If you run your own website, email server or other services like OwnCloud at home then you may find yourself in need of an SSL certificate. When you install Apache, it generates a self-signed "snakeoil" certificate that can be used to encrypt your session. However, while this certificate is useful for testing purposes, it falls short in a couple of important ways:
- The snakeoil certificate has not been signed by an authority that your browser trusts, so your browser will throw an error when you connect.
- The common name on the certificate probably doesn't match your domain name. Another browser error.
- Short of manually inspecting the certificate's checksum, you have no guarantee that you are communicating with your own server - it could easily be an impostor using another self-signed certificate.
This tutorial will show you how to generate your own SSL certificate and get it signed by the community-driven certificate authority CAcert. Once you have imported the CAcert root certificate into your browser or into your operating system's trusted certificate store, your computer will automatically verify the identity of the server and you will enjoy error-free secure communications. Oh, and CAcert is free of charge!
Before we start: a quick note about filename extensions
As far as I can tell, Linux is not at all bothered about what you name your certificate and certificate key files. You could use the .magic extension for your cert if you liked and it would probably still work. From what I've read, file name extensions seem to only matter on Windows, whereas on Linux they're just descriptive. However, it's probably worth noting that there are lots of different types of certificate encoding styles, which have been summarised neatly here. Some extensions such as .pem and .der imply that the file is encoded in a certain way. Since we are able to choose whatever extension we like, I've chosen the following:
- .csr for the certificate signing request (CSR)
- .crt for the signed certificate file
- .key for the key file
These have the benefit of not implying any particular encoding. The first time I did this on my Pi, I used .pem for everything and got in a muddle, forgetting which file was which. This should make things much easier!
Generate your certificate
We are going to use a two-step process to generate your certificate. First, run this command, which will generate a private key:
openssl genrsa -out <filename for your private key>.key 4096
Now we will generate a new certificate signing request (CSR) from your private key:
openssl req -new -key <filename for your private key>.key -out <filename for the CSR>.csr
This stage requires user input: a series of questions about what information you would like on the certificate. Since CAcert is an automated service, it discards most of the information in the CSR (so that it doesn't certify information it is unable to verify), leaving only the essentials: the email address and the common name. Here is the information you will be asked for:
- Country Name (use a two letter code e.g. GB)
- State or Province Name (e.g. Surrey)
- Locality Name (e.g. Guildford)
- Organisational Name (e.g. Sam Hobbs' Personal Website)
- Organisational Unit Name (e.g. Website)
- Common Name (your domain name - see note below - e.g. samhobbs.co.uk)
- Email Address (the contact address for your administrator e.g. webmaster@samhobbs.co.uk)
Don't set a password - leave it blank when asked. We will keep the key file private by setting appropriate permissions. The common name is important here: most websites rewrite https:// to https://www. or vice versa. If your website is available at https://yourdomain.com then you should use yourdomain.com as the common name; if your website is at https://www.yourdomain.com then your common name should be www.yourdomain.com or *.yourdomain.com (the wildcard will match any subdomain, meaning you can use the same cert for https://mail.yourdomain.com and https://www.yourdomain.com, which is handy). Personally, I use a wildcard certificate. If you were paying for a normal certificate authority to sign your certificate then a wildcard cert would be more expensive, but CAcert is of course free so you might as well take advantage of it!
Install the CAcert root certificate
Every operating system comes pre-loaded with a set of certificates that are seen as trusted by the OS. This includes certificates from Verisign and other big-name certificate signing authorities. Very few OSes trust CAcert by default, although a couple of Linux distributions do. The CAcert website serves HTTPS using a certificate that was signed by the CAcert root. Since you are going to be sending sensitive information to the website during registration, it makes sense to install the CAcert root certificate now so that you can use the site without browser errors. To install the CAcert root certificate from the command line, you can use these commands:
cd ~
wget http://www.cacert.org/certs/root.txt
sudo cp root.txt /etc/ssl/certs/cacert-root.crt
Those commands will download the CAcert root certificate into your home directory, and then copy it to your certificates folder. If you look in your certs directory (ls -l /etc/ssl/certs) you will see that all of the certs have sensible certificate names like GeoTrust_Global_CA.pem, but there are also a load of symbolic links with names like 2c543cd1.0 that point to the certificate files with the human-readable names. Those symlink names like 2c543cd1.0 are hashes derived from the certificates (OpenSSL hashes each certificate's subject name), and are there to enable programs on your computer to quickly check whether a root certificate is in your computer's certificate directory or not. Some programs manage to recognise that the certificate is installed just fine without the symlinks, but some of them do not. OpenSSL is one of the ones that doesn't. So, we need one more command to create a symlink for the newly installed cacert-root.crt (this will also refresh the symlinks for the rest of the certs in the folder):
sudo c_rehash /etc/ssl/certs
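The hash-symlink lookup described above, as an added example that is not part of the original tutorial: a throwaway root CA built in a temporary directory stands in for the CAcert root (constructed data), and the script shows that openssl verify cannot find a CA copied into a -CApath directory until the <hash>.0 symlink exists, creating that link the same way c_rehash does for every file.

```shell
#!/bin/sh
# Added example (not from the tutorial): why a copied root CA is invisible to
# OpenSSL until its <subject hash>.0 symlink exists. A throwaway CA created in a
# temporary directory stands in for the CAcert root (constructed data).
set -e
WORK=$(mktemp -d)
CERTS="$WORK/certs"            # stands in for /etc/ssl/certs
mkdir -p "$CERTS"

# Throwaway root CA, plus a server certificate signed by it.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
  -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.crt" 2>/dev/null

# Copy the root into the certs directory, just as the tutorial copies root.txt.
cp "$WORK/ca.crt" "$CERTS/example-root.crt"

# Returns 0 if the certificate chains to a root that -CApath can find.
verify_with_capath() {
  openssl verify -CApath "$CERTS" "$1" >/dev/null 2>&1
}

# Creates the <hash>.0 symlink for one CA file, which is what c_rehash does
# for every file in the directory. The hash is of the certificate's subject.
rehash_one() {
  hash=$(openssl x509 -noout -hash -in "$1")
  ln -sf "$(basename "$1")" "$(dirname "$1")/$hash.0"
}

if verify_with_capath "$WORK/server.crt"; then
  echo "found the root without a symlink (not expected)"
else
  echo "root is in the directory but OpenSSL cannot find it: no hash symlink yet"
fi
rehash_one "$CERTS/example-root.crt"
verify_with_capath "$WORK/server.crt" && echo "verified after rehash"
```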
Now that the CAcert root cert is installed, almost all software on your system will recognise it (chromium, rekonq etc.). The exception to this is Mozilla software such as the Firefox web browser and Thunderbird email client. Mozilla software has its own certificate database, which has both advantages and disadvantages. For example, if you're using a system where you don't have admin rights, you can still easily import the CAcert root to Firefox. The disadvantage is that if you are an administrator, you can't do a one-stop installation: you have to import it separately to Firefox. To install the certs, open Firefox and navigate to the root certificate downloads page and click on the links for the class 1 and class 3 .pem encoded root certificates. You will be prompted to decide whether to import them or not. To install to Android, follow this tutorial of mine.
Required Email Address
CAcert verifies that you own the domain it is signing a certificate for by sending a verification link to one of the following email addresses:
- root@yourdomain.com
- webmaster@yourdomain.com
- postmaster@yourdomain.com
You therefore need to be able to receive email to one of these addresses. You can set up your own email server, or failing that some domain name registrars provide email forwarding capabilities. If you used my tutorials to set up your email server then you may want to add some aliases to your server so that emails to those addresses above are delivered to your username. Here's how: edit /etc/aliases and add:
postmaster: yourusername
webmaster: yourusername
root: yourusername
Now run this command to load the new aliases:
sudo newaliases
And reload Postfix:
sudo service postfix reload
Submitting the CSR to CAcert
First things first, you will need to go to the CAcert website and create an account. Please note that CAcert has signed its own SSL certificate, so your browser may throw an error if you haven't imported the root cert yet. After you have created your account and logged in, navigate to server certificates --> new. On your server, use cat to print the Certificate Signing Request (CSR) you created earlier and then copy & paste it into the box:
cat <filename for the CSR>.csr
...and click submit. The result will be displayed on screen, and you will also be emailed the certificate. Copy and paste it into a file with the .crt extension, e.g. using nano:
sudo nano <path to your cert>.crt
...then CTRL+SHIFT+V to paste, CTRL+X, save when prompted. Note: the BEGIN CERTIFICATE and END CERTIFICATE lines are part of the cert, so copy those too!
Certificate File Locations
Assuming your certificates and key file are in your home directory, it's a good idea to move them to the proper locations:
- Your key file should be stored at /etc/ssl/private/samhobbs.key.
- Your certificate file should be stored at /etc/ssl/certs/samhobbs.crt.
- You can get rid of your CSR, or keep it for reference if you like.
Permissions & Ownership
Your key file is secret. It should be owned by root, and its permissions should be set so that only the root user can read and write it. This command will set it to be owned by root:
sudo chown root:root /etc/ssl/private/samhobbs.key
And this command will set it so that only the root user can read and modify it:
sudo chmod 600 /etc/ssl/private/samhobbs.key
Most services like Apache, Postfix etc. require root privileges to start up. They read the certs when they start and store them in RAM, so that they can still use them when they drop to their normal users (e.g. www-data for Apache). Unlike your key file, your signed certificate file is not a secret (it is sent to users when establishing a secure session). You want all users to be able to read the cert, but only the root user to have write access to it. As before, this command will set it to be owned by root:
sudo chown root:root /etc/ssl/certs/samhobbs.crt
And this command will set it to be readable by everyone, but only modified by root:
sudo chmod 644 /etc/ssl/certs/samhobbs.crt
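The generation, placement and permission steps above carried through end to end, as an added example that is not from the original tutorial: the key and CSR are generated non-interactively (-subj answers the prompts), the CSR is self-signed locally as a stand-in for the certificate CAcert would return, both files are installed under a temporary directory that stands in for /etc/ssl, and the script then checks that the private key really belongs to the certificate before any daemon is pointed at it (constructed data; file and directory names are assumptions).

```shell
#!/bin/sh
# Added example (not from the tutorial): the two-step key/CSR generation run
# non-interactively, the CSR self-signed locally in place of the certificate
# CAcert would return, both files installed with the ownership and modes the
# tutorial prescribes, and a check that key and certificate belong together.
# A temporary directory stands in for /etc/ssl (constructed data).
set -e
SSL=$(mktemp -d)
mkdir -p "$SSL/private" "$SSL/certs"
cd "$SSL"

# Steps 1 and 2 from the tutorial; -subj answers the prompts, no password is set.
openssl genrsa -out samhobbs.key 2048 2>/dev/null
openssl req -new -key samhobbs.key -out samhobbs.csr \
  -subj "/C=GB/ST=Surrey/L=Guildford/CN=*.samhobbs.co.uk/emailAddress=webmaster@samhobbs.co.uk"
# Stand-in for the CAcert signature: sign the CSR with our own key.
openssl x509 -req -days 1 -in samhobbs.csr -signkey samhobbs.key -out samhobbs.crt 2>/dev/null

# Moves key and cert into place: key 600 (root only), cert 644 (world-readable).
# chown root:root is only possible as root, so it is skipped in an unprivileged run.
install_pair() {   # install_pair <key> <crt> <ssl dir>
  key="$3/private/$(basename "$1")"; crt="$3/certs/$(basename "$2")"
  mv "$1" "$key"
  mv "$2" "$crt"
  if [ "$(id -u)" -eq 0 ]; then chown root:root "$key" "$crt"; fi
  chmod 600 "$key"
  chmod 644 "$crt"
}

# Returns 0 only if the certificate's public key matches the private key:
# both are RSA, so the two moduli must be identical.
key_matches_cert() {   # key_matches_cert <key> <crt>
  k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
  c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

install_pair samhobbs.key samhobbs.crt "$SSL"
key_matches_cert "$SSL/private/samhobbs.key" "$SSL/certs/samhobbs.crt" \
  && echo "key and certificate match; safe to point Apache/Postfix/Dovecot at them"
```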
Some common SSL cert configuration parameters: Apache, Postfix, Dovecot
This section is a quick reference for where to find SSL parameters for Apache, Postfix and Dovecot.
Apache
You can tell Apache to use a specific certificate file in your SSL virtualhost configuration (e.g. /etc/apache2/sites-available/default-ssl) with these parameters:
SSLEngine on
SSLCertificateFile /etc/ssl/certs/samhobbs.crt
SSLCertificateKeyFile /etc/ssl/private/samhobbs.key
Then reload Apache:
sudo service apache2 reload
Postfix
Postfix's SSL cert configuration can be found in /etc/postfix/main.cf:
smtpd_tls_cert_file=/etc/ssl/certs/samhobbs.crt
smtpd_tls_key_file=/etc/ssl/private/samhobbs.key
...and reload Postfix:
sudo service postfix reload
Dovecot
Dovecot's SSL configuration is in /etc/dovecot/conf.d/10-ssl.conf:
ssl_cert = </etc/ssl/certs/samhobbs.crt
ssl_key = </etc/ssl/private/samhobbs.key
NB: the < at the start of the path isn't an error: it tells Dovecot to read the value from that file, and if you miss it out Dovecot won't load. Reload dovecot:
sudo service dovecot reload
Hopefully you found that useful! If you have anything to add or a question, please feel free to leave a comment!
Comments
Hi,
Thank you for all yours tutorials !
Here a question :
In the "Certificate File Locations" chapter, are you sure of :
Your certificate file should be stored at /etc/ssl/certs/samhobbs.csr
Would it be
Your certificate file should be stored at /etc/ssl/certs/samhobbs.crt (or pem)
?
Well spotted! It should be
Certificate File Locations,
How do i move the files to the directory?
sudo mv
CACert Server Certificate Request Process
Just a heads up. CACert requires that you first add a domain before it will allow you to request a server certificate.
Fantastic articles by the way!!!!. Thanks!!!
Thanks Bruce
Hi Sam I have a problem during the registration at the CACert site, the error is:
"The mail server responsible for your domain indicated a temporary failure. This may be due to anti-SPAM measures, such as greylisting. Please try again in a few minutes.
451 4.3.5 : Helo command rejected: Server configuration error"
And I've also noticed that I cannot receive email from external domains on my Pi server.
Do you have any suggestion?
At the moment I'm using a free no-ip account for the dns.
What's your domain name?
revolutionapp.ddns.net
Thank you
Just tried connecting to your
smtpd_helo_restrictions list, make sure you created and postmapped the /etc/postfix/helo_access file and that it contains no spelling mistakes? Sam
Thank you Sam, I've fixed the issue in the main.cf file of Postfix. Now I've installed a cert but there's a new error on SquirrelMail. I can't access my mail, the error is: ERROR: Connection dropped by IMAP server.
So I've checked the dovecot service with this line of code:
dovecot -c /etc/dovecot/dovecot.conf
and the message that appears is: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 13: ssl_key: Can't open file /etc/ssl/private/serverkey.key: Permission denied
Use sudo
sudo - these daemons start up as root and read those key files into memory before dropping privileges.
sudo dovecot -c /etc/dovecot/dovecot.conf
will give you what you were looking for. For the record, what was the error you fixed in the helo access restrictions? I've never seen that one before so it would be good to know exactly what caused it. Sam
The error was a mistake of mine, I put a semicolon after the check_helo_access like this:
check_helo_access hash:/etc/postfix/helo_access;
The IMAP error still remains when I try to login, so I've checked the error log file and this is the issue:
revolutionapp dovecot: imap-login: Fatal: Can't load ssl_cert: error:0906D066:PEM routines:PEM_read_bio:bad end line
I've fixed this concatenation mistake in the cert file:
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
into:
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Thank you sam for your support
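The "bad end line" failure discussed in the comment above, as an added example that is not part of the original post or its comments: a bundle checker that rejects an END CERTIFICATE marker glued to the next BEGIN marker and confirms that every block parses, run against two throwaway self-signed certificates (constructed data).

```shell
#!/bin/sh
# Added example (not from the post or its comments): a checker for the mistake
# behind Dovecot's "bad end line" error, an END marker glued to the next BEGIN
# marker. Two throwaway self-signed certificates are used (constructed data).
set -e
WORK=$(mktemp -d)
for n in one two; do
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$n.example.com" \
    -keyout "$WORK/$n.key" -out "$WORK/$n.crt" 2>/dev/null
done

# Correct bundle: cat keeps each file's trailing newline.
cat "$WORK/one.crt" "$WORK/two.crt" > "$WORK/good.pem"
# Broken bundle as in the comment: $(...) strips the trailing newline, so the
# first END marker and the second BEGIN marker land on one line.
printf '%s%s\n' "$(cat "$WORK/one.crt")" "$(cat "$WORK/two.crt")" > "$WORK/bad.pem"

# Returns 0 if every marker sits on its own line and every block parses as a
# certificate; otherwise reports the problem on stderr and returns 1.
check_pem_bundle() {
  f=$1
  if grep -n -- '-----END CERTIFICATE-----' "$f" \
      | grep -v -- '^[0-9]*:-----END CERTIFICATE-----$'; then
    echo "$f: an END CERTIFICATE marker is not on a line of its own" >&2
    return 1
  fi
  expected=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
  # crl2pkcs7 reads every certificate in the file; pkcs7 prints one subject each.
  parsed=$(openssl crl2pkcs7 -nocrl -certfile "$f" 2>/dev/null \
      | openssl pkcs7 -print_certs -noout 2>/dev/null | grep -c '^subject=' || true)
  if [ "$expected" -eq 0 ] || [ "$parsed" -ne "$expected" ]; then
    echo "$f: $parsed of $expected certificate block(s) parsed" >&2
    return 1
  fi
}

check_pem_bundle "$WORK/good.pem" && echo "good.pem: OK"
check_pem_bundle "$WORK/bad.pem" || echo "bad.pem: rejected"
```

Running it against the real bundle before reloading Dovecot (or Postfix, which reads the same kind of file) turns a cryptic startup failure into an explicit line number.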
Irony
It's ironic that when I try and view this page as HTTPS I am getting an invalid certificate error... lol
CAcert root
Certificate Error
Hi Sam,
I have followed your instructions on installing owncloud and it all works fine - it's up to version 8.2 now.
However, I cannot get HTTPS to go. I followed the instructions here and I get a certificate error in my internet explorer (address bar goes red etc.)
I have created keys, got the CAcert signed etc., downloaded the CA root cert as instructed and I am now stuck.
Any hints?
cacert root certificate resigning
According to that page, the resigning has been delayed, and there is no new date. As of 9th April https://www.cacert.org itself shows invalid certificate, and amusingly blogs.cacert.org gives an ssl protocol error, so an even more basic problem there.
So it seems to me that any cacert certificate is currently not worth the electrons it's printed on ;-)
ssl cert for local server/ip address
Sam thanks for a very clear and easy to follow post.
I currently secure my RPI on my Lan as I use it to control some lighting and other things.
I use a snake oil cert but Safari doesn't like my cert when trying to do secure web sockets wss.
I also read that after November 1, 2015 IP/Intranet certs won't be trusted.
I'm a cert noob and not sure how to proceed, any pointers?
Thanks in advance
Lawrence
Hi Lawrence
Sam thanks, found the solution to mobile safari either email or provide link to cert and then install.
This article talks of changes that come into effect Nov 1 2015
http://www.symantec.com/connect/blogs/important-changes-ssl-certificate…
Interesting
Hi, in "/etc/dovecot/conf.d/10-ssl.conf" at the top..
The "ssl = yes" is commented out, should it be that or should I uncomment it? :)
Thanks
Mine is commented
Generate your certificate
"Country Name (use a two letter code e.g. GB)
State or Province Name (e.g. Surrey)
Locality Name (e.g. Guildford)
Organisational Name (e.g. Sam Hobbs' Personal Website)
Organisational Unit Name (e.g. Website)
Common Name (your domain name - see note below - e.g. samhobbs.co.uk)
Email Address (the contact address for your administrator e.g. webmaster@samhobbs.co.uk)"
After this it asked me to type a password and now I don't think it can access it.
Any way to remove the password?
Thanks
Can't remember
Where should I generate the certificate? I have done this many many times but I ain't getting through.. I think it has something to do with the change of where I am when connecting with FTP..
Thanks
Do you mean which directory should you be in?
Haha sorry.. I don't understand myself what I meant. But when I installed the FTP server I took the opportunity to change the directory to another when I connect with FTP and apparently it changes even when I connect using SSH.
Thanks again!
Thanks Sam!