GoDaddy SSL Certificate

I’ve been working on installing a GoDaddy certificate and was wondering if anyone else has done the same with Virtualmin? This is one of those funky (but cheap) intermediate certificates. See this thread for more background: http://www.virtualmin.com/forums/general-discussion/certificate-options.html

Anyway, the idea is to install 2 certificates as part of your “Chain”: your certificate as well as an intermediate cert from GoDaddy. I’m having trouble translating their instructions to a Virtualmin setup.

1. Copy your issued certificate, intermediate certificate and key file (generated when you created the Certificate Signing Request (CSR)) into the directory that you will be using to hold your certificates.
2. Open the Apache ssl.conf file and add the following directives:
* SSLCertificateFile /path to certificate file/your issued certificate
* SSLCertificateKeyFile /path to key file/your key file
* SSLCertificateChainFile /path to intermediate certificate/gd_intermediate_bundle.crt
3. Save your ssl.conf file and restart Apache.

Basically, instead of copying the files to a directory on the webserver, I installed my new cert via the "Manage SSL Certificate->New Certificate" menu.

But how do I install the intermediate cert? I have created this directive in my ssl.conf file.
* SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

Will Apache know to use this for my certificate? Will it interfere with other certificates? Will the Atlanta Hawks ever field a decent basketball team?

(Post edited by: JimJenkins, at: 2007/07/17 16:54)

Hey Jim,

Yep, it’s been done. You’re using one here at Virtualmin.com. We’re cheap, and we know how to use chained certificates. It’s a dangerous combination. :wink:

That said, I set ours up manually before any of the SSL handling stuff in Virtualmin had gotten reasonable (it still needs a little bit more work).

Here’s the relevant VirtualHost section on our system (note that I said VirtualHost–the chain file probably ought to be set per-domain, though I can’t be sure that’s necessary, as it is the same for all that are purchased from the same folks…godaddy in my case and yours):

SSLEngine on
SSLCertificateFile /home/virtualmin/etc/certs/certfile.pem
SSLCertificateKeyFile /home/virtualmin/etc/certs/keyfile.pem
SSLCertificateChainFile /home/virtualmin/virtualmin/certs/sf_issuing.crt

Virtualmin’s SSL management doesn’t yet handle chained certs (I’ll ask Jamie to add it), so the SSLCertificateChainFile will need to be added manually.

And, no, I’m guessing the Hawks will not field a decent team in our lifetime. (But, ya’know, the Houston Rockets were an also-ran until 1993…and now have become an also-ran again. Things change.) :wink:

Oh, yeah, you can also use this kind of cert for Postfix with these directives:

smtpd_tls_cert_file = /etc/postfix/virtualmin.pem
smtpd_tls_CAfile = /etc/postfix/sf_issuing.crt

Though it looks like I combined the key and the cert into a pem for Postfix use (I don’t think this is necessary…not sure why I went that route.)

And Dovecot:

ssl_cert_file = /home/virtualmin/etc/certs/virtualmin-chained.cert
ssl_key_file = /home/virtualmin/etc/certs/keyfile.cert

Same story here, only with the chain and the cert combined–I think this one was actually necessary to make Dovecot use the chain.

cat sf_issuing.crt certfile.pem > chained.cert

I don’t use FTP, but you could do the same for ProFTPd with the TLSCertificateChainFile directive.

(Post edited by: Joe, at: 2007/07/18 01:02)

I’m planning on getting a GoDaddy SSL cert this week, any update to the above?

Another related question, if I get the cert for www.MyDomain.com should I spec that as my POP3/SMTP servers in my mail client (as opposed to mail.MyDomain.com or just MyDomain.com)?

I believe chained certs are now configurable in Virtualmin. If not, they will be soon (and the above docs should get you there).

Yes, if your cert is www.domain.tld, then everything that uses the cert needs to be talking to www.domain.tld, or it will result in a security warning.

It looks like it knows about chained certificates:
Virtualmin->Server Configuration->Manage SSL Certificate->CA Certificate

"If your virtual server's SSL certificate is from a certificate authority that is not directly known to major browsers, you may need to upload the CA's certificate using this form."

I’ll find out and report back in a couple of days.

On the mail servers question, if I wanted to maintain both a ‘www.’ cert for browsers and a ‘mail.’ cert for POP/SMTP/IMAP would your interface allow this, or is it back to the command line?

More GoDaddy info.

They offer ‘Single’ certs that, they say, if issued after 2006 will secure the domain name, with or without the www prefix. Has anyone tried this? See: http://help.godaddy.com/article.php?article_id=850&topic_id=234

They also offer ‘Multiple Domain (UCC)’ and ‘Wildcard’ certificates for A LOT more money. Multiple would be a single certificate for many separate domains!? And Wildcard seems to let you use just one certificate for how ever many subdomains your domain has.

Both are interesting. But it would still be cheaper to have two singles at $19/year. And if Virtualmin could plug-in two (www and mail) it would be a no brainer.

Easier than I can believe.

1. Virtualmin->Server Configuration->Manage SSL Certificate->Signing Request
2. Fill in the blanks (‘Server name in URL’ needs the ‘www’ but not ‘http://’), click ‘Generate Now’, copy the result
3. Log in to GoDaddy, buy a certificate credit, use the credit to request a certificate (they have instructions)
4. Paste in the CSR you got from clicking ‘Generate Now’
5. They e-mail you a link to a zip file containing your cert and a chain called ‘gd_intermediate_bundle.crt’
6. Unzip the file
7. Virtualmin->Server Configuration->Manage SSL Certificate->New Certificate
8. Upload your cert into ‘Signed SSL certificate’
9. Virtualmin->Server Configuration->Manage SSL Certificate->CA Certificate
10. Upload the chain into ‘CA certificate file’
11. Restart Apache

Dovecot
Webmin->Servers->Dovecot->SSL Configuration (No chain needed?)
SSL certificate file /home/YOURDOMAIN/ssl.cert
SSL private key file /home/YOURDOMAIN/ssl.key
Save, Restart Dovecot

Postfix
Webmin->Servers->Postfix->SMTP Authentication
Enable TLS encryption? Yes
TLS certificate file /home/YOURDOMAIN/ssl.cert
TLS private key file /home/YOURDOMAIN/ssl.key
TLS certificate authority /home/YOURDOMAIN/ssl.ca
Save, Restart Postfix

ProFTPd
This takes just a bit more effort. It requires the chain file (now residing at /home/YOURDOMAIN/ssl.ca) and your cert together. Log in to your system and
cat ssl.ca ssl.cert > ssl.chained.cert
Webmin->Servers->ProFTPD Server->Edit Config Files
(Explanation at: http://www.castaglia.org/proftpd/modules/mod_tls.html)

FIND THIS SECTION (ABOUT HALF WAY DOWN):
<IfModule mod_tls.c>
TLSEngine off
</IfModule>

AND CHANGE IT TO READ:
##<IfModule mod_tls.c>
##TLSEngine off
##</IfModule>
TLSEngine on
TLSRequired on
TLSRSACertificateFile /home/YOURDOMAIN/ssl.chained.cert
TLSRSACertificateKeyFile /home/YOURDOMAIN/ssl.key
TLSCipherSuite ALL:!ADH:!DES

Save, Restart ProFTPd

Forgot one, Webmin itself.

Webmin->Webmin->Webmin Configuration->SSL Encryption

Private key file /home/YOURDOMAIN/ssl.key
Certificate file Separate file: /home/YOURDOMAIN/ssl.cert
Redirect non-SSL Yes
Additional cert /home/YOURDOMAIN/ssl.ca

Prolly time to add this to the Wiki . . .

Dovecot DOES need the chaining certificate.

Webmin->Servers->Dovecot->Edit Config File
(Tap PageDown about 5 times)
ssl_ca_file = /home/YOURDOMAIN/ssl.ca

(Would be nice if this had a Webmin field like Postfix)
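The script below is an added example, not part of the original thread and not Virtualmin's own code. It does with the openssl command line what the Apache, Postfix, Dovecot and ProFTPd steps in Joe's reply and in Transmobius's walkthrough above do by hand: assemble the combined certificate file and then check, the way a browser or mail client would, that the server certificate chains to a trusted root only when the intermediate is present, and that the key really belongs to the certificate. Since it has to run offline, it generates a throwaway root CA, an intermediate standing in for gd_intermediate_bundle.crt and a server certificate for www.example.com; those three names are assumptions. It writes the server certificate first and the intermediate after it, which is the order OpenSSL's chain-file loader expects when a single file carries both.

```shell
#!/bin/sh
# Added example (not from the thread): build the combined certificate file the
# Dovecot/ProFTPd steps need and check the chain with openssl alone.
# A throwaway root CA, an intermediate (standing in for
# gd_intermediate_bundle.crt) and a server cert for www.example.com are
# generated here so the script runs offline; these names are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_test_pki: demo root -> intermediate -> server certificate
make_test_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -days 2 -set_serial 1 -in "$WORK/root.csr" \
    -signkey "$WORK/root.key" -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -days 2 -set_serial 2 -in "$WORK/inter.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -extfile "$WORK/ca.ext" \
    -out "$WORK/inter.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 2 -set_serial 3 -in "$WORK/server.csr" \
    -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" -out "$WORK/server.crt" 2>/dev/null
}

# build_chain_file SERVER_CERT INTERMEDIATE OUT
# Server certificate first, then the intermediate: the order OpenSSL's
# SSL_CTX_use_certificate_chain_file (used by Dovecot, Postfix, ProFTPd)
# expects when one file holds the whole chain.
build_chain_file() {
  cat "$1" "$2" > "$3"
}

# count_certs FILE: how many PEM certificates the file holds
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# first_cn FILE: subject CN of the first certificate in a PEM file; in a
# combined file this must be the server name, not the CA
first_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# verify_chain ROOT LEAF [INTERMEDIATE]: does the leaf chain to the root?
# Without the intermediate this fails with "unable to get local issuer
# certificate", which is the browser/mail-client warning a missing
# SSLCertificateChainFile or ssl_ca_file produces.
verify_chain() {
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# key_matches_cert KEY CERT: same public key in both? Apache refuses to start
# ("key values mismatch") when the key is not the one the CSR was made from.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ "$k" = "$c" ]
}

make_test_pki
build_chain_file "$WORK/server.crt" "$WORK/inter.crt" "$WORK/chained.cert"

echo "certificates in chained.cert: $(count_certs "$WORK/chained.cert")"
echo "first certificate in chained.cert: $(first_cn "$WORK/chained.cert")"
if verify_chain "$WORK/root.crt" "$WORK/server.crt"; then
  echo "server cert alone: OK (unexpected)"
else
  echo "server cert alone: FAIL, issuer unknown (what clients see without the chain)"
fi
if verify_chain "$WORK/root.crt" "$WORK/server.crt" "$WORK/inter.crt"; then
  echo "server cert + intermediate: OK"
fi
if key_matches_cert "$WORK/server.key" "$WORK/server.crt"; then
  echo "server.key belongs to server.crt"
fi
```

For a real installation, point verify_chain at the CA bundle your browser trusts (or the GoDaddy root) as ROOT, your issued certificate as LEAF and gd_intermediate_bundle.crt as INTERMEDIATE, and key_matches_cert at the key Virtualmin generated with the CSR; a first_cn on the combined file that prints the CA's name instead of your host name means the two files were concatenated in the wrong order.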

Awesome research Transmobius! Definitely going in the wiki. And I’ll bug Jamie again about getting all of this a bit easier to configure in the respective Webmin modules, and probably in Virtualmin itself–since the mail services can only really have one certificate, it makes sense to have a single place to configure it for Webmin’s “default” (Webmin can serve other certs on other IPs, though), the mail servers and ProFTPd on the default IP.

I am trying to follow along; however, I think I am an idiot when it comes to anything non-Microsoft based. I have a Linux dedicated server through hosting.com and I am trying to install an SSL certificate from GoDaddy onto a virtual server on this Linux box, but I have no idea how to generate the CSR and install the cert. Hosting.com gave me instructions for generating a CSR from the WEBMIN screen, but I am not sure if that is correct. Please help.

-Damian

Without knowing what Hosting.com is telling you it is hard to say if the instructions are right or not. They don’t seem to provide any doco without a login so I can’t look it over.

That said, it is probably safe to assume that their own instructions are what you need to follow on their system . . .

What worked for me is detailed up the first page of this thread starting in post #8412. The shorthand for menu navigation that I am used to:
Virtualmin->Server Configuration->Manage SSL Certificate->Signing Request
Simply means you start on the Virtualmin screen, click on Server Configuration, click on Manage SSL Certificate, etc. If your host is giving you just Webmin (and not Virtualmin) then your path is obviously going to differ. Perhaps you could cut and paste a portion of it here and we could take a look?

The Hosting.com people also mention their Delightful Support. Have you tried them?

As Transmobius mentioned, the process is different depending on whether you’re using Virtualmin or Webmin.

I’ll take this opportunity to point out that Virtualmin GPL is free for Hosting.com to use…since you’re a customer, you might mention it to them, if they are still just offering Webmin. If they need help with deployment, get them in touch with us. Offering just Webmin for hosting, when Virtualmin is so much easier to use for the purpose, is rather silly. Webmin is a wonderful tool for system administration, but it makes no claims to being a great tool for virtual hosting administration–it wasn’t designed for that purpose, and Virtualmin is. We developed both, so we can say stuff like that. :wink:

When I go into my domain in virtualmin, then choose the CA Certificate tab, and then either try to upload or point to the path on the server of my gd_intermediate_bundle.crt file, when I click "save certificate" I immediately get the message "File not found" in firefox and "the page cannot be found" in IE6…

Help!

I hit a bug when I tried to edit but I wanted to add that I manually added the code to httpd.conf:

SSLCertificateChainFile /home/path/gd_intermediate_bundle.crt

and it works…

Dear Joe,
I bought a GoDaddy Turbo SSL cert and I don't know how to use it for my Webmin… Can you guide me on how to install this cert from scratch? I have been trying to install it for the past week and it fails every time!

thanks in advance.

If I may add a few tidbits that may save someone like me a few hours:

I generated my private key & request files at the unix command line with openssl, sent the csr into godaddy and got my new cert. The problem I had was that I used the -des3 option that adds a password to the private key. Passworded private keys do not work well in webmin or its managed servers. Most of the servers fail with no usable error message telling you a password was needed. Took me an hour to figure this out again this year when renewing certs.

To fix the problem (i.e. not put a password on your private key)

  1. do not use the -des3 option when generating the keys.

or

  1. if you already have a passworded private key file, use this command to remove the password: openssl rsa -in key.pem -out keyout.pem

Hope this helps someone
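As an added example (not from the post above), the same diagnosis as a script: a function that tells whether a key file will demand a passphrase, the non-interactive form of the openssl rsa command the post gives, and a comparison of the public halves so you can confirm the stripped copy is still the key your CSR was generated from. The key, the passphrase demo-secret and the file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): detect a passphrase-protected private
# key before handing it to Apache/Postfix/Dovecot, strip the passphrase, and
# confirm the stripped copy is the same key pair. The key and the passphrase
# "demo-secret" are generated here for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# key_needs_passphrase KEY: returns 0 when the key cannot be loaded without a
# passphrase. A dummy passphrase is supplied so openssl never prompts, which
# is the situation a daemon starting from init is in when it "fails with no
# usable error message".
key_needs_passphrase() {
  [ -r "$1" ] || { echo "no such key file: $1" >&2; return 2; }
  ! openssl pkey -in "$1" -passin pass:__probe__ -noout 2>/dev/null
}

# strip_passphrase KEY PASS OUT: the post's "openssl rsa -in key.pem -out
# keyout.pem", done non-interactively. The copy is written mode 600 because
# the passphrase was the only other thing protecting the key.
strip_passphrase() {
  ( umask 077; openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null )
}

# pubkey_of KEY [PASS]: PEM public key, so two key files can be compared
pubkey_of() {
  if [ $# -ge 2 ]; then
    openssl pkey -in "$1" -passin "pass:$2" -pubout 2>/dev/null
  else
    openssl pkey -in "$1" -pubout 2>/dev/null
  fi
}

# A passworded key like the one made with "genrsa -des3" (constructed here)
openssl genrsa -des3 -passout pass:demo-secret -out "$WORK/enc.key" 2048 2>/dev/null

if key_needs_passphrase "$WORK/enc.key"; then
  echo "enc.key: passphrase required, servers will fail to load it"
fi

strip_passphrase "$WORK/enc.key" demo-secret "$WORK/plain.key"

if ! key_needs_passphrase "$WORK/plain.key"; then
  echo "plain.key: loads without a passphrase"
fi

if [ "$(pubkey_of "$WORK/enc.key" demo-secret)" = "$(pubkey_of "$WORK/plain.key")" ]; then
  echo "plain.key is the same key pair as enc.key"
fi
ls -l "$WORK/plain.key"
```

Run key_needs_passphrase against the key file named in ssl.conf, main.cf or dovecot.conf when a service silently refuses to start after a certificate renewal; if it returns 0, that is the problem the post describes.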

http://lists.debian.org/debian-security-announce/2008/msg00152.html

This affects Debian Etch (v4.0), but not Sarge (v3.0), and any Debian-derived distributions like Ubuntu.

After your system has been patched, you still have to regenerate any of your keys that were generated with OpenSSL since 2005. Plan on revoking and issuing new keys (OpenSSH, OpenVPN, SSL certificates, etc.)

OUCH!

That security alert is NOT that insecure as they claim it to be. They posted it as a precaution. The odds of anyone hacking any system with the old keys or hacking your sites with ssl are so slim it’s not worth the hassle.

The Debian people only put un-needed stress on its own users.

Oh and only DEBIAN scared the crap out of its users. Not even RHEL people did anything about it.