GODaddy SSL Certificate

39 posts / 0 new
Last post
#1 Tue, 07/17/2007 - 16:53
gte451f

GODaddy SSL Certificate

I've been working on installing a godaddy certificate and was wondering if anyone else has done the same with Virtualmin? This is one of those funky (but cheap) intermediate certificates. See this thread for more background: http://www.virtualmin.com/forums/general-discussion/certificate-options....

Anyway, the idea is to install 2 certificates as part of your "Chain". Your certificate as well as an intermediate cert. from Godaddy. I'm having trouble translating their instructions to a Virtualmin setup.

1. Copy your issued certificate, intermediate certificate and key file (generated when you created the Certificate Signing Request (CSR)) into the directory that you will be using to hold your certificates. 2. Open the Apache ssl.conf file and add the following directives: * SSLCertificateFile /path to certificate file/your issued certificate * SSLCertificateKeyFile /path to key file/your key file * SSLCertificateChainFile /path to intermediate certificate/gd_intermediate_bundle.crt 3. Save your ssl.conf file and restart Apache.

Basically, instead of copying the files to a directory on the webserver, I installed my new cert via the "Mange SSL Certificate->New Certificate" menu.

But how do I install the intermediate cert? I have created this directive in my ssl.conf file. * SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

Will Apache know to use this for my certificate? Will it interfere with other certificates? Whill the Atlanta Hawks ever field a decent basketball team?<br><br>Post edited by: JimJenkins, at: 2007/07/17 16:54

Wed, 07/18/2007 - 01:01
Joe
Joe's picture

Hey Jim,

Yep, it's been done. You're using one here at Virtualmin.com. We're cheap, and we know how to use chained certificates. It's a dangerous combination. ;-)

That said, I set ours up manually before any of the SSL handling stuff in Virtualmin had gotten reasonable (it still needs a little bit more work).

Here's the relevant VirtualHost section on our system (note that I said VirtualHost--the chain file probably ought to be set per-domain, though I can't be sure that's necessary, as it is the same for all that are purchased from the same folks...godaddy in my case and yours):

SSLEngine on
SSLCertificateFile /home/virtualmin/etc/certs/certfile.pem
SSLCertificateKeyFile /home/virtualmin/etc/certs/keyfile.pem
SSLCertificateChainFile /home/virtualmin/virtualmin/certs/sf_issuing.crt

Virtualmin's SSL management doesn't yet handle chained certs (I'll ask Jamie to add it), so the SSLCertificateChainFile will need to be added manually.

And, no, I'm guessing the Hawks will not field a decent team in our lifetime. (But, ya'know, the Houston Rockets were an also-ran until 1993...and now have become an also-ran again. Things change.) ;-)

Oh, yeah, you can also use this kind of cert for Postfix with these directives:

smtpd_tls_cert_file = /etc/postfix/virtualmin.pem
smtpd_tls_CAfile = /etc/postfix/sf_issuing.crt

Though it looks like I combined the key and the cert into a pem for Postfix use (I don't think this is necessary...not sure why I went that route.)

And Dovecot:

ssl_cert_file = /home/virtualmin/etc/certs/virtualmin-chained.cert
ssl_key_file = /home/virtualmin/etc/certs/keyfile.cert

Same story here, only with the chain and the cert combined--I think this one was actually necessary to make Dovecot use the chain.

cat sf_issuing.crt certfile.pem &gt; chained.cert

I don't use FTP, but you could do the same for ProFTPd with the TLSCertificateChainFile directive.&lt;br&gt;&lt;br&gt;Post edited by: Joe, at: 2007/07/18 01:02

--

Check out the forum guidelines!

Tue, 03/11/2008 - 08:03 (Reply to #2)
jayandran

dear joe,
i bought Godaddy turbo ssl cert and i dont know how to use it for my webmin.. can you guide me on how to install this cert from scratch. I been trying to install for past one week and all the time it fails!

thanks in advance.

Tue, 09/09/2008 - 18:38 (Reply to #3)
lance

<b>SteveACup wrote:</b>
<div class='quote'>If I may add a few tidbits that may save someone like me a few hours:
...
2) if you already have a passworded private key file, use this command to remove the password: openssl rsa -in key.pem -out keyout.pem

Hope this helps someone </div>

This helped me out. Thanks!

