01-07-2019 05:57 AM
Hi,
I'm in the process of hardening Expedition (v 1.1.2) using the Expedition-Hardening-Guide. Everything is going well, except when I attempt to update the SSL certificate the changes do not seem to take effect. I've even gone so far as to remove the old *snakeoil* files and replace them with new ones.
Does anyone have advice on how to update to either a new self-signed certificate or trusted certificate?
Thanks,
01-09-2019 04:04 AM
Probably you did, but have you restarted the Apache daemon after the changes?
01-09-2019 04:16 AM
Thanks for the feedback. Yes I restarted both the service and the VM, it didn't seem to have any impact.
01-09-2019 04:44 AM
I just tried to run the 2 commands from the hardening guide and it worked for me. Have you tried another browser to see if it gets the new certificate?
You can check in the config file whether your Apache is pointing to those certificates:
go to /etc/apache/sites-enabled
and edit the file "default-ssl.conf" and check for
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
Regards
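The two checks in the reply above (is Apache configured with the new files, and does a client with no cached state actually receive the new certificate) as a script. This is an added example, not code from the thread; it assumes the Ubuntu layout the later post uses (/etc/apache2/sites-enabled/default-ssl.conf, certs under /etc/ssl) and a reachable host, port and SNI name, all of which are placeholders. The openssl s_client call sees exactly what a fresh browser would, without the browser cache that hid the change in this thread.

```shell
#!/bin/sh
# Added example (not from the reply above): find which certificate Apache is
# configured with and compare it to the one the listener actually serves.
# Conf path, host, port and SNI name are assumptions; adjust for your host.
set -eu

conf_cert_path() {
    # $1 = vhost conf, $2 = directive name (SSLCertificateFile or
    # SSLCertificateKeyFile; Apache matches directives case-insensitively).
    # Commented-out lines are skipped, so editing the "#SSLCertificateFile"
    # sample line instead of the live directive shows up here as the old
    # snakeoil path rather than the new one.
    awk -v d="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == d { print $2; exit }' "$1"
}

fingerprint_file() {
    # SHA-256 fingerprint of the certificate file on disk ($1)
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

fingerprint_served() {
    # $1 = host or IP to connect to, $2 = port, $3 = SNI name.
    # </dev/null closes the session right after the handshake; nothing here
    # depends on a browser's cached certificate.
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

check_served_matches_conf() {
    # $1 = vhost conf, $2 = host, $3 = port, $4 = SNI name.
    # Exit status 0 when the live listener serves the file the conf names.
    crt=$(conf_cert_path "$1" SSLCertificateFile)
    key=$(conf_cert_path "$1" SSLCertificateKeyFile)
    [ -r "$crt" ] || { echo "certificate $crt from $1 is missing or unreadable"; return 1; }
    [ -r "$key" ] || { echo "key $key from $1 is missing or unreadable"; return 1; }
    want=$(fingerprint_file "$crt")
    got=$(fingerprint_served "$2" "$3" "$4")
    if [ "$want" = "$got" ]; then
        echo "served certificate matches $crt"
    else
        echo "MISMATCH: conf names $want but the server sends $got"
        echo "restart apache2, or check which vhost answers on $2:$3"
        return 1
    fi
}

# Example invocation (assumed paths and host):
# check_served_matches_conf /etc/apache2/sites-enabled/default-ssl.conf \
#     10.1.0.34 443 expedition.example.com
```

Run the check as the user that can read the private key (root on a stock install). A mismatch after a restart usually means a different vhost or the default vhost is answering that name, which the fingerprint comparison makes visible immediately.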
01-09-2019 05:10 AM
Thanks, a different browser picked up the new cert.
Appreciate it!
04-01-2021 10:34 AM
Let's create a new certificate for Expedition!
First we need to create a CSR to get signed by an external CA. Copy the stanza below and edit it for your
Expedition's settings. Save it as req.conf.
expedition@Expedition:~$ mkdir ssl && cd ssl
expedition@Expedition:~/ssl$ vi req.conf
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = OR
L = Portland
O = RiceCasa
OU = Tooling
CN = expedition.example.com
[v3_req]
# digitalSignature is required: ECDHE key exchange and TLS 1.3 need the server key to sign
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = expedition.example.com
DNS.2 = expedition
IP.1 = 10.1.0.34
With the req.conf configured, create the CSR:
expedition@Expedition:~/ssl$ openssl req -new -out expedition.csr -newkey rsa:2048 -nodes -sha256 -keyout expedition.key -config req.conf
Generating a 2048 bit RSA private key
..................................................+++
........+++
writing new private key to 'expedition.key'
-----
expedition@Expedition:~/ssl$ ls -l
total 20
drwxrwxr-x 2 expedition expedition 4096 Apr 1 11:49 ./
drwxr-xr-x 6 expedition expedition 4096 Apr 1 11:49 ../
-rw-rw-r-- 1 expedition expedition 1167 Apr 1 11:49 expedition.csr
-rw-rw-r-- 1 expedition expedition 1704 Apr 1 11:49 expedition.key
-rw-rw-r-- 1 expedition expedition 386 Apr 1 11:48 req.conf
expedition@Expedition:~/ssl$
Copy the content of the expedition.csr and submit it to your CA:
expedition@Expedition:~/ssl$ more expedition.csr
-----BEGIN CERTIFICATE REQUEST-----
..... removed .....
-----END CERTIFICATE REQUEST-----
Get that signed, and save the signed cert as expedition.crt.
Change the permissions of the private key:
expedition@Expedition:~/ssl$ chmod 400 expedition.key
Move the certs to the proper locations:
expedition@Expedition:~/ssl$ sudo mv expedition.key /etc/ssl/private/
expedition@Expedition:~/ssl$ sudo mv expedition.crt /etc/ssl/certs/
Edit Apache's config:
expedition@Expedition:~/ssl$ sudo vi /etc/apache2/sites-enabled/default-ssl.conf
Find these lines:
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
Edit them to:
SSLCertificateFile /etc/ssl/certs/expedition.crt
SSLCertificateKeyFile /etc/ssl/private/expedition.key
Restart apache.
expedition@Expedition:~/ssl$ sudo service apache2 restart
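The procedure above as one script, added here as an example and not code from the post or from the Expedition project. It builds the same req.conf, key and CSR, covers the case the original question also asked about (no CA available, so the CSR is self-signed while keeping its SANs), and verifies the pair before anything is copied under /etc/ssl. The DN values, hostnames and IP are constructed placeholders; the working directory defaults to a temporary one.

```shell
#!/bin/sh
# Added example, not code from the post above: build the key/CSR the same way,
# self-sign it when no CA is available, and check the pair before installing.
# All DN values, hostnames and the IP are constructed placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

write_req_conf() {
    # Same layout as the post's req.conf. keyUsage carries digitalSignature
    # because ECDHE-RSA suites and TLS 1.3 require the server key to sign.
    cat > "$WORKDIR/req.conf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = OR
L = Portland
O = Example
OU = Tooling
CN = expedition.example.com

[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = expedition.example.com
DNS.2 = expedition
IP.1 = 10.1.0.34
EOF
}

make_csr() {
    # -nodes leaves the key unencrypted so Apache can start unattended, which
    # is why the file mode matters. A stale 0400 key is removed first, since a
    # non-root owner cannot overwrite it in place.
    rm -f "$WORKDIR/expedition.key"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORKDIR/expedition.key" -out "$WORKDIR/expedition.csr" \
        -config "$WORKDIR/req.conf" >/dev/null 2>&1
    chmod 400 "$WORKDIR/expedition.key"
}

self_sign() {
    # Without -extfile/-extensions, "x509 -req" drops the CSR's extensions and
    # the self-signed cert has no SAN, which browsers reject even when the CN
    # is right. Skip this step when an external CA signs the CSR.
    openssl x509 -req -days 365 -sha256 \
        -in "$WORKDIR/expedition.csr" -signkey "$WORKDIR/expedition.key" \
        -extfile "$WORKDIR/req.conf" -extensions v3_req \
        -out "$WORKDIR/expedition.crt" >/dev/null 2>&1
}

csr_has_san() {
    # $1 = a SAN as openssl prints it, e.g. "DNS:expedition" or "IP Address:10.1.0.34"
    openssl req -in "$WORKDIR/expedition.csr" -noout -text | grep -q "$1"
}

cert_has_san() {
    openssl x509 -in "$WORKDIR/expedition.crt" -noout -text | grep -q "$1"
}

key_matches_cert() {
    # Compare the public halves; a mismatched pair is the usual reason apache2
    # refuses to start after a certificate swap.
    k=$(openssl pkey -in "$WORKDIR/expedition.key" -pubout | openssl dgst -sha256)
    c=$(openssl x509 -in "$WORKDIR/expedition.crt" -noout -pubkey | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

key_is_owner_read_only() {
    # chmod 400 leaves exactly the owner's read bit set
    [ "$(ls -l "$WORKDIR/expedition.key" | cut -c1-10)" = "-r--------" ]
}

run_all() {
    write_req_conf
    make_csr
    self_sign
    csr_has_san "DNS:expedition.example.com"
    cert_has_san "IP Address:10.1.0.34"
    key_matches_cert
    key_is_owner_read_only
    echo "key, CSR and self-signed cert ready in $WORKDIR"
}

# Run end to end with: sh make-expedition-cert.sh run
if [ "${1:-}" = "run" ]; then run_all; fi
```

After run_all succeeds, the sudo mv, default-ssl.conf edit and apache2 restart from the post apply unchanged; for a CA-signed certificate, submit $WORKDIR/expedition.csr instead of calling self_sign and save the CA's answer as expedition.crt before running key_matches_cert.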