Re: [PacketFence-users] Wildcard SSL certificate installation on PF

2020-11-17 Thread mj via PacketFence-users

Hi,

Just to ask: Are you aware that PacketFence has built-in LE certificate 
management?

(somewhere in the settings menus)

I think it should auto-generate and install certs for both the web 
interface and radius.


MJ

On 11/17/20 4:24 AM, E.P. via PacketFence-users wrote:

Guys,

Can I hope for any hint of assistance here ?

What changes would I need to do to have the server identified by the 
name and not the IP address ?


Eugene

*From:* ype...@gmail.com 
*Sent:* Friday, November 13, 2020 12:15 PM
*To:* 'Ludovic Zammit' ; 
packetfence-users@lists.sourceforge.net
*Subject:* RE: [PacketFence-users] Wildcard SSL certificate installation 
on PF


Disregard my last, Ludovic.

It was the stupid Firefox browser that somehow cached the old certificate.

Logged into the PF web admin GUI via Chrome and the certificate shows as 
good.


But…. This was just a precursor to the task that we need to cover with 
an SSL certificate.


So, when the guest WiFi user associates to a guest SSID their device 
sees the certificate issued to a host with IP address


But the details of this certificate show the correct subject name (CN) 
which is linked to FQDN as shown below


My question now is where in the captive portal I can change the IP 
address to FQDN ?


Eugene

*From:* ype...@gmail.com <mailto:ype...@gmail.com>

*Sent:* Friday, November 13, 2020 10:40 AM
*To:* 'Ludovic Zammit' <mailto:lzam...@inverse.ca>; 
packetfence-users@lists.sourceforge.net 
<mailto:packetfence-users@lists.sourceforge.net>
*Subject:* RE: [PacketFence-users] Wildcard SSL certificate installation 
on PF


Thank you, Ludovic,

I prepared certificate files almost exactly like you described.

Just changed the order of certificates in the server.pem file as per 
your instruction.


Well, apparently it made the trick. I can now hit PF via a standard URL, 
i.e. https://pf.domain.xxx/ and it shows the valid new SSL certificate.


But the web admin interface via 1443 is still using a self-signed 
certificate.


Where would I change this behavior ?

Nothing in this file to catch my eye

/usr/local/pf/conf/haproxy-admin.conf

Eugene

*From:* Ludovic Zammit <mailto:lzam...@inverse.ca>
*Sent:* Friday, November 13, 2020 4:30 AM
*To:* packetfence-users@lists.sourceforge.net 
<mailto:packetfence-users@lists.sourceforge.net>

*Cc:* ype...@gmail.com <mailto:ype...@gmail.com>
*Subject:* Re: [PacketFence-users] Wildcard SSL certificate installation 
on PF


Hello there,

Use of certificates in PF.

PF Version prior to 10:

Captive portal = /usr/local/pf/conf/ssl/server.pem (Private Key + Cert + intermediate)
Configuration: /usr/local/pf/conf/haproxy-portal.conf

Web admin = /usr/local/pf/conf/ssl//server.crt (Certificate)
            /usr/local/pf/raddb/certs/server.key (Private key)
            /usr/local/pf/raddb/certs/intermediates.crt (Intermediates)
Configuration: /usr/local/pf/conf/httpd.conf.d/ssl-certificates.conf

RADIUS = /usr/local/pf/raddb/certs/server.crt (Certificate)
         /usr/local/pf/raddb/certs/server.key (Private key)
         /usr/local/pf/raddb/certs/ca.pem (Root CA for EAP TLS)
Configuration: /usr/local/pf/conf/radiusd/eap.conf

PF Version 10:

Captive portal = /usr/local/pf/conf/ssl/server.pem (Private Key + Cert + intermediate)
Configuration: /usr/local/pf/conf/haproxy-portal.conf

Web admin = /usr/local/pf/conf/ssl/server.pem (Private Key + Cert + intermediate)
Configuration: /usr/local/pf/conf/haproxy-admin.conf

RADIUS = /usr/local/pf/raddb/certs/server.crt (Certificate)
         /usr/local/pf/raddb/certs/server.key (Private key)
         /usr/local/pf/raddb/certs/ca.pem (Root CA for EAP TLS)
Configuration: /usr/local/pf/conf/radiusd/eap.conf

Hope it shed some light.

Thanks,


Ludovic Zammit

lzam...@inverse.ca <mailto:lzam...@inverse.ca> ::  +1.514.447.4918 
(x145) :: www.inverse.ca <http://www.inverse.ca>


Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu 
<http://www.sogo.nu>) and PacketFence (http://packetfence.org 
<http://packetfence.org>)


On Nov 12, 2020, at 10:55 PM, ypefti--- via PacketFence-users
<mailto:packetfence-users@lists.sourceforge.net> wrote:

It is some sort of conspiracy.

No luck at all. Maybe someone will tell me what else to do to
install an external SSL certificate to PF.

The server.key is also there, in the same folder. Do I really need
*.pem file ?

I didn’t receive it from CA. Fine, I converted *.crt to *.pem, still
doesn’t fly.

Why am I getting this error on PF GUI ?

A networking error occurred. Is the API service running?

Eugene

*From:* E.P. <mailto:ype...@gmail.com>
*Sent:* Thursday, November 12, 2020 3:03 PM
*To:* 'Michael Brown' <mailto:michaelbrow...@yahoo.com>; packetfence-users@lists.sourceforge.net
    <mailto:packetfence-users@lists.source

Re: [PacketFence-users] Wildcard SSL certificate installation on PF

2020-11-16 Thread E.P. via PacketFence-users
Guys,

Can I hope for any hint of assistance here ?

What changes would I need to do to have the server identified by the name and 
not the IP address ?

 

Eugene

 

From: ype...@gmail.com  
Sent: Friday, November 13, 2020 12:15 PM
To: 'Ludovic Zammit' ; 
packetfence-users@lists.sourceforge.net
Subject: RE: [PacketFence-users] Wildcard SSL certificate installation on PF

 

Disregard my last, Ludovic.

It was the stupid Firefox browser that somehow cached the old certificate.

Logged into the PF web admin GUI via Chrome and the certificate shows as good.

But…. This was just a precursor to the task that we need to cover with an SSL 
certificate.

So, when the guest WiFi user associates to a guest SSID their device sees the 
certificate issued to a host with IP address

 



 

But the details of this certificate show the correct subject name (CN) which is 
linked to FQDN as shown below

 



 

My question now is where in the captive portal I can change the IP address to 
FQDN ?

 

Eugene

 

 

From: ype...@gmail.com <mailto:ype...@gmail.com>
Sent: Friday, November 13, 2020 10:40 AM
To: 'Ludovic Zammit' <mailto:lzam...@inverse.ca>; 
packetfence-users@lists.sourceforge.net 
<mailto:packetfence-users@lists.sourceforge.net>
Subject: RE: [PacketFence-users] Wildcard SSL certificate installation on PF

 

Thank you, Ludovic,

I prepared certificate files almost exactly like you described.

Just changed the order of certificates in the server.pem file as per your 
instruction.

Well, apparently it made the trick. I can now hit PF via a standard URL, i.e. 
https://pf.domain.xxx/ and it shows the valid new SSL certificate.

But the web admin interface via 1443 is still using a self-signed certificate.

Where would I change this behavior ?

Nothing in this file to catch my eye

/usr/local/pf/conf/haproxy-admin.conf

 

Eugene

 

From: Ludovic Zammit <mailto:lzam...@inverse.ca>
Sent: Friday, November 13, 2020 4:30 AM
To: packetfence-users@lists.sourceforge.net 
<mailto:packetfence-users@lists.sourceforge.net> 
Cc: ype...@gmail.com <mailto:ype...@gmail.com> 
Subject: Re: [PacketFence-users] Wildcard SSL certificate installation on PF

 

Hello there,

 

Use of certificates in PF.

PF Version prior to 10:

Captive portal = /usr/local/pf/conf/ssl/server.pem (Private Key + Cert + intermediate)
Configuration: /usr/local/pf/conf/haproxy-portal.conf

Web admin = /usr/local/pf/conf/ssl//server.crt (Certificate)
            /usr/local/pf/raddb/certs/server.key (Private key)
            /usr/local/pf/raddb/certs/intermediates.crt (Intermediates)
Configuration: /usr/local/pf/conf/httpd.conf.d/ssl-certificates.conf

RADIUS = /usr/local/pf/raddb/certs/server.crt (Certificate)
         /usr/local/pf/raddb/certs/server.key (Private key)
         /usr/local/pf/raddb/certs/ca.pem (Root CA for EAP TLS)
Configuration: /usr/local/pf/conf/radiusd/eap.conf

PF Version 10:

Captive portal = /usr/local/pf/conf/ssl/server.pem (Private Key + Cert + intermediate)
Configuration: /usr/local/pf/conf/haproxy-portal.conf

Web admin = /usr/local/pf/conf/ssl/server.pem (Private Key + Cert + intermediate)
Configuration: /usr/local/pf/conf/haproxy-admin.conf

RADIUS = /usr/local/pf/raddb/certs/server.crt (Certificate)
         /usr/local/pf/raddb/certs/server.key (Private key)
         /usr/local/pf/raddb/certs/ca.pem (Root CA for EAP TLS)
Configuration: /usr/local/pf/conf/radiusd/eap.conf

 

Hope it shed some light.

 

Thanks,


Ludovic Zammit
lzam...@inverse.ca <mailto:lzam...@inverse.ca>  ::  +1.514.447.4918 (x145) ::  
www.inverse.ca <http://www.inverse.ca> 
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 

 

 

 

On Nov 12, 2020, at 10:55 PM, ypefti--- via PacketFence-users 
<mailto:packetfence-users@lists.sourceforge.net> wrote:

 

It is some sort of conspiracy.

No luck at all. Maybe someone will tell me what else to do to install an 
external SSL certificate to PF. 

The server.key is also there, in the same folder. Do I really need *.pem file ?

I didn’t receive it from CA. Fine, I converted *.crt to *.pem, still doesn’t 
fly.

Why am I getting this error on PF GUI ?

 

A networking error occurred. Is the API service running?

 

Eugene

 

From: E.P. <mailto:ype...@gmail.com>
Sent: Thursday, November 12, 2020 3:03 PM
To: 'Michael Brown' <mailto:michaelbrow...@yahoo.com>; 
packetfence-users@lists.sourceforge.net 
<mailto:packetfence-users@lists.sourceforge.net> 
Subject: RE: [PacketFence-users] Wildcard SSL certificate installation on PF

 

Thank you, Michael.

I did it almost the same way. 

What I don’t understand is the logic of PF and Apache integration.

It appears that the original Apache config file, i.e. httpd.conf is useless and 
not in use by PF

I will play

Re: [PacketFence-users] Wildcard SSL certificate installation on PF

2020-11-15 Thread ypefti--- via PacketFence-users
Thank you, Ludovic,

I prepared certificate files almost exactly like you described.

Just changed the order of certificates in the server.pem file as per your 
instruction.

Well, apparently it made the trick. I can now hit PF via a standard URL, i.e. 
https://pf.domain.xxx/ and it shows the valid new SSL certificate.

But the web admin interface via 1443 is still using a self-signed certificate.

Where would I change this behavior ?

Nothing in this file to catch my eye

/usr/local/pf/conf/haproxy-admin.conf

 

Eugene

 

From: Ludovic Zammit  
Sent: Friday, November 13, 2020 4:30 AM
To: packetfence-users@lists.sourceforge.net
Cc: ype...@gmail.com
Subject: Re: [PacketFence-users] Wildcard SSL certificate installation on PF

 

Hello there,

 

Use of certificates in PF.

PF Version prior to 10:

Captive portal = /usr/local/pf/conf/ssl/server.pem (Private Key + Cert + intermediate)
Configuration: /usr/local/pf/conf/haproxy-portal.conf

Web admin = /usr/local/pf/conf/ssl//server.crt (Certificate)
            /usr/local/pf/raddb/certs/server.key (Private key)
            /usr/local/pf/raddb/certs/intermediates.crt (Intermediates)
Configuration: /usr/local/pf/conf/httpd.conf.d/ssl-certificates.conf

RADIUS = /usr/local/pf/raddb/certs/server.crt (Certificate)
         /usr/local/pf/raddb/certs/server.key (Private key)
         /usr/local/pf/raddb/certs/ca.pem (Root CA for EAP TLS)
Configuration: /usr/local/pf/conf/radiusd/eap.conf

PF Version 10:

Captive portal = /usr/local/pf/conf/ssl/server.pem (Private Key + Cert + intermediate)
Configuration: /usr/local/pf/conf/haproxy-portal.conf

Web admin = /usr/local/pf/conf/ssl/server.pem (Private Key + Cert + intermediate)
Configuration: /usr/local/pf/conf/haproxy-admin.conf

RADIUS = /usr/local/pf/raddb/certs/server.crt (Certificate)
         /usr/local/pf/raddb/certs/server.key (Private key)
         /usr/local/pf/raddb/certs/ca.pem (Root CA for EAP TLS)
Configuration: /usr/local/pf/conf/radiusd/eap.conf

 

Hope it shed some light.

 

Thanks,


Ludovic Zammit
lzam...@inverse.ca <mailto:lzam...@inverse.ca>  ::  +1.514.447.4918 (x145) ::  
www.inverse.ca <http://www.inverse.ca> 
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 

 









On Nov 12, 2020, at 10:55 PM, ypefti--- via PacketFence-users 
<mailto:packetfence-users@lists.sourceforge.net> wrote:

 

It is some sort of conspiracy.

No luck at all. Maybe someone will tell me what else to do to install an 
external SSL certificate to PF. 

The server.key is also there, in the same folder. Do I really need *.pem file ?

I didn’t receive it from CA. Fine, I converted *.crt to *.pem, still doesn’t 
fly.

Why am I getting this error on PF GUI ?

 

A networking error occurred. Is the API service running?

 

Eugene

 

From: E.P. <mailto:ype...@gmail.com>
Sent: Thursday, November 12, 2020 3:03 PM
To: 'Michael Brown' <mailto:michaelbrow...@yahoo.com>; 
packetfence-users@lists.sourceforge.net 
<mailto:packetfence-users@lists.sourceforge.net> 
Subject: RE: [PacketFence-users] Wildcard SSL certificate installation on PF

 

Thank you, Michael.

I did it almost the same way. 

What I don’t understand is the logic of PF and Apache integration.

It appears that the original Apache config file, i.e. httpd.conf is useless and 
not in use by PF

I will play and explore the SAN attribute in the certificate

 

Eugene

 

From: Michael Brown <mailto:michaelbrow...@yahoo.com>
Sent: Thursday, November 12, 2020 1:47 PM
To: packetfence-users@lists.sourceforge.net 
<mailto:packetfence-users@lists.sourceforge.net> 
Cc: ype...@gmail.com <mailto:ype...@gmail.com> 
Subject: Re: [PacketFence-users] Wildcard SSL certificate installation on PF

 

I have a wildcard from Digicert and used this to get the cert:

Apache: CSR & SSL Installation (OpenSSL) 
<https://www.digicert.com/kb/csr-ssl-installation/apache-openssl.htm>

 



 











 

 

Also, when requesting the duplicate from Digicert it allows you to enter 
additional SANs beyond the *.domain.com.  I put my pf.domain.com as one of the 
SANs when requesting the duplicate.  I also used WinSCP to connect to my 
packetfence server to get the csr and key files.  I know that's not needed but 
just thought I would mention it.  

 

 

 

 

On Thursday, November 12, 2020, 04:29:50 PM EST, ypefti--- via 
PacketFence-users <packetfence-users@lists.sourceforge.net> wrote: 

 

 

More digging, more tries, more frustrations 
Further to my previous email. I replaced thre

Re: [PacketFence-users] Wildcard SSL certificate installation on PF

2020-11-15 Thread ypefti--- via PacketFence-users
Disregard my last, Ludovic.

It was the stupid Firefox browser that somehow cached the old certificate.

Logged into the PF web admin GUI via Chrome and the certificate shows as good.

But…. This was just a precursor to the task that we need to cover with an SSL 
certificate.

So, when the guest WiFi user associates to a guest SSID their device sees the 
certificate issued to a host with IP address

 



 

But the details of this certificate show the correct subject name (CN) which is 
linked to FQDN as shown below

 



 

My question now is where in the captive portal I can change the IP address to 
FQDN ?

 

Eugene

 

 

From: ype...@gmail.com  
Sent: Friday, November 13, 2020 10:40 AM
To: 'Ludovic Zammit' ; 
packetfence-users@lists.sourceforge.net
Subject: RE: [PacketFence-users] Wildcard SSL certificate installation on PF

 

Thank you, Ludovic,

I prepared certificate files almost exactly like you described.

Just changed the order of certificates in the server.pem file as per your 
instruction.

Well, apparently it made the trick. I can now hit PF via a standard URL, i.e. 
https://pf.domain.xxx/ and it shows the valid new SSL certificate.

But the web admin interface via 1443 is still using a self-signed certificate.

Where would I change this behavior ?

Nothing in this file to catch my eye

/usr/local/pf/conf/haproxy-admin.conf

 

Eugene

 

From: Ludovic Zammit <mailto:lzam...@inverse.ca>
Sent: Friday, November 13, 2020 4:30 AM
To: packetfence-users@lists.sourceforge.net 
<mailto:packetfence-users@lists.sourceforge.net> 
Cc: ype...@gmail.com <mailto:ype...@gmail.com> 
Subject: Re: [PacketFence-users] Wildcard SSL certificate installation on PF

 

Hello there,

 

Use of certificates in PF.

PF Version prior to 10:

Captive portal = /usr/local/pf/conf/ssl/server.pem (Private Key + Cert + intermediate)
Configuration: /usr/local/pf/conf/haproxy-portal.conf

Web admin = /usr/local/pf/conf/ssl//server.crt (Certificate)
            /usr/local/pf/raddb/certs/server.key (Private key)
            /usr/local/pf/raddb/certs/intermediates.crt (Intermediates)
Configuration: /usr/local/pf/conf/httpd.conf.d/ssl-certificates.conf

RADIUS = /usr/local/pf/raddb/certs/server.crt (Certificate)
         /usr/local/pf/raddb/certs/server.key (Private key)
         /usr/local/pf/raddb/certs/ca.pem (Root CA for EAP TLS)
Configuration: /usr/local/pf/conf/radiusd/eap.conf

PF Version 10:

Captive portal = /usr/local/pf/conf/ssl/server.pem (Private Key + Cert + intermediate)
Configuration: /usr/local/pf/conf/haproxy-portal.conf

Web admin = /usr/local/pf/conf/ssl/server.pem (Private Key + Cert + intermediate)
Configuration: /usr/local/pf/conf/haproxy-admin.conf

RADIUS = /usr/local/pf/raddb/certs/server.crt (Certificate)
         /usr/local/pf/raddb/certs/server.key (Private key)
         /usr/local/pf/raddb/certs/ca.pem (Root CA for EAP TLS)
Configuration: /usr/local/pf/conf/radiusd/eap.conf

 

Hope it shed some light.

 

Thanks,


Ludovic Zammit
lzam...@inverse.ca <mailto:lzam...@inverse.ca>  ::  +1.514.447.4918 (x145) ::  
www.inverse.ca <http://www.inverse.ca> 
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 

 

 

 

On Nov 12, 2020, at 10:55 PM, ypefti--- via PacketFence-users 
<mailto:packetfence-users@lists.sourceforge.net> wrote:

 

It is some sort of conspiracy.

No luck at all. Maybe someone will tell me what else to do to install an 
external SSL certificate to PF. 

The server.key is also there, in the same folder. Do I really need *.pem file ?

I didn’t receive it from CA. Fine, I converted *.crt to *.pem, still doesn’t 
fly.

Why am I getting this error on PF GUI ?

 

A networking error occurred. Is the API service running?

 

Eugene

 

From: E.P. <mailto:ype...@gmail.com>
Sent: Thursday, November 12, 2020 3:03 PM
To: 'Michael Brown' <mailto:michaelbrow...@yahoo.com>; 
packetfence-users@lists.sourceforge.net 
<mailto:packetfence-users@lists.sourceforge.net> 
Subject: RE: [PacketFence-users] Wildcard SSL certificate installation on PF

 

Thank you, Michael.

I did it almost the same way. 

What I don’t understand is the logic of PF and Apache integration.

It appears that the original Apache config file, i.e. httpd.conf is useless and 
not in use by PF

I will play and explore the SAN attribute in the certificate

 

Eugene

 

From: Michael Brown <mailto:michaelbrow...@yahoo.com>
Sent: Thursday, November 12, 2020 1:47 PM
To: packetfence-users@lists.sourceforge.net 
<mailto:packetfence-users@lists.sourceforge.net> 
Cc: ype...@gmail.com <mailto:ype...@gmail.com> 
Subject: Re: [PacketFence-users] Wildcard SSL certificate installation on PF

 

I have a wildcard from Digicert and used this to get the cert:

 <https://www.digicert.com/kb/csr-ss

Re: [PacketFence-users] Wildcard SSL certificate installation on PF

2020-11-13 Thread Tomasz Karczewski via PacketFence-users
Intermediates.crt -> intermediate certs + CA

server.crt -> Server certificate

server.key -> Key

server.pem -> Server.crt + intermediates.crt + server.key (from top to bottom)

 

Tomasz Karczewski

Network Administrator

 



 

tkarczew...@man.olsztyn.pl

http://www.man.olsztyn.pl  http://www.uwm.edu.pl

tel. (89) 523 45 55  fax. (89) 523 43 47

 

Ośrodek Eksploatacji i Zarządzania

Miejską Siecią Komputerową OLMAN w Olsztynie

Uniwersytet Warmińsko-Mazurski w Olsztynie

 

From: ypefti--- via PacketFence-users  
Sent: Friday, November 13, 2020 4:55 AM
To: packetfence-users@lists.sourceforge.net
Cc: ype...@gmail.com
Subject: Re: [PacketFence-users] Wildcard SSL certificate installation on PF

 

It is some sort of conspiracy.

No luck at all. Maybe someone will tell me what else to do to install an 
external SSL certificate to PF. 

The server.key is also there, in the same folder. Do I really need *.pem file ?

I didn’t receive it from CA. Fine, I converted *.crt to *.pem, still doesn’t 
fly.

Why am I getting this error on PF GUI ?

 

A networking error occurred. Is the API service running?

 

Eugene

 

From: E.P. <mailto:ype...@gmail.com>
Sent: Thursday, November 12, 2020 3:03 PM
To: 'Michael Brown' <mailto:michaelbrow...@yahoo.com>; 
packetfence-users@lists.sourceforge.net 
<mailto:packetfence-users@lists.sourceforge.net> 
Subject: RE: [PacketFence-users] Wildcard SSL certificate installation on PF

 

Thank you, Michael.

I did it almost the same way. 

What I don’t understand is the logic of PF and Apache integration.

It appears that the original Apache config file, i.e. httpd.conf is useless and 
not in use by PF

I will play and explore the SAN attribute in the certificate

 

Eugene

 

From: Michael Brown <mailto:michaelbrow...@yahoo.com>
Sent: Thursday, November 12, 2020 1:47 PM
To: packetfence-users@lists.sourceforge.net 
<mailto:packetfence-users@lists.sourceforge.net> 
Cc: ype...@gmail.com <mailto:ype...@gmail.com> 
Subject: Re: [PacketFence-users] Wildcard SSL certificate installation on PF

 

I have a wildcard from Digicert and used this to get the cert:

Apache: CSR & SSL Installation (OpenSSL) 
<https://www.digicert.com/kb/csr-ssl-installation/apache-openssl.htm>

 






 









 

 

Also, when requesting the duplicate from Digicert it allows you to enter 
additional SANs beyond the *.domain.com.  I put my pf.domain.com as one of the 
SANs when requesting the duplicate.  I also used WinSCP to connect to my 
packetfence server to get the csr and key files.  I know that's not needed but 
just thought I would mention it.  

 

 

 

 

On Thursday, November 12, 2020, 04:29:50 PM EST, ypefti--- via 
PacketFence-users <packetfence-users@lists.sourceforge.net> wrote: 

 

 

More digging, more tries, more frustrations 
Further to my previous email. I replaced three files from SSL folder with files 
that correspond to the new certificate, i.e.
/usr/local/pf/conf/ssl/server.key
/usr/local/pf/conf/ssl/server.crt
/usr/local/pf/conf/ssl/server.pem

PF web interface said bye-bye to me. Why do I see this error in 
/usr/local/pf/logs/httpd.webservices.error

Nov 12 13:04:07 pf httpd_webservices_err: AH00558: httpd: Could not reliably 
determine the server's fully qualified domain name, using 
fe80::250:56ff:fe8a:e674. Set the 'ServerName' directive globally to suppress 
this message

What happened to Apache and PF ?

And what drives me mad is the fact that if I put old certificate files back I 
still can't login via PF GUI.
Having this error:

A networking error occurred. Is the API service running?

Eugene


-----Original Message-----
From: ype...@gmail.com <ype...@gmail.com>
Sent: Thursday, November 12, 2020 11:26 AM
To: packetfence-users@lists.sourceforge.net
Cc: 'mj' <li...@merit.unu.edu>
Subject: RE: [PacketFence-users] Wildcard SSL certificate installation on PF

Thank you, MJ,
It looks like questions asked here are replied selectively.
At least out of 4 questions that I asked only this one was finally "noticed" 
after the resend 
I wouldn't bother the list with my questions if the procedure is well 
documented and works.
The existing documentation mentions only this:


"Upon PacketFence installation, self-signed certificates will be created in 
/usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be 
replaced anytime by your 3rd-par

Re: [PacketFence-users] Wildcard SSL certificate installation on PF

2020-11-13 Thread Ludovic Zammit via PacketFence-users
Hello there,

Use of certificates in PF.

PF Version prior to 10:

Captive portal = /usr/local/pf/conf/ssl/server.pem (Private Key + Cert + intermediate)
Configuration: /usr/local/pf/conf/haproxy-portal.conf

Web admin = /usr/local/pf/conf/ssl//server.crt (Certificate)
            /usr/local/pf/raddb/certs/server.key (Private key)
            /usr/local/pf/raddb/certs/intermediates.crt (Intermediates)
Configuration: /usr/local/pf/conf/httpd.conf.d/ssl-certificates.conf

RADIUS = /usr/local/pf/raddb/certs/server.crt (Certificate)
         /usr/local/pf/raddb/certs/server.key (Private key)
         /usr/local/pf/raddb/certs/ca.pem (Root CA for EAP TLS)
Configuration: /usr/local/pf/conf/radiusd/eap.conf

PF Version 10:

Captive portal = /usr/local/pf/conf/ssl/server.pem (Private Key + Cert + intermediate)
Configuration: /usr/local/pf/conf/haproxy-portal.conf

Web admin = /usr/local/pf/conf/ssl/server.pem (Private Key + Cert + intermediate)
Configuration: /usr/local/pf/conf/haproxy-admin.conf

RADIUS = /usr/local/pf/raddb/certs/server.crt (Certificate)
         /usr/local/pf/raddb/certs/server.key (Private key)
         /usr/local/pf/raddb/certs/ca.pem (Root CA for EAP TLS)
Configuration: /usr/local/pf/conf/radiusd/eap.conf

Hope it shed some light.

Thanks,

Ludovic Zammit
lzam...@inverse.ca <mailto:lzam...@inverse.ca> ::  +1.514.447.4918 (x145) ::  
www.inverse.ca <http://www.inverse.ca/>
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu <http://www.sogo.nu/>) 
and PacketFence (http://packetfence.org <http://packetfence.org/>) 
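
The combined `server.pem` that Ludovic and Tomasz describe in this thread (private key, server certificate and intermediates in one file) can be assembled and checked before it is put in place. This is an added example, not code from the thread or from PacketFence: the function names and the throwaway `example.test` PKI are constructed for illustration, and it assumes `openssl`, `awk` and `mktemp` are available.

```shell
#!/bin/sh
# Added example, not PacketFence code. File names follow the thread; function
# names and the throwaway example.test PKI are constructed for illustration.

# Concatenate in the order Ludovic lists: private key, server cert, intermediates.
build_server_pem() {   # usage: build_server_pem KEY CRT INTERMEDIATES OUT
    ( umask 077 && cat "$1" "$2" "$3" > "$4" )   # bundle contains the private key
}

# Return 0 only if the bundle is internally consistent and valid for FQDN.
check_server_pem() (   # usage: check_server_pem PEM FQDN [CAFILE]
    pem=$1; fqdn=$2; ca=${3:-}; rc=0
    t=$(mktemp -d) || return 2
    # Split the bundle so each openssl call sees only one kind of object.
    awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{p=0}' \
        "$pem" > "$t/certs"
    awk '/-----BEGIN .*PRIVATE KEY-----/{p=1} p{print} /-----END .*PRIVATE KEY-----/{p=0}' \
        "$pem" > "$t/key"

    # 1. Exactly one private key block.
    n=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$pem")
    [ "$n" -eq 1 ] || { echo "FAIL: expected 1 private key, found $n"; rc=1; }

    # 2. The first certificate must carry the public half of that key. This
    #    catches a stale key and intermediates listed ahead of the server cert.
    leaf_pub=$(openssl x509 -in "$t/certs" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$t/key" -passin pass: -pubout 2>/dev/null)
    { [ -n "$leaf_pub" ] && [ "$leaf_pub" = "$key_pub" ]; } ||
        { echo "FAIL: first certificate does not match the private key"; rc=1; }

    # 3. The name clients use must be covered by the SAN/CN (wildcards included).
    openssl x509 -in "$t/certs" -noout -checkhost "$fqdn" 2>/dev/null |
        grep -q 'does match' ||
        { echo "FAIL: certificate is not valid for $fqdn"; rc=1; }

    # 4. Optional: leaf must chain through the bundled intermediates to CAFILE.
    if [ -n "$ca" ]; then
        openssl x509 -in "$t/certs" -out "$t/leaf" 2>/dev/null
        openssl verify -CAfile "$ca" -untrusted "$t/certs" "$t/leaf" >/dev/null 2>&1 ||
            { echo "FAIL: chain does not verify against $ca"; rc=1; }
    fi
    rm -rf "$t"
    return "$rc"
)

# Constructed sample input: a two-tier throwaway CA and a *.example.test cert.
make_demo_pki() (      # usage: make_demo_pki DIR
    d=$1
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:*.example.test
EOF
    newreq() { openssl req -config "$d/demo.cnf" -newkey rsa:2048 -nodes "$@" 2>/dev/null; }
    sign()   { openssl x509 -req -CAcreateserial -extfile "$d/demo.cnf" -days 2 "$@" 2>/dev/null; }
    newreq -x509 -extensions v3_ca -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.crt" &&
    newreq -new -subj "/CN=Demo Intermediate CA" -keyout "$d/int.key" -out "$d/int.csr" &&
    sign -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -extensions v3_ca -out "$d/intermediates.crt" &&
    newreq -new -subj "/CN=*.example.test" -keyout "$d/server.key" -out "$d/server.csr" &&
    sign -in "$d/server.csr" -CA "$d/intermediates.crt" -CAkey "$d/int.key" \
        -extensions v3_leaf -out "$d/server.crt"
)

demo() (
    d=$(mktemp -d) || return 2
    make_demo_pki "$d" || { echo "could not build demo PKI"; rm -rf "$d"; return 2; }
    build_server_pem "$d/server.key" "$d/server.crt" "$d/intermediates.crt" "$d/server.pem"
    check_server_pem "$d/server.pem" pf.example.test "$d/root.crt" && echo "OK: pf.example.test"
    # A portal reached by IP instead of by name cannot match the wildcard SAN.
    check_server_pem "$d/server.pem" 192.0.2.10 "$d/root.crt"
    rm -rf "$d"
)

# No arguments: run the constructed demo. Otherwise: check_server_pem PEM FQDN [CAFILE].
if [ "$#" -eq 0 ]; then demo; else check_server_pem "$@"; fi
```

Run with a bundle path and the portal's FQDN as arguments, the script checks an existing file instead of the demo PKI; without a CA file argument the chain step is skipped.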




> On Nov 12, 2020, at 10:55 PM, ypefti--- via PacketFence-users 
>  wrote:
> 
> It is some sort of conspiracy.
> No luck at all. Maybe someone will tell me what else to do to install an 
> external SSL certificate to PF. 
> The server.key is also there, in the same folder. Do I really need *.pem file 
> ?
> I didn’t receive it from CA. Fine, I converted *.crt to *.pem, still doesn’t 
> fly.
> Why am I getting this error on PF GUI ?
>  
> A networking error occurred. Is the API service running?
>  
> Eugene
>  
> From: E.P. <mailto:ype...@gmail.com>
> Sent: Thursday, November 12, 2020 3:03 PM
> To: 'Michael Brown' <mailto:michaelbrow...@yahoo.com>; packetfence-users@lists.sourceforge.net 
> <mailto:packetfence-users@lists.sourceforge.net>
> Subject: RE: [PacketFence-users] Wildcard SSL certificate installation on PF
>  
> Thank you, Michael.
> I did it almost the same way. 
> What I don’t understand is the logic of PF and Apache integration.
> It appears that the original Apache config file, i.e. httpd.conf is useless 
> and not in use by PF
> I will play and explore the SAN attribute in the certificate
>  
> Eugene
>  
> From: Michael Brown <mailto:michaelbrow...@yahoo.com>
> Sent: Thursday, November 12, 2020 1:47 PM
> To: packetfence-users@lists.sourceforge.net 
> <mailto:packetfence-users@lists.sourceforge.net>
> Cc: ype...@gmail.com <mailto:ype...@gmail.com>
> Subject: Re: [PacketFence-users] Wildcard SSL certificate installation on PF
>  
> I have a wildcard from Digicert and used this to get the cert:
> Apache: CSR & SSL Installation (OpenSSL) 
> <https://www.digicert.com/kb/csr-ssl-installation/apache-openssl.htm>
>  
>  
> 
> 
>  
>  
> Also, when requesting the duplicate from Digicert it allows you to enter 
> additional SANs beyond the *.domain.com.  I put my 
> pf.domain.com as one of the SANs when requesting the 
> duplicate.  I also used WinSCP to connect to my packetfence server to get the 
> csr and key files.  I know that's not needed but just thought I would mention 
> it.  
>  
>  
>  
>  
> On Thursday, November 12, 2020, 04:29:50 PM EST, ypefti--- via 
> PacketFence-users <mailto:packetfence-users@lists.sourceforge.net> wrote: 
>  
>  
> More digging, more tries, more frustrations 
> Further to my previous email. I replaced three files from SSL folder with 
> files that correspond to the new certificate, i.e.
> /usr/local/pf/conf/ssl/server.key
> /usr/local/pf/conf/ssl/server.crt
> /usr/local/pf/conf/ssl/server.pem
> 
> PF web interface said bye-bye to me. Why do I see this error in 
> /usr/local/pf/logs/httpd.webservices.error
> 
> Nov 12 13:04:07 pf httpd_webservices_err: AH00558: httpd: Could not reliably 
> determine the server's fully qualified domain name, using 
> fe80::250:56ff:fe8a:e674. Set the 'ServerName' directive globally to suppress 

Re: [PacketFence-users] Wildcard SSL certificate installation on PF

2020-11-12 Thread ypefti--- via PacketFence-users
It is some sort of conspiracy.

No luck at all. Maybe someone will tell me what else to do to install an 
external SSL certificate to PF. 

The server.key is also there, in the same folder. Do I really need *.pem file ?

I didn’t receive it from CA. Fine, I converted *.crt to *.pem, still doesn’t 
fly.

Why am I getting this error on PF GUI ?

 

A networking error occurred. Is the API service running?

 

Eugene

 

From: E.P. <mailto:ype...@gmail.com>
Sent: Thursday, November 12, 2020 3:03 PM
To: 'Michael Brown' <mailto:michaelbrow...@yahoo.com>; 
packetfence-users@lists.sourceforge.net 
<mailto:packetfence-users@lists.sourceforge.net> 
Subject: RE: [PacketFence-users] Wildcard SSL certificate installation on PF

 

Thank you, Michael.

I did it almost the same way. 

What I don’t understand is the logic of PF and Apache integration.

It appears that the original Apache config file, i.e. httpd.conf is useless and 
not in use by PF

I will play and explore the SAN attribute in the certificate

 

Eugene

 

From: Michael Brown <mailto:michaelbrow...@yahoo.com>
Sent: Thursday, November 12, 2020 1:47 PM
To: packetfence-users@lists.sourceforge.net 
<mailto:packetfence-users@lists.sourceforge.net> 
Cc: ype...@gmail.com <mailto:ype...@gmail.com> 
Subject: Re: [PacketFence-users] Wildcard SSL certificate installation on PF

 

I have a wildcard from Digicert and used this to get the cert:

Apache: CSR & SSL Installation (OpenSSL) 
<https://www.digicert.com/kb/csr-ssl-installation/apache-openssl.htm>

 



 









 

 

Also, when requesting the duplicate from Digicert it allows you to enter 
additional SANs beyond the *.domain.com.  I put my pf.domain.com as one of the 
SANs when requesting the duplicate.  I also used WinSCP to connect to my 
packetfence server to get the csr and key files.  I know that's not needed but 
just thought I would mention it.  

 

 

 

 

On Thursday, November 12, 2020, 04:29:50 PM EST, ypefti--- via 
PacketFence-users <packetfence-users@lists.sourceforge.net> wrote: 

 

 

More digging, more tries, more frustrations 
Further to my previous email. I replaced three files from SSL folder with files 
that correspond to the new certificate, i.e.
/usr/local/pf/conf/ssl/server.key
/usr/local/pf/conf/ssl/server.crt
/usr/local/pf/conf/ssl/server.pem

PF web interface said bye-bye to me. Why do I see this error in 
/usr/local/pf/logs/httpd.webservices.error

Nov 12 13:04:07 pf httpd_webservices_err: AH00558: httpd: Could not reliably 
determine the server's fully qualified domain name, using 
fe80::250:56ff:fe8a:e674. Set the 'ServerName' directive globally to suppress 
this message

What happened to Apache and PF ?

And what drives me mad is the fact that if I put old certificate files back I 
still can't login via PF GUI.
Having this error:

A networking error occurred. Is the API service running?

Eugene


-----Original Message-----
From: ype...@gmail.com <ype...@gmail.com>
Sent: Thursday, November 12, 2020 11:26 AM
To: packetfence-users@lists.sourceforge.net
Cc: 'mj' <li...@merit.unu.edu>
Subject: RE: [PacketFence-users] Wildcard SSL certificate installation on PF

Thank you, MJ,
It looks like questions asked here are replied selectively.
At least out of 4 questions that I asked only this one was finally "noticed" 
after the resend 
I wouldn't bother the list with my questions if the procedure is well 
documented and works.
The existing documentation mentions only this:


"Upon PacketFence installation, self-signed certificates will be created in 
/usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be 
replaced anytime by your 3rd-party or existing wild card certificate without 
problems. Please note that the CN (Common Name) needs to be the same as the one 
defined in the PacketFence configuration file (pf.conf)."


This is very confusing. We all know that CN in the wildcard certificate looks 
like this:
*.example.com
How would I make use of it with PF ?

If you refer me to Let's Encrypt certificates should I understand that I need 
to do it from www.sslforfree.com
And what's the correct procedure to install an SSL certificate to PF. Never saw 
it in the documentation.
I need it for a captive portal.

Eugene


Re: [PacketFence-users] Wildcard SSL certificate installation on PF

2020-11-12 Thread E.P. via PacketFence-users
May I kindly ask to tell me what you did with certificate files, Colton?

Sent from iPhone

> On Nov 12, 2020, at 19:55, Colton Conor via PacketFence-users 
>  wrote:
> 
> 
> We use a wildcard on PF without a problem. 
> 
>> On Thu, Nov 12, 2020 at 3:51 PM Michael Brown via PacketFence-users 
>>  wrote:
>> I have a wildcard from Digicert and used this to get the cert:
>> Apache: CSR & SSL Installation (OpenSSL)
>> 
>> 
>> 
>> Also, when requesting the duplicate from Digicert it allows you to enter 
>> additional SANs beyond the *.domain.com.  I put my pf.domain.com as one of 
>> the SANs when requesting the duplicate.  I also used WinSCP to connect to my 
>> packetfence server to get the csr and key files.  I know that's not needed 
>> but just thought I would mention it.  
>> 
>> 
>> 
>> 
>> On Thursday, November 12, 2020, 04:29:50 PM EST, ypefti--- via 
>> PacketFence-users  wrote:
>> 
>> 
>> More digging, more tries, more frustrations 
>> Further to my previous email. I replaced three files from SSL folder with 
>> files that correspond to the new certificate, i.e.
>> /usr/local/pf/conf/ssl/server.key
>> /usr/local/pf/conf/ssl/server.crt
>> /usr/local/pf/conf/ssl/server.pem
>> 
>> PF web interface said bye-bye to me. Why do I see this error in 
>> /usr/local/pf/logs/httpd.webservices.error
>> 
>> Nov 12 13:04:07 pf httpd_webservices_err: AH00558: httpd: Could not reliably 
>> determine the server's fully qualified domain name, using 
>> fe80::250:56ff:fe8a:e674. Set the 'ServerName' directive globally to 
>> suppress this message
>> 
>> What happened to Apache and PF ?
>> 
>> And what drives me mad is the fact that if I put old certificate files back 
>> I still can't login via PF GUI.
>> Having this error:
>> 
>> A networking error occurred. Is the API service running?
>> 
>> Eugene
>> 
>> -----Original Message-----
>> From: ype...@gmail.com  
>> Sent: Thursday, November 12, 2020 11:26 AM
>> To: packetfence-users@lists.sourceforge.net
>> Cc: 'mj' 
>> Subject: RE: [PacketFence-users] Wildcard SSL certificate installation on PF
>> 
>> Thank you, MJ,
>> It looks like questions asked here are replied selectively.
>> At least out of 4 questions that I asked only this one was finally "noticed" 
>> after the resend 
>> I wouldn't bother the list with my questions if the procedure is well 
>> documented and works.
>> The existing documentation mentions only this:
>> 
>> 
>> "Upon PacketFence installation, self-signed certificates will be created in 
>> /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can 
>> be replaced anytime by your 3rd-party or existing wild card certificate 
>> without problems. Please note that the CN (Common Name) needs to be the same 
>> as the one defined in the PacketFence configuration file (pf.conf)."
>> 
>> 
>> This is very confusing. We all know that CN in the wildcard certificate 
>> looks like this:
>> *.example.com
>> How would I make use of it with PF ?
>> 
>> If you refer me to Let's Encrypt certificates should I understand that I 
>> need to do it from www.sslforfree.com And what's the correct procedure to 
>> install an SSL certificate to PF. Never saw it in the documentation.
>> I need it for a captive portal.
>> 
>> Eugene
>> 
>> -----Original Message-----
>> From: mj via PacketFence-users 
>> Sent: Wednesday, November 11, 2020 1:38 AM
>> To: packetfence-users@lists.sourceforge.net
>> Cc: mj 
>> Subject: Re: [PacketFence-users] Wildcard SSL certificate installation on PF
>> 
>> Hi Eugene,
>> 
>> The list has always been alive, from where we are. :-)
>> 
>> Anyway: I would encourage you to take a look at Let's Encrypt certificates 
>> with packetfence. I think they are a bit more secure than a wildcard 
>> certificate, plus they are free and work very well.
>> 
>> (there are some threads on this mailing list on that subject)
>> 
>> Good luck,
>> MJ
>> 
>> On 11/10/20 5:31 PM, E.P. via Packet

Re: [PacketFence-users] Wildcard SSL certificate installation on PF

2020-11-12 Thread E.P. via PacketFence-users
Thank you, Michael.

I did it almost the same way. 

What I don’t understand is the logic of PF and Apache integration.

It appears that the original Apache config file, i.e. httpd.conf is useless and 
not in use by PF

I will play and explore the SAN attribute in the certificate

 

Eugene

 

From: Michael Brown  
Sent: Thursday, November 12, 2020 1:47 PM
To: packetfence-users@lists.sourceforge.net
Cc: ype...@gmail.com
Subject: Re: [PacketFence-users] Wildcard SSL certificate installation on PF

 

I have a wildcard from Digicert and used this to get the cert:

Apache: CSR & SSL Installation (OpenSSL)
<https://www.digicert.com/kb/csr-ssl-installation/apache-openssl.htm>

 

 

Also, when requesting the duplicate from Digicert it allows you to enter 
additional SANs beyond the *.domain.com.  I put my pf.domain.com as one of the 
SANs when requesting the duplicate.  I also used WinSCP to connect to my 
packetfence server to get the csr and key files.  I know that's not needed but 
just thought I would mention it.  

 

 

 

 

On Thursday, November 12, 2020, 04:29:50 PM EST, ypefti--- via 
PacketFence-users  wrote: 

 

 

More digging, more tries, more frustrations 
Further to my previous email. I replaced three files from SSL folder with files 
that correspond to the new certificate, i.e.
/usr/local/pf/conf/ssl/server.key
/usr/local/pf/conf/ssl/server.crt
/usr/local/pf/conf/ssl/server.pem

PF web interface said bye-bye to me. Why do I see this error in 
/usr/local/pf/logs/httpd.webservices.error

Nov 12 13:04:07 pf httpd_webservices_err: AH00558: httpd: Could not reliably 
determine the server's fully qualified domain name, using 
fe80::250:56ff:fe8a:e674. Set the 'ServerName' directive globally to suppress 
this message

What happened to Apache and PF ?

And what drives me mad is the fact that if I put old certificate files back I 
still can't login via PF GUI.
Having this error:

A networking error occurred. Is the API service running?

Eugene


-----Original Message-----
From: ype...@gmail.com <ype...@gmail.com>
Sent: Thursday, November 12, 2020 11:26 AM
To: packetfence-users@lists.sourceforge.net
Cc: 'mj' <li...@merit.unu.edu>
Subject: RE: [PacketFence-users] Wildcard SSL certificate installation on PF

Thank you, MJ,
It looks like questions asked here are replied selectively.
At least out of 4 questions that I asked only this one was finally "noticed" 
after the resend 
I wouldn't bother the list with my questions if the procedure is well 
documented and works.
The existing documentation mentions only this:


"Upon PacketFence installation, self-signed certificates will be created in 
/usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be 
replaced anytime by your 3rd-party or existing wild card certificate without 
problems. Please note that the CN (Common Name) needs to be the same as the one 
defined in the PacketFence configuration file (pf.conf)."


This is very confusing. We all know that CN in the wildcard certificate looks 
like this:
*.example.com
How would I make use of it with PF ?

If you refer me to Let's Encrypt certificates should I understand that I need 
to do it from www.sslforfree.com And what's the correct procedure to install an 
SSL certificate to PF. Never saw it in the documentation.
I need it for a captive portal.

Eugene

-----Original Message-----
From: mj via PacketFence-users <packetfence-users@lists.sourceforge.net>
Sent: Wednesday, November 11, 2020 1:38 AM
To: packetfence-users@lists.sourceforge.net
Cc: mj <li...@merit.unu.edu>
Subject: Re: [PacketFence-users] Wildcard SSL certificate installation on PF

Hi Eugene,

The list has always been alive, from where we are. :-)

Anyway: I would encourage you to take a look at Let's Encrypt certificates with 
packetfence. I think they are a bit more secure than a wildcard certificate, 
plus they are free and work very well.

(there are some threads on this mailing list on that subject)

Good luck,
MJ

On 11/10/20 5:31 PM, E.P. via PacketFence-users wrote:
> Since this group suddenly became alive I dare asking my previous again
> 
> 
> How would I install a wildcard SSL certificate on PF, see more details 
> below
> 
> Eugene
> 
> *From:* E.P. <ype...@gmail.com>
> *Sent:*

Re: [PacketFence-users] Wildcard SSL certificate installation on PF

2020-11-12 Thread Colton Conor via PacketFence-users
We use a wildcard on PF without a problem.

On Thu, Nov 12, 2020 at 3:51 PM Michael Brown via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> I have a wildcard from Digicert and used this to get the cert:
> Apache: CSR & SSL Installation (OpenSSL)
> <https://www.digicert.com/kb/csr-ssl-installation/apache-openssl.htm>
>
>
> Also, when requesting the duplicate from Digicert it allows you to enter
> additional SANs beyond the *.domain.com.  I put my pf.domain.com as one
> of the SANs when requesting the duplicate.  I also used WinSCP to connect
> to my packetfence server to get the csr and key files.  I know that's not
> needed but just thought I would mention it.
>
>
>
>
> On Thursday, November 12, 2020, 04:29:50 PM EST, ypefti--- via
> PacketFence-users  wrote:
>
>
> More digging, more tries, more frustrations 
> Further to my previous email. I replaced three files from SSL folder with
> files that correspond to the new certificate, i.e.
> /usr/local/pf/conf/ssl/server.key
> /usr/local/pf/conf/ssl/server.crt
> /usr/local/pf/conf/ssl/server.pem
>
> PF web interface said bye-bye to me. Why do I see this error in
> /usr/local/pf/logs/httpd.webservices.error
>
> Nov 12 13:04:07 pf httpd_webservices_err: AH00558: httpd: Could not
> reliably determine the server's fully qualified domain name, using
> fe80::250:56ff:fe8a:e674. Set the 'ServerName' directive globally to
> suppress this message
>
> What happened to Apache and PF ?
>
> And what drives me mad is the fact that if I put old certificate files
> back I still can't login via PF GUI.
> Having this error:
>
> A networking error occurred. Is the API service running?
>
> Eugene
>
> -----Original Message-----
> From: ype...@gmail.com 
> Sent: Thursday, November 12, 2020 11:26 AM
> To: packetfence-users@lists.sourceforge.net
> Cc: 'mj' 
> Subject: RE: [PacketFence-users] Wildcard SSL certificate installation on
> PF
>
> Thank you, MJ,
> It looks like questions asked here are replied selectively.
> At least out of 4 questions that I asked only this one was finally
> "noticed" after the resend 
> I wouldn't bother the list with my questions if the procedure is well
> documented and works.
> The existing documentation mentions only this:
>
>
> 
> "Upon PacketFence installation, self-signed certificates will be created
> in /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates
> can be replaced anytime by your 3rd-party or existing wild card certificate
> without problems. Please note that the CN (Common Name) needs to be the
> same as the one defined in the PacketFence configuration file (pf.conf)."
>
> 
>
> This is very confusing. We all know that CN in the wildcard certificate
> looks like this:
> *.example.com
> How would I make use of it with PF ?
>
> If you refer me to Let's Encrypt certificates should I understand that I
> need to do it from www.sslforfree.com And what's the correct procedure to
> install an SSL certificate to PF. Never saw it in the documentation.
> I need it for a captive portal.
>
> Eugene
>
> -----Original Message-----
> From: mj via PacketFence-users 
> Sent: Wednesday, November 11, 2020 1:38 AM
> To: packetfence-users@lists.sourceforge.net
> Cc: mj 
> Subject: Re: [PacketFence-users] Wildcard SSL certificate installation on
> PF
>
> Hi Eugene,
>
> The list has always been alive, from where we are. :-)
>
> Anyway: I would encourage you to take a look at Let's Encrypt certificates
> with packetfence. I think they are a bit more secure than a wildcard
> certificate, plus they are free and work very well.
>
> (there are some threads on this mailing list on that subject)
>
> Good luck,
> MJ
>
> On 11/10/20 5:31 PM, E.P. via PacketFence-users wrote:
> > Since this group suddenly became alive I dare asking my previous again
> > 
> >
> > How would I install a wildcard SSL certificate on PF, see more details
> > below
> >
> > Eugene
> >
> > *From:* E.P. 
> > *Sent:* Saturday, October 31, 2020 2:43 PM
> > *To:* packetfence-users@lists.sourceforge.net
> > *Subject:* Wildcard SSL certificate installation o

Re: [PacketFence-users] Wildcard SSL certificate installation on PF

2020-11-12 Thread Michael Brown via PacketFence-users
I have a wildcard from Digicert and used this to get the cert:

Apache: CSR & SSL Installation (OpenSSL)



Also, when requesting the duplicate from Digicert it allows you to enter 
additional SANs beyond the *.domain.com.  I put my pf.domain.com as one of the 
SANs when requesting the duplicate.  I also used WinSCP to connect to my 
packetfence server to get the csr and key files.  I know that's not needed but 
just thought I would mention it.  



On Thursday, November 12, 2020, 04:29:50 PM EST, ypefti--- via 
PacketFence-users  wrote:  
 
 More digging, more tries, more frustrations 
Further to my previous email. I replaced three files from SSL folder with files 
that correspond to the new certificate, i.e.
/usr/local/pf/conf/ssl/server.key
/usr/local/pf/conf/ssl/server.crt
/usr/local/pf/conf/ssl/server.pem

PF web interface said bye-bye to me. Why do I see this error in 
/usr/local/pf/logs/httpd.webservices.error

Nov 12 13:04:07 pf httpd_webservices_err: AH00558: httpd: Could not reliably 
determine the server's fully qualified domain name, using 
fe80::250:56ff:fe8a:e674. Set the 'ServerName' directive globally to suppress 
this message

What happened to Apache and PF ?

And what drives me mad is the fact that if I put old certificate files back I 
still can't login via PF GUI.
Having this error:

A networking error occurred. Is the API service running?

Eugene

-----Original Message-----
From: ype...@gmail.com  
Sent: Thursday, November 12, 2020 11:26 AM
To: packetfence-users@lists.sourceforge.net
Cc: 'mj' 
Subject: RE: [PacketFence-users] Wildcard SSL certificate installation on PF

Thank you, MJ,
It looks like questions asked here are replied selectively.
At least out of 4 questions that I asked only this one was finally "noticed" 
after the resend 
I wouldn't bother the list with my questions if the procedure is well 
documented and works.
The existing documentation mentions only this:


"Upon PacketFence installation, self-signed certificates will be created in 
/usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be 
replaced anytime by your 3rd-party or existing wild card certificate without 
problems. Please note that the CN (Common Name) needs to be the same as the one 
defined in the PacketFence configuration file (pf.conf)."


This is very confusing. We all know that CN in the wildcard certificate looks 
like this:
*.example.com
How would I make use of it with PF ?

If you refer me to Let's Encrypt certificates should I understand that I need 
to do it from www.sslforfree.com And what's the correct procedure to install an 
SSL certificate to PF. Never saw it in the documentation.
I need it for a captive portal.

Eugene

-----Original Message-----
From: mj via PacketFence-users 
Sent: Wednesday, November 11, 2020 1:38 AM
To: packetfence-users@lists.sourceforge.net
Cc: mj 
Subject: Re: [PacketFence-users] Wildcard SSL certificate installation on PF

Hi Eugene,

The list has always been alive, from where we are. :-)

Anyway: I would encourage you to take a look at Let's Encrypt certificates with 
packetfence. I think they are a bit more secure than a wildcard certificate, 
plus they are free and work very well.

(there are some threads on this mailing list on that subject)

Good luck,
MJ

On 11/10/20 5:31 PM, E.P. via PacketFence-users wrote:
> Since this group suddenly became alive I dare asking my previous again
> 
> 
> How would I install a wildcard SSL certificate on PF, see more details 
> below
> 
> Eugene
> 
> *From:* E.P. 
> *Sent:* Saturday, October 31, 2020 2:43 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Subject:* Wildcard SSL certificate installation on PF
> 
> Guys,
> 
> I’m trying to overcome the issue with a self-signed SSL certificate 
> that PF offers to WiFi authentication via captive portal.
> 
> This is a certificate that is in use by HTTPS sessions
> 
> Certificate/Key match
> Chain is invalid
> common_name: 127.0.0.1, emailAddress=supp...@inverse.ca
> issuer:      C=CA, ST=QC, L=Montreal, O=Inverse, CN=127.0.0.1, emailAddress=supp...@inverse.ca
> not_after:   Oct 7 15:29:09 2021 GMT
> not_before:  Oct 7 15:29:09 2020 GMT
> serial:      A500DC03671C0E35
> subject:     C=CA, ST=QC, L=Montreal, O=In

Re: [PacketFence-users] Wildcard SSL certificate installation on PF

2020-11-12 Thread ypefti--- via PacketFence-users
More digging, more tries, more frustrations 
Further to my previous email. I replaced three files from SSL folder with files 
that correspond to the new certificate, i.e.
/usr/local/pf/conf/ssl/server.key
/usr/local/pf/conf/ssl/server.crt
/usr/local/pf/conf/ssl/server.pem

PF web interface said bye-bye to me. Why do I see this error in 
/usr/local/pf/logs/httpd.webservices.error

Nov 12 13:04:07 pf httpd_webservices_err: AH00558: httpd: Could not reliably 
determine the server's fully qualified domain name, using 
fe80::250:56ff:fe8a:e674. Set the 'ServerName' directive globally to suppress 
this message

What happened to Apache and PF ?

And what drives me mad is the fact that if I put old certificate files back I 
still can't login via PF GUI.
Having this error:

A networking error occurred. Is the API service running?

Eugene

-----Original Message-----
From: ype...@gmail.com  
Sent: Thursday, November 12, 2020 11:26 AM
To: packetfence-users@lists.sourceforge.net
Cc: 'mj' 
Subject: RE: [PacketFence-users] Wildcard SSL certificate installation on PF

Thank you, MJ,
It looks like questions asked here are replied selectively.
At least out of 4 questions that I asked only this one was finally "noticed" 
after the resend 
I wouldn't bother the list with my questions if the procedure is well 
documented and works.
The existing documentation mentions only this:


"Upon PacketFence installation, self-signed certificates will be created in 
/usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be 
replaced anytime by your 3rd-party or existing wild card certificate without 
problems. Please note that the CN (Common Name) needs to be the same as the one 
defined in the PacketFence configuration file (pf.conf)."


This is very confusing. We all know that CN in the wildcard certificate looks 
like this:
*.example.com
How would I make use of it with PF ?

If you refer me to Let's Encrypt certificates should I understand that I need 
to do it from www.sslforfree.com And what's the correct procedure to install an 
SSL certificate to PF. Never saw it in the documentation.
I need it for a captive portal.

Eugene

-----Original Message-----
From: mj via PacketFence-users 
Sent: Wednesday, November 11, 2020 1:38 AM
To: packetfence-users@lists.sourceforge.net
Cc: mj 
Subject: Re: [PacketFence-users] Wildcard SSL certificate installation on PF

Hi Eugene,

The list has always been alive, from where we are. :-)

Anyway: I would encourage you to take a look at Let's Encrypt certificates with 
packetfence. I think they are a bit more secure than a wildcard certificate, 
plus they are free and work very well.

(there are some threads on this mailing list on that subject)

Good luck,
MJ

On 11/10/20 5:31 PM, E.P. via PacketFence-users wrote:
> Since this group suddenly became alive I dare asking my previous again
> 
> 
> How would I install a wildcard SSL certificate on PF, see more details 
> below
> 
> Eugene
> 
> *From:* E.P. 
> *Sent:* Saturday, October 31, 2020 2:43 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Subject:* Wildcard SSL certificate installation on PF
> 
> Guys,
> 
> I’m trying to overcome the issue with a self-signed SSL certificate 
> that PF offers to WiFi authentication via captive portal.
> 
> This is a certificate that is in use by HTTPS sessions
> 
> Certificate/Key match
> Chain is invalid
> common_name: 127.0.0.1, emailAddress=supp...@inverse.ca
> issuer:      C=CA, ST=QC, L=Montreal, O=Inverse, CN=127.0.0.1, emailAddress=supp...@inverse.ca
> not_after:   Oct 7 15:29:09 2021 GMT
> not_before:  Oct 7 15:29:09 2020 GMT
> serial:      A500DC03671C0E35
> subject:     C=CA, ST=QC, L=Montreal, O=Inverse, CN=127.0.0.1, emailAddress=supp...@inverse.ca
> 
> Is there any way to import and install a company wild card SSL 
> certificate into PF
> 
> Eugene
> 
> 
> 
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
> 






___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Wildcard SSL certificate installation on PF

2020-11-12 Thread ypefti--- via PacketFence-users
Thank you, MJ,
It looks like questions asked here are replied selectively.
At least out of 4 questions that I asked only this one was finally "noticed" 
after the resend 
I wouldn't bother the list with my questions if the procedure is well 
documented and works.
The existing documentation mentions only this:


"Upon PacketFence installation, self-signed certificates will be created in 
/usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be 
replaced anytime by your 3rd-party or existing wild card certificate without 
problems. Please note that the CN (Common Name) needs to be the same as the one 
defined in the PacketFence configuration file (pf.conf)."


This is very confusing. We all know that CN in the wildcard certificate looks 
like this:
*.example.com
How would I make use of it with PF ?

If you refer me to Let's Encrypt certificates should I understand that I need 
to do it from www.sslforfree.com
And what's the correct procedure to install an SSL certificate to PF. Never saw 
it in the documentation.
I need it for a captive portal.

Eugene

-----Original Message-----
From: mj via PacketFence-users  
Sent: Wednesday, November 11, 2020 1:38 AM
To: packetfence-users@lists.sourceforge.net
Cc: mj 
Subject: Re: [PacketFence-users] Wildcard SSL certificate installation on PF

Hi Eugene,

The list has always been alive, from where we are. :-)

Anyway: I would encourage you to take a look at Let's Encrypt certificates with 
packetfence. I think they are a bit more secure than a wildcard certificate, 
plus they are free and work very well.

(there are some threads on this mailing list on that subject)

Good luck,
MJ

On 11/10/20 5:31 PM, E.P. via PacketFence-users wrote:
> Since this group suddenly became alive I dare asking my previous again 
> 
> 
> How would I install a wildcard SSL certificate on PF, see more details 
> below
> 
> Eugene
> 
> *From:* E.P. 
> *Sent:* Saturday, October 31, 2020 2:43 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Subject:* Wildcard SSL certificate installation on PF
> 
> Guys,
> 
> I’m trying to overcome the issue with a self-signed SSL certificate 
> that PF offers to WiFi authentication via captive portal.
> 
> This is a certificate that is in use by HTTPS sessions
> 
> Certificate/Key match
> Chain is invalid
> common_name: 127.0.0.1, emailAddress=supp...@inverse.ca
> issuer:      C=CA, ST=QC, L=Montreal, O=Inverse, CN=127.0.0.1, emailAddress=supp...@inverse.ca
> not_after:   Oct 7 15:29:09 2021 GMT
> not_before:  Oct 7 15:29:09 2020 GMT
> serial:      A500DC03671C0E35
> subject:     C=CA, ST=QC, L=Montreal, O=Inverse, CN=127.0.0.1, emailAddress=supp...@inverse.ca
> 
> Is there any way to import and install a company wild card SSL 
> certificate into PF
> 
> Eugene
> 
> 
> 
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
> 





___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
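
Michael's remark about adding pf.domain.com as a SAN and Eugene's question about a `*.example.com` CN both come down to how a client matches the name it connected to against the certificate. The sketch below is an added example, not part of any message in this thread and not PacketFence code; it applies RFC 6125-style matching in simplified form, and the address 192.0.2.10 is a constructed placeholder for a portal reached by IP.

```python
import ipaddress


def is_ip_literal(name):
    """True when the client connected to an IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern, host):
    """Match one certificate DNS name (possibly a wildcard) against a host name."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if is_ip_literal(host):
        return False  # DNS names, wildcard or not, never cover an IP literal
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if len(p_labels) != len(h_labels):
        return False  # "*" stands for exactly one label, never zero or several
    if p_labels[0] == "*":
        # Simplification: the wildcard must be the whole leftmost label and be
        # followed by at least two more labels (so "*.com" is rejected).
        if len(p_labels) < 3 or "*" in "".join(p_labels[1:]):
            return False
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False  # partial wildcards such as "p*.domain.com" are rejected
    return p_labels == h_labels


def cert_covers(host, common_name, san_dns=(), san_ip=()):
    """Return (ok, reason) for a client that connected to `host`."""
    if is_ip_literal(host):
        wanted = ipaddress.ip_address(host)
        for ip in san_ip:
            if ipaddress.ip_address(ip) == wanted:
                return True, "iPAddress SAN " + ip
        return False, "IP literal: only an iPAddress SAN can match"
    if san_dns:
        for name in san_dns:
            if dns_name_matches(name, host):
                return True, "dNSName SAN " + name
        return False, "no dNSName SAN matches; CN is not consulted"
    # Legacy fallback only; current browsers match on SAN entries alone.
    if dns_name_matches(common_name, host):
        return True, "CN fallback (legacy clients)"
    return False, "CN does not match"


def audit(hosts, common_name, san_dns=(), san_ip=()):
    """Check every name a client might use to reach the portal."""
    return {h: cert_covers(h, common_name, san_dns, san_ip) for h in hosts}


# Constructed sample: the wildcard plus the extra SAN mentioned in the thread.
SAMPLE_CN = "*.domain.com"
SAMPLE_SAN_DNS = ["*.domain.com", "pf.domain.com"]
SAMPLE_HOSTS = ["pf.domain.com", "192.0.2.10", "portal.guest.domain.com", "domain.com"]

if __name__ == "__main__":
    for host, (ok, reason) in audit(SAMPLE_HOSTS, SAMPLE_CN, SAMPLE_SAN_DNS).items():
        print(("OK   " if ok else "FAIL ") + host + ": " + reason)
```

A portal that redirects guests to its IP address fails this check with any wildcard certificate, which is why the redirect target has to be the FQDN.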


Re: [PacketFence-users] Wildcard SSL certificate installation on PF

2020-11-11 Thread mj via PacketFence-users

Hi Eugene,

The list has always been alive, from where we are. :-)

Anyway: I would encourage you to take a look at Let's Encrypt 
certificates with packetfence. I think they are a bit more secure than a 
wildcard certificate, plus they are free and work very well.

(there are some threads on this mailing list on that subject)

Good luck,
MJ

On 11/10/20 5:31 PM, E.P. via PacketFence-users wrote:

Since this group suddenly became alive I dare asking my previous again 

How would I install a wildcard SSL certificate on PF, see more details below

Eugene

*From:* E.P. 
*Sent:* Saturday, October 31, 2020 2:43 PM
*To:* packetfence-users@lists.sourceforge.net
*Subject:* Wildcard SSL certificate installation on PF

Guys,

I’m trying to overcome the issue with a self-signed SSL certificate that 
PF offers to WiFi authentication via captive portal.


This is a certificate that is in use by HTTPS sessions

Certificate/Key match
Chain is invalid
common_name: 127.0.0.1, emailAddress=supp...@inverse.ca
issuer:      C=CA, ST=QC, L=Montreal, O=Inverse, CN=127.0.0.1, emailAddress=supp...@inverse.ca
not_after:   Oct 7 15:29:09 2021 GMT
not_before:  Oct 7 15:29:09 2020 GMT
serial:      A500DC03671C0E35
subject:     C=CA, ST=QC, L=Montreal, O=Inverse, CN=127.0.0.1, emailAddress=supp...@inverse.ca


Is there any way to import and install a company wild card SSL 
certificate into PF


Eugene







___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Wildcard SSL certificate installation on PF

2020-11-10 Thread E.P. via PacketFence-users
Since this group suddenly became alive I dare asking my previous again 

How would I install a wildcard SSL certificate on PF, see more details below

 

Eugene

 

From: E.P.  
Sent: Saturday, October 31, 2020 2:43 PM
To: packetfence-users@lists.sourceforge.net
Subject: Wildcard SSL certificate installation on PF

 

Guys,

I’m trying to overcome the issue with a self-signed SSL certificate that PF 
offers to WiFi authentication via captive portal.

This is a certificate that is in use by HTTPS sessions

Certificate/Key match
Chain is invalid
common_name: 127.0.0.1, emailAddress=supp...@inverse.ca
issuer:      C=CA, ST=QC, L=Montreal, O=Inverse, CN=127.0.0.1, emailAddress=supp...@inverse.ca
not_after:   Oct 7 15:29:09 2021 GMT
not_before:  Oct 7 15:29:09 2020 GMT
serial:      A500DC03671C0E35
subject:     C=CA, ST=QC, L=Montreal, O=Inverse, CN=127.0.0.1, emailAddress=supp...@inverse.ca

 

Is there any way to import and install a company wild card SSL certificate into 
PF

 

Eugene

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users