Another tidbit: If you do have your pem file passworded, you can do &quot;/etc/rc5.d/S99webmin start&quot; as root in the console and enter the PEM password to start webmin.

Fri, 12/05/2008 - 07:31 (Reply to #4)
Transmobius

Hi adamcharnock, sorry about the delay in replying.

First, my /home/$DOMAIN/ssl.chained.cert does NOT have trailing ^M characters
so I would probably start by (backing up and) rebuilding that file.

Also, the error, and your '/xxx/xxx/xxx/xxx.key', look like you may be
pointing to the wrong file. Or maybe it's just one too many /xxx in your
obfuscated path. My ssl files are in /home/$DOMAIN/, perhaps your's are
in /home/$DOMAIN/ssl/ ? Hmmm, that'd be a bit cleaner, may do that . . .

Next, this is the appropriate section from my /etc/proftpd/proftpd.conf
it is somewhat changed from my earlier post:
----------------------------------------------------------------------
&lt;IfModule mod_tls.c&gt;
TLSEngine on
TLSRequired on
TLSVerifyClient on
TLSProtocol SSLv23
TLSRSACertificateFile /home/$DOMAIN/ssl.chained.cert
TLSRSACertificateKeyFile /home/$DOMAIN/ssl.key
TLSCipherSuite ALL:!ADH:!DES
TLSLog /var/log/proftpd/tls.log
##TLSOptions NoCertRequest
&lt;/IfModule&gt;
----------------------------------------------------------------------
(Obviously, you must replace $DOMAIN with your actual domain)

Note that the above ONLY allows encrypted connections, to also allow
non-encrypted sessions use 'TLSRequired off'.

A good reference page for the ProFTPd TLS stuff is at
http://www.castaglia.org/proftpd/modules/mod_tls.html

Cheers

Wed, 05/06/2009 - 14:53 (Reply to #5)
kato

Did this ever make it in the wiki? I'm having trouble, though I've followed all the steps here and hoping a doc may help.

Wed, 05/06/2009 - 16:03 (Reply to #6)
andreychek

What sorts of trouble are you having?

Adding a GoDaddy cert in general, or getting it to work with ProFTP?
-Eric

Sun, 06/07/2009 - 07:53 (Reply to #7)
mrwilder

The most common certs are only good for one host, so if you generate your CSR with &quot;ssl.domain.com&quot; you'd want to use that host in the setup for your mail client.

The instructions listed here work flawlessly for adding a cert to a domain - plus the kluges for using a single cert for webmin and virtualmin work as well- however, in addition to setting up the domain itself, webmin, and virtualmin, I recommend adding the same SSL setting for the Usermin setup, too!

I also added a couple entries to httpd.conf

ServerAlias webmail.nonsecuredomain.com

RewriteCond %{HTTP_HOST} =webmail.nonsecuredomain.com
RewriteRule ^(.*) https://secureddomain.com:20000/ [R]

This way I can get my webmail at any domain on the box and it routes to the real SSL certified domain without those irritating security warnings.

Wed, 11/07/2007 - 19:59
Transmobius

I'm planning on getting a GoDaddy SSL cert this week, any update to the above?

Another related question, if I get the cert for www.MyDomain.com should I spec that as my POP3/SMTP servers in my mail client (as opposed to mail.MyDomain.com or just MyDomain.com)?

Wed, 11/07/2007 - 22:32 (Reply to #9)
Joe
Joe's picture

I believe chained certs are now configurable in Virtualmin. If not, they will be soon (and the above docs should get you there).

Yes, if your cert is www.domain.tld, then everything that uses the cert needs to be talking to www.domain.tld, or it will result in a security warning.

--

Check out the forum guidelines!

Thu, 11/08/2007 - 05:52
Transmobius

It looks like it knows about chained certificates:
<b>Virtualmin-&gt;Server Configuration-&gt;Manage SSL Certificate-&gt;CA Certificate</b>
<div class='quote'>&quot;If your virtual server's SSL certificate is from a certificate authority that is not directly known to major browsers, you may need to upload the CA's certificate using this form.&quot;</div>

I'll find out and report back in a couple of days.

