_ca.crt
---------                     -------
     7519                     4 files

The first three are the root and intermediate CA certificates; they need to be combined into one chain file:

cat AddTrustExternalCARoot.crt COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt > snag-chain.pem

Then copy the files into the /etc/apache2/ssl directory:

cp snag-chain.pem /etc/apache2/ssl/snag-chain.pem
cp www_snag_ubc_ca.crt /etc/apache2/ssl/snag-cert.pem
cp snagserver.key /etc/apache2/ssl/snag-key.pem

Then add these lines to the site definition in /etc/apache2/sites-available for the website that should serve HTTPS:

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/snag-cert.pem
    SSLCertificateKeyFile /etc/apache2/ssl/snag-key.pem
    SSLCertificateChainFile /etc/apache2/ssl/snag-chain.pem

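Before copying the three files into /etc/apache2/ssl it is worth confirming that they fit together: that the key really belongs to the certificate, that the chain file verifies it, that nothing is about to expire and that the key is not readable by others. The POSIX shell script below is an added example, not part of this wiki page; it assumes the openssl command is installed, and its make_test_bundle function only builds throwaway test certificates with constructed names (www.example.test, Test Root CA), not the page's.

```shell
# Preflight checks for a certificate bundle before it is copied into
# /etc/apache2/ssl. Added example, not from the wiki page; assumes openssl is installed.
# check_bundle KEY CERT CHAIN: returns 0 when every check passes.
check_bundle() {
    key=$1; cert=$2; chain=$3; status=0
    # 1. The key must belong to the certificate: compare the public key inside the
    #    certificate with the one derived from the private key, not file names.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "ok: private key matches certificate"
    else
        echo "FAIL: $key does not match $cert"; status=1
    fi
    # 2. The chain must lead from the certificate to a root; a chain file that is
    #    missing an intermediate (e.g. a typo in the cat command) fails here.
    if openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "ok: certificate verifies against $chain"
    else
        echo "FAIL: $cert does not verify against $chain"; status=1
    fi
    # 3. Refuse certificates that are expired or expire within 30 days (2592000 s).
    if openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "ok: certificate valid for more than 30 days"
    else
        echo "FAIL: certificate is expired or expires within 30 days"; status=1
    fi
    # 4. The private key must be readable by its owner only (GNU stat, BSD fallback).
    case $(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key") in
        ?00) echo "ok: key is owner-only" ;;
        *)   echo "FAIL: $key is readable by group/others, chmod 600 it"; status=1 ;;
    esac
    return $status
}

# make_test_bundle DIR: builds a throwaway root CA and a server certificate signed
# by it so the checks can be exercised offline (constructed test data, not real certs).
make_test_bundle() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=Test Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 90 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/server.crt" >/dev/null 2>&1
    cp "$dir/ca.crt" "$dir/chain.pem"
    chmod 600 "$dir/server.key" "$dir/ca.key"
}
```

For the real files this would be run as `check_bundle snagserver.key www_snag_ubc_ca.crt snag-chain.pem` before the cp step above.
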
Generate SSL for Cisco

Cisco needs the certificate in a different format (a PKCS#12 file that bundles key, certificate and CA chain), and it has to have a password on it.

# openssl pkcs12 takes a single -certfile, so bundle the CA certificates into one file first
cat AddTrustExternalCARoot.crt COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt > popdata-chain.pem
openssl pkcs12 -export -in STAR_popdata_bc_ca.crt -inkey popdatserver.key -certfile popdata-chain.pem -out popdata-cisco.p12

popdatserver.key is the private key, STAR_popdata_bc_ca.crt is the certificate from the provider, and the other .crt files are the root and intermediate certificates. Enter an export password and remember it; the ASA will ask for it on import. Then use the Cisco ASA web interface to add a new identity certificate from the popdata-cisco.p12 generated above, and change the AnyConnect VPN access interfaces to use that trustpoint.

Install certificate in Zimbra

As root, back up the old one:

cp /opt/zimbra/ssl/zimbra/commercial/commercial.key .
cp /opt/zimbra/ssl/zimbra/commercial/commercial.crt .

Install the new one (verifycrt checks that the key, certificate and chain belong together before anything is deployed):

/opt/zimbra/bin/zmcertmgr verifycrt comm popdatserver.key popdata2015-cert.pem popdata2015-chain.pem
cp popdatserver.key /opt/zimbra/ssl/zimbra/commercial/commercial.key
/opt/zimbra/bin/zmcertmgr deploycrt comm popdata2015-cert.pem popdata2015-chain.pem
/opt/zimbra/bin/zmcertmgr viewdeployedcrt