We need to get the new server we deployed to have a trusted CA Cert in the next month.
I am currently looking at this guide:
http://www.clearcenter.com/support/documentation/user_guide/certificate_manager
This seems reasonable however I am just wondering about my zarafa certificates that I've made. Do I need to re-create these certificates or can I import them if so how?
Responses (21)
Accepted Answer
After a lot of testing and researching I've been able to get the following done:
* Get webconfig to use SSL certificates
* Get httpd to use SSL certificates (This includes webapp/webaccess)
* Get zarafa to use SSL certificates (Outlook zarafa, gateway for imap & iCal)
* Get postfix to use SSL certificates for SMTP secure
Below is what I did (This is assuming you have the crt file and key already)
Apache
Once they give you the new csr do the following
cp /location/of/domain.crt /etc/pki/tls/certs/domain.crt
mv /location/of/domain.key /etc/pki/tls/certs/domain.key
We then need to edit the ssl.conf file in httpd
vi /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/domain.crt
SSLCertificateKeyFile /etc/pki/tls/certs/domain.key
Then
service httpd restart
ClearOS Webconfig
We need to edit a file in clearos.
vi /usr/clearos/sandbox/httpd/conf.d/framework.conf
SSLCertificateFile /etc/pki/tls/certs/domain.crt
SSLCertificateKeyFile /etc/pki/tls/certs/domain.key
Restart clearos webconfig
service webconfig restart
Zarafa Secure
First we need to convert the files into a pem and then move into zarafa
cat /etc/pki/tls/certs/domain.crt /etc/pki/tls/certs/domain.key > /etc/pki/tls/certs/domain.pem
mv /etc/pki/tls/certs/domain.pem /etc/zarafa/ssl/
cp -a /etc/pki/tls/certs/domain.crt /etc/zarafa/ssl
Now we make changes to ical/server/gateway
vi /etc/zarafa/server.cfg
# Listen for SSL connections on this port
server_ssl_port = 237
# Required Server certificate, contains the certificate and the private key parts
server_ssl_key_file = /etc/zarafa/ssl/domain.pem
# Password of Server certificate
server_ssl_key_pass =
# Required Certificate Authority of server
server_ssl_ca_file = /etc/zarafa/ssl/domain.crt
# Path with CA certificates, e.g. /etc/ssl/certs
server_ssl_ca_path = /etc/zarafa/ssl/
# Accept SSLv2 only connections. Normally v3 connections are used.
server_ssl_enable_v2 = no
# Path of SSL Public keys of clients
sslkeys_path = /etc/zarafa/sslkeys
Then restart service
service zarafa-server restart
Now gateway
vi /etc/zarafa/gateway.cfg
# File with RSA key for SSL
ssl_private_key_file = /etc/zarafa/ssl/domain.pem
#File with certificate for SSL
ssl_certificate_file = /etc/zarafa/ssl/domain.crt
Finally ical
vi /etc/zarafa/ical.cfg
# ICAL SSL SETTINGS FOR INCOMING CONNECTIONS
# File with RSA key for SSL
ssl_private_key_file = /etc/zarafa/ssl/domain.pem
# File with certificate for SSL
ssl_certificate_file = /etc/zarafa/ssl/domain.crt
Restart both services
service zarafa-gateway restart
service zarafa-ical restart
Be sure to enable secure imap and secure ical in the gateway.cfg and ical.cfg
Postfix
Very simple change over for this
vi /etc/postfix/main.cf
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/domain.crt
smtpd_tls_key_file = /etc/pki/tls/certs/domain.key
smtpd_tls_loglevel = 2
Restart postfix
service postfix restart
When a client is connecting via Outlook/Thunderbird for SMTP, it's SSL, not TLS, and port 465.
I hope this helps everybody that's trying to set up signed SSL certificates on clearos in the interim of 7.0 (hopefully being on there). -
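The steps above copy the certificate and key around by hand and build the combined PEM for Zarafa with `cat`. The following is an added example, not code from the original post or from ClearOS/Zarafa: it stages the same files but first checks that the certificate and key belong together, writes the combined PEM to an explicit path (so it cannot land in whatever the current directory is), locks down permissions on anything holding the private key, and re-reads the combined file to prove both parts are still parseable. It assumes only the openssl command line; the destination directory is a parameter so it can be dry-run as an unprivileged user, and on the real box it would be /etc/pki/tls/certs or /etc/zarafa/ssl from the post. The self-signed pair produced by `make_test_pair` is constructed test material, not a CA-issued certificate.

```shell
#!/bin/sh
# Added example (not from the original post): stage a certificate + key the
# way the procedure above does, with checks. Assumes only the openssl CLI.

# True when the certificate's public key matches the private key. Compares
# SHA-256 digests of the DER-encoded public keys, so it is not RSA-specific.
cert_matches_key() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 1
    openssl pkey -in "$2" -noout >/dev/null 2>&1 || return 1
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Copy crt + key into $3 under name $4 (default "domain"), then write the
# combined cert-then-key PEM that Zarafa's server_ssl_key_file /
# ssl_private_key_file settings point at. Writing to "$dest/$name.pem"
# explicitly avoids `cat a b > x.pem` landing in the current directory.
install_cert_bundle() {
    crt="$1"; key="$2"; dest="$3"; name="${4:-domain}"
    cert_matches_key "$crt" "$key" || {
        echo "certificate and key do not match, nothing installed" >&2
        return 1
    }
    mkdir -p "$dest"
    cp "$crt" "$dest/$name.crt"
    cp "$key" "$dest/$name.key"
    cat "$dest/$name.crt" "$dest/$name.key" > "$dest/$name.pem"
    # Anything containing the private key must not be world-readable.
    chmod 0644 "$dest/$name.crt"
    chmod 0600 "$dest/$name.key" "$dest/$name.pem"
    # The combined file must still yield both a certificate and a key;
    # openssl skips PEM blocks of the wrong type, which is what Zarafa
    # relies on when it reads one file for both.
    cert_matches_key "$dest/$name.pem" "$dest/$name.pem"
}

# Show the certificate a live service actually presents, to confirm each
# port from the post (443, 81, 237, 993, 465) picked up the new file after
# its restart. Needs the service reachable, so it is not exercised offline.
show_served_cert() {
    echo | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# Throwaway self-signed pair for a dry run (constructed test material, NOT a
# CA-issued certificate). Writes $1/test.key and $1/test.crt.
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=dryrun.example' \
        -keyout "$1/test.key" -out "$1/test.crt" >/dev/null 2>&1
}

# Dry run:
#   make_test_pair /tmp/x && install_cert_bundle /tmp/x/test.crt /tmp/x/test.key /tmp/x/out
#   show_served_cert mail.example.test 465
```

Run `install_cert_bundle` once per destination (the post uses /etc/pki/tls/certs for Apache/webconfig/Postfix and /etc/zarafa/ssl for Zarafa), restart the services, then use `show_served_cert` against each port to confirm the issuer is the CA rather than the old self-signed subject.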
Accepted Answer
I've got apache to have ssl certificates on clearos now using some tutorials on the web.
Only need to do the following now
* Get zarafa to use SSL certificates from CA
* ClearOS to use CA (ideal but not required)
It's weird because I've looked at /usr/clearos/sandbox/etc/httpd.conf.d/ssl.conf and nothing points to self-signed certificates, so where does ClearOS webconfig get its generated certificates from so I can set it to use CA certs? -
Accepted Answer
Hi James,
Yes, this topic should be more of a priority! I have added the issue in the tracker:
http://tracker.clearfoundation.com/view.php?id=1891
The target version is ClearOS 7.0.0, but that's more of a wish than a promise. -
Accepted Answer
Thanks Peter, looks like we'll wait for 6.4 to come out and when Zarafa gets updated we should be ready to go I guess. Will you be updating to the latest Zarafa 7.1.x?
They are on a SMB license from zarafa from back in the days of 5.2 before you had it so we have to go to them regarding that but I'll wait to raise a ticket with them after you guys upgrade zarafa.
Thanks for the TLS postfix tips, I'll try and look into the normal port 25 authentication I'm sure there should be some easy way of taking away plain authentication anyway that or just disabling it and make users use 465 instead.
*edit*
It seems you posted much faster than I can! Thanks for making that ticket; I'll update and let you know how I get on. Just to clarify: with signed certificates, when we get them, we can't do that in the web interface, that has to be done via terminal? -
Accepted Answer
It would be a good idea to have weak ciphers disabled by default. That feature request is now in the tracker -
Accepted Answer
* they are complaining about port 993 not being secure enough
* zarafa port 237 being not secure enough (will raise a ticket with zarafa support)
This looks relevant :-)
https://jira.zarafa.com/browse/ZCP-11212
If you have purchased Zarafa Small Business / Professional through ClearCenter, please raise the ticket with ClearCenter support first. We'll escalate it if necessary.
* smtp authentication (will look into this)
The following "Server-side cipher controls" for Postfix looks good:
http://www.postfix.org/TLS_README.html#server_cipher -
Accepted Answer
Just got some results back from the latest security matrix.
Thanks to your Apache edit I was able to get them to stop complaining about it, so thanks a lot, Peter.
Three main issues now:
* they are complaining about port 993 not being secure enough
* smtp authentication (will look into this)
* zarafa port 237 being not secure enough (will raise a ticket with zarafa support)
Maybe you can shed some light on the 993? Description:
Title: SSL server accepts weak ciphers
Impact: A remote attacker with the ability to sniff network traffic could decrypt an encrypted session.
Resolution: For Apache mod_ssl web servers, use the SSLCipherSuite directive (http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslciphersuite) in the configuration file to specify strong ciphers only and disable SSLv2. For Microsoft IIS web servers, disable SSLv2 and any weak ciphers as described in Microsoft knowledge base articles 187498 (http://support.microsoft.com/kb/187498) and 245030 (http://support.microsoft.com/kb/245030). For other types of web servers, consult the web server documentation.
Risk Factor: Medium
CVSS2 Base Score: 4.0 (AV:N/AC:H/Au:N/C:P/I:N/A:N) -
Accepted Answer
Unfortunately not it's asking that it be updated to specified versions.
We have taken the flag off apache so that shouldn't be a problem. However it is complaining about smtp allowing logins using clear text and not encryption.
Is that something we can change with clearos/postfix or is that a zarafa issue?
More detailed information:
Description: SMTP Service Cleartext Login Permitted
Synopsis: The remote mail server allows cleartext logins.
Impact: The remote host is running an SMTP server that advertises that it allows cleartext logins over unencrypted connections. An attacker may be able to uncover user names and passwords by sniffing traffic to the server if a less secure authentication mechanism (i.e. LOGIN or PLAIN) is used.
See also: http://tools.ietf.org/html/rfc4422 http://tools.ietf.org/html/rfc4954
Data Received: The SMTP server advertises the following SASL methods over an unencrypted channel: All supported methods: PLAIN, LOGIN. Cleartext methods: PLAIN, LOGIN
Resolution: Configure the service to support less secure authentication mechanisms only over an encrypted channel.
Risk Factor: Medium
CVSS2 Base Score: 4.0 (AV:N/AC:H/Au:N/C:P/I:N/A:N) -
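Two of the scanner findings in this thread are Postfix-side: the "SSL server accepts weak ciphers" result (SSLv2 and weak suites left enabled, the same class of issue raised for port 993 and in the "weak ciphers disabled by default" feature request), and the "SMTP Service Cleartext Login Permitted" result quoted above (AUTH PLAIN/LOGIN advertised before STARTTLS). The block below is an added example, not configuration from the original posts or from ClearOS: it places the main.cf fragment as posted beside a hardened version, and adds two small checks run on constructed text. The Postfix parameter names are Postfix's own (TLS_README, postconf(5), available from Postfix 2.6); the host names and EHLO banners are made up for the example. The Zarafa ports (237, 993) are governed by Zarafa's own settings and are not covered here.

```shell
#!/bin/sh
# Added example (not from the original thread): weak vs. hardened Postfix
# TLS/AUTH settings, plus checks against constructed sample text.

# As posted: TLS is offered, but nothing stops AUTH on the unencrypted
# connection and cipher/protocol choice is left at Postfix's defaults.
WEAK_MAINCF='smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/domain.crt
smtpd_tls_key_file = /etc/pki/tls/certs/domain.key
smtpd_tls_loglevel = 2
smtpd_sasl_auth_enable = yes'

# Hardened. smtpd_tls_security_level supersedes smtpd_use_tls; "may" keeps
# STARTTLS opportunistic on port 25 (for a remote MTA the alternative is
# cleartext, which is why TLS_README advises against a strict cipher grade
# there) while still refusing SSLv2/SSLv3 and the null/export/RC4/DES/MD5
# suites. The *_mandatory_* settings govern enforced TLS, e.g. the port 465
# wrapper-mode listener the post's clients use (master.cf line:
#   smtps inet n - n - - smtpd -o smtpd_tls_wrap_mode=yes -o smtpd_sasl_auth_enable=yes).
# smtpd_tls_auth_only = yes is what makes AUTH appear only after STARTTLS.
HARDENED_MAINCF='smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/pki/tls/certs/domain.crt
smtpd_tls_key_file = /etc/pki/tls/certs/domain.key
smtpd_tls_loglevel = 1
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5'

# Hardening parameters a main.cf must set. Matching is on the parameter
# name only, so a site's own values (a longer exclude list, say) pass.
REQUIRED_PARAMS='smtpd_tls_auth_only smtpd_tls_protocols smtpd_tls_mandatory_protocols
smtpd_tls_exclude_ciphers smtpd_tls_mandatory_ciphers smtpd_tls_mandatory_exclude_ciphers'

# Report each missing parameter on stderr; print the count on stdout.
# Usage: count_missing_params "$(cat /etc/postfix/main.cf)"
count_missing_params() {
    missing=0
    for p in $REQUIRED_PARAMS; do
        if ! printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$p[[:space:]]*="; then
            echo "missing: $p" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}

# True when an EHLO response advertises SASL AUTH, i.e. exactly what the
# scanner saw on the unencrypted channel. Also catches the legacy
# "AUTH=PLAIN" form emitted for broken_sasl_auth_clients.
cleartext_auth_advertised() {
    printf '%s\n' "$1" | grep -Eq '^250[- ]AUTH[ =]'
}

# Constructed pre-STARTTLS EHLO responses: as found, and after the fix.
EHLO_WEAK='250-mail.example.test
250-PIPELINING
250-STARTTLS
250-AUTH PLAIN LOGIN
250 8BITMIME'
EHLO_FIXED='250-mail.example.test
250-PIPELINING
250-STARTTLS
250 8BITMIME'

# Against a live server the same observation is:
#   printf 'EHLO scanner\r\nQUIT\r\n' | nc mail.example.test 25 | grep '^250[- ]AUTH'
# and for the TLS side:
#   openssl s_client -connect mail.example.test:25 -starttls smtp -ssl2   (must fail)
```

After editing main.cf, `postfix check` validates the syntax and `postconf -n` shows the effective non-default values; re-run the EHLO check over port 25 and confirm the AUTH line is gone before STARTTLS and present after it.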
Accepted Answer
With the upstream updates would it only stop updates from httpd in the future or mostly everything? If it's mostly everything I will have to tell them it's a no go.
It will very likely only impact the httpd and mod_ssl updates (mod_ssl is part of the httpd source code).
Here are a couple of changes that you can make that might prevent the scanner from doing version detection. You can hide the version information coming from Apache by changing the ServerTokens parameter in /etc/httpd/conf/httpd.conf:
ServerTokens Prod
Similarly for PHP, the expose_php parameter should be changed in /etc/php.ini:
expose_php = Off
Restart the web server after making the changes:
# service httpd restart
A web page request will no longer get presented with version information:
Default HTTP header:
HTTP/1.1 200 OK
Date: Wed, 30 Jan 2013 00:32:56 GMT
Server: Apache/2.2.15 (ClearOS Core)
X-Powered-By: PHP/5.3.3
Content-Length: 5
Connection: close
Content-Type: text/html; charset=UTF-8
Version-stripped HTTP header:
HTTP/1.1 200 OK
Date: Wed, 30 Jan 2013 00:35:54 GMT
Server: Apache
Content-Length: 5
Connection: close
Content-Type: text/html; charset=UTF-8
By the way, both of these configuration changes are defaults for the webconfig engine so no changes are required on that front. Though we want to be as close to upstream as possible, I think I'll update the Web Server app so that these two changes are made by default on install.
The scan is for every open port on the router it scans what service is running and if the service is too old it needs to be updated or if there are fixes they need to be patched.
If the scanning company is just asking for verification that the software is patched, then that can be verified by matching the version available in the upstream errata @ https://rhn.redhat.com/errata/rhel-server-6-errata.html The last httpd update is version 2.2.15 -- the details are here. -
Accepted Answer
I too am not really a fan of these security scans; the amount of work we tried to do to get SSH, SSL etc. upgraded on 5.2 because it was too old for them also broke our test VM, which was a bit annoying.
You are probably right about the port 81 I just find it convenient without using tunneling the port via ssh but that's the lazy side in me so I think for the best I will just disable it.
I'm not a fan of upgrading Apache outside of the yum repo either; I find it a bit absurd, but my client's hands are tied as they need this to keep using the system.
With the upstream updates would it only stop updates from httpd in the future or mostly everything? If it's mostly everything I will have to tell them it's a no go.
*edit*
The scan is for every open port on the router it scans what service is running and if the service is too old it needs to be updated or if there are fixes they need to be patched. -
Accepted Answer
I'm assuming this scan was for the main web server and not webconfig (port 81)? For webconfig scans, I recommend disabling access at the firewall and either:
- Using VPN to access webconfig, or
- Adding custom firewall rules for restricting webconfig access to particular static IP addresses
along with Apache being too old
These security scans are becoming more and more problematic. The concept of backporting seems to be missing in most of these scans even though it's super important for enterprises. It would be a shame to go through the trouble of "upgrading" just to pass a somewhat flawed security test. In many ways, the upgrade will make the system less secure since all the upstream security updates will no longer function.
It's tempting to provide a custom patch for Apache to fake out these scans. Lame, but I don't see a way past the backporting issue. Hmmmm. -
Accepted Answer
Hi peter,
Thanks for your reply. It's actually both: my client upgraded to 6.3 as they have to comply with a security matrix scan and 5.2 was using some old tech. Although upgraded, it's complaining about self-signed certificates along with Apache being too old (I can upgrade that manually so it's not too bad).
If you have some type of howto's that you might think of that could help towards setting this up that would be great. -
Accepted Answer
Hi James,
That User Guide doc was old and is now more up-to-date (still needs work). In ClearOS 6, the Certificate Manager is used by OpenVPN and Webconfig. There are no other hooks to other systems (including Zarafa) yet. All the changes generated by this app happen in /etc/pki/CA -- that's where you will find:
- The Certificate Authority
- The default System Certificate (used by Webconfig, but potentially other apps)
- User certificates
Are you implementing an HTTPS site? Or are you implementing a 3rd party CA for Zarafa mail?