On the mail servers question, if I wanted to maintain both a 'www.' cert for browsers and a 'mail.' cert for POP/SMTP/IMAP would your interface allow this, or is it back to the command line?

Thu, 11/08/2007 - 06:43
Transmobius

More GoDaddy info.

They offer 'Single' certs that, they say, if issued after 2006 will secure the domain name, with or without the www prefix. Has anyone tried this? See: [url]http://help.godaddy.com/article.php?article_id=850&amp;topic_id=234[/url]

They also offer 'Multiple Domain (UCC)' and 'Wildcard' certificates for A LOT more money. Multiple would be a single certificate for many separate domains!? And Wildcard seems to let you use just one certificate for how ever many subdomains your domain has.

Both are interesting. But it would still be cheaper to have two singles at $19/year. And if Virtualmin could plug-in two (www and mail) it would be a no brainer.

Fri, 11/09/2007 - 20:55
Transmobius

Easier than I can believe.

Virtualmin-&gt;Server Configuration-&gt;Manage SSL Certificate-&gt;Signing Request
Fill in the blanks ('Server name in URL' needs the 'www' but not 'http://'), click 'Generate Now', copy the result
Log in to GoDaddy, buy a certificate credit, use the credit to request a certificate (they have instructions)
Paste in the CSR you got from clicking 'Generate Now'
They e-mail you a link to a zip file containing your cert and a chain called 'gd_intermediate_bundle.crt'
Unzip the file
Virtualmin-&gt;Server Configuration-&gt;Manage SSL Certificate-&gt;New Certificate
Upload your cert into 'Signed SSL certificate'
Virtualmin-&gt;Server Configuration-&gt;Manage SSL Certificate-&gt;CA Certificate
Upload the chain into 'CA certificate file'
Restart Apache

<b>Dovecot</b>
Webmin-&gt;Servers-&gt;Dovecot-&gt;SSL Configuration (No chain needed?)
SSL certificate file /home/YOURDOMAIN/ssl.cert
SSL private key file /home/YOURDOMAIN/ssl.key
Save, Restart Dovecot

<b>Postfix</b>
Webmin-&gt;Servers-&gt;Postfix-&gt;SMTP Authentication
Enable TLS encryption? Yes
TLS certificate file /home/YOURDOMAIN/ssl.cert
TLS private key file /home/YOURDOMAIN/ssl.key
TLS certificate authority /home/YOURDOMAIN/ssl.ca
Save, Restart Postfix

<b>ProFTPd</b>
This takes just a bit more effort. It requires the chain file (now residing at /home/YOURDOMAIN/ssl.ca) and your cert together. Login to your system and
cat ssl.ca ssl.cert &gt; ssl.chained.cert
Webmin-&gt;Servers-&gt;ProFTPD Server-&gt;Edit Config Files
(Explanation at: http://www.castaglia.org/proftpd/modules/mod_tls.html)
--------------------------------------------------------------------------------
FIND THIS SECTION (ABOUT HALF WAY DOWN):
&lt;IfModule mod_tls.c&gt;
TLSEngine off
&lt;/IfModule&gt;

AND CHANGE IT TO READ:
##&lt;IfModule mod_tls.c&gt;
##TLSEngine off
##&lt;/IfModule&gt;
TLSEngine on
TLSRequired on
TLSRSACertificateFile /home/YOURDOMAIN/ssl.chained.cert
TLSRSACertificateKeyFile /home/YOURDOMAIN/ssl.key
TLSCipherSuite ALL:!ADH:!DES
--------------------------------------------------------------------------------
Save, Restart ProFTPd

Wed, 11/26/2008 - 06:48 (Reply to #13)
adamcharnock

Thanks for the great info Transmobius. I have yet to get PROFTPD to work properly though. I kept getting the following in my tls log:

Nov 26 11:19:45 mod_tls/2.1.2[24181]: error loading TLSRSACertificateKeyFile '/xxx/xxx/xxx/xxx.key':
(1) error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

Which seemed odd because everything was working fine with apache, so I can only conclude that I made a mistake when creating the chained crt file.

