Guys,
Can I hope for any hint of assistance here ?
What changes would I need to do to have the server identified by the
name and not the IP address ?
Eugene
*From:* ype...@gmail.com <ype...@gmail.com>
*Sent:* Friday, November 13, 2020 12:15 PM
*To:* 'Ludovic Zammit' <lzam...@inverse.ca>;
packetfence-users@lists.sourceforge.net
*Subject:* RE: [PacketFence-users] Wildcard SSL certificate installation
on PF
Disregard my last, Ludovic.
It was stupid Firefox browser that somehow cached the old certificate.
Logged into the PF web admin GUI via Chrome and the certificate shows as
good.
But…. This was just a precursor to the task that we need to cover with
an SSL certificate.
So, when the guest WiFi user associates to a guest SSID their device
sees the certificate issued to a host with IP address
But the details of this certificate show the correct subject name (CN)
which is linked to FQDN as shown below
My question now is where in the captive portal I can change the IP
address to FQDN ?
Eugene
*From:* ype...@gmail.com <mailto:ype...@gmail.com> <ype...@gmail.com
<mailto:ype...@gmail.com>>
*Sent:* Friday, November 13, 2020 10:40 AM
*To:* 'Ludovic Zammit' <lzam...@inverse.ca <mailto:lzam...@inverse.ca>>;
packetfence-users@lists.sourceforge.net
<mailto:packetfence-users@lists.sourceforge.net>
*Subject:* RE: [PacketFence-users] Wildcard SSL certificate installation
on PF
Thank you, Ludovic,
I prepared certificate files almost exactly like you described.
Just changed the order of certificates in the server.pem file as per
your instruction.
Well, apparently it made the trick. I can now hit PF via a standard URL,
i.e. https//pf.domain.xxx/ and it shows the valid new SSL certificate.
But the web admin interface via 1443 is still using a self-signed
certificate.
Where would I change this behavior ?
Nothing in this file to catch my eye
/usr/local/pf/conf/haproxy-admin.conf
Eugene
*From:* Ludovic Zammit <lzam...@inverse.ca <mailto:lzam...@inverse.ca>>
*Sent:* Friday, November 13, 2020 4:30 AM
*To:* packetfence-users@lists.sourceforge.net
<mailto:packetfence-users@lists.sourceforge.net>
*Cc:* ype...@gmail.com <mailto:ype...@gmail.com>
*Subject:* Re: [PacketFence-users] Wildcard SSL certificate installation
on PF
Hello there,
Use of certificates in PF.
PF Version prior 10:
Captive portal = /usr/local/pf/conf/ssl/server.pem (Private Key + Cert +
intermediate)
Configuration: /usr/local/pf/conf/haproxy-portal.conf
Web admin = /usr/local/pf/conf/ssl//server.crt (Certificate)
/usr/local/pf/raddb/certs/server.key (Private key)
/usr/local/pf/raddb/certs/intermediates.crt
(Intermediates)
Configuration: /usr/local/pf/conf/httpd.conf.d/ssl-certificates.conf
RADIUS = /usr/local/pf/raddb/certs/server.crt (Certificate)
/usr/local/pf/raddb/certs/server.key (Private key)
/usr/local/pf/raddb/certs/ca.pem (Root CA for EAP TLS)
Configuration: /usr/local/pf/conf/radiusd/eap.conf
PF Version 10:
Captive portal = /usr/local/pf/conf/ssl/server.pem (Private Key + Cert +
intermediate)
Configuration: /usr/local/pf/conf/haproxy-portal.conf
Web admin = /usr/local/pf/conf/ssl/server.pem (Private Key + Cert +
intermediate)
Configuration: /usr/local/pf/conf/haproxy-admin.conf
RADIUS = /usr/local/pf/raddb/certs/server.crt (Certificate)
/usr/local/pf/raddb/certs/server.key (Private key)
/usr/local/pf/raddb/certs/ca.pem (Root CA for EAP TLS)
Configuration: /usr/local/pf/conf/radiusd/eap.conf
Hope it shed some light.
Thanks,
Ludovic Zammit
lzam...@inverse.ca <mailto:lzam...@inverse.ca> :: +1.514.447.4918
(x145) :: www.inverse.ca <http://www.inverse.ca>
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu
<http://www.sogo.nu>) and PacketFence (http://packetfence.org
<http://packetfence.org>)
On Nov 12, 2020, at 10:55 PM, ypefti--- via PacketFence-users
<packetfence-users@lists.sourceforge.net
<mailto:packetfence-users@lists.sourceforge.net>> wrote:
It is some sort of conspiracy.
