HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


Norman 13th May 2008 14:33

Re-generating SSL certificates for ISPConfig
 
This is related to a new (critical) vulnerability affecting OpenSSL in Debian 4.0
(see http://lists.debian.org/debian-secur.../msg00152.html).

Could someone be so kind as to give me input on my checklist:

This is not really ISPConfig's fault but I'm going to have to regenerate all ssl certificates on all systems.

So... for debian "perfect setup" what would I need to do?

1. regenerate SSL certificates for ISPConfig
2. regenerate SSL certificates for IMAP-SSL / POP3-SSL
3. Re-generate customer self-signed certificates. (ok, know how this is done)
4. re-generate keys for SSH (done with apt-get upgrade)

Anything else I might've missed?

How do I regenerate SSL certificates for 1 and 2?

letic 13th May 2008 18:16

That's a good question I was actually asking myself. Is ISPConfig using openssl from the installed Debian package or does it compile its own?

Well, I checked in the setup2 script and you can see that the script is actually checking where the openssl command is (please Till and Falko correct me if I'm wrong):

Code:

  echo
  echo "########## OPENSSL ##########"
  echo
  echo $q_openssl_check
  which openssl
  if [ $? != 0 ]; then
    error "openssl not found!";
  else
    log "openssl found: `which openssl`"
    echo OK
  fi

but I couldn't find where it actually uses it, but I think we'll have to regenerate all our keys...

Falko, Till, could you confirm?

Thanks in advance
LeTic

daveb 13th May 2008 18:36

I believe ISPConfig uses its own install of openssl for SSL certs generated by ISPConfig for sites.
What do you do about all the ssl certs that are already signed by a Certificate Authority?

till 13th May 2008 19:03

1) http://www.howtoforge.com/forums/sho...58&postcount=4
2) If you use courier: http://www.howtoforge.com/forums/sho...79&postcount=6

till 13th May 2008 19:04

Quote:

Originally Posted by daveb
I believe ISPConfig uses its own install of openssl for SSL certs generated by ISPConfig for sites.
What do you do about all the ssl certs that are already signed by a Certificate Authority?

If I remember correctly, ISPConfig uses the openssl from the Linux distribution to create the certificates. The openssl that is included in ISPConfig is only used for the SSL encryption of the webserver on port 81.

daveb 13th May 2008 19:11

OK, thanks till, still not sure what to do about the other certs, though, that were already signed by a certificate authority. I can create new keys, but then the certs would still have to be re-signed, correct?

till 13th May 2008 19:27

Quote:

I can create new keys, but then the certs would still have to be re-signed, correct?

Yes. If you create a new key, you will have to re-sign them.
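
The point of the last two posts, as an added example that is not part of the thread or of ISPConfig: a certificate is bound to one public key, so once a new key is generated the certificate issued for the old key no longer matches and a new CSR has to go to the CA. The subject `/CN=www.example.test`, the file names and the helper functions `pubkey_digest`, `same_key`, `rekey` and `demo` are assumptions made for illustration, and it assumes the fixed openssl package is already installed before any key is generated.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and the subject are constructed.
set -eu

# Print the SHA-256 of the public key inside a private key, CSR or certificate.
pubkey_digest() {  # $1 = key|req|x509, $2 = file
    case "$1" in
        key)  pub=$(openssl pkey -in "$2" -pubout) ;;
        req)  pub=$(openssl req -in "$2" -noout -pubkey) ;;
        x509) pub=$(openssl x509 -in "$2" -noout -pubkey) ;;
        *)    return 2 ;;
    esac || return 1   # an unreadable file must not hash as "empty"
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# True only when both files are readable and carry the same public key.
same_key() {  # $1 = kind, $2 = file, $3 = kind, $4 = file
    a=$(pubkey_digest "$1" "$2") && b=$(pubkey_digest "$3" "$4") && [ "$a" = "$b" ]
}

# Create a fresh private key (never reuse the old one) and a CSR for it.
rekey() {  # $1 = subject, $2 = new key path, $3 = new CSR path
    ( umask 077; openssl genrsa -out "$2" 2048 2>/dev/null )
    openssl req -new -key "$2" -subj "$1" -out "$3"
}

demo() {
    d=$(mktemp -d); subj="/CN=www.example.test"
    # Stand-in for a certificate that was issued for the old key.
    openssl genrsa -out "$d/old.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$d/old.key" -subj "$subj" -days 30 -out "$d/old.crt"
    rekey "$subj" "$d/new.key" "$d/new.csr"
    if same_key x509 "$d/old.crt" key "$d/new.key"; then
        echo "old certificate matches the new key"
    else
        echo "old certificate does not match the new key: submit new.csr for signing"
    fi
    same_key req "$d/new.csr" key "$d/new.key" && echo "new.csr matches new.key"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run the script with the argument `demo` to see both checks. `same_key` can also be pointed at a deployed certificate and key to confirm that a re-issued certificate was installed with the key it was requested for.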


All times are GMT +2.