Also, I am not sure if this will help anyone, but the chained file I crated seemed to have the dos-style (^M) line endings, so I passed it thourgh the dos2unix command but it did not seem to help (in my case, anyway).

It is not a big deal for me at the moment, I have bigger fish to fry, but I will report back if I find a solution.

Thanks again,

Adam

Sat, 11/10/2007 - 07:18
Transmobius

Forgot one, Webmin itself.

Webmin-&gt;Webmin-&gt;Webmin Configuration-&gt;SSL Encryption

Private key file /home/YOURDOMAIN/ssl.key
Certificate file Separate file: /home/YOURDOMAIN/ssl.cert
Redirect non-SSL Yes
Additional cert /home/YOURDOMAIN/ssl.ca

Prolly time to add this to the Wiki . . .

Sat, 11/10/2007 - 08:40
Transmobius

Dovecot DOES need the chaining certificate.

Webmin-&gt;Servers-&gt;Dovecot-&gt;Edit Config File
(Tap PageDown about 5 times)
ssl_ca_file = /home/YOURDOMAIN/ssl.ca

(Would be nice if this had a Webmin field like Postfix)

Sat, 11/10/2007 - 12:16 (Reply to #16)
Joe
Joe's picture

Awesome research Transmobius! Definitely going in the wiki. And I'll bug Jamie again about getting all of this a bit easier to configure in the respective Webmin modules, and probably in Virtualmin itself--since the mail services can only really have one certificate, it makes sense to have a single place to configure it for Webmin's &quot;default&quot; (Webmin can serve other certs on other IPs, though), the mail servers and ProFTPd on the default IP.

--

Check out the forum guidelines!

Sat, 11/17/2007 - 13:57
dstalls

I am trying to follow along however I think I am an idiot when it comes to anything non-microsoft based. I have a Linux dedicated server through hosting.com and I am trying to install an SSL certificate onto a virtual server on this linux box from GoDaddy but have no idea how to generate the CSR and install the cert. Hosting.com gave me instruction for generating a CSR from the WEBMIN screen but i am not sure if that is correct. Please help.

-Damian

Mon, 11/19/2007 - 13:31 (Reply to #18)
Joe
Joe's picture

As Transmobius mentioned, the process is different depending on whether you're using Virtualmin or Webmin.

I'll take this opportunity to point out that Virtualmin GPL is free for Hosting.com to use...since you're a customer, you might mention it to them, if they are still just offering Webmin. If they need help with deployment, get them in touch with us. Offering just Webmin for hosting, when Virtualmin is so much easier to use for the purpose, is rather silly. Webmin is a wonderful tool for system administration, but it makes no claims to being a great tool for virtual hosting administration--it wasn't designed for that purpose, and Virtualmin is. We developed both, so we can say stuff like that. ;-)

--

Check out the forum guidelines!

Thu, 11/27/2008 - 10:10 (Reply to #19)
KevinP

Damian,

you wanna go with SSL provider's website? there do offer live chat SSL installation support. I have experienced with Rapidsslonline.com. I got RapidSSL only at $15 and they do live chat support. I hope these guys can help you.. Wanna try?

X Kevin.......

Sun, 11/18/2007 - 06:07
Transmobius

Without knowing what Hosting.com is telling you it is hard to say if the instructions are right or not. They don't seem to provide any doco without a login so I can't look it over.

That said, it is probably safe to assume that their own instructions are what you need to follow on their system . . .

What worked for me is detailed up the first page of this thread starting in post #8412. The shorthand for menu navigation that I am used to:
<i>Virtualmin-&gt;Server Configuration-&gt;Manage SSL Certificate-&gt;Signing Request</i>
Simply means you start on the Virtualmin screen, click on Server Configuration, click on Manage SSL Certificate, etc. If your host is giving you just Webmin (and not Virtualmin) then your path is obviously going to differ. Perhaps you could cut and paste a portion of it here and we could take a look?

The Hosting.com people also mention their <a href='http://www.hosting.com/customer-care/delightful-support/' target='_blank'>Delightful Support</a>. Have you tried them?

