
SSL Certificate for Zentyal - HaProxy, Apache2 and Stunnel

A TLS (SSL) certificate lets a client check that it is talking to the server that holds the key for the domain, and it protects the connection against eavesdropping and tampering. Its value is therefore not only the encrypted transfer of data between the end user and the web server; just as important is the validation the certificate authority (CA) performs before issuing, which ties the certificate to whoever controls the domain. In this tutorial I will show you how to generate your own Certificate Signing Request (CSR), obtain the server certificate together with the CA's intermediate certificates, and install them for Apache, HAProxy and Stunnel on Zentyal.

Over the last few years the number of organizations using SSL certificates has increased dramatically, and there are now low-cost products that are issued within minutes. A domain validated (DV) certificate proves only that the requester controls the domain: the CA checks this by e-mail to an address at the domain and does not verify who the organization behind it is, which is what the more expensive OV and EV products add. DV certificates therefore provide the lowest level of validation available from commercial CAs. I recommend them for small websites such as private homepages: the connection is encrypted and the browser can verify that the certificate belongs to the host it connected to, which is all such sites need.

Create your Certificate Signing Request

I personally use GOGETSSL, which is a very fast and cheap service: you receive your Domain Validation SSL certificate within 2-3 minutes of ordering. Domain Validated certificates are authenticated with the Approver E-Mail system, so make sure you can read mail at one of the standard addresses of the domain (e.g. hostmaster@) before ordering. First, create a folder under /etc/ssl for the key, the CSR and the files the CA sends back:

  sudo mkdir -p /etc/ssl/gogetssl/downloaded
  cd /etc/ssl/gogetssl/downloaded

In public key infrastructure (PKI) systems, a certificate signing request (CSR) is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate. It carries the public key and the name(s) to be certified and is signed with the private key, which never leaves the server. Create the key and the CSR with these commands:

  cd /etc/ssl/gogetssl
  openssl req -new -sha256 -nodes -keyout {DOMAIN}.{TLD}.key -out {DOMAIN}.{TLD}.csr -newkey rsa:2048

OpenSSL asks for some information about you and your domain. The important field is the Common Name: it must be the fully qualified host name that clients will connect to, because the CA copies it into the certificate's subject alternative names, which is what browsers match against the URL (many DV products add www.{DOMAIN}.{TLD} automatically; check the issued certificate). The challenge password can be left empty; public CAs ignore it and it is not the key's passphrase. Note that -nodes writes the private key unencrypted, so keep {DOMAIN}.{TLD}.key readable by root only and never send it anywhere: only the .csr goes to the CA. Here is an example:

  • Country Name (2 letter code) [AU]: DE
  • State or Province Name (full name) [Some-State]: NRW
  • Locality Name (eg, city) []: Gummersbach
  • Organization Name (eg, company) [Internet Widgits Pty Ltd]: Thomas Ludwig
  • Organizational Unit Name (eg, section) []: IT
  • Common Name (e.g. server FQDN or YOUR name) []: {DOMAIN}.{TLD}
  • Email Address []: hostmaster at {DOMAIN}.{TLD}
  • A challenge password []:
  • An optional company name []:
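The same step done non-interactively, as an added example that is not part of the original post: the subject is passed with -subj, the host names are also requested in subjectAltName, the key is created unreadable to others, and the CSR is checked before it is pasted into the order form. The domain, the output directory and the subject values are placeholders, not the author's.

```shell
#!/bin/sh
# Added example, not from the original post: create the key and the CSR in one
# non-interactive step, keep the key private, and check the CSR before pasting
# it into the reseller's form. DOMAIN, OUT and the subject fields are placeholders.
set -eu

DOMAIN=${DOMAIN:-example.test}     # hypothetical FQDN, use your own
OUT=${OUT:-$(mktemp -d)}           # stands in for /etc/ssl/gogetssl

make_csr() {
  # Request extensions: ask for the host name(s) in subjectAltName as well as
  # in the CN, which is what browsers actually match against.
  cat > "$OUT/csr.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = ext
[ dn ]
[ ext ]
subjectAltName = DNS:$DOMAIN, DNS:www.$DOMAIN
EOF
  # -nodes writes the key unencrypted, so create it with mode 0600 (umask in a subshell).
  ( umask 077
    openssl req -new -sha256 -nodes -newkey rsa:2048 -config "$OUT/csr.cnf" \
      -subj "/C=DE/ST=NRW/L=Gummersbach/O=Thomas Ludwig/OU=IT/CN=$DOMAIN/emailAddress=hostmaster@$DOMAIN" \
      -keyout "$OUT/$DOMAIN.key" -out "$OUT/$DOMAIN.csr" 2>/dev/null )
}

# Self-check before submitting: the signature must verify, the requested
# names must be present, and the key on disk must be the one in the CSR.
csr_ok() {
  openssl req -in "$OUT/$DOMAIN.csr" -noout -verify >/dev/null 2>&1 || return 1
  openssl req -in "$OUT/$DOMAIN.csr" -noout -text | grep -q "DNS:$DOMAIN" || return 1
  [ "$(openssl req -in "$OUT/$DOMAIN.csr" -noout -pubkey)" = "$(openssl pkey -in "$OUT/$DOMAIN.key" -pubout)" ]
}

# Permissions on the key: only the owner (root on the server) may read it.
key_private() {
  [ "$(ls -l "$OUT/$DOMAIN.key" | cut -c1-10)" = "-rw-------" ]
}

if [ "${1:-}" = run ]; then
  make_csr && csr_ok && key_private && echo "CSR ready, paste this into the order form:" && cat "$OUT/$DOMAIN.csr"
fi
```

Run it as `sh make-csr.sh run` with DOMAIN and OUT set for your server; the CSR it prints is what goes into the reseller's form, the .key stays where it is.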

In the next step you have to create an account at an SSL reseller in order to buy a certificate (e.g. Comodo PositiveSSL). Paste the contents of your CSR (cat /etc/ssl/gogetssl/{DOMAIN}.{TLD}.csr) into the gogetssl input box and generate your certificate; GoGetSSL's SSL Installation Manuals describe the order form. After a successful domain validation you can download your certificates from the SSL Certificate Details tab. Copy the zip file to /etc/ssl/gogetssl/downloaded and unzip it there:

  cd /etc/ssl/gogetssl/downloaded
  sudo unzip ./*.zip

After this, you will find four files in the folder:

  • AddTrustExternalCARoot.crt (root certificate): the self-signed trust anchor that browsers and operating systems ship in their trust stores and that every chain is validated up to. Clients must already have it, so sending it is optional.
  • COMODORSAAddTrustCA.crt (intermediate certificate): the COMODO RSA Certification Authority, cross-signed by the AddTrust External CA Root. It "chains" the issuing CA to the AddTrust root so that older clients that only know the AddTrust root can still build a trusted path.
  • COMODORSADomainValidationSecureServerCA.crt (intermediate certificate): the issuing CA, i.e. the certificate that signed yours. The server must always send it, because clients do not have it.
  • {DOMAIN}_{TLD}.crt (your SSL certificate): the server ("end-entity") certificate for your domain, containing your public key; the electronic "passport" of your website.

Note that the AddTrust External CA Root expired on 30 May 2020, and the cross-signed COMODORSAAddTrustCA.crt with it; chains built after that date must drop both files and rely on the COMODO RSA Certification Authority root that current clients trust directly.

Apache

If you want to use the certificate in Apache, create a chain file that contains the certificates of the certification authorities (CAs) between your server certificate and a root: it starts with the CA that issued the server certificate and may go up to the root CA certificate. Apache's SSLCertificateChainFile is simply the concatenation of the PEM-encoded CA certificates in chain order (issuing CA first). Including the root is optional, since clients must already trust it; it only adds bytes to every handshake. (Since Apache 2.4.8 the directive is deprecated and the chain can instead be appended to the file named in SSLCertificateFile; it still works, it is just deprecated.)

  cat /etc/ssl/gogetssl/downloaded/COMODORSADomainValidationSecureServerCA.crt \
      /etc/ssl/gogetssl/downloaded/COMODORSAAddTrustCA.crt \
      /etc/ssl/gogetssl/downloaded/AddTrustExternalCARoot.crt > /etc/ssl/gogetssl/{DOMAIN}.{TLD}.apache.pem

Configure Apache in Zentyal

First copy the Zentyal webserver template to your custom templates folder; Zentyal uses a stub in /etc/zentyal/stubs in preference to the default one in /usr/share/zentyal/stubs, so the default file stays untouched:

  sudo mkdir /etc/zentyal/stubs/webserver
  sudo cp /usr/share/zentyal/stubs/webserver/default-ssl.mas /etc/zentyal/stubs/webserver/

After this, edit /etc/zentyal/stubs/webserver/default-ssl.mas. Find the SSLCertificateChainFile directive and set the three certificate directives to:

  SSLCertificateFile      /etc/ssl/gogetssl/downloaded/{DOMAIN}_{TLD}.crt
  SSLCertificateKeyFile   /etc/ssl/gogetssl/{DOMAIN}.{TLD}.key
  SSLCertificateChainFile /etc/ssl/gogetssl/{DOMAIN}.{TLD}.apache.pem

Now you are able to restart your Zentyal Webserver with:

  sudo service zentyal webserver restart

HAProxy

HAProxy is a very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. Since Zentyal 3.4 an HAProxy instance sits in front of the Zentyal web services and terminates TLS, so the certificate is configured in HAProxy and Apache no longer needs it. HAProxy expects a single PEM file that contains the private key, the server certificate and the chain, laid out like this (the BEGIN/END labels are placeholders for the real PEM blocks):

  -----BEGIN RSA PRIVATE KEY-----
  -----END RSA PRIVATE KEY-----
  -----BEGIN MY CERTIFICATE-----
  -----END MY CERTIFICATE-----
  -----BEGIN INTERMEDIATE CERTIFICATE-----
  -----END INTERMEDIATE CERTIFICATE-----
  -----BEGIN INTERMEDIATE CERTIFICATE-----
  -----END INTERMEDIATE CERTIFICATE-----
  -----BEGIN ROOT CERTIFICATE-----
  -----END ROOT CERTIFICATE-----

You can generate the intermediate bundle with

  cat /etc/ssl/gogetssl/downloaded/COMODORSADomainValidationSecureServerCA.crt \
      /etc/ssl/gogetssl/downloaded/COMODORSAAddTrustCA.crt \
      /etc/ssl/gogetssl/downloaded/AddTrustExternalCARoot.crt > /etc/ssl/gogetssl/{DOMAIN}.{TLD}.intermediate.bundle

and your PEM with

  cat /etc/ssl/gogetssl/{DOMAIN}.{TLD}.key \
      /etc/ssl/gogetssl/downloaded/{DOMAIN}_{TLD}.crt \
      /etc/ssl/gogetssl/{DOMAIN}.{TLD}.intermediate.bundle > /etc/ssl/gogetssl/{DOMAIN}.{TLD}.haproxy.pem

The resulting file contains the private key, so protect it with chmod 600 /etc/ssl/gogetssl/{DOMAIN}.{TLD}.haproxy.pem. To make HAProxy use it for your domain, copy the haproxy.cfg.mas template to the custom stubs folder:

  sudo mkdir /etc/zentyal/stubs/core
  sudo cp /usr/share/zentyal/stubs/core/haproxy.cfg.mas /etc/zentyal/stubs/core/

After this, you can edit the /etc/zentyal/stubs/core/haproxy.cfg.mas file. Find

  bind <% $bindaddress %>:<% $port %> ssl <% $certificates %> ciphers HIGH:MEDIUM

inside the file and replace it with

  bind <% $bindaddress %>:<% $port %> ssl <% $certificates %> crt /etc/ssl/gogetssl/{DOMAIN}.{TLD}.haproxy.pem ciphers HIGH:MEDIUM no-sslv3

You can restart your Zentyal HaProxy Service with:

  sudo service zentyal haproxy restart

Ciphers

In order to harden the TLS connection you can restrict the cipher suites HAProxy offers. The list used on this site is:

TLSv1+HIGH:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:!MD5:!ADH:!EXP:!LOW:!RC2:!DES:!3DES:!aNULL:!eNULL:+RC4:@STRENGTH

I'm using these ciphers in HAProxy. You can find an analysis of this SSL configuration on the Qualys SSL Test page. Note that the list dates from a time when RC4 was still accepted as a fallback: RC4 is now prohibited for TLS (RFC 7465) and rejected by current browsers, and suites with plain RSA key exchange (no forward secrecy) or HMAC-SHA1 CBC are also flagged by today's scanners, so a current configuration should drop RC4 (!RC4), prefer ECDHE AEAD suites and disable TLS 1.0/1.1 as well. Run openssl ciphers -v with the string to see exactly which suites it expands to.

In your /etc/zentyal/stubs/core/haproxy.cfg.mas:

  bind <% $bindaddress %>:<% $port %> ssl <% $certificates %> crt /etc/ssl/gogetssl/{DOMAIN}.{TLD}.haproxy.pem no-tls-tickets ciphers TLSv1+HIGH:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:!MD5:!ADH:!EXP:!LOW:!RC2:!DES:!3DES:!aNULL:!eNULL:+RC4:@STRENGTH no-sslv3

At the end of this line you find no-sslv3, which disables SSL 3.0 on this bind line and so closes the POODLE attack (CVE-2014-3566); no-tls-tickets disables RFC 5077 session tickets in favour of stateful session resumption.
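To see what such a string actually offers, expand it the way HAProxy hands it to OpenSSL. The script below is an added example, not part of the original post: it lists the suites in the page's cipher string that a current review rejects and compares them with a forward-secret AEAD-only list, which is this editor's suggestion rather than the author's configuration.

```shell
#!/bin/sh
# Added example, not from the original post: expand a cipher string with
# "openssl ciphers -v" (the same parser HAProxy uses) and list the suites a
# current audit flags. HARDENED is this editor's suggestion, not the author's.
set -eu

# The cipher string from the text above.
PAGE_CIPHERS='TLSv1+HIGH:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:!MD5:!ADH:!EXP:!LOW:!RC2:!DES:!3DES:!aNULL:!eNULL:+RC4:@STRENGTH'
# Forward-secret AEAD suites only: no RSA key exchange, no RC4/3DES, no MD5/SHA1 MACs.
HARDENED='ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5'

# One line per suite, as "openssl ciphers -v" prints it: name, protocol, Kx, Au, Enc, Mac.
suites() {
  openssl ciphers -v "$1"
}

# Suites a 2015-era list may still contain that a current review rejects:
# RC4 and 3DES (broken), MD5 MACs, export grades, HMAC-SHA1 CBC suites (no AEAD)
# and plain RSA key exchange (no forward secrecy: a leaked server key decrypts
# recorded traffic). Prints the offending lines, nothing when the list is clean.
weak_suites() {
  suites "$1" | grep -E 'RC4|3DES|DES-CBC|Mac=MD5|Mac=SHA1|EXP|Kx=RSA' || true
}

# 0 when the string expands to at least one suite and none of them is weak.
cipher_list_ok() {
  [ -n "$(suites "$1")" ] && [ -z "$(weak_suites "$1")" ]
}

if [ "${1:-}" = run ]; then
  echo "flagged in the original list:"; weak_suites "$PAGE_CIPHERS"
  echo "hardened list expands to:";     suites "$HARDENED"
fi
```

On an OpenSSL 1.1.1 system the first list still shows the RC4 suites; on OpenSSL 3 they are gone (RC4 moved to the legacy provider) but the RSA-key-exchange and SHA1 CBC suites remain, which is why the page's string fails cipher_list_ok while HARDENED passes. In HAProxy the hardened string goes after ciphers on the bind line, together with ssl-min-ver TLSv1.2 (available from HAProxy 1.8; an assumption about your version, not something the page states).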

HSTS

HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents are to interact with it using only secure HTTPS connections; once a browser has seen the header it rewrites http:// links for that host to https:// and no longer lets the user click through certificate errors. All current browsers support it. You can also submit your domain to the HSTS preload list so that browsers ship with the policy built in; this requires a header with max-age of at least one year, includeSubDomains and preload, and it is hard to undo, so make sure every subdomain serves HTTPS before you register.

To send the header (and mark cookies as Secure) add the following lines to the HTTPS section of /etc/zentyal/stubs/core/haproxy.cfg.mas. The rspadd/rsprep keywords are the HAProxy 1.5 syntax of that time; later versions replaced them with http-response set-header and http-response replace-header, and HAProxy 2.1 removed the old keywords:

  # Mark all cookies as secure if sent over SSL
  rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure

  # HSTS header
  rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains;\ preload
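After the restart, check that the two rules actually take effect. The script below is an added example, not part of the original post: it reads response headers (a constructed sample here; in practice the output of curl -sI https://{DOMAIN}.{TLD}/) and verifies that the Strict-Transport-Security header meets the preload-list requirements and that every Set-Cookie carries the Secure flag.

```shell
#!/bin/sh
# Added example, not from the original post: check response headers for the
# two things the HAProxy rules above add, an HSTS header that meets the
# preload-list rules and Secure on every cookie. SAMPLE_HEADERS is constructed.
set -eu

SAMPLE_HEADERS='HTTP/1.1 200 OK
Set-Cookie: session=abc123; Path=/; HttpOnly; Secure
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Type: text/html'

# Value of one header (name matched case-insensitively), CR stripped.
header() {   # $1 = raw headers, $2 = header name
  printf '%s\n' "$1" | tr -d '\r' | awk -F': ' -v n="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
    'tolower($1) == n { print $2 }'
}

# Preload rules the text relies on: max-age of at least one year (31536000 s),
# includeSubDomains and preload all present in the STS header.
hsts_preload_ok() {
  sts=$(header "$1" Strict-Transport-Security)
  [ -n "$sts" ] || return 1
  age=$(printf '%s' "$sts" | tr ';' '\n' | sed -n 's/^ *max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
  [ -n "$age" ] && [ "$age" -ge 31536000 ] || return 1
  printf '%s' "$sts" | grep -qi 'includeSubDomains' || return 1
  printf '%s' "$sts" | grep -qi 'preload'
}

# Every Set-Cookie sent over TLS must carry Secure, which is what the rsprep
# rule appends; otherwise a plain-HTTP request leaks the session cookie.
cookies_secure() {
  insecure=$(printf '%s\n' "$1" | tr -d '\r' | \
    awk -F': ' 'tolower($1) == "set-cookie" && tolower($0) !~ /; *secure/')
  [ -z "$insecure" ]
}

if [ "${1:-}" = run ]; then
  hsts_preload_ok "$SAMPLE_HEADERS" && echo "HSTS header meets the preload requirements"
  cookies_secure "$SAMPLE_HEADERS" && echo "all cookies are marked Secure"
fi
```

To test a live server, replace SAMPLE_HEADERS with `$(curl -sI https://{DOMAIN}.{TLD}/)`; a missing header or a cookie without Secure makes the corresponding function return 1.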

Stunnel

Stunnel is designed to work as an SSL encryption wrapper between a remote client and a local or remote server. It can be used to add SSL functionality to commonly used inetd daemons like POP3, SMTP and IMAP servers. Stunnel's cert option takes one PEM file with your certificate first, followed by the intermediate certificate(s) and the root, in that exact order: stunnel uses the first certificate as its own and sends the rest as the chain, so with any other order peers receive the wrong certificate and the connection fails:

  cat /etc/ssl/gogetssl/downloaded/{DOMAIN}_{TLD}.crt \
      /etc/ssl/gogetssl/downloaded/COMODORSADomainValidationSecureServerCA.crt \
      /etc/ssl/gogetssl/downloaded/COMODORSAAddTrustCA.crt \
      /etc/ssl/gogetssl/downloaded/AddTrustExternalCARoot.crt > /etc/ssl/gogetssl/{DOMAIN}.{TLD}.stunnel.pem

Edit your config in /etc/stunnel/stunnel.conf:

  ; Certificate/key is needed in server mode and optional in client mode
  cert = /etc/ssl/gogetssl/{DOMAIN}.{TLD}.stunnel.pem
  key = /etc/ssl/gogetssl/{DOMAIN}.{TLD}.key

  ; Protocol version (all, SSLv2, SSLv3, TLSv1)
  sslVersion = all
  options = NO_SSLv2
  options = NO_SSLv3

  ; Some performance tunings
  socket = l:TCP_NODELAY=1
  socket = r:TCP_NODELAY=1

  ; Useful for troubleshooting
  ;debug = 7
  ;output = /var/log/stunnel4/stunnel.log

  [smtp-tls-wrapper]
  accept = 11125
  client = yes
  connect = smtp.mailserver.com:465

Note that the [smtp-tls-wrapper] section is a client (client = yes) that forwards local port 11125 to a remote SMTP server over TLS, and as written it does not verify the remote server's certificate, so anyone who can redirect the connection can read the mail. Add verify = 2 together with CAfile = /etc/ssl/certs/ca-certificates.crt (the system trust store on Ubuntu) to that section and, on newer stunnel versions (5.06 and later), checkHost = smtp.mailserver.com to pin the expected name. Restart Stunnel with:

  sudo service stunnel4 restart

Test your certificate

GoGetSSL Check for Webservers

Go to GoGetSSL's Check SSL Installation page and enter your server name ({DOMAIN}.{TLD}). The validator shows the type of certificate along with its expiration date, key size, signature algorithm and issuer, and tells you whether the certificate and its chain were installed correctly, which is the quickest way to diagnose a missing intermediate. The check is free and very quick.

Qualys SSL Webserver Test

One of the most thorough checkers is the Qualys SSL Server Test; it also grades the protocol versions and cipher suites the server offers and flags problems such as SSL 3.0 or RC4.