No luck at all. Maybe someone will tell me what else to do to
install an external SSL certificate to PF.
The server.key is also there, in the same folder. Do I really need
*.pem file ?
I didn’t receive it from CA. Fine, I converted *.crt to *.pem, still
doesn’t fly.
Why am I getting this error on PF GUI ?
A networking error occurred. Is the API service running?
Eugene
*From:*E.P. <ype...@gmail.com <mailto:ype...@gmail.com>>
*Sent:*Thursday, November 12, 2020 3:03 PM
*To:*'Michael Brown' <michaelbrow...@yahoo.com
<mailto:michaelbrow...@yahoo.com>>;packetfence-users@lists.sourceforge.net
<mailto:packetfence-users@lists.sourceforge.net>
*Subject:*RE: [PacketFence-users] Wildcard SSL certificate
installation on PF
Thank you, Michael.
I did it almost the same way.
What I don’t understand is the logic of PF and Apache integration.
It appears that the original Apache config file, i.e. httpd.conf is
useless and not in use by PF
I will play and explore the SAN attribute in the certificate
Eugene
*From:*Michael Brown <michaelbrow...@yahoo.com
<mailto:michaelbrow...@yahoo.com>>
*Sent:*Thursday, November 12, 2020 1:47 PM
*To:*packetfence-users@lists.sourceforge.net
<mailto:packetfence-users@lists.sourceforge.net>
*Cc:*ype...@gmail.com <mailto:ype...@gmail.com>
*Subject:*Re: [PacketFence-users] Wildcard SSL certificate
installation on PF
I have a wildcard from Digicert and used this to get the cert:
Apache: CSR & SSL Installation (OpenSSL)
<https://www.digicert.com/kb/csr-ssl-installation/apache-openssl.htm>
<image003.png>
<image001.png>
Apache: CSR & SSL Installation (OpenSSL)
Apache: Generating your Apache CSR with OpenSSL and installing your
SSL certificate and Mod_SSL web server confi...
Also, when requesting the duplicate from Digicert it allows you to
enter additional SANs beyond the *.domain.com <http://domain.com/>.
I put mypf.domain.com <http://pf.domain.com/>as one of the SANs when
requesting the duplicate. I also used WinSCP to connect to my
packetfence server to get the csr and key files. I know that's not
needed but just thought I would mention it.
On Thursday, November 12, 2020, 04:29:50 PM EST, ypefti--- via
PacketFence-users <packetfence-users@lists.sourceforge.net
<mailto:packetfence-users@lists.sourceforge.net>> wrote:
More digging, more tries, more frustrations😉
Further to my previous email. I replaced three files from SSL folder
with files that correspond to the new certificated, i.e.
/usr/local/pf/conf/ssl/server.key
/usr/local/pf/conf/ssl/server.crt
/usr/local/pf/conf/ssl/server.pem
PF web interface said bye-bye to me. Why do I see this error in
/usr/local/pf/logs/httpd.webservices.error
Nov 12 13:04:07 pf httpd_webservices_err: AH00558: httpd: Could not
reliably determine the server's fully qualified domain name, using
fe80::250:56ff:fe8a:e674. Set the 'ServerName' directive globally to
suppress this message
What happened to Apache and PF ?
And what drives me mad is the fact that if I put old certificate
files back I still can't login via PF GUI.
Having this error:
A networking error occurred. Is the API service running?
Eugene
-----Original Message-----
From:ype...@gmail.com <mailto:ype...@gmail.com><ype...@gmail.com
<mailto:ype...@gmail.com>>
Sent: Thursday, November 12, 2020 11:26 AM
To:packetfence-users@lists.sourceforge.net
<mailto:packetfence-users@lists.sourceforge.net>
Cc: 'mj' <li...@merit.unu.edu <mailto:li...@merit.unu.edu>>
Subject: RE: [PacketFence-users] Wildcard SSL certificate
installation on PF
Thank you, MJ,
It looks like questions asked here are replied selectively.
At least out of 4 questions that I asked only this one was finally
"noticed" after the resend😉
I wouldn't bother the list with my questions if the procedure is
well documented and works.
