Changes between Version 16 and Version 17 of Documentation/Community/HowTo/ZarafaSetupWithOutlookThunderbirdSync

Timestamp:
02/07/12 00:41:55 (16 months ago)
Author:
bbking (IP: 213.235.204.99)
Comment:

a more detailed explanation of the certificate installation

  • Documentation/Community/HowTo/ZarafaSetupWithOutlookThunderbirdSync

    v16 v17  
    22Author(s): BBKing[[BR]] 
    33Date: 02 Oct 2011[[BR]] 
    4 Version(s): 2.0[[BR]] 
     4Version(s): 2.0, 2.2[[BR]] 
    55Zentyal profiles: Zarafa [[BR]] 
    66 
     
    181181I went to http://www.startssl.com and got my own, officially signed certificates for my Zentyal-Box. Here is a great howto (http://forum.zentyal.org/index.php/topic,616.msg2340.html#msg2340), regarding the installation of the signed certificates. 
    182182 
    183 I will quote Javier's howto here just to have all infos in one place: 
    184  
    185 {{{ 
    186 #!div class=quote style="border: 2pt solid; text-align: left;background-color:#336699" 
    187 - you cannot export your certificate in the CA module because you need a CA certificate to be able to issue other certificates 
    188  
    189 - to use your certificate as the certificate for web administration, you must: 
    190   1) put the certificate in the file /var/lib/ebox/conf/ssl.crt/ebox.cert 
    191  2) put the certficate key file in the file /var/lib/ebox/conf/ssl.key/ebox.key 
    192   3)create the pem file concatening the two previous files, lke this: 
    193  
    194    cat  /var/lib/ebox/conf/ssl.crt/ebox.cert /var/lib/ebox/conf/ssl.key/ebox.key > /var/lib/ebox/conf/ssl.pem/ebox.pem 
    195   chmod 0400 /var/lib/ebox/conf/ssl.pem/ebox.pem 
    196  
    197  4) restart the webserver with: 
    198   /etc/init.d/ebox apache restart 
    199  
    200 - to use your certficate in the mail server you need to proceed similarly: 
    201     1) put the certificate in the file /etc/postfix/sasl/smtpd.pem 
    202  2) put the certficate key file in the file /etc/postfix/sasl/smptd-key.pem 
    203   3)create the pem file concatenating the two previous files, lke this: 
    204  
    205    cat  /etc/postfix/sasl/smtpd.pem /etc/postfix/sasl/smtpd-key.pem > /etc/postfix/sasl/smtp.pem 
    206   chmod 0400 /etc/postfix/sasl/smtp.pem 
    207  
    208  4) restart the mail system with: 
    209   /etc/init.d/ebox mail restart 
    210  
    211 }}} 
    212  
    213  
    214 One remark: if you copy the .pem file created in step 2 to /etc/postfix/sasl/whatever.pem you don't have to repeat the steps later on. 
    215  
    216 TODO: check whether the certificates are in place after a reboot. 
    217  
    218  
     183I will use Javier's howto here and append my remarks to it:[[BR]] 
     184[[BR]] 
     185 
     186At first, you have to understand, that there are 2 different Apache instances running. One is doing the normal webpages, the other one is serving the web admin pages. These instances have 2 different config files. 
     187 
     188Securing webpages (Zarafa's webaccess, Roundcube, etc.):[[BR]] 
     1891) put the certificate in the file /etc/apache2/ssl/ssl.cert[[BR]] 
     1902) put the certficate key file in the file /etc/apache2/ssl/ssl.key[[BR]] 
     1913) create the pem file concatening the two previous files, like this:[[BR]] 
     192 
     193{{{ 
     194#!div class=conf style="border: 2pt solid; text-align: left;background-color:#AAAAAA" 
     195   cat /etc/apache2/ssl/ssl.cert /etc/apache2/ssl/ssl.key > /etc/apache2/ssl/ssl.pem[[BR]] 
     196   chmod 0400 /var/lib/ebox/conf/ssl.pem/ebox.pem 
     197}}} 
     198 
     199here I went over to the /usr/share/<ebox/zentyal>/stubs/webserver and added the following line to default-ssl.mas :[[BR]] 
     200 
     201 
     202{{{ 
     203#!div class=conf style="border: 2pt solid; text-align: left;background-color:#AAAAAA" 
     204SSLCertificateChainFile "/etc/apache2/ssl/sub.class1.server.ca.pem" 
     205}}} 
     206 
     207the sub.class1.server.ca.pem is issued by StartSSL, this will tell the browser who is the CA.[[BR]] 
     208 
     209Do a [[BR]] 
     210 
     211{{{ 
     212#!div class=conf style="border: 2pt solid; text-align: left;background-color:#AAAAAA" 
     213/etc/init.d/zentyal webserver restart 
     214}}} 
     215and your official certificates should be working.[[BR]] 
     216 
     217Securing the admin interface:[[BR]] 
     2181) put the certificate in the file /var/lib/ebox|zentyal/conf/ssl/ssl.cert[[BR]] 
     2192) put the certficate key file in the file /var/lib/ebox|zentyal/conf/ssl/ssl.key[[BR]] 
     2203) create the pem file concatening the two previous files, like this:[[BR]] 
     221 
     222{{{ 
     223#!div class=conf style="border: 2pt solid; text-align: left;background-color:#AAAAAA" 
     224   cat  /var/lib/ebox|zentyal/conf/ssl/ssl.cert /var/lib/ebox|zentyal/conf/ssl/ssl.key > /var/lib/ebox|zentyal/conf/ssl/ssl.pem[[BR]] 
     225   chmod 0400 /var/lib/ebox/conf/ssl.pem/ebox.pem 
     226}}} 
     227 
     228TODO: verify inserting official CA[[BR]] 
     229 
     230{{{ 
     231#!div class=conf style="border: 2pt solid; text-align: left;background-color:#AAAAAA" 
     232/etc/init.d/zentyal apache restart 
     233}}} 
     234 
     235will restart you admin interface, which will have the official certificates as well.[[BR]] 
     236 
     237Securing IMAP with an official certificate:[[BR]] 
     238 
     2391) put the certificate in the file /etc/postfix/sasl/smtpd.pem (Zentyal 2.0 or Ebox) or /etc/postfix/sasl/postfix.pem [[BR]] 
     240Create the .pem file according to above.[[BR]] 
     2412) restart the mail system with:[[BR]] 
     242{{{ 
     243#!div class=conf style="border: 2pt solid; text-align: left;background-color:#AAAAAA" 
     244/etc/init.d/zentyal mail restart 
     245}}} 
     246 
     247TODO: check whether the certificates are in place after a reboot. Explain the use of hooks.[[BR]] 
     248 
     249 
     250
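
Review bot: The added `chmod 0400` lines (new lines 196 and 225) still target /var/lib/ebox/conf/ssl.pem/ebox.pem, while the `cat` commands directly above them now write /etc/apache2/ssl/ssl.pem and /var/lib/ebox|zentyal/conf/ssl/ssl.pem, so the newly created files containing the private key are left with whatever mode the shell's umask produced. Point each chmod at the file its own cat creates, and consider restricting the ssl.key files in the same step. In the cat on new line 224, `ebox|zentyal` will be parsed by a shell as a pipe if pasted as written; the `<ebox/zentyal>` placeholder form already used on new line 199 avoids that. The "Securing IMAP" section (new lines 237-241) names only files under /etc/postfix/sasl and drops the key-file step the removed text had, so "Create the .pem file according to above" does not say which files to concatenate or where the result should go.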