FreeIPA request certificate with cname - ssl

I while ago I was wondering how I could create an ssl-certificate for a cname. This came up as we always use generic a-records for our virtual machines. Services running on those virtual machines should be accessed by users by their service name over SSL. We use FreeIPA as our Certificate Authority.

Sometimes you search for an answer for ages, and find the answer on multiple websites which are not very clear. I will explain my answer by means of an example to show the differences in requesting a certificate from FreeIPA with a cname and without a cname.
We make an imaginary virtual machine with an a-record being abc955-xy.example.com. On this machine we will run postgres. So, out of convenience, the cname will be postgresql.example.com. First we create a certificate for abc955-xy.example.com, which is only valid for the fqdn. Second, we create a certificate for the cname, which is also valid for the fqdn.
Certificate without a cname
# Generate a private key
openssl genrsa -out abc955-xy.example.com.key 4096
# Add the host to FreeIPA
ipa host-add abc955-xy.example.com --force
# Create a host principal for the service HTTP
ipa service-add HTTP/abc955-xy.example.com
# Add the host principal to the host
ipa service-add-host HTTP/abc955-xy.example.com --host abc955-xy.example.com
# Request a certificate for the host, using the principal and private key
ipa-getcert request -r -f abc955-xy.example.com.crt -k abc955-xy.example.com.key \
-K HTTP/abc955-xy.example.com -D abc955-xy.example.com
Cerfificate including a cname
# Generate a private key
openssl genrsa -out postgresql.example.com.key 4096
# Add the host to FreeIPA, using the cname
ipa host-add postgresql.example.com --force
# Create a host principal for the service HTTP
ipa service-add HTTP/abc955-xy.example.com
# Create a principal for the service HTTP with the cname
ipa service-add HTTP/postgresql.example.com --force
# Add the cname principal to the host
ipa service-add-host HTTP/postgresql.example.com --host abc955-xy.example.com
# Request a certificate for the host, using the principal and private key and cname
ipa-getcert request -r -f postgresql.example.com.crt -k postgresql.example.com.key\
-K HTTP/postgresql.example.com -D postgresql.example.com -D abc955-xy.example.com
Other than some naming differences, the main difference between both options is that you add the HTTP-principal with the cname to the host instead of the HTTP-principal with the fqdn.
Note: since browsers such as Chrome and Chromium only accept certificates with a Subject Alternative Name (SAN) as of version 65, you need to add a Subject Alternative Name to certificates without a cname too. This is where the option -D comes from in the ipa-getcert request. For certificates without a cname, you have to supply the fqdn.

# Set variables
DOMAIN=domain.name
CNAME=cname
DEST_MACHINE=dest-machine
# Add CNAME DNS-record
# $CNAME => $DEST_MACHINE
ipa dnsrecord-add $DOMAIN $CNAME --cname-hostname=$DEST_MACHINE
# Generate a private key
## to /etc/pki/tls/private
## or another dir (*selinux fcontext* of that dir should be *cert_t*)
sudo openssl genrsa -out /etc/pki/tls/private/$CNAME\_$DEST_MACHINE.key 4096
# Create HTTP service for $DEST_MACHINE\.$DOMAIN
ipa service-add HTTP/$DEST_MACHINE\.$DOMAIN
# Add alias HTTP/$CNAME\.$DOMAIN for HTTP/$DEST_MACHINE\.$DOMAIN
ipa service-add-principal HTTP/$DEST_MACHINE\.$DOMAIN HTTP/$CNAME\.$DOMAIN
# Request a certificate for HTTP/$DEST_MACHINE\.$DOMAIN
# for a DNSNAMEs:
## $DEST_MACHINE\.$DOMAIN
## $CNAME\.$DOMAIN
sudo ipa-getcert request -r \
-f /etc/pki/tls/private/$CNAME\_$DEST_MACHINE.crt \
-k /etc/pki/tls/private/$CNAME\_$DEST_MACHINE.key \
-K HTTP/$DEST_MACHINE\.$DOMAIN \
-D $DEST_MACHINE\.$DOMAIN \
-D $CNAME\.$DOMAIN
# Show info about certificate requests
sudo ipa-getcert list
# List content of certificates dir
ls /etc/pki/tls/private/
# Now just use that certificates with your web-services

