Disregard my last, Ludovic.

It was stupid Firefox browser that somehow cached the old certificate.

Logged into the PF web admin GUI via Chrome and the certificate shows as good.

But…. This was just a precursor to the task that we need to cover with an SSL 
certificate.

So, when the guest WiFi user associates to a guest SSID their device sees the 
certificate issued to a host with IP address

 



 

But the details of this certificate show the correct subject name (CN) which is 
linked to FQDN as shown below

 



 

My question now is where in the captive portal I can change the IP address to 
FQDN ?

 

Eugene

 

 

From: ype...@gmail.com <ype...@gmail.com> 
Sent: Friday, November 13, 2020 10:40 AM
To: 'Ludovic Zammit' <lzam...@inverse.ca>; 
packetfence-users@lists.sourceforge.net
Subject: RE: [PacketFence-users] Wildcard SSL certificate installation on PF

 

Thank you, Ludovic,

I prepared certificate files almost exactly like you described.

Just changed the order of certificates in the server.pem file as per your 
instruction.

Well, apparently it made the trick. I can now hit PF via a standard URL, i.e. 
https//pf.domain.xxx/ and it shows the valid new SSL certificate.

But the web admin interface via 1443 is still using a self-signed certificate.

Where would I change this behavior ?

Nothing in this file to catch my eye

/usr/local/pf/conf/haproxy-admin.conf

 

Eugene

 

From: Ludovic Zammit <lzam...@inverse.ca <mailto:lzam...@inverse.ca> > 
Sent: Friday, November 13, 2020 4:30 AM
To: packetfence-users@lists.sourceforge.net 
<mailto:packetfence-users@lists.sourceforge.net> 
Cc: ype...@gmail.com <mailto:ype...@gmail.com> 
Subject: Re: [PacketFence-users] Wildcard SSL certificate installation on PF

 

Hello there,

 

Use of certificates in PF.

 

PF Version prior 10:

 

Captive portal = /usr/local/pf/conf/ssl/server.pem (Private Key + Cert + 
intermediate)

 

Configuration: /usr/local/pf/conf/haproxy-portal.conf

 

Web admin = /usr/local/pf/conf/ssl//server.crt (Certificate)

                      /usr/local/pf/raddb/certs/server.key (Private key)

                     /usr/local/pf/raddb/certs/intermediates.crt (Intermediates)

 

Configuration: /usr/local/pf/conf/httpd.conf.d/ssl-certificates.conf

 

RADIUS = /usr/local/pf/raddb/certs/server.crt (Certificate)

                 /usr/local/pf/raddb/certs/server.key (Private key)

                /usr/local/pf/raddb/certs/ca.pem (Root CA for EAP TLS)

 

Configuration: /usr/local/pf/conf/radiusd/eap.conf

 

PF Version 10:

 

Captive portal = /usr/local/pf/conf/ssl/server.pem (Private Key + Cert + 
intermediate)

 

Configuration: /usr/local/pf/conf/haproxy-portal.conf

 

Web admin = /usr/local/pf/conf/ssl/server.pem (Private Key + Cert + 
intermediate)

 

Configuration: /usr/local/pf/conf/haproxy-admin.conf

 

RADIUS = /usr/local/pf/raddb/certs/server.crt (Certificate)

                 /usr/local/pf/raddb/certs/server.key (Private key)

                /usr/local/pf/raddb/certs/ca.pem (Root CA for EAP TLS)

 

Configuration: /usr/local/pf/conf/radiusd/eap.conf

 

Hope it shed some light.

 

Thanks,


Ludovic Zammit
lzam...@inverse.ca <mailto:lzam...@inverse.ca>  ::  +1.514.447.4918 (x145) ::  
www.inverse.ca <http://www.inverse.ca> 
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 

 

 

 

On Nov 12, 2020, at 10:55 PM, ypefti--- via PacketFence-users 
<packetfence-users@lists.sourceforge.net 
<mailto:packetfence-users@lists.sourceforge.net> > wrote:

 

It is some sort of conspiracy.

No luck at all. Maybe someone will tell me what else to do to install an 
external SSL certificate to PF. 

The server.key is also there, in the same folder. Do I really need *.pem file ?

I didn’t receive it from CA. Fine, I converted *.crt to *.pem, still doesn’t 
fly.

Why am I getting this error on PF GUI ?

 

A networking error occurred. Is the API service running?

