Sam Hobbs ·
If you run your own website, email server or other services like OwnCloud at home then you may find yourself in need of an SSL certificate. When you install Apache, it generates a self-signed "snakeoil" certificate that can be used to encrypt your session. However, while this certificate is useful for testing purposes, it falls short in a couple of important ways:
- The snakeoil certificate has not been signed by an authority that your browser trusts, so your browser will throw an error when you connect.
- The common name on the certificate probably doesn't match your domain name. Another browser error.
- Short of manually inspecting the certificate's checksum, you have no guarantee that you are communicating with your own server - it could easily be an imposter using another self-signed certificate.
This tutorial will show you how to generate your own SSL certificate, and get it signed by the community-driven SSL certificate signing authority CAcert. Once you have imported the CAcert root certificate into your browser or into your operating system's trusted certificate store, your computer will automatically verify the identity of the server and you will enjoy error-free secure communications. Oh, and CAcert is free of charge!
Before we start: a quick note about filename extensions
As far as I can tell, Linux is not at all bothered about what you name your certificate and certificate key files. You could use the .magic extension for your cert if you liked and it would probably still work. From what I've read, file name extensions seem to only matter on Windows, whereas on Linux they're just descriptive.
However, it's probably worth noting that there are lots of different types of certificate encoding styles, which have been summarised neatly here. Some extensions such as .pem and .der imply that the file is encoded in a certain way.
Since we are able to choose whatever extension we like, I've chosen the following:
- .csr for the certificate signing request (CSR)
- .crt for the signed certificate file
- .key for the key file
These have the benefit of not implying any particular encoding. The first time I did this on my Pi, I used .pem for everything and got in a muddle, forgetting which file was which. This should make things much easier!
Generate your certificate
We are going to use a two step process to generate your certificate. First, run this command, which will generate a private key:
openssl genrsa -out <filename for your private key>.key 4096
Now we will generate a new certificate signing request (CSR) from your private key:
openssl req -new -key <filename for your private key>.key -out <filename for the CSR>.csr
This stage requires user input, a series of questions about what information you would like to be on the certificate. Since CAcert is an automated service, it discards most of the information on the certificate (so that it doesn't certify the information it is unable to verify), leaving only the essentials: the email address and the common name. Here is the information you will be asked for:
- Country Name (use a two letter code e.g. GB)
- State or Province Name (e.g. Surrey)
- Locality Name (e.g. Guildford)
- Organisational Name (e.g. Sam Hobbs' Personal Website)
- Organisational Unit Name (e.g. Website)
- Common Name (your domain name - see note below - e.g. samhobbs.co.uk)
- Email Address (the contact address for your administrator e.g. webmaster@samhobbs.co.uk)
Don't set a password - leave it blank when asked. We will keep the key file private by setting appropriate permissions.
The common name is important here: most websites rewrite https://yourdomain.com to https://www.yourdomain.com or vice versa. If your website is available at https://yourdomain.com then you should use yourdomain.com as the common name; if your website is at https://www.yourdomain.com then your common name should be www.yourdomain.com or *.yourdomain.com (the wildcard will match any subdomain, meaning you can use the same cert for https://mail.yourdomain.com and https://www.yourdomain.com, which is handy; note that *.yourdomain.com does not match the bare yourdomain.com itself).
Personally, I use a wildcard certificate. If you were paying for a normal certificate authority to sign your certificate then a wildcard cert would be more expensive, but CAcert is of course free so you might as well take advantage of it!
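As an added example (not part of the original tutorial), here are the same two steps as a small script: the subject fields are passed on the command line instead of being typed at the prompts, the resulting CSR is checked for a valid self-signature, and its Common Name is read back so you can confirm it is the name (or wildcard) clients will connect to before it goes to CAcert. The file names, example subject values and the function names make_csr and csr_common_name are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article: generate a private key and a
# CSR without the interactive prompts, then check the request before submitting it.
# Subject fields, file names and function names below are constructed placeholders.
set -eu

# make_csr KEYFILE CSRFILE COMMON_NAME EMAIL [BITS]
make_csr() {
    key="$1"; csr="$2"; cn="$3"; email="$4"; bits="${5:-4096}"

    # No passphrase (the tutorial leaves it blank); the umask makes the key
    # unreadable by other users from the moment it is written.
    (umask 077 && openssl genrsa -out "$key" "$bits" 2>/dev/null)

    # -subj supplies the same answers the prompts would ask for. CAcert keeps
    # only CN and emailAddress from these, so the rest is descriptive.
    openssl req -new -key "$key" -out "$csr" \
        -subj "/C=GB/ST=Surrey/L=Guildford/O=Example Personal Website/OU=Website/CN=${cn}/emailAddress=${email}"

    # The CSR carries its own signature; if this fails the request is corrupt.
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1
}

# csr_common_name CSRFILE -> prints the CN embedded in the request, so you can
# confirm it is the name (or *.wildcard) clients will actually connect to.
csr_common_name() {
    openssl req -in "$1" -noout -subject -nameopt sep_multiline \
        | sed -n 's/^[[:space:]]*CN=//p'
}

# Stand-alone run: a wildcard request written to the current directory.
if [ "${1:-}" = "--demo" ]; then
    make_csr demo.key demo.csr '*.yourdomain.com' 'webmaster@yourdomain.com' 2048
    printf 'CSR common name: %s\n' "$(csr_common_name demo.csr)"
fi
```

Run it as `sh make_csr.sh --demo` to see the Common Name read back; for a real request use the 4096-bit default and your own domain in place of the placeholders.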
Install the CAcert root certificate
Every operating system comes pre-loaded with a set of certificates that are seen as trusted by the OS. This includes certificates from Verisign and other big name certificate signing authorities. Very few OSes trust CAcert by default, although a couple of Linux distributions do.
The CAcert website provides https using a certificate that was signed by the CAcert root. Since you are going to be sending sensitive information to the website during registration, it makes sense to install the CAcert root certificate now so that you can use the site without browser errors.
To install the CAcert root certificate from the commandline, you can use these commands:
cd ~
wget http://www.cacert.org/certs/root.txt
sudo cp root.txt /etc/ssl/certs/cacert-root.crt
Those commands will download the CAcert root certificate into your home directory, and then copy it to your certificates folder.
If you look in your certs directory (ls -l /etc/ssl/certs) you will see that all of the certs have sensible certificate names like GeoTrust_Global_CA.pem, but there are also a load of symbolic links with names like 2c543cd1.0 that point to the certificate files with the human readable names.
Those symlink names like 2c543cd1.0 are hashes of the certificate subjects, and are there to enable programs on your computer to quickly check whether the root certificate is in your computer's certificate directory or not. Some programs manage to recognise that the certificate is installed just fine without the symlinks, but some of them do not. OpenSSL is one of the ones that doesn't.
So, we need to make use of one more command to create a symlink for the newly installed cacert-root.crt (this will also refresh the symlinks for the rest of the certs in the folder):
sudo c_rehash /etc/ssl/certs
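As an added illustration (not from the original article) of why that step is needed: the snippet below builds a constructed, self-signed test root in a temporary directory, shows that `openssl verify -CApath` cannot find it until a `<hash>.0` link exists, and then creates that link by hand, which is what c_rehash (or `openssl rehash` on OpenSSL 1.1.0 and later) does for every file in the directory. The function names and the test root's name are constructed; nothing is written under /etc.

```shell
#!/bin/sh
# Added example, not from the original article: show why the hash-named
# symlinks matter. A cert dropped into a directory is not found by
# `openssl verify -CApath` until a <subject-hash>.0 link exists.
# The test root is self-signed and constructed here; nothing touches /etc.
set -eu

# make_test_root DIR -> writes DIR/test-root.crt (self-signed, constructed)
make_test_root() {
    dir="$1"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/test-root.key" -out "$dir/test-root.crt" \
        -subj "/CN=Constructed Test Root" >/dev/null 2>&1
}

# cert_hash_name CERT -> the symlink name c_rehash would create, e.g. 2c543cd1.0
cert_hash_name() {
    printf '%s.0\n' "$(openssl x509 -in "$1" -noout -hash)"
}

# link_cert CERTDIR CERTFILE -> manual equivalent of c_rehash for one file
link_cert() {
    ln -sf "$(basename "$2")" "$1/$(cert_hash_name "$2")"
}

# verify_against_dir CERTDIR CERT -> 0 if openssl can build a trusted chain using CERTDIR
verify_against_dir() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run: the lookup fails before the link exists and succeeds after.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_test_root "$d"
    if verify_against_dir "$d" "$d/test-root.crt"; then
        echo "found before linking (unexpected)"
    else
        echo "not found before linking"
    fi
    link_cert "$d" "$d/test-root.crt"
    echo "created $(cert_hash_name "$d/test-root.crt")"
    if verify_against_dir "$d" "$d/test-root.crt"; then
        echo "found after linking"
    fi
fi
```

The same lookup is how you can confirm the real installation worked: `openssl x509 -in /etc/ssl/certs/cacert-root.crt -noout -hash` gives the hash, and a symlink of that name with a `.0` suffix should exist in /etc/ssl/certs after c_rehash has run.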
Now that the CAcert root cert is installed, almost all software on your system will recognise it (chromium, rekonq etc.). The exception to this is Mozilla software such as the Firefox web browser and Thunderbird email client. Mozilla software has its own certificate database, which has both advantages and disadvantages. For example, if you're using a system where you don't have admin rights, you can still easily import the CAcert root to Firefox. The disadvantage is that if you are an administrator, you can't do a one-stop installation: you have to import it separately to Firefox.
To install the certs, open Firefox and navigate to the root certificate downloads page and click on the links for the class 1 and class 3 .pem encoded root certificates. You will be prompted to decide whether to import them or not.
To install to Android, follow this tutorial of mine.
Required Email Address
CAcert verifies that you own the domain it is signing a certificate for by sending a verification link to one of the following email addresses:
- root@yourdomain.com
- webmaster@yourdomain.com
- postmaster@yourdomain.com
You therefore need to be able to receive email to one of these addresses. You can set up your own email server, or failing that some domain name registrars provide email forwarding capabilities.
If you used my tutorials to set up your email server then you may want to add some aliases to your server so that emails to those addresses above are delivered to your username. Here's how:
Edit /etc/aliases
and add:
postmaster: yourusername
webmaster: yourusername
root: yourusername
Now run this command to load the new aliases:
sudo newaliases
And reload Postfix:
sudo service postfix reload
Submitting the CSR to CAcert
First things first, you will need to go to the CAcert website and create an account:
Please note that CAcert has signed its own SSL certificate, so your browser may throw an error if you haven't imported the root cert yet.
After you have created your account and logged in, navigate to server certificates --> new.
On your server, use cat to print the Certificate Signing Request (CSR) you created earlier and then copy & paste it into the box:
cat <filename for the CSR>.csr
...and click submit.
The result will be displayed on screen, and you will also be emailed the certificate. Copy and paste it into a file with the .crt extension, e.g. using nano:
sudo nano <path to your cert>.crt
...then CTRL+SHIFT+V to paste, CTRL+X, save when prompted.
Note: the BEGIN CERTIFICATE and END CERTIFICATE lines are part of the cert, so copy those too!
Certificate File Locations
Assuming your certificates and key file are in your home directory, it's a good idea to move them to the proper locations:
- Your key file should be stored at /etc/ssl/private/samhobbs.key.
- Your certificate file should be stored at /etc/ssl/certs/samhobbs.crt.
- You can get rid of your CSR, or keep it for reference if you like.
Permissions & Ownership
Your key file is secret. It should be owned by root, and your permissions should be set so that only the root user can read and write to it.
This command will set it to be owned by root:
sudo chown root:root /etc/ssl/private/samhobbs.key
And this command will set it so that only the root user can read and modify it:
sudo chmod 600 /etc/ssl/private/samhobbs.key
Most services like Apache, Postfix etc. require root privileges to start up. They read the certs when they start and store them in RAM, so that they can still use them when they drop to their normal users (e.g. www-data for Apache).
Unlike your key file, your signed certificate file is not a secret (it is sent to users when establishing a secure session). You want all users to be able to read the cert, but only the root user to have write access to it.
As before, this command will set it to be owned by root:
sudo chown root:root /etc/ssl/certs/samhobbs.crt
And this command will set it to be readable by everyone, but only modified by root:
sudo chmod 644 /etc/ssl/certs/samhobbs.crt
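Before reloading any service, it is worth checking the files the way the daemons will see them. The script below is an added example, not part of the original tutorial: it checks the ownership and mode set above, checks that every BEGIN/END CERTIFICATE marker sits on its own line (the pasted-certificate mistake the submission step warns about), and checks that the key actually belongs to the certificate. The function names are constructed; run the checks as root against the real paths.

```shell
#!/bin/sh
# Added example, not part of the original article: pre-flight checks to run
# before pointing Apache, Postfix or Dovecot at the key and certificate.
# Paths are arguments; nothing here modifies the files.
set -eu

# GNU stat first, BSD stat as a fallback
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# check_key_file KEY [OWNER] -> 0 if mode is exactly 600 and owned by OWNER (default root)
check_key_file() {
    [ "$(file_mode "$1")" = "600" ] && [ "$(file_owner "$1")" = "${2:-root}" ]
}

# check_cert_file CRT [OWNER] -> 0 if mode is exactly 644 and owned by OWNER (default root)
check_cert_file() {
    [ "$(file_mode "$1")" = "644" ] && [ "$(file_owner "$1")" = "${2:-root}" ]
}

# pem_well_formed FILE -> 0 if every BEGIN/END CERTIFICATE marker is alone on
# its line and they pair up. A paste that runs "-----END CERTIFICATE----------BEGIN
# CERTIFICATE-----" together on one line fails here, which is exactly the input
# that makes OpenSSL report "bad end line". CRLF line endings also fail.
pem_well_formed() {
    f="$1"
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$f" || true)
    # every line mentioning a marker must be one of the exact marker lines above
    marker_lines=$(grep -c 'CERTIFICATE-----' "$f" || true)
    [ "$begins" -ge 1 ] && [ "$begins" -eq "$ends" ] && [ "$marker_lines" -eq $((begins + ends)) ]
}

# key_matches_cert KEY CRT -> 0 if the certificate's public key is this key's
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Stand-alone run: sudo sh precheck.sh /etc/ssl/private/samhobbs.key /etc/ssl/certs/samhobbs.crt
if [ $# -eq 2 ]; then
    check_key_file "$1"         && echo "key: owner/mode ok"      || echo "key: expected root:root 600"
    check_cert_file "$2"        && echo "cert: owner/mode ok"     || echo "cert: expected root:root 644"
    pem_well_formed "$2"        && echo "cert: PEM markers ok"    || echo "cert: BEGIN/END lines are broken"
    key_matches_cert "$1" "$2"  && echo "key matches certificate" || echo "key does NOT match certificate"
fi
```

If the last check fails the service will start but TLS handshakes will fail, so it is the one most worth running after copying files around.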
Some common SSL cert configuration parameters: Apache, Postfix, Dovecot
This section is a quick reference for where to find SSL parameters for Apache, Postfix and Dovecot.
Apache
You can tell Apache to use a specific certificate file in your SSL virtualhost configuration (e.g. /etc/apache2/sites-available/default-ssl) with these parameters:
SSLEngine on
SSLCertificateFile /etc/ssl/certs/samhobbs.crt
SSLCertificateKeyFile /etc/ssl/private/samhobbs.key
Then reload Apache:
sudo service apache2 reload
Postfix
Postfix's SSL cert configuration can be found in /etc/postfix/main.cf:
smtpd_tls_cert_file=/etc/ssl/certs/samhobbs.crt
smtpd_tls_key_file=/etc/ssl/private/samhobbs.key
...and reload Postfix:
sudo service postfix reload
Dovecot
Dovecot's SSL configuration is in /etc/dovecot/conf.d/10-ssl.conf:
ssl_cert = </etc/ssl/certs/samhobbs.crt
ssl_key = </etc/ssl/private/samhobbs.key
NB: the < at the start of the path isn't an error: it tells Dovecot to read the value from that file rather than use the path string itself, and if you miss it out Dovecot won't load.
Reload dovecot:
sudo service dovecot reload
Hopefully you found that useful! If you have anything to add or a question, please feel free to leave a comment!
Comments
LN · Permalink
Hi,
Thank you for all your tutorials!
Here's a question:
In the "Certificate File Locations" chapter, are you sure of:
Your certificate file should be stored at /etc/ssl/certs/samhobbs.csr
Would it be
Your certificate file should be stored at /etc/ssl/certs/samhobbs.crt (or pem)
?
Sam Hobbs · Permalink
Well spotted! It should be .crt, not .csr - I'll make the correction!
Thanks for the comment.
Sam
Tom Booth · Permalink
Certificate File Locations,
How do I move the files to the directory?
Sam Hobbs · Permalink
sudo mv
Hi Tom,
use the mv command:
Sam
Bruce Stelmar · Permalink
CACert Server Certificate Request Process
Just a heads up. CACert requires that you first add a domain before it will allow you to request a server certificate.
Fantastic articles by the way!!!!. Thanks!!!
Sam Hobbs · Permalink
Thanks Bruce
Bruce,
Thanks for pointing that out. Glad the article was helpful!
Sam
Alberto · Permalink
Hi Sam I have a problem during the registration at the CACert site, the error is:
"The mail server responsible for your domain indicated a temporary failure. This may be due to anti-SPAM measures, such as greylisting. Please try again in a few minutes.
451 4.3.5 : Helo command rejected: Server configuration error"
And I've also noticed that i can not receive email from external domains on my Pi server.
Do you have any suggestion?
At the moment I'm using a free no-ip account for the dns.
Sam Hobbs · Permalink
Hi Alberto,
What's your domain name?
Sam
Alberto · Permalink
revolutionapp.ddns.net
Thank you
Sam Hobbs · Permalink
Just tried connecting to your server (connected fine) and the first bits of your helo access restrictions work (if you don't ehlo you are prompted to do it) so the problem must be further down the list.
Can you check your smtpd_helo_restrictions list, make sure you created and postmapped the /etc/postfix/helo_access file and that it contains no spelling mistakes?
Sam
Alberto · Permalink
Thank you Sam, I've fixed the issue in the main.cf file of Postfix. Now I've installed a cert but there's a new error on SquirrelMail. I can't access my mail, the error is: ERROR: Connection dropped by IMAP server.
So I've checked the dovecot service with this line of code:
dovecot -c /etc/dovecot/dovecot.conf
and the message that appears is: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 13: ssl_key: Can't open file /etc/ssl/private/serverkey.key: Permission denied
Sam Hobbs · Permalink
Use sudo
That file is probably owned by root, so the dovecot config test can't read it.
If you want to use that command you should use sudo - these daemons start up as root and read those key files into memory before dropping privileges.
sudo dovecot -c /etc/dovecot/dovecot.conf
will give you what you were looking for.
For the record, what was the error you fixed in the helo access restrictions? I've never seen that one before so it would be good to know exactly what caused it.
Sam
Alberto · Permalink
The error was a mistake of mine, I'd put a semicolon after the check_helo_access like this
check_helo_access hash:/etc/postfix/helo_access;
The IMAP error still remains when I try to login, so I've checked the error log file and this is the issue:
revolutionapp dovecot: imap-login: Fatal: Can't load ssl_cert: error:0906D066:PEM routines:PEM_read_bio:bad end line
I've fixed this mistake of concatenation in the cert file:
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
into
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Thank you sam for your support
Dan3008 · Permalink
Irony
It's ironic that when I try and view this page over HTTPS I am getting an invalid certificate error... lol
Sam Hobbs · Permalink
CAcert root
That'll be because you haven't imported the CAcert root certificate. HTTPS on this site is not for you anyway, it's for me (you will notice that if you dismiss the warning and proceed to the HTTPS page, you are redirected to the HTTP page).
Sam
Tim · Permalink
Certificate Error
Hi Sam,
I have followed your instructions on installing OwnCloud and it all works fine - it's up to version 8.2 now.
However, I cannot get HTTPS to go. I followed the instructions here and I get a certificate error in my Internet Explorer (address bar goes red etc.)
I have created keys, got the CAcert signed etc., downloaded the CA root cert as instructed and I am now stuck.
Any hints?
Sam Hobbs · Permalink
cacert root certificate resigning
I think it may be related to this:
http://blog.cacert.org/2015/12/re-signing-root-certificate/
Since it's just a few days, your best bet is probably just to wait, so you may find it starts working after then (you may need to re-import the root cert after that date).
Sam
Keith Oborn · Permalink
According to that page, the resigning has been delayed, and there is no new date. As of 9th April https://www.cacert.org itself shows invalid certificate, and amusingly blogs.cacert.org gives an ssl protocol error, so an even more basic problem there.
So it seems to me that any cacert certificate is currently not worth the electrons it's printed on ;-)
Lawrence · Permalink
ssl cert for local server/ip address
Sam thanks for a very clear and easy to follow post.
I currently secure my RPi on my LAN as I use it to control some lighting and other things.
I use a snake oil cert but Safari doesn't like my cert when trying to do secure web sockets (wss).
I also read that after November 1, 2015 IP/Intranet certs won't be trusted.
I'm a cert noob and not sure how to proceed, any pointers?
Thanks in advance
Lawrence
Sam Hobbs · Permalink
Hi Lawrence
CAcert can't do LAN only certs, see this page on the wiki:
Basically, CAcert can only sign a cert for you if it can validate that you own the domain name. Since .local doesn't resolve outside your LAN it can't do the automated check (plus, many other people have a .local domain too, which you don't control, so CAcert could never give you a cert because it would give you a cert for other people's local domains).
What you probably need to do is create your own root cert for your local domain and use it to sign a cert for the Pi, and then install your root cert into all of the client machines. I take it you're using a Mac (you said you were using Safari?)
Not sure what you mean by the intranet certs not being trusted, do you have a link to what you were reading?
Sam
Lawrence · Permalink
Sam thanks, found the solution for mobile Safari: either email or provide a link to the cert and then install it.
This article talks of changes that come into effect Nov 1 2015
http://www.symantec.com/connect/blogs/important-changes-ssl-certificates...
Sam Hobbs · Permalink
Interesting
I didn't know that any CA ever issued certs for local domains. It doesn't make much sense, for the reasons I gave in my previous comment about why CAcert doesn't do it, also echoed in the article:
So, when they say that "SSL certificates on intranet sites with internal server names...may not work from 1 November 2015" what they actually mean is that if one of those certificate authorities did issue you with a certificate in the past, they won't re-issue it. This is a non-issue for CAcert because I don't think they have ever done this.
Notice that the article you linked also lists my solution (generate your own root certificate and use it to sign certificates for your local domain, and then install your root cert on each client):
Sam
Andreas · Permalink
Hi, in "/etc/dovecot/conf.d/10-ssl.conf" at the top..
The "ssl = yes" is commented out, should it be that or should I uncomment it? :)
Thanks
Sam Hobbs · Permalink
Mine is commented, it may be that the default is yes (even if it is commented).
Sam
Andreas · Permalink
Generate your certificate
"Country Name (use a two letter code e.g. GB)
State or Province Name (e.g. Surrey)
Locality Name (e.g. Guildford)
Organisational Name (e.g. Sam Hobbs' Personal Website)
Organisational Unit Name (e.g. Website)
Common Name (your domain name - see note below - e.g. samhobbs.co.uk)
Email Address (the contact address for your administrator e.g. webmaster@samhobbs.co.uk)"
After this it asked me to type a password and now I don't think it can access it.
Any way to remove the password?
Thanks
Sam Hobbs · Permalink
Can't remember
I think there's a way to remove the password but I can't remember it, easiest to just delete it and create a new one.
Leave the password blank (i.e. no password), it's just a pain if you set one because you have to tell Dovecot etc. what the PW is anyway, so there's no extra protection vs having the certificate key owned by root and not readable by other users (because the password would be in a Dovecot config file owned by root...).
Sam
Andreas · Permalink
Where should I generate the certificate? I have done this many many times but I ain't getting through.. I think it has something to do with the change of where I am when connecting with FTP..
Thanks
Sam Hobbs · Permalink
Do you mean which directory should you be in?
Generate the cert in your home directory, and then move the files when you are done.
I don't really get what you mean about FTP, do you mean SSH? Or are you using SSH to generate the cert and then FTP to move it?
Sam
Andreas · Permalink
Haha sorry.. I don't understand myself what I meant. But when I installed the FTP server I took the opportunity to change the directory to another when I connect with FTP and apparently it changes even when I connect using SSH.
Thanks again!
Andreas · Permalink
Thanks Sam!