Related

MQTT and SSL/TLS

I registered for an account on a mqtt server provider.
They provide 3 ports:
port: 1xxxx
ssl port: 2xxxx
websockets(TLS only): 3xxxx
I am publishing and receiving data from port 1xxx.
I would like to add encryption though. The mqtt server provider gives a "shared" subdomain but says:
If you want to use a custom domain for your instance you have to provide your own certificate to use with MQTT+TLS and Websockets. Certificates must be PEM encoded and the privte key unencrypted. Certs are only stored on your dedicated instance. When certs are installed you can point your domain as a CNAME to hairdresser.cloudmqtt.com.
I added a CNAME on my domain panel which I call it (mqtt.mydomain.com) and resolves to the above subdomain.
On my domain panel also I added ssl from letsenrypt(free) to my subdomain mqtt.mydomain.com(which points to mqtt server domain).
After adding the ssl I downloaded a zip file from the domain panel which contains 3 files:
mqtt.mydomain.com.ca
mqtt.mydomain.com.cert
mqtt.mydomain.com.key
I paste the contents of ca file to CA chain, cert file to Certificate and key file to Private key
Saved everything and restarted instance(mqtt server).
Then I tried from my computer:
mosquitto_pub -h "mqtt.mydomain.com" -p 1xxxx -i test1 -u test1 -P pass1 -t mytopics/test1 -m "hi everyone" -d -c
works but since its port 1xxxx its not SSL.
Trying the ssl:
mosquitto_pub -h "mqtt.mydomain.com" -p 2xxxx -i test1 -u test1 -P pass1 -t mytopics/test1 -m "hi everyone" -d -c --cafile C:\Users\CT\Downloads\certs\mqtt.mydomain.com.ca
gives me error on cmd:
OpenSSL Error[0]: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Error: A TLS error occurred.
Tried many different commands like passing cert file appart from ca and even key file(which is probably wrong i guess) and I am getting different errors on the server logs like:
OpenSSL Error: error:14094418:SSL routine
s:ssl3_read_bytes:tlsv1 alert unknown ca
OpenSSL Error: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
Client connection from xx.xx.xx.xx failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number.

How to install Zimbra certification?