Tue, 01/29/2008 - 10:31
jmunjr

When I go into my domain in virtualmin, then choose the CA Certificate tab, and then either try to upload or point to the path on the server of my gd_intermediate_bundle.crt file, when I click &quot;save certificate&quot; I immediately get the message &quot;File not found&quot; in firefox and &quot;the page cannot be found&quot; in IE6...

Help!

Tue, 01/29/2008 - 10:35 (Reply to #22)
jmunjr

I hit a bug when I tried to edit but I wanted to add that I manually added the code to httpd.conf:

SSLCertificateChainFile /home/path/gd_intermediate_bundle.crt

and it works..

Tue, 05/06/2008 - 10:22
SteveAcup

If I may add a few tidbits that may save someone like me a few hours:

I generated my private key &amp; request files at the unix command line with openssl, sent the csr into godaddy and got my new cert. The problem I had was that I used the -des3 option that adds a password to the private key. Passworded private keys do not work well in webmin or its managed servers. Most of the servers fail with no usable error message telling you a password was needed. Took me an hour to figure this out again this year when renewing certs.

To fix the problem (i.e. not put a password on your private key)

1) do not use the -des3 option when generating the keys.

or

2) if you already have a passworded private key file, use this command to remove the password: openssl rsa -in key.pem -out keyout.pem

Hope this helps someone

Tue, 05/13/2008 - 09:12
Transmobius

<a href='http://lists.debian.org/debian-security-announce/2008/msg00152.html' target='_blank'>http://lists.debian.org/debian-security-announce/2008/msg00152.html</a>

This effects Debian Etch (v4.0) but not Sarge (v3.0) and any Debian derived distributions like Ubuntu.

After your system has been patched, <b>you still have to regenerate any of your keys that were generated with OpenSSL since 2005</b>. Plan on revoking and issuing new keys (OpenSSH, OpenVPN, SSL certificates, etc.)

OUCH!

Sun, 05/18/2008 - 23:26 (Reply to #25)
sgrayban

That security alert is NOT that insecure as they claim it to be. They posted it as a precaution. The odds of anyone hacking any system with the old keys or hacking your sites with ssl are so slim it's not worth the hassle.

The debian people only put un-needed stress to it's own users.

Sun, 05/18/2008 - 23:28 (Reply to #26)
sgrayban

Oh and only DEBIAN scared the crap out of its users. Not even RHEL people did anything about it.

Mon, 05/19/2008 - 02:10 (Reply to #27)
Joe
Joe's picture

That's because it only effected Debian and Ubuntu versions of OpenSSL.

RHEL was not impacted, because RHEL didn't break it in their packages. This was a very specific problem, caused by a very specific change made by a Debian developer to the Debian package. So, only Debian, and Ubuntu which is 90% the work of Debian developers, had the problem.

But, I do agree that the problem is possibly overblown. However, github reported seeing several identical keys from different people--which is a pretty serious problem. If that's the case in their relatively tiny userbase, then it would definitely be possible for a cracker to generate a few hundred keys using the buggy library, and then make a brute force attempt on millions of sites. They'd get a few hits, I reckon--though it would probably also take months. I don't know that any black hat will be determined enough to exploit this specific hole rather than going after lower hanging fruit (like Windows boxes running unpatched IE, Outlook, etc.) which can be found at a rate of hundreds or thousands per day of searching. But, if I had any keys impacted by this I would revoke them and make new ones. All of my keys, including the Virtualmin package signing keys, were made on Fedora systems.

--

Check out the forum guidelines!

Wed, 05/28/2008 - 05:39 (Reply to #28)
sgrayban

There is only 1(ONE) !!!! SSL provider that is offering a replacement cert for free because of this.

Try to sell that to the other 10 billion debian users that use godaddy or other cert providers that wont.

Tue, 06/10/2008 - 00:22 (Reply to #29)
sgrayban

A update to this.....

http://isc.sans.org/diary.html?storyid=4543

To quote:
So Where Are Those OpenSSH Key-based Attacks?

One of our readers contacted the handler on duty to see if we had seen any reports since then of active attacks concerning this attack vector. The standard SSH port (22/tcp) has been at normal levels for the past several weeks with one exception (on May 27-28) per the data at Dshield.

