GODaddy SSL Certificate

Hey Jim,

Yep, it's been done. You're using one here at Virtualmin.com. We're cheap, and we know how to use chained certificates. It's a dangerous combination. ;-)

That said, I set ours up manually before any of the SSL handling stuff in Virtualmin had gotten reasonable (it still needs a little bit more work).

Here's the relevant VirtualHost section on our system (note that I said VirtualHost--the chain file probably ought to be set per-domain, though I can't be sure that's necessary, as it is the same for all that are purchased from the same folks...godaddy in my case and yours):

SSLEngine on SSLCertificateFile /home/virtualmin/etc/certs/certfile.pem SSLCertificateKeyFile /home/virtualmin/etc/certs/keyfile.pem SSLCertificateChainFile /home/virtualmin/virtualmin/certs/sf_issuing.crt

Virtualmin's SSL management doesn't yet handle chained certs (I'll ask Jamie to add it), so the SSLCertificateChainFile will need to be added manually.

And, no, I'm guessing the Hawks will not field a decent team in our lifetime. (But, ya'know, the Houston Rockets were an also-ran until 1993...and now have become an also-ran again. Things change.) ;-)

Oh, yeah, you can also use this kind of cert for Postfix with these directives:

smtpd_tls_cert_file = /etc/postfix/virtualmin.pem smtpd_tls_CAfile = /etc/postfix/sf_issuing.crt

Though it looks like I combined the key and the cert into a pem for Postfix use (I don't think this is necessary...not sure why I went that route.)

And Dovecot:

ssl_cert_file = /home/virtualmin/etc/certs/virtualmin-chained.cert ssl_key_file = /home/virtualmin/etc/certs/keyfile.cert

Same story here, only with the chain and the cert combined--I think this one was actually necessary to make Dovecot use the chain.

cat sf_issuing.crt certfile.pem > chained.cert

I don't use FTP, but you could do the same for ProFTPd with the TLSCertificateChainFile directive.<br><br>Post edited by: Joe, at: 2007/07/18 01:02

I'm planning on getting a GoDaddy SSL cert this week, any update to the above?

Another related question, if I get the cert for www.MyDomain.com should I spec that as my POP3/SMTP servers in my mail client (as opposed to mail.MyDomain.com or just MyDomain.com)?

It looks like it knows about chained certificates: Virtualmin->Server Configuration->Manage SSL Certificate->CA Certificate "If your virtual server's SSL certificate is from a certificate authority that is not directly known to major browsers, you may need to upload the CA's certificate using this form."

I'll find out and report back in a couple of days.

On the mail servers question, if I wanted to maintain both a 'www.' cert for browsers and a 'mail.' cert for POP/SMTP/IMAP would your interface allow this, or is it back to the command line?

More GoDaddy info.

They offer 'Single' certs that, they say, if issued after 2006 will secure the domain name, with or without the www prefix. Has anyone tried this? See: [url]http://help.godaddy.com/article.php?article_id=850&topic_id=234[/url]

They also offer 'Multiple Domain (UCC)' and 'Wildcard' certificates for A LOT more money. Multiple would be a single certificate for many separate domains!? And Wildcard seems to let you use just one certificate for how ever many subdomains your domain has.

Both are interesting. But it would still be cheaper to have two singles at $19/year. And if Virtualmin could plug-in two (www and mail) it would be a no brainer.

Easier than I can believe.

Virtualmin->Server Configuration->Manage SSL Certificate->Signing Request Fill in the blanks ('Server name in URL' needs the 'www' but not 'http://'), click 'Generate Now', copy the result Log in to GoDaddy, buy a certificate credit, use the credit to request a certificate (they have instructions) Paste in the CSR you got from clicking 'Generate Now' They e-mail you a link to a zip file containing your cert and a chain called 'gd_intermediate_bundle.crt' Unzip the file Virtualmin->Server Configuration->Manage SSL Certificate->New Certificate Upload your cert into 'Signed SSL certificate' Virtualmin->Server Configuration->Manage SSL Certificate->CA Certificate Upload the chain into 'CA certificate file' Restart Apache

Dovecot Webmin->Servers->Dovecot->SSL Configuration (No chain needed?) SSL certificate file /home/YOURDOMAIN/ssl.cert SSL private key file /home/YOURDOMAIN/ssl.key Save, Restart Dovecot

Postfix Webmin->Servers->Postfix->SMTP Authentication Enable TLS encryption? Yes TLS certificate file /home/YOURDOMAIN/ssl.cert TLS private key file /home/YOURDOMAIN/ssl.key TLS certificate authority /home/YOURDOMAIN/ssl.ca Save, Restart Postfix

ProFTPd This takes just a bit more effort. It requires the chain file (now residing at /home/YOURDOMAIN/ssl.ca) and your cert together. Login to your system and cat ssl.ca ssl.cert > ssl.chained.cert Webmin->Servers->ProFTPD Server->Edit Config Files

(Explanation at: http://www.castaglia.org/proftpd/modules/mod_tls.html)

FIND THIS SECTION (ABOUT HALF WAY DOWN): <IfModule mod_tls.c> TLSEngine off </IfModule>

AND CHANGE IT TO READ:

<IfModule mod_tls.c>

TLSEngine off

</IfModule>

TLSEngine on TLSRequired on TLSRSACertificateFile /home/YOURDOMAIN/ssl.chained.cert TLSRSACertificateKeyFile /home/YOURDOMAIN/ssl.key

TLSCipherSuite ALL:!ADH:!DES

Save, Restart ProFTPd

Forgot one, Webmin itself.