I have this error when I want install a commercial SSL in Zimbra
Your certificate was not installed due to the error : system failure:
exception executing command: zmcertmgr verifycrtkey comm
/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current_comm.key
/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt with
{RemoteManager: mail.mydomain.com->zimbra#mail.mydomain.com:22}
Use below script for SSL install in Zimbra.
#!/bin/bash -x
# SSL certificate installation in Zimbra
# with SSL certificate provided by Let's Encrypt (letsencrypt.org)
# Author: Subhash (serverkaka.com)
# Check if running as root
if [ "$(id -u)" != "0" ]; then
echo "This script must be run as root" 1>&2
exit 1
fi
read -p 'letsencrypt_email [xx#xx.xx]: ' letsencrypt_email
read -p 'mail_server_url [xx.xx.xx]: ' mail_server_url
# Check All variable have a value
if [ -z $mail_server_url ] || [ -z $letsencrypt_email ]
then
echo run script again please insert all value. do not miss any value
else
# Installation start
# Stop the jetty or nginx service at Zimbra level
su - zimbra -c 'zmproxyctl stop'
su - zimbra -c 'zmmailboxdctl stop'
# Install git and letsencrypt
cd /opt/
apt-get install git
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
# Get SSL certificate
./letsencrypt-auto certonly --standalone --non-interactive --agree-tos --email $letsencrypt_email -d $mail_server_url --hsts
cd /etc/letsencrypt/live/$mail_server_url
cat <<EOF >>chain.pem
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
EOF
# Verify commercial certificate
mkdir /opt/zimbra/ssl/letsencrypt
cp /etc/letsencrypt/live/$mail_server_url/* /opt/zimbra/ssl/letsencrypt/
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
ls -la /opt/zimbra/ssl/letsencrypt/
su - zimbra -c 'cd /opt/zimbra/ssl/letsencrypt/ && /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem'
# Deploy the new Let's Encrypt SSL certificate
cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
sudo chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
su - zimbra -c 'cd /opt/zimbra/ssl/letsencrypt/ && /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem'
# Restart Zimbra
su - zimbra -c 'zmcontrol restart'
# setting auto https redirect
cd /opt && touch https-redirect.sh && chown zimbra:zimbra https-redirect.sh && chmod +x https-redirect.sh
cat <<EOF >>/opt/https-redirect.sh
zmprov ms $mail_server_url zimbraReverseProxyMailMode redirect
EOF
su - zimbra -c '/opt/https-redirect.sh'
rm /opt/https-redirect.sh
fi
For more reference check this link: https://github.com/SubhashPatel/Install-Zimbra-mail-server-ubuntu/blob/master/configure-ssl-zimbra.sh
You should try using CLI to install SSL certificate for Zimbra. Also you need to verify that you have the same certificate which you have downloaded from the certificate authority.
For commercial.crt you need to copy one certificate downloaded from the authority. For commercial_ca.crt, there must be one CA bundle file, you will have from certificate authority.
Private key, you need to verify during generating your CSR and also verify with the hosting. After that restart the Zimbra by command
zmcontrol restart
finally i found the solution.
you shouldn't fill the subject alternative name when you want create csr!
thats all.
Every other year I spend hours on renewing the ssl certificates on zimbra with the help of hopeless outdated tutorials. A tedious process that I don't do often enough to remember how I did it. I learned the hard way that it is easier to use the admin console, than using CLI and messing around with concatinating the different certificates.
Hereby the steps that I take:
Please note that this is a walkthrough, dedicated to the
GoGetSSL Sectigo PositiveSSL Wildcard certificate, and may not work for other SSL providers.
Zimbra version: 8.8.15
We use the wildcard certificate on several servers, but we generate the CSR always(!) on the zimbra server. So go to admin console > Configure > Certificates, click the domain in the list and then in top right corner, choose install certificate. Choose the generate CSR option (second of the 3 options). Make sure that in the common name field you use the wildcard symbol: e.g.
*.example.com
Also check the checkbox that it concerns a wildcard common name
Fill out the rest of the info according to your situation. At the bottom, there's option to add other names; remove all of them (if any). Go to next page and download the CSR, finish the wizard.
on the GoGetSSL page create the new/renew the SSL certificate with the by Zimbra generated CSR. Finish up the entire process, including the validation. All the way up to that the certificate is issued and files can be downloaded. Choose to download the 'All files' zip file. extract on your local system.
browse to: https://www.gogetssl.com/wiki/intermediate-certificates/sectigo-intermediate-root-certificates/
On this page download the file: DV RSA Files > RSA DV Bundle with SHA-1 (TXT file)
go back to admin console > Configure > Certificates, click the domain in the list and then in top right corner, choose install certificate. This time you choose the 3rd option: install commercial signed certificate. First screen of the wizard shows the info you entered earlier for the CSR. The info may show up empty. For me this didn't give me any problems, so I left it. On the next screen: You have to upload 3 certificate files by default, but we need to upload 4, so we need to do Add Intermediate CA for the fourth file.
Choose files as follows:
Certificate: server certificate from the zip file: e.g. _example.com.crt
Root CA: RSA DV Bundle with SHA-1 (TXT file), from the link above
Intermediate CA: USERTrust_RSA_Certification_Authority.crt from zip file
(Added) Intermediate CA: AAA_Certificate_Services.crt
NOTE: I can't remember which Intermediate CA I chose first, so if any problems, try switching the last 2 mentioned files around.
Finish the wizard and test by sending and receiving email.
Then I take the certificates and update other servers with these certificates. (e.g. nginx, apache2, etc). Note: you may need to get the commercial.key file for use on other servers. On linux this file is located in: /opt/zimbra/ssl/zimbra/commercial/
If permission denied, you may use root account or do: sudo su - zimbra
I hope this helps for people struggling with the same certificate and zimbra

