Guys, Can I hope for any hint of assistance here ?
What changes would I need to do to have the server identified by the name and not the IP address ? Eugene From: ype...@gmail.com <ype...@gmail.com> Sent: Friday, November 13, 2020 12:15 PM To: 'Ludovic Zammit' <lzam...@inverse.ca>; packetfence-users@lists.sourceforge.net Subject: RE: [PacketFence-users] Wildcard SSL certificate installation on PF Disregard my last, Ludovic. It was stupid Firefox browser that somehow cached the old certificate. Logged into the PF web admin GUI via Chrome and the certificate shows as good. But…. This was just a precursor to the task that we need to cover with an SSL certificate. So, when the guest WiFi user associates to a guest SSID their device sees the certificate issued to a host with IP address But the details of this certificate show the correct subject name (CN) which is linked to FQDN as shown below My question now is where in the captive portal I can change the IP address to FQDN ? Eugene From: ype...@gmail.com <mailto:ype...@gmail.com> <ype...@gmail.com <mailto:ype...@gmail.com> > Sent: Friday, November 13, 2020 10:40 AM To: 'Ludovic Zammit' <lzam...@inverse.ca <mailto:lzam...@inverse.ca> >; packetfence-users@lists.sourceforge.net <mailto:packetfence-users@lists.sourceforge.net> Subject: RE: [PacketFence-users] Wildcard SSL certificate installation on PF Thank you, Ludovic, I prepared certificate files almost exactly like you described. Just changed the order of certificates in the server.pem file as per your instruction. Well, apparently it made the trick. I can now hit PF via a standard URL, i.e. https//pf.domain.xxx/ and it shows the valid new SSL certificate. But the web admin interface via 1443 is still using a self-signed certificate. Where would I change this behavior ? Nothing in this file to catch my eye /usr/local/pf/conf/haproxy-admin.conf Eugene From: Ludovic Zammit <lzam...@inverse.ca <mailto:lzam...@inverse.ca> > Sent: Friday, November 13, 2020 4:30 AM To: packetfence-users@lists.sourceforge.net <mailto:packetfence-users@lists.sourceforge.net> Cc: ype...@gmail.com <mailto:ype...@gmail.com> Subject: Re: [PacketFence-users] Wildcard SSL certificate installation on PF Hello there, Use of certificates in PF. PF Version prior 10: Captive portal = /usr/local/pf/conf/ssl/server.pem (Private Key + Cert + intermediate) Configuration: /usr/local/pf/conf/haproxy-portal.conf Web admin = /usr/local/pf/conf/ssl//server.crt (Certificate) /usr/local/pf/raddb/certs/server.key (Private key) /usr/local/pf/raddb/certs/intermediates.crt (Intermediates) Configuration: /usr/local/pf/conf/httpd.conf.d/ssl-certificates.conf RADIUS = /usr/local/pf/raddb/certs/server.crt (Certificate) /usr/local/pf/raddb/certs/server.key (Private key) /usr/local/pf/raddb/certs/ca.pem (Root CA for EAP TLS) Configuration: /usr/local/pf/conf/radiusd/eap.conf PF Version 10: Captive portal = /usr/local/pf/conf/ssl/server.pem (Private Key + Cert + intermediate) Configuration: /usr/local/pf/conf/haproxy-portal.conf Web admin = /usr/local/pf/conf/ssl/server.pem (Private Key + Cert + intermediate) Configuration: /usr/local/pf/conf/haproxy-admin.conf RADIUS = /usr/local/pf/raddb/certs/server.crt (Certificate) /usr/local/pf/raddb/certs/server.key (Private key) /usr/local/pf/raddb/certs/ca.pem (Root CA for EAP TLS) Configuration: /usr/local/pf/conf/radiusd/eap.conf Hope it shed some light. Thanks, Ludovic Zammit lzam...@inverse.ca <mailto:lzam...@inverse.ca> :: +1.514.447.4918 (x145) :: www.inverse.ca <http://www.inverse.ca> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org) On Nov 12, 2020, at 10:55 PM, ypefti--- via PacketFence-users <packetfence-users@lists.sourceforge.net <mailto:packetfence-users@lists.sourceforge.net> > wrote: It is some sort of conspiracy. No luck at all. Maybe someone will tell me what else to do to install an external SSL certificate to PF. The server.key is also there, in the same folder. Do I really need *.pem file ? I didn’t receive it from CA. Fine, I converted *.crt to *.pem, still doesn’t fly. Why am I getting this error on PF GUI ? A networking error occurred. Is the API service running? Eugene From: E.P. <ype...