Edward Crawford wrote:

I only know basic Linux commands, such as ls and cd, so I need a pretty basic explanation. In addition, certificates are not my strong suit.

I have a wildcard certificate from GoDaddy.  I downloaded the .zip file after selecting Apache, and the .zip file contains two .crt files.  I understand that I need a .pem file and a .key file.  How do I get these?

I understand that the .pem and .key files need to be placed in /etc/ssl/private/new-cert. Currently there is a .key file there, but no .pem file. How do I copy files from my network to the server?

Jeremy Davis wrote:

Welcome to TurnKey! :)

The easiest thing to do is to check what is inside the files. I recommend grep for that (grep searches text based files for specific patterns). I'll show you what I get from the default certificates that TurnKey produces. If what you have matches, then you're good to go. If not, then I can help you create the files that you need. Ours are created in such a way that the same certificate can be used for all our supported webservers (Apache, LigHTTPd and Nginx) as well as Webmin and Webshell.

So the default files are:

  • /etc/ssl/private/cert.pem
  • /etc/ssl/private/cert.key

Our default pem file contains the certificate, the key and the DH parameters. The default key file contains just the private key (the key is included twice because some apps require a single file; others need 2 separate files by default). Lucky for us, each section of the file has a header and a footer which allows us to easily see what it is. Each header and footer is surrounded with five dashes (e.g. "-----"). So we'll use grep to search for that pattern like this:

grep -- ----- /etc/ssl/private/cert.pem

The double dash (straight after the grep) is to tell grep that the five dashes should be interpreted as the search string (for search terms which don't start with dashes, you don't need the extra double dash).

Anyway, this is what I get back:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
-----BEGIN DH PARAMETERS-----
-----END DH PARAMETERS-----

And the keyfile:

grep -- ----- /etc/ssl/private/cert.key
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

So if you try the same commands on your files, hopefully you have something similar. If it's not exactly the same, post what you have and I'll tell you what you'll need to do.

Monte Armstrong wrote:

Hey Edward and Jeremy,

I am not experienced by any means, but I think Edward is asking what I need to ask too.

I have the same two files from GoDaddy, but I am not sure where to put them, or where to change the symbolic links or whatever needs to be done for the new certs to be in place. They are two .crt files. One named gd_bundle and the other a long alpha/numeric name. Do I change the .key file name and rename the default to .old? Should I put them inside the cert.pem? Like Edward mentioned, we do not have a .pem file from GoDaddy. 

I have moved the files to my server already. Edward, you will need to FTP or SSH your GoDaddy cert files to your server. I use this command: scp filename user@serveraddress:/path/to/folder

To make it easier, I navigate to the folder where the file is first, then use the command. Replace user@serveraddress with the appropriate user name and server FQDN or IP address. You may leave everything blank after the : and then move it later with the mv command.

Also, the .key file will already be on the server that made the CSR request.

Thanks Jeremy for all your time and effort, this is my first post but I have been using turnkey appliances for a couple years and truly appreciate all that you do.

Jeremy Davis wrote:

If you use the grep commands that I posted above on the 2 crt files you have, then we'll know what you have.

The .pem/.key/.crt file extensions do by convention generally contain certain things. .pem files tend to be certificates, .key files tend to contain private certificate keys and, strictly speaking, .csr files are "certificate request files".

So there is some convention on what the files contain, but essentially, they're just text files. Unlike Windows, on Linux, the actual file extension doesn't really matter. All that matters is what is in the files.

Also your post made me realise, that I actually have no idea how the certificate signing process works on GoDaddy. The only experience I've had with "proper" SSL certs is the free SSL certs that Let's Encrypt provide (that will be bundled with all v14.2 appliances). And those are in a different format - they give cert and fullchain (in .pem files) and the key (as .key).

I just did a quick google and found a tutorial on adding a GoDaddy cert to Ubuntu (not the same but close enough for my purposes). I see that you are right; basically, the way that this appears to work is that you create a .csr (certificate request) using your own key file. You then upload that to GoDaddy. They then sign your csr and return a zip file:

Basically it’s a zip file containing 2 files, the one that looks like a randomly generated hash is your secure certificate (let’s call it 6eba0aa5c1b8.crt for this article), while the one that starts with gd_bundle_ is your certificate chain file.

So it sounds like to get everything working as it should, we may need to bundle some of these together...
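
Added example (not from this thread or from TurnKey's own tooling): a small POSIX sh script that does the two things discussed above. It lists the PEM blocks in a file the way the grep command does, and it concatenates the GoDaddy leaf certificate, the gd_bundle chain and the existing private key into one cert.pem in the order a web server expects (leaf first, then intermediates, then key). The file names 6eba0aa5c1b8.crt, gd_bundle.crt and cert.key are assumptions taken from the posts; the certificate bodies are constructed placeholders so the script runs offline, and the openssl check is only meaningful on real files.

```shell
#!/bin/sh
# Added example: inspect PEM files and assemble a combined cert.pem.
# File names are assumptions from the thread; bodies are constructed
# placeholders, not real certificates or keys.

work="$(mktemp -d)"

# Constructed stand-ins for the three inputs. Real files hold base64 DER
# between the same BEGIN/END markers; only the markers matter here.
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'LEAFCERT' '-----END CERTIFICATE-----' \
    > "$work/6eba0aa5c1b8.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE1' '-----END CERTIFICATE-----' \
              '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE2' '-----END CERTIFICATE-----' \
    > "$work/gd_bundle.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'KEYBODY' '-----END PRIVATE KEY-----' \
    > "$work/cert.key"

# List the PEM block types in a file, in file order: the same information
# as "grep -- ----- file", but one type per line and without the END lines.
pem_blocks() {
    awk '/^-----BEGIN / { sub(/^-----BEGIN /, ""); sub(/-----$/, ""); print }' "$1"
}

# Count blocks of one exact type, e.g. pem_count file CERTIFICATE
pem_count() {
    pem_blocks "$1" | grep -c -x -F -- "$2" || true
}

# Build the combined file: leaf certificate, then the chain, then the key.
# Refuses (exit 1, nothing written) if an input lacks the expected block.
assemble_pem() {
    leaf="$1"; chain="$2"; key="$3"; out="$4"
    [ "$(pem_count "$leaf" CERTIFICATE)" -eq 1 ] \
        || { echo "expected exactly one certificate in $leaf" >&2; return 1; }
    [ "$(pem_count "$chain" CERTIFICATE)" -ge 1 ] \
        || { echo "no certificates in $chain" >&2; return 1; }
    pem_blocks "$key" | grep -q -- 'PRIVATE KEY$' \
        || { echo "no private key in $key" >&2; return 1; }
    # The output contains the private key, so create it owner-readable only.
    ( umask 077; cat "$leaf" "$chain" "$key" > "$out" )
}

# Sanity check for real files: the leaf certificate's public key must match
# the private key, or the web server will refuse to start with the pair.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 \
        || { echo "openssl not installed, skipping check" >&2; return 0; }
    c="$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)" || return 1
    k="$(openssl pkey -in "$2" -pubout 2>/dev/null)" || return 1
    [ "$c" = "$k" ]
}

assemble_pem "$work/6eba0aa5c1b8.crt" "$work/gd_bundle.crt" "$work/cert.key" "$work/cert.pem"
pem_blocks "$work/cert.pem"
```

On a real appliance, point the three arguments at the unzipped .crt files and the existing cert.key, and run key_matches_cert on the leaf certificate and the key before installing anything. The script does not add the DH PARAMETERS block that TurnKey's default cert.pem carries.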

Monte Armstrong wrote:

Hi again,

I used the grep suggestion above but I do not have cert.pem or cert.key in the /etc/ssl/private folder. I did find them in the /etc/ssl/certs folder and got this from cert.pem:

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

and this from cert.key:

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

So I am suspecting that I either have an older appliance with different defaults, or I am overlooking something entirely. I look forward to any insights. Thanks!

Jeremy Davis wrote:

As of v14.0 we moved the default SSL cert location (to /etc/ssl/private) and locked down the permissions a bit more.

So the location you will want to put your certs will be different, but otherwise the theory should remain the same...

Also, as I hinted above, the new v14.2 appliances (will) come with a confconsole plugin to allow you to get free SSL certs via Let's Encrypt and that takes care of everything for you! Have a look at the v14.2 announcement here. The first batch of new appliances should be live within the next day or 2. :)

Monte Armstrong wrote:

Well, I was a bit hasty buying a 5 certificate bundle then. Since I was using a discount voucher I got 3 years too.  LOL.

Ok, the Let's Encrypt looks awesome. I am using the Wordpress appliance so I will happily wait for the new version. Means a lot of work to be done to switch over all my websites but it will be worth it in the end.

In the meantime, I may fart around with the cert.pem file and seeing if I can get the GoDaddy certs to work just because I have them. I will post any success I may have. 

Thanks again for all your amazing efforts. I manage 12+ very small Wordpress websites on turnkey wordpress appliances that are running in Proxmox. I would be happy to share any of my limited knowledge, or do some testing if it ever helps.

Jeremy Davis wrote:

Any way you'd like to contribute is warmly welcomed. We generally do a fair bit of internal testing but we always appreciate feedback, especially constructive criticism (so we can be better). So please feel free to share your knowledge and experience and let us know if/when you hit any bugs or things that "shouldn't be". Or if you have ideas on what we could do better, please share.

The new WordPress appliance should be available any day (I'll announce in a blog post when we're ready). So if you'd like to keep an eye out for that and test it out, that'd be great. Any general feedback and ideas can be posted as a comment on the (yet to be published) blog post or here in the forums, and specific bugs or feature requests can be posted on our Issue Tracker.
