Purchased SSL Cert with OwnCloud

Status
Not open for further replies.

John C. Reid

Cadet
Joined
Jan 29, 2016
Messages
7
I have been searching for hours and I cannot seem to figure this out. I know it must be simple, but I cannot find a workable instruction to follow.

I am running FreeNAS-9.3-STABLE-201511280648 on a Dell PowerEdge 2950. I have OwnCloud 8.2.1 installed via the plugin (the installed plugins page states PBI owncloud-8.2.1-amd64)

Currently it is working and exposed to the Internet via a domain name. It is using SSL and only allows connections via https. It is currently working with a self-signed cert that was taken care of by the plugin install. Now I need to replace the self-signed cert with a purchased one. I already generated the CSR and purchased the cert from GoDaddy. I have received the zip file with the two .crt files, one of them a bundle.

The issue is that I can't figure out at this point what to do with those files to install them on the server, and have it use the cert from the trusted authority rather than the self signed one. I am feeling a bit like an idiot at the moment. Any help would be greatly appreciated.

Thank you.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949

John C. Reid

Cadet
Joined
Jan 29, 2016
Messages
7
I tried fixing this on my own by modifying /usr/pbi/owncloud-amd64/etc/apache24/extra/httpd-ssl.conf, because I finally found the path and I did not get an e-mail about your response, even though I am subscribed to the thread. I never got it to work.

After reading your reply I renamed the server.crt and server.key files and replaced them, then I restored my backup of /usr/pbi/owncloud-amd64/etc/apache24/extra/httpd-ssl.conf. However, now that I have done that I am not able to start Apache anymore. I get the following when I try:

Performing sanity check on apache24 configuration:
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
Syntax OK
Starting apache24.
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
/usr/local/etc/rc.d/apache24: WARNING: failed to start apache24
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
You might want to check that the cert+key you put there have the same ownership and permissions as the ones you replaced. You may also want to try enabling debug logging in Apache and see if it tells you why it can't start. Maybe the key+cert don't match, or the key isn't decrypted?
 

John C. Reid

Cadet
Joined
Jan 29, 2016
Messages
7
The permissions are the same and there is nothing when I start the server with debug logging. It just doesn't start.

New question: there is nothing needed on the current install. If I were to delete this jail and create a new one, can I use the certs I already got from GoDaddy, or would the fact that the CSR was created on what is essentially a different machine throw a wrench in the works? If I were to start over, how do I want to go about that? Is just having a copy of the CSR, and the zip file that was sent back from GoDaddy, enough? If not, what else do I need to receive from the old machine before I scrap it?

If I can start over and use the purchased key rather than self signed that would work for me.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
The certs and key are portable to any server.

I don't know much about Apache or GoDaddy's SSL, but what you want to do is possible with what you were given, if performed correctly.

As long as you have a server + cert + key (decrypted) it's possible to set up SSL, though I don't know the particular details for Apache (I use haproxy with StartSSL).
 

John C. Reid

Cadet
Joined
Jan 29, 2016
Messages
7
So the key I have from when I created the CSR. What GoDaddy sent back was a zip with two files. One file has a cryptic name ending in .crt and when opened in a text editor it has a single block with:
-----BEGIN CERTIFICATE-----
A Large Block of Characters
-----END CERTIFICATE-----

The other file is named gd_bundle-g2-g1.crt and when opened with a text editor contains three such certificate blocks, one right after the other. Those are the only included files. GoDaddy refers to it as an intermediate certificate bundle.

I am not sure if I should be appending the three certificates in the bundle via copy and paste to the certificate issued, or if I should be using the Apache SSLCertificateChainFile directive. The self-signed did not seem to use the chain file and I think that is where I messed everything up.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
I believe you can either append them or modify Apache's config to include the entire chain. The second method might be overwritten by plugin updates though.
This isn't a plugin/FreeNAS specific issue; if you can figure out how to do this with Apache on any other system you can do it with the plugin.

Do you still have the private key you used to sign your certificate signing request (CSR)? Apache needs this to use the cert. Also, it must be decrypted for Apache to start without manually entering a password.
 

John C. Reid

Cadet
Joined
Jan 29, 2016
Messages
7
I do have the key file created by the command:
openssl req -new -newkey rsa:2048 -nodes -keyout mydomain.key -out mydomain.csr

Inside it is:
-----BEGIN RSA PRIVATE KEY-----
A Large Block of Characters
-----END RSA PRIVATE KEY-----

It does not include anything after the first comment like:
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-CBC,84E01D31C0A59D1F

It is just the key block. This would indicate it is already decrypted and does not use a password. Is this correct?

Again, thank you for all your assistance.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Yeah, I think that means it's already decrypted. So maybe Apache isn't starting because you didn't tell it where the intermediate certificate is.
But you might want to try just combining the intermediate certificate with your domain cert:
Code:
# Domain cert first, then the intermediates, into a new file: redirecting
# back onto domain.crt would truncate it before cat reads it.
cat domain.crt godaddy_intermediate.crt > domain_chain.crt
 

John C. Reid

Cadet
Joined
Jan 29, 2016
Messages
7
Thank you. I just deleted and re-added the plugin jail. I am going to get SSH set up so that I can use SCP for my file transfer. Then I will try this again by replacing the existing files and concatenating the intermediate certificates in. I will report back with my results.
 

John C. Reid

Cadet
Joined
Jan 29, 2016
Messages
7
I did just as I stated in the post just prior to this one. That method worked.

To summarize: I started with a new, from scratch install of the plugin. I backed up server.key and server.crt. I concatenated the three certificates into the server certificate for my domain. I renamed the new concatenated .crt file server.crt and renamed the key server.key. I copied the two files into /usr/pbi/owncloud-amd64/etc/apache24 and restarted the service from the plugins tab in the FreeNAS GUI.

All I have left to do is get the forced redirect to the https version of the page working again. It worked before, and now it is not, but that is another thread. Thank you again.
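The procedure the thread converges on (check that the key has no passphrase and belongs to the issued certificate, concatenate the domain cert followed by the intermediate bundle, drop the pair into the Apache directory as server.crt/server.key with a backup), written out as an added example. This is not code from the thread, from the OwnCloud plugin or from GoDaddy; it needs only the openssl CLI. The function names are the example's own, every path is a parameter, and the root/intermediate/leaf hierarchy it generates is constructed test data standing in for the real GoDaddy chain so the checks run offline. It goes slightly beyond the thread in that the key-match check also accepts EC keys and PKCS#8 "BEGIN PRIVATE KEY" files, not only the "BEGIN RSA PRIVATE KEY" form John had.

```shell
#!/bin/sh
# Added example, not code from the thread or the OwnCloud plugin. Needs the
# openssl CLI. Inputs follow the thread's layout: an unencrypted key
# (mydomain.key), the leaf cert (the cryptic *.crt) and the intermediate
# bundle (gd_bundle-g2-g1.crt). Every path is a parameter; nothing touches
# /usr/pbi/owncloud-amd64/etc/apache24 unless that directory is passed in.

# 0 if the key carries no passphrase. On an encrypted key Apache prompts at
# start-up, the rc script cannot answer, and the start fails.
key_is_unencrypted() {
    ! grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# 0 if private key $1 belongs to certificate $2 (the "key+cert don't match"
# case). Comparing the SPKI works for RSA and EC, for the old
# "BEGIN RSA PRIVATE KEY" form and for PKCS#8 "BEGIN PRIVATE KEY".
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Number of PEM certificate blocks: 1 for the leaf, 3 for GoDaddy's bundle,
# so the combined file should count 4.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Leaf ($1) first, then intermediates ($2), into a new file $3: Apache takes
# the first block of SSLCertificateFile as the server certificate. Refuses
# to write onto an input, since "cat a b > a" truncates a before cat reads it.
build_chain() {
    [ "$3" != "$1" ] && [ "$3" != "$2" ] || return 1
    cat "$1" "$2" > "$3"
}

# 0 if leaf $1 validates through intermediates $2 to trusted root $3, the
# judgement a browser makes on the served chain.
chain_verifies() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Stage key $2 and combined cert $3 into Apache directory $1 as server.key /
# server.crt, as the thread did, keeping a backup with the original ownership
# and mode (cp -p). Apache reads the key as root at start-up, so 0600 suffices.
install_into_apache_dir() {
    dir=$1; key=$2; chain=$3; stamp=$(date +%Y%m%d%H%M%S)
    for f in server.crt server.key; do
        if [ -f "$dir/$f" ]; then cp -p "$dir/$f" "$dir/$f.bak.$stamp" || return 1; fi
    done
    cp "$chain" "$dir/server.crt" && chmod 644 "$dir/server.crt" &&
        cp "$key" "$dir/server.key" && chmod 600 "$dir/server.key"
}

# Constructed test data: a throwaway root -> intermediate -> leaf hierarchy in
# directory $1 (root.crt, int.crt, int.key, leaf.crt, leaf.key, leaf_enc.key)
# standing in for the GoDaddy chain so the checks above can run offline.
make_test_pki() {
    d=$1
    cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_int]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:cloud.example.com
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$d/pki.cnf" \
        -extensions v3_ca -subj '/CN=Test Root' -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" -subj '/CN=Test Intermediate' \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -days 30 -extfile "$d/pki.cnf" -extensions v3_int -out "$d/int.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" -subj '/CN=cloud.example.com' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
        -days 30 -extfile "$d/pki.cnf" -extensions v3_leaf -out "$d/leaf.crt" 2>/dev/null &&
    openssl pkey -in "$d/leaf.key" -aes256 -passout pass:secret -out "$d/leaf_enc.key" 2>/dev/null
}

# "sh thisfile.sh demo" runs the checks against the constructed hierarchy.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d) && make_test_pki "$d"
    key_is_unencrypted "$d/leaf.key" && echo "leaf.key carries no passphrase"
    key_matches_cert "$d/leaf.key" "$d/leaf.crt" && echo "leaf.key matches leaf.crt"
    build_chain "$d/leaf.crt" "$d/int.crt" "$d/chain.crt"
    echo "chain.crt holds $(count_certs "$d/chain.crt") certificate blocks"
    chain_verifies "$d/leaf.crt" "$d/int.crt" "$d/root.crt" && echo "chain verifies to the root"
    rm -rf "$d"
fi
```

For the real files you would run the three checks against mydomain.key, the GoDaddy leaf .crt and gd_bundle-g2-g1.crt (with GoDaddy's root, or the system CA bundle, as the trusted root), then build_chain and install_into_apache_dir against the plugin's /usr/pbi/owncloud-amd64/etc/apache24. Note that the rc script's "sanity check" only parses httpd.conf; mod_ssl loads the key and certificate later, at post-config, which is why the thread saw "Syntax OK" followed by a failed start. When that happens the reason is in Apache's error_log, not on the console.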
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Glad it worked!
 