Webmin->Webmin->Webmin Configuration->SSL Encryption

Private key file /home/YOURDOMAIN/ssl.key Certificate file Separate file: /home/YOURDOMAIN/ssl.cert Redirect non-SSL Yes Additional cert /home/YOURDOMAIN/ssl.ca

Prolly time to add this to the Wiki . . .

Dovecot DOES need the chaining certificate.

Webmin->Servers->Dovecot->Edit Config File (Tap PageDown about 5 times) ssl_ca_file = /home/YOURDOMAIN/ssl.ca

(Would be nice if this had a Webmin field like Postfix)

I am trying to follow along however I think I am an idiot when it comes to anything non-microsoft based. I have a Linux dedicated server through hosting.com and I am trying to install an SSL certificate onto a virtual server on this linux box from GoDaddy but have no idea how to generate the CSR and install the cert. Hosting.com gave me instruction for generating a CSR from the WEBMIN screen but i am not sure if that is correct. Please help.

-Damian

Without knowing what Hosting.com is telling you it is hard to say if the instructions are right or not. They don't seem to provide any doco without a login so I can't look it over.

That said, it is probably safe to assume that their own instructions are what you need to follow on their system . . .

What worked for me is detailed up the first page of this thread starting in post #8412. The shorthand for menu navigation that I am used to: Virtualmin->Server Configuration->Manage SSL Certificate->Signing Request Simply means you start on the Virtualmin screen, click on Server Configuration, click on Manage SSL Certificate, etc. If your host is giving you just Webmin (and not Virtualmin) then your path is obviously going to differ. Perhaps you could cut and paste a portion of it here and we could take a look?

The Hosting.com people also mention their Delightful Support. Have you tried them?

When I go into my domain in virtualmin, then choose the CA Certificate tab, and then either try to upload or point to the path on the server of my gd_intermediate_bundle.crt file, when I click "save certificate" I immediately get the message "File not found" in firefox and "the page cannot be found" in IE6...

Help!

If I may add a few tidbits that may save someone like me a few hours:

I generated my private key & request files at the unix command line with openssl, sent the csr into godaddy and got my new cert. The problem I had was that I used the -des3 option that adds a password to the private key. Passworded private keys do not work well in webmin or its managed servers. Most of the servers fail with no usable error message telling you a password was needed. Took me an hour to figure this out again this year when renewing certs.

To fix the problem (i.e. not put a password on your private key)

1) do not use the -des3 option when generating the keys.

or

2) if you already have a passworded private key file, use this command to remove the password: openssl rsa -in key.pem -out keyout.pem

Hope this helps someone

http://lists.debian.org/debian-security-announce/2008/msg00152.html

This effects Debian Etch (v4.0) but not Sarge (v3.0) and any Debian derived distributions like Ubuntu.

After your system has been patched, you still have to regenerate any of your keys that were generated with OpenSSL since 2005. Plan on revoking and issuing new keys (OpenSSH, OpenVPN, SSL certificates, etc.)

OUCH!

Hi Guys

I would really appreciate a 1.2.3 guide on how to set up TSL or SSL on postfix and dovecote to secure email on one virtual host. I have a godaddy ssl cert and have set up the domain to work on ssl. I have had a look about in the forums and in the Virtualmin docs and this topic seems a little light on documentation.

Cheers in advance for any pointers or input on this.

s

Hi Dude,

Why you go with chain root SSL certificate? Wanna go for Direct ROOT level SSL certificate. There are so many root level SSL providers are available.. www.thawte.com

Hi all

I also had trouble installing a GoDaddy SSL certificate. My problem was that I did not add the CA certificate from GoDaddy in virtualmin. This led to problems in FF but not in IE. I did not find the ca certificate on the pages of godaddy.com, a friend had to mail me the certificate.

Also the process of adding a seperate virtual ip for each ssl-domain is not well documented. I am not sure where in virtualmin a second ip should be entered to run correctly. It would be nice if there was more inline help from virtualmin or a wizard for setting up such things.

regards! Chris

Thanks to all who contributed to this, I've had the GoDaddy wildcard cert for a while (*.domain) and had just not got around to putting it all together. Thanks to this I got it all done and setup with a minimum of fuss.

One thing to either add to the wiki or for others to note : You'll also need to add the same details to the usermin section. It's fairly explanatory and is very similar to the webmin section.

Cheers, Nick

I really like the way Virtualmin makes it easy to install SSL certificates.

Maybe I glanced over it but I think its worth mentioning again...

The option... Virtualmin->Server Configuration->Manage SSL Certificate (as Transmobius pointed out in his 2007-11-18 post)

Is only available if you have Virtualmin->Edit Virtual Server->Enable Feature and select '[X] Select SSL website enabled?'

I've created the following google doc for now, until this gets into the Wiki; if there is a format I can export it as that will help (odt?), let me know.

Comments are enabled to the public, so you can add your own notes and I will revise it for now. I will also be revising over the next day or two while I go through this process myself.

https://docs.google.com/document/d/1kvj4VLq3NnkpiGMFY-E97N84m2310vPtrzRs...