End quote

I told you it was all hype -- not one ssl site has been hacked nor has there been any significant reports about any type ssh/ssl hacking.

Fri, 11/14/2008 - 06:59
colourbleu

Hi Guys

I would really appreciate a 1.2.3 guide on how to set up TSL or SSL on postfix and dovecote to secure email on one virtual host. I have a godaddy ssl cert and have set up the domain to work on ssl. I have had a look about in the forums and in the Virtualmin docs and this topic seems a little light on documentation.

Cheers in advance for any pointers or input on this.

s

Fri, 11/14/2008 - 10:07 (Reply to #31)
andreychek

Well, Transmobius's message at the beginning of this thread should take you from start to finish on a GoDaddy SSL cert:

http://www.virtualmin.com/forums/general-discussion/godaddy-ssl-certific...

I'm not sure if that information ever made it into the docs, but if not, it probably should :-)
-Eric

Thu, 11/27/2008 - 10:04
KevinP

Hi Dude,

Why you go with chain root SSL certificate? Wanna go for Direct ROOT level SSL certificate. There are so many root level SSL providers are available.. www.thawte.com<a href='http://' target='_blank'></a><a href='http://' target='_blank'></a><a href='http://' target='_blank'></a>

Thu, 11/27/2008 - 19:54 (Reply to #33)
Joe
Joe's picture

Hey guys, cut out the spamming of SSL providers. Not the place for it. ;-)

Chained certificates work fine, and it's what we use here at Virtualmin.com (from GoDaddy, even). I've never used one in ProFTPd, though, as I don't use FTP, so I don't have a lot of useful advice on the topic. But it looks like you're trying to use the wrong private key (or perhaps one that has a passphrase that isn't being provided) for your certificate. Double check your configuration to be sure you're providing a certificate, a key, and the CA (chained certificate authority) files.

--

Check out the forum guidelines!

Wed, 05/06/2009 - 23:49
Prefect

Hi all

I also had trouble installing a GoDaddy SSL certificate. My problem was that I did not add the CA certificate from GoDaddy in virtualmin. This led to problems in FF but not in IE. I did not find the ca certificate on the pages of godaddy.com, a friend had to mail me the certificate.

Also the process of adding a seperate virtual ip for each ssl-domain is not well documented. I am not sure where in virtualmin a second ip should be entered to run correctly. It would be nice if there was more inline help from virtualmin or a wizard for setting up such things.

regards!
Chris

Thu, 05/07/2009 - 06:34 (Reply to #35)
Joe
Joe's picture

<div class='quote'>It would be nice if there was more inline help from virtualmin or a wizard for setting up such things.</div>

But there is a wizard for SSL, I thought. And it includes a spot for the chain certificate.

How long ago was it that you had problems?

Anyway, this one is specific to ProFTPd, which does need better support for SSL in Virtualmin.

--

Check out the forum guidelines!

Thu, 05/14/2009 - 17:09
nickorr

Thanks to all who contributed to this, I've had the GoDaddy wildcard cert for a while (*.domain) and had just not got around to putting it all together. Thanks to this I got it all done and setup with a minimum of fuss.

One thing to either add to the wiki or for others to note : You'll also need to add the same details to the usermin section. It's fairly explanatory and is very similar to the webmin section.

Cheers,
Nick

Mon, 10/19/2009 - 02:38
sharprez

I really like the way Virtualmin makes it easy to install SSL certificates.

Maybe I glanced over it but I think its worth mentioning again...

The option... Virtualmin->Server Configuration->Manage SSL Certificate (as Transmobius pointed out in his 2007-11-18 post)

Is only available if you have Virtualmin->Edit Virtual Server->Enable Feature and select '[X] Select SSL website enabled?'

Wed, 11/23/2011 - 16:30
kato

I've created the following google doc for now, until this gets into the Wiki; if there is a format I can export it as that will help (odt?), let me know.

Comments are enabled to the public, so you can add your own notes and I will revise it for now. I will also be revising over the next day or two while I go through this process myself.

https://docs.google.com/document/d/1kvj4VLq3NnkpiGMFY-E97N84m2310vPtrzRs...

Topic locked