Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 2 > General
Reload this Page Re-generating SSL certificates for ISPConfig
Register FAQ Members List Social Groups Calendar Search Today's Posts Mark Forums Read

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Reply
 
Thread Tools Display Modes
  #1  
Old 13th May 2008, 14:33
Norman Norman is offline
HowtoForge Supporter
  
Join Date: May 2006
Posts: 238
Thanks: 0
Thanked 12 Times in 11 Posts
Default Re-generating SSL certificates for ISPConfig
This is related to a new (critical) vurnurability affecting openSSL in debian 4.0
( see http://lists.debian.org/debian-secur.../msg00152.html ) .

Could someone be so kind as to give me input on my checklist:

This is not really ISPConfig's fault but I'm going to have to regenerate all ssl certificates on all systems.

So... for debian "perfect setup" what would I need to do?

1. regenerate SSL certificates for ISPConfig
2. regenerate SSL certificates for IMAP-SSL / POP3-SSL
3. Re-generate customer self-signed certificates. (ok, know how this is done)
4. re-generate keys for SSH (done with apt-get upgrade)

Anything else I might've missed?

How do I regenerate SSL certificates for 1 and 2?
__________________
http://www.xh.se
Reply With Quote
Sponsored Links
  #2  
Old 13th May 2008, 18:16
letic letic is offline
HowtoForge Supporter
  
Join Date: Jul 2006
Posts: 28
Thanks: 10
Thanked 3 Times in 3 Posts
Default
That's a good question I was actually asking myself. Is ISPConfig using openssl from the installed Debian package or does it compile its own ?

Well I check in the setup2 script and you can see that the script is actually checking where the openssl command is (please Till and Falko correct me if I'm wrong) :

Code:
 echo
  echo "########## OPENSSL ##########"
  echo
  echo $q_openssl_check
  which openssl
  if [ $? != 0 ]; then
    error "openssl not found!";
  else
    log "openssl found: `which openssl`"
    echo OK
  fi
but I couldn't find where it actually use it, but I think we'll have to regenerate all our keys...

Falko, Till could you confirm ?

Thanks in advance
LeTic
Reply With Quote
  #3  
Old 13th May 2008, 18:36
daveb daveb is offline
Senior Member
  
Join Date: Dec 2006
Location: St Louis Mo
Posts: 272
Thanks: 43
Thanked 41 Times in 37 Posts
Default
I belive ispconfig uses its own install of openssl for ssl certs generated by ispconfig for sites.
What do you do about all the ssl certs that are already signed by a Certificate Authority?
Reply With Quote
  #4  
Old 13th May 2008, 19:03
till till is offline
Super Moderator
  
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 32,071
Thanks: 697
Thanked 4,248 Times in 3,260 Posts
Default
1) http://www.howtoforge.com/forums/sho...58&postcount=4
2) If you use courier: http://www.howtoforge.com/forums/sho...79&postcount=6
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #5  
Old 13th May 2008, 19:04
till till is offline
Super Moderator
  
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 32,071
Thanks: 697
Thanked 4,248 Times in 3,260 Posts
Default
Quote:
Originally Posted by daveb
I belive ispconfig uses its own install of openssl for ssl certs generated by ispconfig for sites.
What do you do about all the ssl certs that are already signed by a Certificate Authority?
If I remember correctly, ISPConfig uses the openssl from the linux distribution to create the certificates. The openssl that is included in ISPConfig is only used for the sl encryption of the webserver on port 81.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #6  
Old 13th May 2008, 19:11
daveb daveb is offline
Senior Member
  
Join Date: Dec 2006
Location: St Louis Mo
Posts: 272
Thanks: 43
Thanked 41 Times in 37 Posts
Default
ok thanks till, still not sure what to do about the other certs though that was already signed by a certificate authority. I can create new keys but then certs would have to still be resigned, correct?
Reply With Quote
  #7  
Old 13th May 2008, 19:27
till till is offline
Super Moderator
  
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 32,071
Thanks: 697
Thanked 4,248 Times in 3,260 Posts
 
Default
Quote:
I can create new keys but then certs would have to still be resigned, correct?
Yes. If you create a new key, you will have to resign them.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
Reply

Bookmarks

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
ISPConfig and SSL Certificates phamels Installation/Configuration 48 2nd April 2009 18:33
Generating default ISPconfig SSL Certificates Again. spacemind Installation/Configuration 2 12th May 2008 13:14
SSL certificates VelhaChica Installation/Configuration 1 9th April 2008 14:11
SSL Certificates msource Installation/Configuration 7 18th January 2008 11:07
SSL for virtual hosts on one certificate rbartz Tips/Tricks/Mods 8 20th November 2007 17:59


All times are GMT +2. The time now is 19:43.

Contact Us - HowtoForge - Linux Howtos and Tutorials - Archive - Top

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2013, vBulletin Solutions, Inc.