ClearOS and StartSSL

Update 3/21/12: I’ve revised the instructions so that Webconfig serves the entire StartCom chain. This prevents some browsers, particularly Android, from distrusting an otherwise-valid certificate.

As previously described, I use ClearOS as an all-purpose small business server. There are two public-facing components: Webconfig (remote admin) and SOGo (groupware, proxied thru Apache). By default, ClearOS secures both with self-signed SSL certificates. While this works, it’s unprofessional and inconvenient to make users add a security exception to every browser they connect from.

Inspired by this post, I decided to try a Class 1 cert from StartCom. They provide free certs valid for one year (more info at SSL Shopper). Once you’ve signed up with StartCom and validated your domain ownership:

  1. Change the default message digest parameter in /etc/ssl/openssl.cnf from MD5 to SHA1:
    default_md = sha1 (both lines)
  2. Delete the System Certificate
  3. Create a CSR for the System Certificate
  4. Provide the CSR to StartCom and retrieve the cert.
  5. Upload the cert into Webconfig. This will create /etc/ssl/sys-0-cert.pem and /etc/ssl/private/sys-0-key.pem

You can now configure Apache (web pages and SOGo):

  1. Download the certificate chain (ca.pem and sub.class1.server.ca.pem) to /etc/ssl
  2. Modify /etc/httpd/conf.d/ssl.conf:
    SSLCertificateFile /etc/ssl/sys-0-cert.pem
    SSLCertificateKeyFile /etc/ssl/private/sys-0-key.pem
    SSLCertificateChainFile /etc/ssl/sub.class1.server.ca.pem
    SSLCACertificateFile /etc/ssl/ca.pem
  3. Restart Apache:
    service httpd restart

Webconfig uses a different Apache instance with configuration files in /usr/webconfig/conf.

  1. Overwrite the self-signed cert and key and set proper ownership:
    cp /etc/ssl/sys-0-cert.pem /usr/webconfig/conf/server.crt
    cp /etc/ssl/private/sys-0-key.pem /usr/webconfig/conf/server.key
    chown root /usr/webconfig/conf/server.*
  2. Copy the StartCom chain and set proper ownership:
    cp /etc/ssl/ca.pem /usr/webconfig/conf/
    cp /etc/ssl/sub.class1.server.ca.pem /usr/webconfig/conf/
    chown root /usr/webconfig/conf/*.pem
  3. Modify /usr/webconfig/conf/extra/httpd-ssl.conf so it points at the files copied in steps 1 and 2:
    SSLCertificateFile /usr/webconfig/conf/server.crt
    SSLCertificateKeyFile /usr/webconfig/conf/server.key
    SSLCertificateChainFile /usr/webconfig/conf/sub.class1.server.ca.pem
    SSLCACertificateFile /usr/webconfig/conf/ca.pem
  4. Restart Webconfig:
    service webconfig restart

Use the SSL Checker to verify that Apache is serving the entire chain for both sites.

If you connect to the IMAP server (Cyrus) directly:

  1. Copy the files and set proper ownership:
    cp /etc/ssl/sys-0-cert.pem /etc/imapd.d/cert.pem
    cp /etc/ssl/private/sys-0-key.pem /etc/imapd.d/key.pem
    chown cyrus:root /etc/imapd.d/*.pem
  2. Restart Cyrus:
    service cyrus-imapd restart

If you connect to the SMTP server (Postfix) directly:

  1. Copy the files and set proper ownership:
    cp /etc/ssl/sys-0-cert.pem /etc/postfix/cert.pem
    cp /etc/ssl/private/sys-0-key.pem /etc/postfix/key.pem
    chown root:root /etc/postfix/*.pem
  2. Restart Postfix:
    service postfix restart
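As an added example (not part of the original post), a small POSIX shell script that checks the StartCom files before they are copied into the Webconfig, Cyrus and Postfix directories, and that shows the chain each listener actually presents. It assumes the file names used above and that the openssl command line tool is installed.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the StartCom files
# before they are copied around, then shows what a listener really serves.
# Assumes the file names used in the post and the openssl command line tool.

# Return 0 if the certificate's public key belongs to the private key.
# The moduli are hashed so the comparison never prints key material.
keypair_matches() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ "$(printf '%s' "$cert_mod" | openssl sha1)" = \
      "$(printf '%s' "$key_mod" | openssl sha1)" ]
}

# Return 0 if the leaf chains to the root through the intermediate, which
# is the path a browser builds once SSLCertificateChainFile is served.
chain_verifies() { # $1 leaf, $2 intermediate, $3 root
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Return 0 unless the certificate was signed with MD5, i.e. the CSR was
# generated before default_md in openssl.cnf was switched to sha1.
digest_is_not_md5() {
    ! openssl x509 -noout -text -in "$1" 2>/dev/null |
        grep -qi 'Signature Algorithm: md5'
}

# Print the chain a live listener presents plus OpenSSL's verdict on it.
# $3 is an optional STARTTLS protocol (smtp for Postfix on port 25).
served_chain() {
    if [ -n "${3:-}" ]; then
        openssl s_client -connect "$1:$2" -starttls "$3" -showcerts </dev/null
    else
        openssl s_client -connect "$1:$2" -showcerts </dev/null
    fi 2>/dev/null | grep -E '^ ?[0-9]+ s:|Verify return code'
}

case "${1:-}" in
--check)
    cert=/etc/ssl/sys-0-cert.pem
    key=/etc/ssl/private/sys-0-key.pem
    keypair_matches "$cert" "$key" || { echo "cert and key do not match"; exit 1; }
    chain_verifies "$cert" /etc/ssl/sub.class1.server.ca.pem /etc/ssl/ca.pem ||
        { echo "leaf does not verify against the StartCom chain"; exit 1; }
    digest_is_not_md5 "$cert" || { echo "certificate is MD5-signed"; exit 1; }
    echo "local files OK" ;;
--served) served_chain "$2" "$3" "${4:-}" ;;
esac
```

Run it as `./checkcert.sh --check` after step 5 of the Webconfig upload, and `./checkcert.sh --served mail.example.com 25 smtp` (or port 993 with no third argument for imaps) after each restart to confirm the full chain and a "Verify return code: 0 (ok)" for that service.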