The existing documentation mentions only this:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
"Upon PacketFence installation, self-signed certificates will be
created in /usr/local/pf/conf/ssl (server.key and server.crt). Those
certificates can be replaced anytime by your 3rd-party or existing
wild card certificate without problems. Please note that the CN
(Common Name) needs to be the same as the one defined in the
PacketFence configuration file (pf.conf)."
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
This is very confusing. We all know that CN in the wildcard
certificate looks like this:
*.example.com <http://example.com/>
How would I make use of it with PF ?
If you refer me to Let's Encrypt certificates should I understand
that I need to do it fromwww.sslforfree.com
<http://www.sslforfree.com/>And what's the correct procedure to
install an SSL certificate to PF. Never saw it in the documentation.
I need it for a captive portal.
Eugene
-----Original Message-----
From: mj via PacketFence-users
<packetfence-users@lists.sourceforge.net
<mailto:packetfence-users@lists.sourceforge.net>>
Sent: Wednesday, November 11, 2020 1:38 AM
To:packetfence-users@lists.sourceforge.net
<mailto:packetfence-users@lists.sourceforge.net>
Cc: mj <li...@merit.unu.edu <mailto:li...@merit.unu.edu>>
Subject: Re: [PacketFence-users] Wildcard SSL certificate
installation on PF
Hi Eugene,
The list has always been alive, from where we are. :-)
Anyway: I would encourage you to take a look a Let's Encrypt
certificates with packetfence. I think they are a bit more secure
than a wildcard certificate, plus they are free and work very well.
(there are some threads on this mailinglist on that subject)
Good luck,
MJ
On 11/10/20 5:31 PM, E.P. via PacketFence-users wrote:
> Since this group suddenly became alive I dare asking my previous again
>😉
>
> How would I install a wildcard SSL certificate on PF, see more details
> below
>
> Eugene
>
> *From:* E.P. <ype...@gmail.com <mailto:ype...@gmail.com>>
> *Sent:* Saturday, October 31, 2020 2:43 PM
> *To:*packetfence-users@lists.sourceforge.net
<mailto:packetfence-users@lists.sourceforge.net>
> *Subject:* Wildcard SSL certificate installation on PF
>
> Guys,
>
> I’m trying to overcome the issue with a self-signed SSL certificate
> that PF offers to WiFi authentication via captive portal.
>
> This a certificate that is in use by HTTPS sessions
>
> Certificate/Key match
>
> Chain is invalid
>
> common_name
>
> 127.0.0.1, emailAddress=supp...@inverse.ca <mailto:supp...@inverse.ca>
> <mailto:emailAddress=supp...@inverse.ca <mailto:supp...@inverse.ca>>
>
> issuer
>
> C=CA, ST=QC, L=Montreal, O=Inverse, CN=127.0.0.1,
> emailAddress=supp...@inverse.ca <mailto:supp...@inverse.ca>
> <mailto:emailAddress=supp...@inverse.ca <mailto:supp...@inverse.ca>>
>
> not_after
>
> Oct 7 15:29:09 2021 GMT
>
> not_before
>
> Oct 7 15:29:09 2020 GMT
>
> serial
>
> A500DC03671C0E35
>
> subject
>
> C=CA, ST=QC, L=Montreal, O=Inverse, CN=127.0.0.1,
> emailAddress=supp...@inverse.ca <mailto:supp...@inverse.ca>
> <mailto:emailAddress=supp...@inverse.ca <mailto:supp...@inverse.ca>>
>
> Is there any way to import and install a company wild card SSL
> certificate into PF
>
> Eugene
>
>
>
> _______________________________________________
> PacketFence-users mailing list
>PacketFence-users@lists.sourceforge.net
<mailto:PacketFence-users@lists.sourceforge.net>
>https://lists.sourceforge.net/lists/listinfo/packetfence-users
<https://lists.sourceforge.net/lists/listinfo/packetfence-users>
>
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
<mailto:PacketFence-users@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
<https://lists.sourceforge.net/lists/listinfo/packetfence-users>
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
<mailto:PacketFence-users@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
<https://lists.sourceforge.net/lists/listinfo/packetfence-users>
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
<mailto:PacketFence-users@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
<https://lists.sourceforge.net/lists/listinfo/packetfence-users>
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users