Adding SSL

Soliva Andrea soliva at comcept.ch
Thu Jul 30 09:37:49 CEST 2015


Hi

based on CentOS 7 (same for CentOS 6):

        # cp /opt/CA-SSL/kolab.comcept.ch.key /etc/pki/tls/private/
        # cp /opt/CA-SSL/kolab.comcept.ch.crt /etc/pki/tls/certs/


        NOTE: The files in this example, "comcept.ch.bundle.pem" and
        "comcept.ch.ca-chain.pem", are only needed if you use an
        intermediate cert. If you do not use an "intermediate" cert,
        this step for the mentioned files is not needed!
        In my case I use a self-signed cert!

        # cp -p /opt/CA-SSL/ca.crt /etc/pki/tls/certs/startcom-ca.pem

        # cat /etc/pki/tls/certs/kolab.comcept.ch.crt \
        /etc/pki/tls/private/kolab.comcept.ch.key \
        /etc/pki/tls/certs/startcom-ca.pem \
        > /etc/pki/tls/private/comcept.ch.bundle.pem

        # cat /etc/pki/tls/certs/startcom-ca.pem \
        > /etc/pki/tls/certs/comcept.ch.ca-chain.pem


        # chmod 640 /etc/pki/tls/private/kolab.comcept.ch.key \
        /etc/pki/tls/private/comcept.ch.bundle.pem \
        /etc/pki/tls/certs/kolab.comcept.ch.crt \
        /etc/pki/tls/certs/startcom-ca.pem \
        /etc/pki/tls/certs/comcept.ch.ca-chain.pem

        # chown root:mail /etc/pki/tls/certs/kolab.comcept.ch.crt
        # chown root:mail /etc/pki/tls/private/kolab.comcept.ch.key

If you would like a self-signed cert to also be trusted locally, use the 
following with the PEM-formatted CA server file:

        # cp -p /opt/CA-SSL/ca.crt /etc/pki/ca-trust/source/anchors/ca.cert
        # update-ca-trust enable
        # update-ca-trust

For Apache mod_ssl use the following (in this step mod_nss will be 
deactivated):

        # systemctl stop httpd.service
        # rm -rf /etc/httpd/conf.d/nss.conf

        # yum install mod_ssl


        # vi /etc/httpd/conf.d/ssl.conf

        --------------- /etc/httpd/conf.d/ssl.conf ---------------

        LoadModule ssl_module modules/mod_ssl.so

        #
        # When we also provide SSL we have to listen to the
        # the HTTPS port in addition.
        #
        Listen 443

        #   SSL Protocol support:
        # List the enabled protocol levels with which clients will be able
        # to connect.  Disable SSLv2 access by default:
        #SSLProtocol All -SSLv2
        SSLProtocol All -SSLv2 -SSLv3

        #   SSL Cipher Suite:
        #   List the ciphers that the client is permitted to negotiate.
        #   See the mod_ssl documentation for a complete list.
        #SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
        SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

        #   Speed-optimized SSL Cipher configuration:
        #   If speed is your main concern (on busy HTTPS servers e.g.),
        #   you might want to force clients to specific, performance
        #   optimized ciphers. In this case, prepend those ciphers
        #   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
        #   Caveat: by giving precedence to RC4-SHA and AES128-SHA
        #   (as in the example below), most connections will no longer
        #   have perfect forward secrecy - if the server's key is
        #   compromised, captures of past or future traffic must be
        #   considered compromised, too.
        SSLHonorCipherOrder on

        #   Server Certificate:
        # Point SSLCertificateFile at a PEM encoded certificate.  If
        # the certificate is encrypted, then you will be prompted for a
        # pass phrase.  Note that a kill -HUP will prompt again.  A new
        # certificate can be generated using the genkey(1) command.
        SSLCertificateFile /etc/pki/tls/certs/kolab.comcept.ch.crt

        #   Server Private Key:
        #   If the key is not combined with the certificate, use this
        #   directive to point at the key file.  Keep in mind that if
        #   you've both a RSA and a DSA private key you can configure
        #   both in parallel (to also allow the use of DSA ciphers, etc.)
        SSLCertificateKeyFile /etc/pki/tls/private/kolab.comcept.ch.key

        #   Server Certificate Chain:
        #   Point SSLCertificateChainFile at a file containing the
        #   concatenation of PEM encoded CA certificates which form the
        #   certificate chain for the server certificate. Alternatively
        #   the referenced file can be the same as SSLCertificateFile
        #   when the CA certificates are directly appended to the server
        # certificate for convenience.
        #SSLCertificateChainFile /etc/pki/tls/certs/comcept.ch.ca-chain.pem

        --------------- /etc/httpd/conf.d/ssl.conf ---------------

        # systemctl start httpd.service

Hope this helps!

Kind regards

Andrea Soliva

Email: andrea.soliva at comcept.ch
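The staging steps in the post (copy key and certificate into place, build the bundle and the chain file, restrict permissions) are easy to get subtly wrong, and a key/certificate mismatch or a chain file that does not verify is exactly the kind of thing that leaves Apache serving a certificate you did not expect. The script below is an added example and is not part of the original post or of Kolab: it reproduces the layout of the post under a scratch directory (a stand-in for /etc/pki/tls, assumed as $ROOT), generates a throw-away CA and server certificate as constructed test data, and then checks that the key matches the certificate, that the certificate verifies against the chain file, that no private key ended up under certs/, and that the key is not readable by others. The host name kolab.example.test, the minimal OpenSSL config and all function names are this example's own; the chown root:mail step is left out because the script is meant to run unprivileged.

```shell
#!/bin/sh
# Added example (not from the original post or from Kolab): stage the key,
# certificate and CA chain the way the post does, but under a scratch
# directory $ROOT instead of /etc/pki/tls, then verify the result before
# pointing mod_ssl at it. Needs a POSIX sh and the openssl CLI. The CA and
# server certificate are generated here as constructed test data; the host
# name kolab.example.test and all function names are this example's own.
set -eu
command -v openssl >/dev/null || { echo "openssl CLI required" >&2; exit 1; }

# Minimal OpenSSL config so the example does not depend on the system's
# openssl.cnf; it also gives the CA and server cert sane extensions.
write_req_config() {
    cat >"$1" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:kolab.example.test
EOF
}

# Create a throw-away CA and a CA-signed server certificate in directory $1.
make_test_pki() {
    d=$1; mkdir -p "$d"; write_req_config "$d/req.cnf"
    openssl req -x509 -config "$d/req.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -days 1 -subj "/CN=Test CA" -keyout "$d/ca.key" -out "$d/ca.crt" \
        >/dev/null 2>&1
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=kolab.example.test" -keyout "$d/server.key" -out "$d/server.csr" \
        >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/req.cnf" -extensions v3_server \
        -out "$d/server.crt" >/dev/null 2>&1
}

# Copy the files from $1 into $2/{private,certs} and build the bundle and
# chain file. Modes are set per file on purpose: a bare "chmod 640 certs/*"
# would also hit the distribution's CA bundle and break other TLS clients.
install_tls_files() {
    src=$1; root=$2
    mkdir -p "$root/private" "$root/certs"
    cp -p "$src/server.key" "$root/private/kolab.example.test.key"
    cp -p "$src/server.crt" "$root/certs/kolab.example.test.crt"
    cp -p "$src/ca.crt"     "$root/certs/test-ca.pem"
    # Chain for SSLCertificateChainFile: CA certificates only, never the key.
    cat "$root/certs/test-ca.pem" >"$root/certs/ca-chain.pem"
    # The combined bundle carries the private key, so it lives in private/.
    cat "$root/certs/kolab.example.test.crt" "$root/private/kolab.example.test.key" \
        "$root/certs/test-ca.pem" >"$root/private/bundle.pem"
    chmod 0640 "$root/private/kolab.example.test.key" "$root/private/bundle.pem"
    chmod 0644 "$root/certs/kolab.example.test.crt" "$root/certs/test-ca.pem" \
        "$root/certs/ca-chain.pem"
    # The post's "chown root:mail" step needs root and is skipped here.
}

# 0 if the public key in certificate $1 is the one belonging to private key $2.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# 0 if certificate $1 verifies against the CA certificate(s) in $2.
chain_ok() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# 0 if no file under $1/certs contains private key material.
no_keys_in_certs() { ! grep -qs "PRIVATE KEY" "$1"/certs/*; }

# 0 if "other" has no permission bits on $1 (mode like -rw-r-----).
others_have_no_access() { [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]; }

# Run one check by name and stop at the first failure.
check() { if "$@"; then echo "ok: $1"; else echo "FAIL: $1" >&2; exit 1; fi; }

ROOT=${ROOT:-$(mktemp -d)}
make_test_pki "$ROOT/src"
install_tls_files "$ROOT/src" "$ROOT/tls"
CRT=$ROOT/tls/certs/kolab.example.test.crt
KEY=$ROOT/tls/private/kolab.example.test.key
check key_matches_cert "$CRT" "$KEY"
check chain_ok "$CRT" "$ROOT/tls/certs/ca-chain.pem"
check no_keys_in_certs "$ROOT/tls"
check others_have_no_access "$KEY"
```

Run it as is to let mktemp pick a scratch directory, or set ROOT yourself. After a real install the four predicate functions can be pointed at the files under /etc/pki/tls to confirm what mod_ssl will actually load; the key/certificate comparison in particular is the first thing to try when the server keeps presenting a certificate other than the one you installed.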

On 30-07-2015 09:02, Lebmann, Paul wrote:
> Hey Paul!
> 
> I think I had the same issue. I had to add the paths to the cert, key
> and chainfile in the default-ssl.conf site configuration. Since I use
> Debian I can't tell you the path on centos. On my system it's
> /etc/apache2/sites-available/default-ssl.conf . I think you should
> find it under /etc/httpd/sites-available .
> 
> On 2015-07-30 01:55, Paul Bronson wrote:
>> Guys,
>> 
>> I don't know why I am having this stupid issue.. I want to add an SSL
>> cert to my kolab server but it seems that it wants to keep using a
>> self signed certificate.
>> 
>> kolab 3.4
>> centos 6.5
>> 
>> I followed https://docs.kolab.org/howtos/secure-kolab-server.html [1]
>> 
>> For some reason, when I go to my webmail or web admin I am still
>> seeing a self signed certificate.
>> 
>> 
>> 
>> Links:
>> ------
>> [1] https://docs.kolab.org/howtos/secure-kolab-server.html
>> 
>> _______________________________________________
>> users mailing list
>> users at lists.kolab.org
>> https://lists.kolab.org/mailman/listinfo/users

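The SSLCipherSuite line in the ssl.conf above is long enough that it is worth checking what OpenSSL actually makes of it, since mod_ssl hands the string to the same library: whether `!RC4`, `!3DES` and the rest really removed what you think, and whether the `+...` reordering left a forward-secret suite at the front for `SSLHonorCipherOrder on` to pick. The script below is an added example, not part of the original post or of Kolab. It expands two strings with `openssl ciphers -v`: the stock value the config ships commented out, and the post's list with the separator between `!3DES` and `!MD5` written out as `!3DES:!MD5`. The function names and the block-list of cipher name patterns are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post or from Kolab): expand an Apache
# SSLCipherSuite string with the local OpenSSL, the library mod_ssl links
# against, and check what a client could really negotiate. Needs a POSIX sh
# and the openssl CLI. Function names and the block-list patterns below are
# this example's own choices.
set -eu
command -v openssl >/dev/null || { echo "openssl CLI required" >&2; exit 1; }

# The value ssl.conf ships commented out.
STOCK_SUITE='HIGH:MEDIUM:!aNULL:!MD5'

# The post's list, with the missing ':' between !3DES and !MD5 written out.
HARDENED_SUITE='EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'

# Print the ordered list OpenSSL derives from cipher string $1, one suite per
# line as "NAME PROTOCOL Kx=.. Au=.. Enc=.. Mac=..". TLS 1.3 suites are not
# governed by SSLCipherSuite, so they are dropped from the output.
expand_ciphers() {
    openssl ciphers -v "$1" | grep -v 'TLSv1\.3'
}

# 0 if no suite name on the block-list survived expansion: RC4, 3DES
# (DES-CBC3), MD5, NULL, export grade, PSK, DSS, SEED, anonymous (EC)DH.
no_weak_ciphers() {
    ! expand_ciphers "$1" | awk '{print $1}' \
        | grep -Eq 'RC4|DES-CBC3|MD5|NULL|^EXP|PSK|DSS|SEED|^ADH|^AECDH'
}

# 0 if the first suite, the one "SSLHonorCipherOrder on" makes the server
# pick for a capable client, uses ephemeral (EC)DH, i.e. has forward secrecy.
first_is_forward_secret() {
    expand_ciphers "$1" | head -n 1 | grep -Eq 'Kx=(ECDH|DH) '
}

# 0 if every suite has forward secrecy; fails while static-RSA fallbacks such
# as AES256-SHA are still in the list, however far back they sit.
all_forward_secret() {
    ! expand_ciphers "$1" | grep -Eq 'Kx=(RSA|PSK|ECDH/[A-Z]+) '
}

# Print the expansion of $1 followed by the three verdicts.
report() {
    printf '== %s\n' "$1"
    expand_ciphers "$1" | awk '{printf "   %-32s %-7s %s\n", $1, $2, $3}'
    if no_weak_ciphers "$1"; then echo "   ok: no RC4/3DES/MD5/NULL/export/anonymous suites"
    else echo "   WEAK: a blocked cipher family is still offered"; fi
    if first_is_forward_secret "$1"; then echo "   ok: preferred suite has forward secrecy"
    else echo "   WEAK: preferred suite lacks forward secrecy"; fi
    if all_forward_secret "$1"; then echo "   ok: every suite has forward secrecy"
    else echo "   note: non-PFS fallback suites remain; keep them at the tail"; fi
}

report "$STOCK_SUITE"
report "$HARDENED_SUITE"
```

The expansion reflects only the OpenSSL that runs the script, so run it on the CentOS host where mod_ssl links against the distribution's library; a string that looks fine on a laptop can resolve differently on an older OpenSSL. The post's list is expected to pass the first two checks and fail the third, because it deliberately keeps CAMELLIA256-SHA, AES256-SHA, CAMELLIA128-SHA and AES128-SHA as last-resort suites for old clients; if you do not need those clients, drop the four trailing names and the third check passes as well.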
