Submitted by fuggi on Thu, 07/26/2012 - 17:32
Hi,
from my point of view, it would be quite useful if I could simply enter the address/path of the new certificate files (certificate, private key, CA certificate, and, if applicable, intermediate CA certificate), which are on the server, on the "New Certificate" tab on the "Manage SSL Certificate" page of a virtual server. Thus, existing files on the server would not become redundant.
Best regards,
fuggi
Status:
Closed (fixed)
Comments
Submitted by JamieCameron on Thu, 07/26/2012 - 20:22 Comment #1
This is kind of tricky, as the domain owner could abuse this feature to read certificate files outside the domain's home, or potentially crash Apache.
What is your use case for this feature?
Submitted by fuggi on Sun, 07/29/2012 - 16:43 Comment #2
That would be no security problem, if you let domain/server administrators select only files located in their home directory. But this restriction should not be applied to the master admin, because it is useful for multi-domain certificates (avoid copying the certificate several times).
The use case is simple: I created the key and the CSR manually by OpenSSL on the server and saved my certificate from the CA, the intermediate certificate, and CA's root certificate also in files on the server. Consequently, I had all required files already on the server and could not use any of the forms provided by Virtualmin. So I replaced the key and the self-signed certificate, which were automatically created by Virtualmin at virtual server creation (ssl.cert and ssl.key), by equally-named symlinks to my files. Then I changed SSL/TLS configuration files of Dovecot, Postfix, and ProFTP manually to use these files. Additionally, I had to add the intermediate certificate and root certificate to Apache's configuration file by hand and create certificate chain files for the other servers and add them in their resp. configuration files, too. Hence, quite some work - although the most annoying part was to figure out which kind of certificate chain the different servers can handle.
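The home-directory restriction discussed in comments #1 and #2, as an added example that is not part of the original thread and is not Virtualmin's code. The helper `resolve_cert_path`, its parameters and the directory layout are hypothetical; the point is that the entered path has to be canonicalised first, because a symlink or a `..` component inside the home directory can still point outside it.

```python
import os
import tempfile

def resolve_cert_path(path, home, is_master_admin=False):
    """Hypothetical helper: return the canonical path of a certificate
    file the caller may select, or raise PermissionError/ValueError."""
    real = os.path.realpath(path)            # resolves symlinks and ".."
    if not os.path.isfile(real):
        raise ValueError("not a regular file: " + path)
    if is_master_admin:                      # unrestricted, as proposed in comment #2
        return real
    real_home = os.path.realpath(home)
    if os.path.commonpath([real, real_home]) != real_home:
        raise PermissionError(path + " resolves outside " + home)
    return real

def demo():
    """Build a constructed directory tree and try each kind of path."""
    root = tempfile.mkdtemp()
    home = os.path.join(root, "home", "example")   # constructed domain home
    other = os.path.join(root, "etc", "ssl")       # stands in for files elsewhere
    os.makedirs(home)
    os.makedirs(other)
    own = os.path.join(home, "ssl.cert")
    foreign = os.path.join(other, "other.key")
    for name in (own, foreign):
        with open(name, "w") as fh:
            fh.write("constructed placeholder\n")
    link = os.path.join(home, "ssl.key")           # symlink pointing out of home
    os.symlink(foreign, link)
    dotdot = os.path.join(home, "..", "..", "etc", "ssl", "other.key")

    results = {}
    for label, candidate in (("own", own), ("symlink", link), ("dotdot", dotdot)):
        try:
            resolve_cert_path(candidate, home)
            results[label] = "allowed"
        except PermissionError:
            results[label] = "denied"
    # The master admin may reference the same file from any domain.
    results["master"] = resolve_cert_path(link, home, is_master_admin=True)
    results["foreign_real"] = os.path.realpath(foreign)
    return results

if __name__ == "__main__":
    print(demo())
```

The caller should hand the returned canonical path, not the string the user typed, to whatever writes the server configuration, so the path that was checked is the path that gets used.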
Submitted by JamieCameron on Mon, 07/30/2012 - 01:24 Comment #3
I'll look into this some more, and update this ticket if and when it gets done.
Submitted by fuggi on Mon, 07/30/2012 - 05:43 Comment #4
Thanks!
Submitted by helpmin on Thu, 08/02/2012 - 18:25 Comment #5
Regarding "Additionally, I had to add the intermediate certificate and root certificate to Apache's configuration file by hand":
See also the related issue https://www.virtualmin.com/node/22492 (which is marked as private, but basically says that SSLCertificateChainFile is missing in SSL options).
Submitted by JamieCameron on Sun, 08/12/2012 - 00:11 Comment #6
This will be fixed in the 3.94 Virtualmin release.
Submitted by fuggi on Sun, 08/12/2012 - 06:27 Comment #7
Good news! Looking forward to release 3.94!
Are the intermediate certificates going to be copied in appropriate ways to other servers (Dovecot, Postfix, ProFTP) as well, if one clicks a respective button on the "Manage SSL Certificate" page?
Submitted by JamieCameron on Sun, 08/12/2012 - 19:53 Comment #8
The next Virtualmin release will also copy the CA cert to Dovecot and Postfix.
Submitted by Issues on Sun, 08/26/2012 - 20:08 Comment #9
Automatically closed -- issue fixed for 2 weeks with no activity.