Jiger's picture

Hi,

I have a Tkl file server version 12.0.

I want to install the ssl certificate for the webmin console https://<ipaddress>

For this, I am following the below steps:

1) Create a Pem file from the key and cer file using the cat command:

    Command used: cat abc.domain.com.key abc.domain.com.cer > cert.pem

2) Create a Pem file from the Root and the Intermediate certificates using the cat command:

    Command used: cat abc.domain.com.key abc.domain.com.cer intermediatecer01.cer intermediatecer02.cer rootcer.cer > chainedcert.pem

3) Copied the above certificates in the directory: /etc/ssl/certs

4) Go to directory /etc/lighttpd/conf-available and click the file 10-ssl.conf


    Configured the settings to:

    $SERVER["socket"] == "0.0.0.0:443" {
        ssl.engine  = "enable"
        ssl.pemfile = "/etc/ssl/certs/cert.pem"
        ssl.ca-file = "/etc/ssl/certs/chainedcert.pem"

        ssl.honor-cipher-order = "enable"
    }
 
5) Restart the webserver:

    root@tkl# /etc/init.d/lighttpd restart

    Stopping web server: lighttpd.
    Starting web server: lighttpd.
 
At last, when I type in the IP address of my server in the browser to check the webmin using ssl:

https://<ipaddress> --> I am still getting the ssl warning page which I believe should not be displayed after installing the ssl certificate.

Can somebody please guide me as to what I need to change or correct in the above settings? Or maybe some other steps to follow.
 
Thanks.
Jiger's picture

Hi friends,

I am sure many of you experts out there would have installed the ssl certs successfully on the Tkl Fileservers. I would appreciate if you guys can please look at my problem description and help me out.

 

Thanks

JN

Jeremy Davis's picture

TKL appliances come with auto generated self signed certificates - so you don't need to do anything if that is what you are after.

If you are trying to get rid of the SSL warning when you contact the site via HTTPS, then you'll need to purchase a cert that is signed by a Certificate Authority (CA). Security certs will always give a warning unless they are signed by a recognised third party (i.e. a CA).

Jiger's picture

Hi Jeremy,

Thanks for the reply.

Requirement is to install an Ssl certificate which is signed by a CA. 

The certs are being signed by our company's Internal CA.

 

Out of the steps mentioned in my previous post, do you think any steps are incorrect or missing?

 

Thanks,

JN

Jeremy Davis's picture

But Alon did do a blog post on it. It was quite a while ago, but I wouldn't think that it has changed that much...

One other thing though... Did I get you right in that you are trying to install a cert for Webmin? If so, keep in mind that Webmin uses its own miniserver now (as of TKL v11.x IIRC). I have no idea how (or even if) that handles SSL certs. You may need to proxy it through LigHTTPd perhaps? I'd check the Webmin docs/support first (as perhaps you can configure the Webmin miniserver to take care of it itself...?)

Jiger's picture

Yeah, that's the post which I referred to initially; however, the post doesn't include all the steps.

In any case, I have done the configurations based on that post itself.

I am aware that Lighttpd needs to be configured for this to work which is what I have done as mentioned in my first comment in this post.

JN

Jeremy Davis's picture

Have you installed the module and configured it...? I don't see any mention of it in any of your posts... Although TBH I have no idea how (or if) the cert will work if you are acting as a proxy... Or are you just trying to get HTTPS working with LigHTTPd first and worry about how to hook it up to Webmin later?

Assuming that it is the latter, have you double checked the cert that you are getting in your browser? Regardless of whether it is giving an SSL error or not, you will be able to see if it is the cert you have (or are trying to) installed or not. So it will at least give you an idea of whether or not your server config is right... If it is then you have an issue with your internal CA and/or browser config... Also double check that you clear the cache on the browser you are using (I have had issues with HTTPS sites using cached certs before).

Jim Armstrong's picture

I hope the FAQ listed below can help you with SSL certificate installation on your webmin server.

 

  • My browser complains about the Webmin certificate when in SSL mode

    This happens because the default SSL certificate that is generated by webmin is not issued by a recognized certificate authority. From a security point of view, this makes the certificate less secure because an attacker could theoretically redirect traffic from your server to another machine without you knowing, which is normally impossible if using a proper SSL certificate. Network traffic is still encrypted though, so you are safe against attackers who are just listening in on your network connection.

    If you want to be really sure that the Webmin server you are connecting to is really your own, the only solution is to order a certificate from an authority like Verisign that is associated with your server's hostname and will be recognized by web browsers. This certificate should be placed in the file /etc/webmin/miniserv.pem and be in the same certificate+key format as the existing miniserv.pem file.

    To request a certificate, follow these steps :

    • Run the command openssl genrsa -out key.pem 2048 . This will create the file key.pem which is your private key.
    • Run the command openssl req -new -key key.pem -out req.pem . When it asks for the common name, be sure to enter the full hostname of your server as used in the URL, like www.yourserver.com. This will create the file req.pem, which is the certificate signing request (CSR)
    • Send the CSR to your certificate authority by whatever method they use. They should send you back a file that starts with -----BEGIN CERTIFICATE----- which can be put in the file cert.pem.
    • Combine the private key and certificate with the command cat key.pem cert.pem >/etc/webmin/miniserv.pem.
    • Re-start webmin (making sure it is in SSL mode) to use the new key.

Sr. SSL Security Specialist at RapidSSLOnline
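
The FAQ's last steps combine a key and a CA-issued certificate into one PEM file; the script below is an added example, not part of the thread or of Webmin, that checks such a bundle before it is installed: the private key must match the certificate, and the certificate must chain to the CA that is expected to be trusted (an internal CA in the case discussed above). The CA, hostname and file names are constructed for the demonstration, and `check_pem_bundle` and `make_demo` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the thread): check a combined key+certificate PEM
# before installing it. All names and subjects below are constructed.

# check_pem_bundle BUNDLE CA_FILE
#   0 = OK, 1 = private key does not match certificate,
#   2 = certificate does not chain to CA_FILE
check_pem_bundle() {
    bundle=$1; ca=$2
    # Public key derived from the private key in the bundle
    key_pub=$(openssl pkey -in "$bundle" -pubout 2>/dev/null) || return 1
    # Public key embedded in the first certificate in the bundle
    crt_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$crt_pub" ] || return 1
    # Chain check: only the certificate is fed to 'verify', on stdin
    openssl x509 -in "$bundle" 2>/dev/null |
        openssl verify -CAfile "$ca" >/dev/null 2>&1 || return 2
    return 0
}

# make_demo DIR: throwaway internal CA plus a server certificate signed by it
make_demo() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Internal CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/key.pem" \
        -subj "/CN=fileserver.example.internal" -out "$dir/req.pem" 2>/dev/null
    openssl x509 -req -in "$dir/req.pem" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/cert.pem" 2>/dev/null
    # Same key-then-certificate order as the FAQ's miniserv.pem step
    cat "$dir/key.pem" "$dir/cert.pem" > "$dir/miniserv.pem"
}

demo=$(mktemp -d)
make_demo "$demo"
check_pem_bundle "$demo/miniserv.pem" "$demo/ca.pem" && echo "bundle OK"
rm -rf "$demo"
```

A bundle that passes both checks can still produce a browser warning if the signing CA is not in the client's trust store or the host in the URL does not match a name in the certificate.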

Jeremy Davis's picture

But I was under the impression that you could set up your own internal CA (which is my understanding of what Jiger has done). If that is the case, then you could create your own certs, signed by your internal CA and as long as your OS and/or browser was configured to accept your internal CA as authoritative then it should all just work...!?

Jim Armstrong's picture

Not sure about your Internal CA cert, but yes if you signed authorized Certificate Authorities which I have mentioned in my previous comment then I assure you will have success with https..!

Sr. SSL Security Specialist at RapidSSLOnline