 

Eugene

 

From: E.P. <ype...@gmail.com <mailto:ype...@gmail.com> > 
Sent: Thursday, November 12, 2020 3:03 PM
To: 'Michael Brown' <michaelbrow...@yahoo.com <mailto:michaelbrow...@yahoo.com> 
>; packetfence-users@lists.sourceforge.net 
<mailto:packetfence-users@lists.sourceforge.net> 
Subject: RE: [PacketFence-users] Wildcard SSL certificate installation on PF

 

Thank you, Michael.

I did it almost the same way. 

What I don’t understand is the logic of PF and Apache integration.

It appears that the original Apache config file, i.e. httpd.conf is useless and 
not in use by PF

I will play and explore the SAN attribute in the certificate

 

Eugene

 

From: Michael Brown <michaelbrow...@yahoo.com <mailto:michaelbrow...@yahoo.com> 
> 
Sent: Thursday, November 12, 2020 1:47 PM
To: packetfence-users@lists.sourceforge.net 
<mailto:packetfence-users@lists.sourceforge.net> 
Cc: ype...@gmail.com <mailto:ype...@gmail.com> 
Subject: Re: [PacketFence-users] Wildcard SSL certificate installation on PF

 

I have a wildcard from Digicert and used this to get the cert:

 <https://www.digicert.com/kb/csr-ssl-installation/apache-openssl.htm> Apache: 
CSR & SSL Installation (OpenSSL)

 



<image003.png> 





<image001.png>


        

Apache: CSR & SSL Installation (OpenSSL)


Apache: Generating your Apache CSR with OpenSSL and installing your SSL 
certificate and Mod_SSL web server confi...

 

 

Also, when requesting the duplicate from Digicert it allows you to enter 
additional SANs beyond the *.domain.com <http://domain.com/> .  I put my 
pf.domain.com <http://pf.domain.com/>  as one of the SANs when requesting the 
duplicate.  I also used WinSCP to connect to my packetfence server to get the 
csr and key files.  I know that's not needed but just thought I would mention 
it.  

 

 

 

 

On Thursday, November 12, 2020, 04:29:50 PM EST, ypefti--- via 
PacketFence-users < <mailto:packetfence-users@lists.sourceforge.net> 
packetfence-users@lists.sourceforge.net> wrote: 

 

 

More digging, more tries, more frustrations 😉
Further to my previous email. I replaced three files from SSL folder with files 
that correspond to the new certificated, i.e.
/usr/local/pf/conf/ssl/server.key
/usr/local/pf/conf/ssl/server.crt
/usr/local/pf/conf/ssl/server.pem

PF web interface said bye-bye to me. Why do I see this error in 
/usr/local/pf/logs/httpd.webservices.error

Nov 12 13:04:07 pf httpd_webservices_err: AH00558: httpd: Could not reliably 
determine the server's fully qualified domain name, using 
fe80::250:56ff:fe8a:e674. Set the 'ServerName' directive globally to suppress 
this message

What happened to Apache and PF ?

And what drives me mad is the fact that if I put old certificate files back I 
still can't login via PF GUI.
Having this error:

A networking error occurred. Is the API service running?

Eugene


-----Original Message-----
From:  <mailto:ype...@gmail.com> ype...@gmail.com < <mailto:ype...@gmail.com> 
ype...@gmail.com> 
Sent: Thursday, November 12, 2020 11:26 AM
To:  <mailto:packetfence-users@lists.sourceforge.net> 
packetfence-users@lists.sourceforge.net
Cc: 'mj' < <mailto:li...@merit.unu.edu> li...@merit.unu.edu>
Subject: RE: [PacketFence-users] Wildcard SSL certificate installation on PF

Thank you, MJ,
It looks like questions asked here are replied selectively.
At least out of 4 questions that I asked only this one was finally "noticed" 
after the resend 😉
I wouldn't bother the list with my questions if the procedure is well 
documented and works.
The existing documentation mentions only this:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
"Upon PacketFence installation, self-signed certificates will be created in 
/usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be 
replaced anytime by your 3rd-party or existing wild card certificate without 
problems. Please note that the CN (Common Name) needs to be the same as the one 
defined in the PacketFence configuration file (pf.conf)."
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

This is very confusing. We all know that CN in the wildcard certificate looks 
like this:
*.example.com <http://example.com/> 
How would I make use of it with PF ?

