Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 2 > General

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Reply
 
Thread Tools Display Modes
  #1  
Old 13th May 2008, 14:33
Norman Norman is offline
HowtoForge Supporter
 
Join Date: May 2006
Posts: 242
Thanks: 0
Thanked 18 Times in 14 Posts
Default Re-generating SSL certificates for ISPConfig

This is related to a new (critical) vurnurability affecting openSSL in debian 4.0
( see http://lists.debian.org/debian-secur.../msg00152.html ) .

Could someone be so kind as to give me input on my checklist:

This is not really ISPConfig's fault but I'm going to have to regenerate all ssl certificates on all systems.

So... for debian "perfect setup" what would I need to do?

1. regenerate SSL certificates for ISPConfig
2. regenerate SSL certificates for IMAP-SSL / POP3-SSL
3. Re-generate customer self-signed certificates. (ok, know how this is done)
4. re-generate keys for SSH (done with apt-get upgrade)

Anything else I might've missed?

How do I regenerate SSL certificates for 1 and 2?
__________________
http://www.xh.se
Reply With Quote
Sponsored Links
  #2  
Old 13th May 2008, 18:16
letic letic is offline
HowtoForge Supporter
 
Join Date: Jul 2006
Posts: 28
Thanks: 10
Thanked 3 Times in 3 Posts
Default

That's a good question I was actually asking myself. Is ISPConfig using openssl from the installed Debian package or does it compile its own ?

Well I check in the setup2 script and you can see that the script is actually checking where the openssl command is (please Till and Falko correct me if I'm wrong) :

Code:
 echo
  echo "########## OPENSSL ##########"
  echo
  echo $q_openssl_check
  which openssl
  if [ $? != 0 ]; then
    error "openssl not found!";
  else
    log "openssl found: `which openssl`"
    echo OK
  fi
but I couldn't find where it actually use it, but I think we'll have to regenerate all our keys...

Falko, Till could you confirm ?

Thanks in advance
LeTic
Reply With Quote
  #3  
Old 13th May 2008, 18:36
daveb daveb is offline
Senior Member
 
Join Date: Dec 2006
Location: St Louis Mo
Posts: 272
Thanks: 43
Thanked 41 Times in 37 Posts
Default

I belive ispconfig uses its own install of openssl for ssl certs generated by ispconfig for sites.
What do you do about all the ssl certs that are already signed by a Certificate Authority?
Reply With Quote
  #4  
Old 13th May 2008, 19:03
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 36,185
Thanks: 829
Thanked 5,417 Times in 4,259 Posts
Default

1) http://www.howtoforge.com/forums/sho...58&postcount=4
2) If you use courier: http://www.howtoforge.com/forums/sho...79&postcount=6
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #5  
Old 13th May 2008, 19:04
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 36,185
Thanks: 829
Thanked 5,417 Times in 4,259 Posts
Default

Quote:
Originally Posted by daveb
I belive ispconfig uses its own install of openssl for ssl certs generated by ispconfig for sites.
What do you do about all the ssl certs that are already signed by a Certificate Authority?
If I remember correctly, ISPConfig uses the openssl from the linux distribution to create the certificates. The openssl that is included in ISPConfig is only used for the sl encryption of the webserver on port 81.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #6  
Old 13th May 2008, 19:11
daveb daveb is offline
Senior Member
 
Join Date: Dec 2006
Location: St Louis Mo
Posts: 272
Thanks: 43
Thanked 41 Times in 37 Posts
Default

ok thanks till, still not sure what to do about the other certs though that was already signed by a certificate authority. I can create new keys but then certs would have to still be resigned, correct?
Reply With Quote
  #7  
Old 13th May 2008, 19:27
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 36,185
Thanks: 829
Thanked 5,417 Times in 4,259 Posts
 
Default

Quote:
I can create new keys but then certs would have to still be resigned, correct?
Yes. If you create a new key, you will have to resign them.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
Reply

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
ISPConfig and SSL Certificates phamels Installation/Configuration 48 2nd April 2009 18:33
Generating default ISPconfig SSL Certificates Again. spacemind Installation/Configuration 2 12th May 2008 13:14
SSL certificates VelhaChica Installation/Configuration 1 9th April 2008 14:11
SSL Certificates msource Installation/Configuration 7 18th January 2008 11:07
SSL for virtual hosts on one certificate rbartz Tips/Tricks/Mods 8 20th November 2007 17:59


All times are GMT +2. The time now is 14:23.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.