Thank you, Michael.

I did it almost the same way. 

What I don't understand is the logic of PF and Apache integration.

It appears that the original Apache config file, i.e. httpd.conf, is useless and 
not in use by PF.

I will play and explore the SAN attribute in the certificate.

Eugene

From: Michael Brown <michaelbrow...@yahoo.com> 
Sent: Thursday, November 12, 2020 1:47 PM
To: packetfence-users@lists.sourceforge.net
Cc: ype...@gmail.com
Subject: Re: [PacketFence-users] Wildcard SSL certificate installation on PF

 

I have a wildcard from Digicert and used this to get the cert:

Apache: CSR & SSL Installation (OpenSSL)
<https://www.digicert.com/kb/csr-ssl-installation/apache-openssl.htm>

Also, when requesting the duplicate from Digicert it allows you to enter 
additional SANs beyond the *.domain.com.  I put my pf.domain.com as one of the 
SANs when requesting the duplicate.  I also used WinSCP to connect to my 
packetfence server to get the csr and key files.  I know that's not needed but 
just thought I would mention it.  

 

 

 

 

On Thursday, November 12, 2020, 04:29:50 PM EST, ypefti--- via 
PacketFence-users <packetfence-users@lists.sourceforge.net> wrote: 

More digging, more tries, more frustrations 😉
Further to my previous email. I replaced three files from SSL folder with files 
that correspond to the new certificate, i.e.
/usr/local/pf/conf/ssl/server.key
/usr/local/pf/conf/ssl/server.crt
/usr/local/pf/conf/ssl/server.pem

PF web interface said bye-bye to me. Why do I see this error in 
/usr/local/pf/logs/httpd.webservices.error?

Nov 12 13:04:07 pf httpd_webservices_err: AH00558: httpd: Could not reliably 
determine the server's fully qualified domain name, using 
fe80::250:56ff:fe8a:e674. Set the 'ServerName' directive globally to suppress 
this message

What happened to Apache and PF?

And what drives me mad is the fact that if I put old certificate files back I 
still can't login via PF GUI.
Having this error:

A networking error occurred. Is the API service running?

Eugene


-----Original Message-----
From: ype...@gmail.com <ype...@gmail.com>
Sent: Thursday, November 12, 2020 11:26 AM
To: packetfence-users@lists.sourceforge.net
Cc: 'mj' <li...@merit.unu.edu>
Subject: RE: [PacketFence-users] Wildcard SSL certificate installation on PF

Thank you, MJ,
It looks like questions asked here are replied to selectively.
At least out of 4 questions that I asked only this one was finally "noticed" 
after the resend 😉
I wouldn't bother the list with my questions if the procedure is well 
documented and works.
The existing documentation mentions only this:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
"Upon PacketFence installation, self-signed certificates will be created in 
/usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be 
replaced anytime by your 3rd-party or existing wild card certificate without 
problems. Please note that the CN (Common Name) needs to be the same as the one 
defined in the PacketFence configuration file (pf.conf)."
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

This is very confusing. We all know that CN in the wildcard certificate looks 
like this:
*.example.com
How would I make use of it with PF?

If you refer me to Let's Encrypt certificates, should I understand that I need 
to do it from www.sslforfree.com? And what's the correct procedure to install an 
SSL certificate to PF? Never saw it in the documentation.
I need it for a captive portal.

Eugene

-----Original Message-----
From: mj via PacketFence-users <packetfence-users@lists.sourceforge.net>
Sent: Wednesday, November 11, 2020 1:38 AM
To: packetfence-users@lists.sourceforge.net
Cc: mj <li...@merit.unu.edu>
Subject: Re: [PacketFence-users] Wildcard SSL certificate installation on PF

Hi Eugene,

The list has always been alive, from where we are. :-)

Anyway: I would encourage you to take a look at Let's Encrypt certificates with 
packetfence. I think they are a bit more secure than a wildcard certificate, 
plus they are free and work very well.

(there are some threads on this mailing list on that subject)

Good luck,
MJ

On 11/10/20 5:31 PM, E.P. via PacketFence-users wrote:
> Since this group suddenly became alive I dare asking my previous again 😉
> 
> How would I install a wildcard SSL certificate on PF, see more details 
> below
> 
> Eugene
> 
> *From:* E.P. <ype...@gmail.com>
> *Sent:* Saturday, October 31, 2020 2:43 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Subject:* Wildcard SSL certificate installation on PF
> 
> Guys,
> 
> I'm trying to overcome the issue with a self-signed SSL certificate 
> that PF offers to WiFi authentication via captive portal.
> 
> This is a certificate that is in use by HTTPS sessions
> 
> Certificate/Key match
> Chain is invalid
> 
> common_name: 127.0.0.1, emailAddress=supp...@inverse.ca
> issuer: C=CA, ST=QC, L=Montreal, O=Inverse, CN=127.0.0.1, emailAddress=supp...@inverse.ca
> not_after: Oct 7 15:29:09 2021 GMT
> not_before: Oct 7 15:29:09 2020 GMT
> serial: A500DC03671C0E35
> subject: C=CA, ST=QC, L=Montreal, O=Inverse, CN=127.0.0.1, emailAddress=supp...@inverse.ca
> 
> Is there any way to import and install a company wild card SSL 
> certificate into PF?
> 
> Eugene
> 
> 
> 
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net 
> <mailto:PacketFence-users@lists.sourceforge.net> 
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
> 



_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
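
The thread turns on whether a wildcard certificate (`*.domain.com`, optionally reissued with `pf.domain.com` as an extra SAN) covers the name clients use to reach the PF server. The following is an added example, not part of any message above and not PacketFence code: it reads the SAN list out of `openssl x509 -noout -text` output and applies RFC 6125-style wildcard matching. The certificate text is constructed and the function names are hypothetical.

```python
import re

# Constructed excerpt of `openssl x509 -in server.crt -noout -text` output for a
# wildcard certificate reissued with one extra SAN (names are placeholders).
SAMPLE_CERT_TEXT = """\
        Subject: C = US, O = Example Corp, CN = *.domain.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:*.domain.com, DNS:pf.domain.com
"""

def san_dns_names(cert_text):
    """Return the DNS entries of the subjectAltName extension, lower-cased."""
    m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)", cert_text)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",")]
    return [e[4:].lower() for e in entries if e.startswith("DNS:")]

def name_matches(pattern, host):
    """RFC 6125-style match: '*' may stand only for the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False          # a wildcard never spans more or fewer labels
    if p_labels[0] == "*":
        return len(p_labels) > 2 and bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def covering_names(cert_text, host):
    """List the SAN entries that make the certificate valid for `host`."""
    if re.fullmatch(r"[0-9.]+|.*:.*", host):
        return []             # IP literals need an IP SAN; DNS names never match
    return [n for n in san_dns_names(cert_text) if name_matches(n, host)]

if __name__ == "__main__":
    for h in ("pf.domain.com", "portal.domain.com", "domain.com",
              "pf.lab.domain.com", "127.0.0.1"):
        print(f"{h:20} -> {covering_names(SAMPLE_CERT_TEXT, h) or 'NOT covered'}")
```

The wildcard covers any single-label host under `domain.com`, but not the bare domain, deeper subdomains, or an IP address such as the `127.0.0.1` in the default self-signed certificate.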