If you refer me to Let's Encrypt certificates should I understand that I need 
to do it from  <http://www.sslforfree.com/> www.sslforfree.com And what's the 
correct procedure to install an SSL certificate to PF. Never saw it in the 
documentation.
I need it for a captive portal.

Eugene

-----Original Message-----
From: mj via PacketFence-users < 
<mailto:packetfence-users@lists.sourceforge.net> 
packetfence-users@lists.sourceforge.net>
Sent: Wednesday, November 11, 2020 1:38 AM
To:  <mailto:packetfence-users@lists.sourceforge.net> 
packetfence-users@lists.sourceforge.net
Cc: mj < <mailto:li...@merit.unu.edu> li...@merit.unu.edu>
Subject: Re: [PacketFence-users] Wildcard SSL certificate installation on PF

Hi Eugene,

The list has always been alive, from where we are. :-)

Anyway: I would encourage you to take a look a Let's Encrypt certificates with 
packetfence. I think they are a bit more secure than a wildcard certificate, 
plus they are free and work very well.

(there are some threads on this mailinglist on that subject)

Good luck,
MJ

On 11/10/20 5:31 PM, E.P. via PacketFence-users wrote:
> Since this group suddenly became alive I dare asking my previous again
> 😉
> 
> How would I install a wildcard SSL certificate on PF, see more details 
> below
> 
> Eugene
> 
> *From:* E.P. < <mailto:ype...@gmail.com> ype...@gmail.com>
> *Sent:* Saturday, October 31, 2020 2:43 PM
> *To:*  <mailto:packetfence-users@lists.sourceforge.net> 
> packetfence-users@lists.sourceforge.net
> *Subject:* Wildcard SSL certificate installation on PF
> 
> Guys,
> 
> I’m trying to overcome the issue with a self-signed SSL certificate 
> that PF offers to WiFi authentication via captive portal.
> 
> This a certificate that is in use by HTTPS sessions
> 
> Certificate/Key match
> 
> Chain is invalid
> 
> common_name
> 
> 127.0.0.1, emailAddress= <mailto:supp...@inverse.ca> supp...@inverse.ca 
> <mailto:emailAddress= <mailto:supp...@inverse.ca> supp...@inverse.ca>
> 
> issuer
> 
> C=CA, ST=QC, L=Montreal, O=Inverse, CN=127.0.0.1, 
> emailAddress= <mailto:supp...@inverse.ca> supp...@inverse.ca 
> <mailto:emailAddress= <mailto:supp...@inverse.ca> supp...@inverse.ca>
> 
> not_after
> 
> Oct 7 15:29:09 2021 GMT
> 
> not_before
> 
> Oct 7 15:29:09 2020 GMT
> 
> serial
> 
> A500DC03671C0E35
> 
> subject
> 
> C=CA, ST=QC, L=Montreal, O=Inverse, CN=127.0.0.1, 
> emailAddress= <mailto:supp...@inverse.ca> supp...@inverse.ca 
> <mailto:emailAddress= <mailto:supp...@inverse.ca> supp...@inverse.ca>
> 
> Is there any way to import and install a company wild card SSL 
> certificate into PF
> 
> Eugene
> 
> 
> 
> _______________________________________________
> PacketFence-users mailing list
>  <mailto:PacketFence-users@lists.sourceforge.net> 
> PacketFence-users@lists.sourceforge.net
>  <https://lists.sourceforge.net/lists/listinfo/packetfence-users> 
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
> 


_______________________________________________
PacketFence-users mailing list
 <mailto:PacketFence-users@lists.sourceforge.net> 
PacketFence-users@lists.sourceforge.net
 <https://lists.sourceforge.net/lists/listinfo/packetfence-users> 
https://lists.sourceforge.net/lists/listinfo/packetfence-users




_______________________________________________
PacketFence-users mailing list
 <mailto:PacketFence-users@lists.sourceforge.net> 
PacketFence-users@lists.sourceforge.net
 <https://lists.sourceforge.net/lists/listinfo/packetfence-users> 
https://lists.sourceforge.net/lists/listinfo/packetfence-users

_______________________________________________
PacketFence-users mailing list
 <mailto:PacketFence-users@lists.sourceforge.net> 
PacketFence-users@lists.sourceforge.net
 <https://lists.sourceforge.net/lists/listinfo/packetfence-users> 
https://lists.sourceforge.net/lists/listinfo/packetfence-users

 

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Reply via email to