@gmail.com <mailto:ype...@gmail.com> > Sent: Thursday, November 12, 2020 3:03 PM To: 'Michael Brown' <michaelbrow...@yahoo.com <mailto:michaelbrow...@yahoo.com> >; packetfence-users@lists.sourceforge.net <mailto:packetfence-users@lists.sourceforge.net> Subject: RE: [PacketFence-users] Wildcard SSL certificate installation on PF Thank you, Michael. I did it almost the same way. What I don’t understand is the logic of PF and Apache integration. It appears that the original Apache config file, i.e. httpd.conf is useless and not in use by PF I will play and explore the SAN attribute in the certificate Eugene From: Michael Brown <michaelbrow...@yahoo.com <mailto:michaelbrow...@yahoo.com> > Sent: Thursday, November 12, 2020 1:47 PM To: packetfence-users@lists.sourceforge.net <mailto:packetfence-users@lists.sourceforge.net> Cc: ype...@gmail.com <mailto:ype...@gmail.com> Subject: Re: [PacketFence-users] Wildcard SSL certificate installation on PF I have a wildcard from Digicert and used this to get the cert: <https://www.digicert.com/kb/csr-ssl-installation/apache-openssl.htm> Apache: CSR & SSL Installation (OpenSSL) <image003.png> <image001.png> Apache: CSR & SSL Installation (OpenSSL) Apache: Generating your Apache CSR with OpenSSL and installing your SSL certificate and Mod_SSL web server confi... Also, when requesting the duplicate from Digicert it allows you to enter additional SANs beyond the *.domain.com <http://domain.com/> . I put my pf.domain.com <http://pf.domain.com/> as one of the SANs when requesting the duplicate. I also used WinSCP to connect to my packetfence server to get the csr and key files. I know that's not needed but just thought I would mention it. On Thursday, November 12, 2020, 04:29:50 PM EST, ypefti--- via PacketFence-users < <mailto:packetfence-users@lists.sourceforge.net> packetfence-users@lists.sourceforge.net> wrote: More digging, more tries, more frustrations 😉 Further to my previous email. I replaced three files from SSL folder with files that correspond to the new certificated, i.e. /usr/local/pf/conf/ssl/server.key /usr/local/pf/conf/ssl/server.crt /usr/local/pf/conf/ssl/server.pem PF web interface said bye-bye to me. Why do I see this error in /usr/local/pf/logs/httpd.webservices.error Nov 12 13:04:07 pf httpd_webservices_err: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::250:56ff:fe8a:e674. Set the 'ServerName' directive globally to suppress this message What happened to Apache and PF ? And what drives me mad is the fact that if I put old certificate files back I still can't login via PF GUI. Having this error: A networking error occurred. Is the API service running? Eugene -----Original Message----- From: <mailto:ype...@gmail.com> ype...@gmail.com < <mailto:ype...@gmail.com> ype...@gmail.com> Sent: Thursday, November 12, 2020 11:26 AM To: <mailto:packetfence-users@lists.sourceforge.net> packetfence-users@lists.sourceforge.net Cc: 'mj' < <mailto:li...@merit.unu.edu> li...@merit.unu.edu> Subject: RE: [PacketFence-users] Wildcard SSL certificate installation on PF Thank you, MJ, It looks like questions asked here are replied selectively. At least out of 4 questions that I asked only this one was finally "noticed" after the resend 😉 I wouldn't bother the list with my questions if the procedure is well documented and works. The existing documentation mentions only this: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ "Upon PacketFence installation, self-signed certificates will be created in /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be replaced anytime by your 3rd-party or existing wild card certificate without problems. Please note that the CN (Common Name) needs to be the same as the one defined in the PacketFence configuration file (pf.conf)." ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ This is very confusing. We all know that CN in the wildcard certificate looks like this: *.example.com <http://example.com/> How would I make use of it with PF ? If you refer me to Let's Encrypt certificates should I understand that I need to do it from <http://www.sslforfree.com/> www.sslforfree.com And what's the correct procedure to install an SSL certificate to PF. Never saw it in the documentation. I need it for a captive portal. Eugene -----Original Message----- From: mj via PacketFence-users < <mailto:packetfence-users@lists.sourceforge.net> packetfence-users@lists.sourceforge.net> Sent: Wednesday, November 11, 2020 1:38 AM To: <mailto:packetfence-users@lists.sourceforge.net> packetfence-users@lists.sourceforge.net Cc: mj < <mailto:li...@merit.unu.edu> li...@merit.unu.edu> Subject: Re: [PacketFence-users] Wildcard SSL certificate installation on PF Hi Eugene, The list has always been alive, from where we are. :-) Anyway: I would encourage you to take a look a Let's Encrypt certificates with packetfence. I think they are a bit more secure than a wildcard certificate, plus they are free and work very well. (there are some threads on this mailinglist on that subject) Good luck, MJ On 11/10/20 5:31 PM, E.P. via PacketFence-users wrote: > Since this group suddenly became alive I dare asking my previous again > 😉 > > How would I install a wildcard SSL certificate on PF, see more details > below > > Eugene > > *From:* E.P. < <mailto:ype...@gmail.com> ype...@gmail.com> > *Sent:* Saturday, October 31, 2020 2:43 PM > *To:* <mailto:packetfence-users@lists.sourceforge.net> > packetfence-users@lists.sourceforge.net > *Subject:* Wildcard SSL certificate installation on PF > > Guys, > > I’m trying to overcome the issue with a self-signed SSL certificate > that PF offers to WiFi authentication via captive portal. > > This a certificate that is in use by HTTPS sessions > > Certificate/Key match > > Chain is invalid > > common_name > > 127.0.0.1, emailAddress= <mailto:supp...@inverse.ca> supp...@inverse.ca > <mailto:emailAddress= <mailto:supp...@inverse.ca> supp...@inverse.ca> > > issuer > > C=CA, ST=QC, L=Montreal, O=Inverse, CN=127.0.0.1, > emailAddress= <mailto:supp...@inverse.ca> supp...@inverse.ca > <mailto:emailAddress= <mailto:supp...@inverse.ca> supp...@inverse.ca> > > not_after > > Oct 7 15:29:09 2021 GMT > > not_before > > Oct 7 15:29:09 2020 GMT > > serial > > A500DC03671C0E35 > > subject > > C=CA, ST=QC, L=Montreal, O=Inverse, CN=127.0.0.1, > emailAddress= <mailto:supp...@inverse.ca> supp...@inverse.ca > <mailto:emailAddress= <mailto:supp...@inverse.ca> supp...@inverse.ca> > > Is there any way to import and install a company wild card SSL > certificate into PF > > Eugene > > > > _______________________________________________ > PacketFence-users mailing list > <mailto:PacketFence-users@lists.sourceforge.net> > PacketFence-users@lists.sourceforge.net > <https://lists.sourceforge.net/lists/listinfo/packetfence-users> > https://lists.sourceforge.net/lists/listinfo/packetfence-users > _______________________________________________ PacketFence-users mailing list <mailto:PacketFence-users@lists.sourceforge.net> PacketFence-users@lists.sourceforge.net <https://lists.sourceforge.net/lists/listinfo/packetfence-users> https://lists.sourceforge.net/lists/listinfo/packetfence-users _______________________________________________ PacketFence-users mailing list <mailto:PacketFence-users@lists.sourceforge.net> PacketFence-users@lists.sourceforge.net <https://lists.sourceforge.net/lists/listinfo/packetfence-users> https://lists.sourceforge.net/lists/listinfo/packetfence-users _______________________________________________ PacketFence-users mailing list <mailto:PacketFence-users@lists.sourceforge.net> PacketFence-users@lists.sourceforge.net <https://lists.sourceforge.net/lists/listinfo/packetfence-users> https://lists.sourceforge.net/lists/listinfo/packetfence-users
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