godaddy shared hosting acme.sh

I am trying setup a free HTTPS on my godaddy shared hosting (its cPanel enabled) following the info on https://github.com/Neilpang/acme.sh from my mac.
However I am stuck...
What I have done so far:
Established an SSH connection to the server
Installed the acme as documented:
git clone https://github.com/Neilpang/acme.sh.git
cd ./acme.sh
./acme.sh --install
3.Closed the connection and reestablished (was required as indicated for getting the paths right or something)
4.Issues the certificate:
acme.sh --issue -d mydomain.com -w www --debug
I found that www is the directory in which my website resides...
After approx 10seconds the command says "Cert success"
Then I am lost...
The acme website says "3. Install the issued cert to Apache/Nginx etc."
with a command like:
--apache--
acme.sh --installcert -d example.com \
--certpath /path/to/certfile/in/apache/cert.pem \
--keypath /path/to/keyfile/in/apache/key.pem \
--fullchainpath /path/to/fullchain/certfile/apache/fullchain.pem \
--reloadcmd "service apache2 restart"
or
-nginx-
acme.sh --installcert -d example.com \
--keypath /path/to/keyfile/in/nginx/key.pem \
--fullchainpath /path/to/fullchain/nginx/cert.pem \
--reloadcmd "service nginx restart"
I guess godaddy is using apache?
What are these /path/to/certfile/in/ directories? What are they for my godaddy installation?
If you are using godaddy shared hosting, you can not restart/reload apache to enable the cert, since you are not root user.
So, you can not use acme.sh --installcert ... command.
Please copy the cert and key, and set the cert/key in you cpanel dashboard.
Thanks.

Letsencrypt add domain to existing certificate [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 5 years ago.
Improve this question
I am just simply trying to add the domain test.example.com to the certificate that already exists for example.com. How do I add a domain to my existing certificate and replace the old certificate?
I have tried these few commands
./letsencrypt-auto certonly --cert-path /etc/letsencrypt/archive/example.com --expand -d test.example.com
./letsencrypt-auto certonly -d example.com --expand -d test.example.com
Result: both created a brand new cert in a new folder test.example.com-0001
./letsencrypt-auto certonly --renew-by-default --expand -d test.example.com
Result: error folder test.example.com already exists.
./letsencrypt-auto renew --expand -d orange.fidka.com
Result: error, I can only renew if my certificate is expired.
You need to specify all of the names, including those already registered.
I used the following command originally to register some certificates:
/opt/certbot/certbot-auto certonly --webroot --agree-tos -w /srv/www/letsencrypt/ \
--email me#example.com \
--expand -d example.com,www.example.com
... and just now I successfully used the following command to expand my registration to include a new subdomain as a SAN:
/opt/certbot/certbot-auto certonly --webroot --agree-tos -w /srv/www/letsencrypt/ \
--expand -d example.com,www.example.com,click.example.com
From the documentation:
--expand "If an existing cert covers some subset of the requested names, always expand and replace it with the additional names."
Don't forget to restart the server to load the new certificates if you are running nginx.
Apache on Ubuntu, using the Apache plugin:
sudo certbot certonly --cert-name example.com -d m.example.com,www.m.example.com
The above command is vividly explained in the Certbot user guide on changing a certificate's domain names. Note that the command for changing a certificate's domain names applies to adding new domain names as well.
Edit
If running the above command gives you the error message
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
follow these instructions from the Let's Encrypt Community
This is how i registered my domain:
sudo letsencrypt --apache -d mydomain.com
Then it was possible to use the same command with additional domains and follow the instructions:
sudo letsencrypt --apache -d mydomain.com,x.mydomain.com,y.mydomain.com
You can replace the certificate by just running the certbot again with ./certbot-auto certonly
You will be prompted with this message if you try to generate a certificate for a domain that you have already covered by an existing certificate:
-------------------------------------------------------------------------------
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/<domain>.conf)
It contains these names: <domain>
You requested these names for the new certificate: <domain>,
<the domain you want to add to the cert>.
Do you want to expand and replace this existing certificate with the new
certificate?
-------------------------------------------------------------------------------
Just chose Expand and replace it.
I was able to setup a SSL certificated for a domain AND multiple subdomains by using using --cert-name combined with --expand options.
See official certbot-auto documentation at https://certbot.eff.org/docs/using.html
Example:
certbot-auto certonly --cert-name mydomain.com.br \
--renew-by-default -a webroot -n --expand \
--webroot-path=/usr/share/nginx/html \
-d mydomain.com.br \
-d www.mydomain.com.br \
-d aaa1.com.br \
-d aaa2.com.br \
-d aaa3.com.br
this worked for me
sudo letsencrypt certonly -a webroot --webroot-path=/var/www/html -d
domain.com -d www.domain.com

