[HOWTO] SSL Certificate for Apache + netqmail + courier-imap
PatG
Posted: Tue Aug 28, 2007 12:41 pm    Post subject: [HOWTO] SSL Certificate for Apache + netqmail + courier-imap

After struggling through this once, forgetting most of it and then doing it a second time I figured that I better document what needs to be done to create, obtain and install server certificates for web and email servers that I build. The initial installation follows the netqmail HOWTO in the Gentoo documentation.

http://www.gentoo.org/doc/en/qmail-howto.xml

For my experience I am using GoDaddy as they are the cheapest (non-free) Certificate Authority (CA). The nice thing about GoDaddy is that they are included by default in Windows clients eliminating the need for manual installation of CA certificates. GoDaddy also provides a turbo 'wildcard' certificate that allows you to secure as many variations of your domain name as needed. With this you get a single cert for *.mydomain.com. Note that this does not extend to multiple name based virtual hosts under Apache.

http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2

Prerequisites: You should have a completed install of Apache, netqmail and courier-imap. If you have iptables configured then you should have opened at least ports 443, 993 and 995.

Now for the process:

1. Generate your primary key. (you should be working as root or sudo all commands below)

Code:
# cd /root


with password*
Code:
# openssl genrsa -des3 -out mydomain.key 1024


or without password
Code:
# openssl genrsa -out mydomain.key 1024


*Note that if you generate a des3 encrypted key you will be required to supply a password when your init.d daemons start up. You will HAVE to be at the console of the server during reboot to supply this password or the boot process WILL NOT complete.

2. Generate certificate signing request
Code:
# openssl req -new -nodes -key mydomain.key -out mydomain.csr


You will be prompted with several questions for input on the csr generation.

For more information see the following links

http://openssl.org/docs/apps/genrsa.html#
http://sial.org/howto/openssl/csr/

3. Check the domain registered contact email address and be sure you can read messages for this account.

GoDaddy turbo certificates are verified with email responses. If you do not have access to the email account listed for the domain registration you will not be able to complete the process. Of course, other CA processes will differ.

4. Submit CSR to CA.

This will vary by CA but at some point you will submit the mydomain.csr created in step 2. If you are not sure how to process your csr at the CA website get the support phone number and give them a call. Since this is a paid service they tend to have good support lines to help bring the revenue in. I have found the GoDaddy support lines to be very knowledgeable and helpful on their certificate issuing processes.

5. Obtain server key.

Depending on the complexity (verification level) of the certificate request you may have to respond to email and/or phone calls and there will be some processing time (hours or days). Eventually, if all goes well, you will get your server cert. For GoDaddy you can log in to your account, manage certificates and once selecting the correct domain name you can click "Reissue" to view your certificate. However the key is delivered, you want to save it to a file on your server. For my case of a wildcard cert I named this file "_.mydomain.com.crt". If you obtain a single cert it would make sense to call it "www.mydomain.com.crt" or something similar.

6. Obtain keychain files. This includes the "Intermediate certificate" and "Root certificate" mentioned below. For GoDaddy the keychain can be obtained as a single download from here --> https://certificates.godaddy.com/Repository.go. I saved mine as gd_intermediate_bundle.crt. Your case may be different so adjust accordingly.

7. Protect your files.

As the domain cert defines your identity on the internet you must safeguard the files. First copy (back up) your files to a safe location other than the server. Then on the server you should ensure that the cert files are available only to root or other privileged users.

Code:
# chown root:root ~/mydomain.key
# chown root:root ~/mydomain.csr
# chown root:root ~/_.mydomain.com.crt
# chmod 400 ~/mydomain.key
# chmod 400 ~/mydomain.csr
# chmod 400 ~/_.mydomain.com.crt


8. Apache SSL Configuration
Code:
# nano /etc/apache2/modules.d/41_mod_ssl.default-vhost.conf


Add the following lines under the appropriate sections
Code:
SSLCertificateFile /root/_.mydomain.com.crt
..
SSLCertificateKeyFile /root/mydomain.key
..
SSLCertificateChainFile /root/gd_intermediate_bundle.crt

Save the file when complete.

Note that the default Gentoo Apache install starts as root and then runs its processes under the apache user. This configuration is compatible with the restrictive file permissions set in step 7.

9. qmail - Assemble the parts

qmail requires a file in a completely assembled format. This file is stored with a "pem" extension in the format as follows:
Code:
-----BEGIN RSA PRIVATE KEY-----
(Private Key: mydomain.key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Primary SSL certificate: mydomain.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root certificate)
-----END CERTIFICATE-----


First you should make a copy of any existing file that would have been created in the initial install of qmail (if you followed the Gentoo netqmail HOWTO or other similar document).
Code:
# mv /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak


Now copy your real cert info into a new pem file.
Code:
# cat ~/mydomain.key ~/_.mydomain.com.crt ~/gd_intermediate_bundle.crt > /var/qmail/control/servercert.pem


Make sure that the file is readable by qmail.
Code:
# chown qmaild:qmail /var/qmail/control/servercert.pem
# chmod 400 /var/qmail/control/servercert.pem


10. Courier-imap

For courier-imap the "pem" file created for qmail can be reused.

First look at the contents of the courier-imap directory.
Code:
# ls /etc/courier-imap


If there are existing pem files you will have to rename or delete them before the next step. Note any existing imapd.pem or pop3d.pem files and issue the following commands accordingly.
Code:
# mv /etc/courier-imap/imapd.pem /etc/courier-imap/imapd.pem.bak
# mv /etc/courier-imap/pop3d.pem /etc/courier-imap/pop3d.pem.bak


Now create links to the previously generated qmail pem files.
Code:
# ln -s /var/qmail/control/servercert.pem /etc/courier-imap/imapd.pem
# ln -s /var/qmail/control/servercert.pem /etc/courier-imap/pop3d.pem


11. Restart daemons
Code:
# /etc/init.d/courier-imapd-ssl restart
# /etc/init.d/courier-pop3d-ssl restart
# /etc/init.d/svscan restart
# /etc/init.d/apache2 restart


When finished you can test your certificate installation with the following:
Code:
# openssl s_client -connect localhost:443
ctrl-d
# openssl s_client -connect localhost:993
ctrl-d
# openssl s_client -connect localhost:995
ctrl-d



You should see the server certificate and the certificate chain terminating in the Root CA information. If you see "Automatically-generated" anywhere you still have old, self-signed certificates in the configuration.
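As an added check that is not part of the original post: a small POSIX shell script that inspects an assembled servercert.pem for the layout step 9 describes (exactly one RSA private key first, then the certificates, each BEGIN with its END) and for the 400 mode set in step 9. The file names and the placeholder PEM bodies are constructed for the demo, not real key material.

```shell
#!/bin/sh
# Added example, not from the post: sanity-check an assembled servercert.pem
# before qmail and courier-imap read it. File names below are assumptions.

# pem_layout FILE: print the PEM block types in file order, one per line.
pem_layout() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# check_servercert FILE: return 0 if FILE has the layout step 9 describes
# (exactly one RSA private key first, then one or more certificates), every
# BEGIN has a matching END, and the mode is 400 as set in step 9.
check_servercert() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    layout=$(pem_layout "$f" | tr '\n' '|')
    case "$layout" in
        "RSA PRIVATE KEY|CERTIFICATE|"*) ;;
        *) echo "$f: unexpected block order: $layout" >&2; return 1 ;;
    esac
    keys=$(grep -c '^-----BEGIN RSA PRIVATE KEY-----$' "$f")
    [ "$keys" -eq 1 ] || { echo "$f: $keys private keys, expected 1" >&2; return 1; }
    begins=$(grep -c '^-----BEGIN ' "$f")
    ends=$(grep -c '^-----END ' "$f")
    [ "$begins" -eq "$ends" ] || { echo "$f: truncated PEM block" >&2; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "400" ] || { echo "$f: mode $mode, expected 400" >&2; return 1; }
    return 0
}

# Constructed sample files: the bodies are placeholders, not real key material.
DEMO=$(mktemp -d)
GOOD="$DEMO/servercert.pem"
BAD="$DEMO/servercert-wrong-order.pem"
key='-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDERKEY\n-----END RSA PRIVATE KEY-----\n'
crt='-----BEGIN CERTIFICATE-----\nPLACEHOLDERCERT\n-----END CERTIFICATE-----\n'
printf '%b' "$key$crt$crt$crt" > "$GOOD"   # key, server cert, intermediate, root
printf '%b' "$crt$key$crt$crt" > "$BAD"    # a cert before the key: wrong order
chmod 400 "$GOOD" "$BAD"

if check_servercert "$GOOD"; then echo "$GOOD: ok"; fi
if check_servercert "$BAD";  then echo "$BAD: ok"; fi
```

Run it against the real /var/qmail/control/servercert.pem by calling check_servercert with that path; it only reads the file.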
d2_racing
Posted: Tue Aug 28, 2007 2:04 pm

Thanks for that howto :)
r00t440
Posted: Sun Feb 24, 2008 6:27 am

Hello... Firstly, I must admit that I am a n00b at SSL certificates; that's why I'm here. I want to ask if a "challenge password" is required or optional. I was asked for a challenge password after doing step 2. What are the implications of a "challenge password"? Please elaborate a little; I'm sure there are users out there that don't know this stuff. Thanks for this great guide!
jbcrawford
Posted: Fri May 02, 2008 4:42 pm

I also had to update /usr/local/share/imapd.pem on Debian; you can link it to the qmail servercert.pem file...

ln -s /var/qmail/control/servercert.pem /usr/local/share/imapd.pem

Then restart everything accordingly.