You are here
Hi
I am new to trunkey appliances, but a EC2 user for 4-5 years. I hope I can explain myself is a correct way.
I installed TK OwnCloud appliance 12.1 and had no problem with windows desktop client 1.41, then I installed did a EC2 new instance of Debian (wheezy) and installed OwnCloud by my self (5.012) and had no problems with the windows client. But when I installed the TK appliance 13.0rc I had problems with the windows desktop client.
"Server certificate was missing commonName Attribute....."
The TK appliance I did the update to 5.0.12, I have no idea if I am doing something wrong by updating, or if its just a bug that need to be taken care, it actualy says 13.0rc is in development. I even tryed to create my own sertificate thru webmin but still same problem.
Thanks to anyone that can point me to the right direction to solve the issue.
Thanks
Bjorn,
Thxs very much for pointing me to the right direction.
Got it fix now.
cheers!
Thanks for this post
I have modified the above post as you suggested. Thanks again...
Also I have updated an old issue/bug about this problem and included a link back to this thread and the above post...
I ran into this error ...
while testing the ownCloud appliance for a possible application. Couldn't figure out why it refused to sync until I googled the error message and found this thread. Having just had to regenerate a bunch of ssl certs because of Heartbleed, it got me wondering if the 15regen-sslcert script could be made a little more intelligent by including the actual host name and domain name. The startup scripts would have to be modified to prompt the user for host and domain or FDQN during first boot. I would first make a dhcp request and use the values (if any) as the defaults, but allow the user to override them if desired. I'm too busy right now to work on it, but if there is any interest I'd be willing to give it a go later in the year.
Information is free, knowledge is acquired, but wisdom is earned.
Nice idea John
I think it's a nice idea, especially for the ownCloud appliance.
The only thing I'm not 100% sure about is the best way of doing it... Obviously the script needs to be able to run without interaction too, although I guess it could be done like the other inithooks that require input. Although for appliances that require the FQDN to be set, it'd be nice if the inithooks only asked once...
FWIW you can find the existing script in 'common' on GitHub.
Try a patched version of the script
Nelson,
The existing script on GitHub that Jeremy linked to is the original script that ran on first boot. It generates a cert that won't work with OwnCloud because the CN is left blank. I've patched the script to set CN=$(hostname) which satisfies OwnCloud. I also changed the key length to 2048 which is now the minimum recommended RSA key length.
You can find my patched file at https://github.com/Dude4Linux/common/blob/update_regen_sslcert/overlays/...
I haven't submitted a pull request yet because I'm looking at some other changes and because I haven't fully tested a complete build. Please try this version and let me know if there are any problems.
PS: The raw script file can be downloaded from https://raw.githubusercontent.com/Dude4Linux/common/update_regen_sslcert...
Information is free, knowledge is acquired, but wisdom is earned.
pull request
Great work! We are gearing up for the 13.1 maintenance release, and I'd like to include both of your commits. I could merge manually, but would be great if you could send a pull request...
How soon do you need the pull
How soon do you need the pull request? I started working on a script to query DNS for the hostname (rather than DHCP). If a hostname is defined in DNS it uses that, otherwise it defaults to the appliance name (current behavior). If you can wait a week or two, I'll try to finish the script and test it.
Information is free, knowledge is acquired, but wisdom is earned.
The sooner the better! :)
But I imagine that within the next couple of weeks should be fine! :)
Let's go for the small win first
I propose we merge the current commits (2048 bits, hostname --fqdn), and then merge the enhanced version when its ready and tested.
Done
Submitted pull request as you suggested.
Do you have any thoughts on the advisibility of setting the hostname using a reverse DNS query? It works for me in my envirionment because I've setup a series of virtual hosts with fixed IP addresses and DNS names. I'm concerned it might not work in all the other environments where TurnKey Linux is used.
The script I'm proposing would
The script would run on firstboot before the ssl cert is generated so the correct name would be used in the certificate.
Information is free, knowledge is acquired, but wisdom is earned.
What to do next?
The instructions at https://github.com/turnkeylinux-apps/tkldev/blob/master/docs/development... don't explain what to do after the pull request has been generated and accepted. I did get a suggestion that I should delete the branch and re-sync (? can't remember the exact message) with the upstream source. I want to start a new branch and work on another issue, but I don't want to lose the changes I made so far.
Suggestions on how to proceed would be appreciated.
Information is free, knowledge is acquired, but wisdom is earned.
Think I figured it out
For future reference, I ran the following commands.
Information is free, knowledge is acquired, but wisdom is earned.
Easier github pull/push configurations
For what it's worth it's possible to configure Git so that it automatically associates a local branch with a remote. That can simplify things somewhat.
Here's a script I use to register GitHub remotes so that I can pull or push from them with just one command:
Firstly all those should be https (not http)
And I think that may solve your issue there (hopefully). As for the other thing about asking for a passphrase on boot, I'm not 100% sure about that one... I haven't come across that before, although TBH I haven't used ownCloud much either...
15regen-sslcert
The original 15regen-sslcert script uses a crude hack to generate a cert without a password. It first creates a certificate with a default password='<blank>'. The default can be overridden by setting an environment variable (there may be cases where this is desired). It then checks, and if the default was not changed, it removes the password. I didn't attempt to modify this part of the script since it has been working for a long time. I modified only two lines to increase the key length to 2048 and to add the host name or fully qualified domain name to the certificate.
The proper way to download and run the script is:
If that still does not work, then check the value of the $KEYPASS environment variable to see if you have it set.
Note: The update_regen_sslcert branch has been deleted after the change was accepted into core, breaking the link above. Use the link below instead.
https://raw.githubusercontent.com/Dude4Linux/common/master/overlays/turn...
Information is free, knowledge is acquired, but wisdom is earned.
Sorry about that ...
The git branch got deleted after Liraz accepted the change into core. That broke the link and I didn't notice. The following link should work:
https://raw.githubusercontent.com/Dude4Linux/common/master/overlays/turn...
Information is free, knowledge is acquired, but wisdom is earned.
You're welcome
The .pem file is just a concatenation of the .crt and .key files. I think it was setup this way because of shell-in-a-box, which wants a single file with both cert and key. Shell-in-a-box is problematic in that it needs a valid, default cert/key file in order to start, but it then tends to generate it's own certs, one for each http header it encounters. I tried generating a SAN (subject alternate name) cert, but it wouldn't recognize anything other than the Common Name.
I've been working on a more general approach for generating certs over at https://github.com/Dude4Linux/common/tree/create-ssl-cert-with-subject-a.... I found the cert that was generated was accepted by the ownCloud client and by Firefox, but I've had problems getting Chrome, Chromium, and Safari to permanently recognize the cert as valid. Have you noticed any issues with the cert/key you generated using the method you linked too? If possible, could you check using one of the three browsers I mentioned and let me know if they will accept the cert permanently? TIA
Information is free, knowledge is acquired, but wisdom is earned.
Add new comment