Docker Registry incorrectly claims an expired CA cert

I followed the Docker Registry installation docs precisely, and have a registry running on a remote Ubuntu VM. On that VM, the Docker container is running with the following command:
docker run -d -p 5000:5000 --restart=always --name registry \
-v `pwd`/auth:/auth \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v `pwd`/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/registry.key \
registry:2
On the remote VM, I have the following directory structure:
/home/myuser/
certs/
registry.crt
registry.key
/etc/docker/certs.d/myregistry.example.com:5000/
ca.crt
ca.key
The ca.crt is the same exact cert as ~/certs/registry.crt (just renamed); same goes for ca.key and registry.key being the same/just renamed. I created the ca* files per a suggestion from the error output you'll see below.
I am almost 100% sure the CA cert is still valid, although any help ruling that out (e.g. how can I actually tell?) would be appreciated. When I start the container and look at the Docker logs, I don't see any errors.
I then attempt to login from my local laptop (Mac):
docker login myregistry.example.com:5000
It queries me for my username, password and email (although I don't recall ever specifying an email when setting up Basic Auth). After entering these correctly (I have checked and double checked...) I get the following error:
myuser#mymachine:~/tmp$docker login myregistry.example.com:5000
Username: my_ciuser
Password:
Email: myuser#example.com
Error response from daemon: invalid registry endpoint https://myregistry.example.com:5000/v0/:
unable to ping registry endpoint https://myregistry.example.com:5000/v0/ v2 ping attempt failed with error:
Get https://myregistry.example.com:5000/v2/: x509: certificate has expired or is not yet valid
v1 ping attempt failed with error: Get https://myregistry.example.com:5000/v1/_ping: x509:
certificate has expired or is not yet valid. If this private registry supports only HTTP or
HTTPS with an unknown CA certificate, please add
`--insecure-registry myregistry.example.com:5000` to the daemon's
arguments. In the case of HTTPS, if you have access to the registry's CA
certificate, no need for the flag; simply place the CA certificate
at /etc/docker/certs.d/myregistry.example.com:5000/ca.crt
So from my perspective, I guess the following are possible:
The CA cert is invalid (if so, why?!?)
The CA cert is an intermediary cert (if so, how can I tell?)
The CA cert is expired (if so, how do I tell?)
This is a bad error message, and some other facet of the registry is not configured properly (if so, how do I troubleshoot further?)
Perhaps my cert is not located in the correct place on the server, or doesn't have the right permissions set (if so, where does the cert need to be?)
Something else that I would never expect in a million years
Any ideas/thoughts?
As said in the error message:
... In the case of HTTPS, if you have access to the registry's CA
certificate, no need for the flag; simply place the CA certificate
at /etc/docker/certs.d/myregistry.example.com:5000/ca.crt
where myregistry.example.com:5000 - your CN with port.
You should copy your ca.crt into each Docker Daemon that will connect to your Docker Registry and put it in this folder: /etc/docker/certs.d/myregistry.example.com:5000/ca.crt
After this action you need to restart Docker daemon, for example, via sudo service docker stop && service docker start on CentOS (or call similar procedure on your OS).
I had the similar error:
Then I added my private registry to the insecureregistries list.
See below image for docker-desktop