Author Topic: Wildcard SSL really how to?


Wildcard SSL really how to?
« on: May 23, 2020, 07:04:50 PM »
I searched the whole forum about the wildcard SSL problem; there are a few "solutions" that users posted there, but none of them really works.

I did the part of the steps that are really needed for wildcard:

1) CWP7 > WebServer Settings > WebServers Conf Editor > '/usr/local/apache/conf.d/vhosts/' > DOMAIN.conf > Edit:
Quote
ServerAlias www.mydomain.tld
change to
Quote
ServerAlias *.mydomain.tld

2) DNS Functions > List DNS Zones > mydomain.tld.db > Edit Records > Add A Record:
Quote
Name: *
Quote
Direction IPv4 address: domain_server_ip

What else needs to be done?
« Last Edit: May 23, 2020, 07:06:46 PM by sergdev777 »

Re: Wildcard SSL really how to?
« Reply #1 on: May 23, 2020, 07:40:42 PM »
To get wildcard ssl from LetsEncrypt, you have to validate over DNS.  I posted a pretty good guide on here on how to do it, but it's complicated to set up at first.
Google Hangouts:  rcschaff82@gmail.com

Re: Wildcard SSL really how to?
« Reply #2 on: May 24, 2020, 07:32:26 AM »
Quote
To get wildcard ssl from LetsEncrypt, you have to validate over DNS.  I posted a pretty good guide on here on how to do it, but it's complicated to set up at first.
Do you mean this guide?
http://forum.centos-webpanel.com/index.php?topic=4686.0

If yes, I followed it step by step; it does not work for me (CentOS 7).


Install haveged:  yum install haveged OK

Generate a tsig:
cd /etc/named/ OK
dnssec-keygen -a HMAC-SHA512 -b 512 -n acme return: dnssec-keygen: fatal: the key name was not specified

Create a new zone called acme.schaffner.org:
/etc/named.conf
Code:
zone "acme.schaffner.org" {
        type master;
        file "/var/named/acme.schaffner.org.db";
        allow-update {
                key "acme";
        };
};
Done

/var/named/acme.schaffner.org.db
Code:
$ORIGIN .
$TTL 86400      ; 1 day
acme.schaffner.org      IN SOA  ns1.schaffner.org. rcschaff82.gmail.com. (
                                2020021035 ; serial
                                86400      ; refresh (1 day)
                                7200       ; retry (2 hours)
                                3600000    ; expire (5 weeks 6 days 16 hours)
                                86400      ; minimum (1 day)
                                )
$TTL 14400      ; 4 hours
                        NS      ns1.schaffner.org.  ;   THIS IS IMPORTANT.  DO NOT USE BOTH NAMESERVERS FOR LE
$ORIGIN acme.schaffner.org.
$TTL 60 ; 1 minute
Done, but it's displayed corrupted in DNS Functions > List DNS Zones > Edit Records

Now the fun part.  You must add a cname for every domain that you want to have a wildcard certificate.  Add the following to those domains dns entries ((**NOTE: This also works for domains not hosted on your server, ex godaddy))
Code:
_acme-challenge 600     IN      CNAME   _acme-challenge.acme.schaffner.org.
_acme-challenge.* 600     IN      CNAME   _acme-challenge.acme.schaffner.org.
Done

Now you are set up to generate wildcard certificates.  In this example I added the above cnames to domain.com
Code:
NSUPDATE_SERVER=localhost NSUPDATE_KEY=/etc/named/acme.key ./.acme.sh/acme.sh --issue --test -d *.domain.com --challenge-alias acme.schaffner.org --dns dns_nsupdate --debug 2
Return: -bash: ./.acme.sh/acme.sh: No such file or directory

*schaffner.org replaced with my server domain name.

Moreover, the DNS restart failed because of named.conf
« Last Edit: May 24, 2020, 08:01:10 AM by sergdev777 »

Re: Wildcard SSL really how to?
« Reply #3 on: May 24, 2020, 12:06:15 PM »
Go figure, an update screwed up the tutorial. I also forgot a step in part 2 (my bad).


Step 2 is now:
cd /etc/named
dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme
cat K*.private
(Copy the line after KEY:)
nano /etc/named.conf
add at the top under the comments
Code:
key "acme" {
          algorithm hmac-md5;
          secret "(KEY GOES HERE)";
};


Quote
/var/named/acme.schaffner.org.db
Code:
$ORIGIN .
$TTL 86400      ; 1 day
acme.schaffner.org      IN SOA  ns1.schaffner.org. rcschaff82.gmail.com. (
                                2020021035 ; serial
                                86400      ; refresh (1 day)
                                7200       ; retry (2 hours)
                                3600000    ; expire (5 weeks 6 days 16 hours)
                                86400      ; minimum (1 day)
                                )
$TTL 14400      ; 4 hours
                        NS      ns1.schaffner.org.  ;   THIS IS IMPORTANT.  DO NOT USE BOTH NAMESERVERS FOR LE
$ORIGIN acme.schaffner.org.
$TTL 60 ; 1 minute
Done, but it's displayed corrupted in DNS Functions > List DNS Zones > Edit Records
I don't care what CWP says.  What's the output of
Code:
named-checkzone acme.schaffner.org /var/named/acme.schaffner.org.db
Quote
Code:
NSUPDATE_SERVER=localhost NSUPDATE_KEY=/etc/named/acme.key ./.acme.sh/acme.sh --issue --test -d *.domain.com --challenge-alias acme.schaffner.org --dns dns_nsupdate --debug 2
Return: -bash: ./.acme.sh/acme.sh: No such file or directory

run /scripts/install_acme

Re: Wildcard SSL really how to?
« Reply #4 on: May 24, 2020, 07:20:46 PM »
Thank you rcschaff! Now everything passes without incident, but still no wildcard SSL works.

Are you sure secret "(key)", not ("key")?
Code:
key "acme" {
          algorithm hmac-md5;
          secret "(KEY GOES HERE)";
};

And is this code needed together with the following in /etc/named.conf?
Code:
zone "acme.schaffner.org" {
        type master;
        file "/var/named/acme.schaffner.org.db";
        allow-update {
                key "acme";
        };
};
« Last Edit: May 24, 2020, 07:25:45 PM by sergdev777 »

Re: Wildcard SSL really how to?
« Reply #5 on: May 24, 2020, 07:34:07 PM »
Check /root/.acme.sh/ folder.


You should see a folder named (domain)
in there you will find several files including .key .bundle and .crt

You will need to copy those files to /etc/pki/tls
.key goes in the /private folder
.bundle and .crt go in the /certs folder

I guess I will make a script to do wildcard certificates to make things easier.

Re: Wildcard SSL really how to?
« Reply #6 on: May 24, 2020, 08:21:54 PM »
Quote
Code:
named-checkzone acme.schaffner.org /var/named/acme.schaffner.org.db

Quote
Check /root/.acme.sh/ folder.
in there you will find several files including .key .bundle and .crt
There is no .crt file, but there are .csr files (?!)

Quote
I guess I will make a script to do wildcard certificates to make things easier.
This is a great idea, will the script be compatible with CentOS 7?
« Last Edit: May 24, 2020, 08:45:51 PM by sergdev777 »

Re: Wildcard SSL really how to?
« Reply #7 on: May 24, 2020, 08:29:05 PM »
Quote
dns_master_load: /var/named/acme.doslar.ru.db:13: extra input text
/var/named/acme.doslar.ru.db: file does not end with newline
zone acme.doslar.ru/IN: loading from master file /var/named/acme.doslar.ru.db failed: extra input text
zone acme.doslar.ru/IN: not loaded due to errors.
Open acme.doslar.ru.db

go to the last line and hit enter, then save


Quote
Check /root/.acme.sh/ folder.
int there you will find several files including .key .bundle and .crt
There is not .crt file, but there is .csr files(?!)

Probably because the zone was never loaded for the dns to succeed

Quote
I guess I will make a script to do wildcard certificates to make things easier.
This is a great idea, will the script be compatible with CentOS7?

Of course it will be.  Just have to work on it :)

Re: Wildcard SSL really how to?
« Reply #8 on: May 24, 2020, 08:41:08 PM »
Quote
dns_master_load: /var/named/acme.doslar.ru.db:13: extra input text
/var/named/acme.doslar.ru.db: file does not end with newline
zone acme.doslar.ru/IN: loading from master file /var/named/acme.doslar.ru.db failed: extra input text
zone acme.doslar.ru/IN: not loaded due to errors.
Open acme.doslar.ru.db

go to the last line and hit enter, then save
Done ok


Also DNS did not restart, because of /etc/named.conf:14: bad secret 'bad base64 encoding'
Code:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a any DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

key "acme" {
          algorithm hmac-md5;
          secret "[trIHAr8vNJrEWQWYkcZiM4POxGh+IhtbxU/P85yeXGxOvSP23hWnmTnKkT4Fc9hffjTToAHqTIlwW+0lCKjTpw==]";  // LINE 14
};
« Last Edit: May 24, 2020, 08:45:39 PM by sergdev777 »

Re: Wildcard SSL really how to?
« Reply #9 on: May 24, 2020, 08:46:00 PM »
1)  post your acme file

2) get rid of the brackets around the key. Might want to regenerate it now as it's been exposed.
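An added helper, not from this thread or rcschaff's guide: it reads the K*.private file that dnssec-keygen wrote in the Step 2 above and emits the named.conf key statement with the algorithm that file actually names, after checking that the secret is a bare base64 string, which is exactly the bracket mistake behind the 'bad base64 encoding' error. The file contents, key name and secret value are constructed for the example; the same statement can be written to the file given as NSUPDATE_KEY, since nsupdate -k accepts it.

```python
import base64
import re

# dnssec-keygen algorithm numbers -> names accepted in a BIND key statement
TSIG_ALGORITHMS = {157: "hmac-md5", 161: "hmac-sha1", 162: "hmac-sha224",
                   163: "hmac-sha256", 164: "hmac-sha384", 165: "hmac-sha512"}

# Constructed K*.private file, in the layout dnssec-keygen -a HMAC-SHA512 -b 512
# -n HOST acme writes; the secret is a fixed 64-byte test value, not a real key.
SAMPLE_SECRET = base64.b64encode(bytes(range(64))).decode()
PRIVATE_FILE = (
    "Private-key-format: v1.3\n"
    "Algorithm: 165 (HMAC_SHA512)\n"
    f"Key: {SAMPLE_SECRET}\n"
    "Bits: AAA=\n"
)

def secret_problem(secret):
    """Return None if the secret is usable, else why named would reject it."""
    if not secret:
        return "empty secret"
    if secret[0] in "[(" or secret[-1] in "])":
        return "secret is wrapped in brackets; paste the bare base64 string"
    try:
        base64.b64decode(secret, validate=True)   # strict alphabet + padding
    except ValueError:                             # binascii.Error is a ValueError
        return "bad base64 encoding"
    return None

def tsig_key_stanza(private_file_text, key_name="acme"):
    """Build the key statement for named.conf (also usable as the nsupdate -k file)."""
    fields = dict(re.findall(r"^(\w+):\s*(.*)$", private_file_text, re.M))
    algorithm = TSIG_ALGORITHMS[int(fields["Algorithm"].split()[0])]
    secret = fields["Key"].strip()
    problem = secret_problem(secret)
    if problem:
        raise ValueError(problem)
    return f'key "{key_name}" {{\n    algorithm {algorithm};\n    secret "{secret}";\n}};\n'

if __name__ == "__main__":
    print(tsig_key_stanza(PRIVATE_FILE))
```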

Re: Wildcard SSL really how to?
« Reply #10 on: May 24, 2020, 08:57:16 PM »
1)
Code:
$ORIGIN .
$TTL 86400      ; 1 day
acme.doslar.ru      IN SOA  ns1.doslar.ru. sergdev777.gmail.com. (
                                2020021035 ; serial
                                86400      ; refresh (1 day)
                                7200       ; retry (2 hours)
                                3600000    ; expire (5 weeks 6 days 16 hours)
                                86400      ; minimum (1 day)
                                )
$TTL 14400      ; 4 hours
                        NS      ns1.doslar.ru.  ;   THIS IS IMPORTANT.  DO NOT USE BOTH NAMESERVERS FOR LE
$ORIGIN acme.doslar.ru.
$TTL 60 ; 1 minute


2) Works!

3) Another error, because I added the CNAME token in doslar.ru.db with the existing name _acme-challenge:
dns_master_load: /var/named/doslar.ru.db:33: _acme-challenge.doslar.ru: multiple RRs of singleton type
Code:
; Generated by CWP
; Zone file for doslar.ru
$TTL 14400
@    86400        IN      SOA     ns1.doslar.ru. sergei.davidov.co.il. (
2020052488 ; serial, todays date+todays
3600            ; refresh, seconds
7200            ; retry, seconds
1209600         ; expire, seconds
86400 )         ; minimum, seconds
@ 86400 IN NS ns1.doslar.ru.
@ 86400 IN NS ns2.doslar.ru.
@ IN A 45.77.53.216
localhost.doslar.ru. IN A 127.0.0.1
@ IN MX 0 doslar.ru.
mail 14400 IN CNAME doslar.ru.
smtp 14400 IN CNAME doslar.ru.
pop  14400 IN CNAME doslar.ru.
pop3 14400 IN CNAME doslar.ru.
imap 14400 IN CNAME doslar.ru.
webmail 14400 IN A 45.77.53.216
cpanel 14400 IN A 45.77.53.216
cwp 14400 IN A 45.77.53.216
www 14400 IN CNAME doslar.ru.
ftp 14400 IN CNAME doslar.ru.
_dmarc 14400 IN TXT "v=DMARC1; p=none"
@ 14400 IN TXT "v=spf1 +a +mx +ip4:45.77.53.216 ~all"
ns1.doslar.ru.     14400   IN      A       136.244.81.190  ; #ns1
ns2.doslar.ru.     14400   IN      A       95.179.161.170  ; #ns2
default._domainkey 14400 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDF0HE6hTjv6XgJw02H+q22ULp2jJ1MV8MAzTN+82WT+IKQN8dhXvYqtqFEOP0sYRqcnSWnzxUJrC8JZxMEFx4bWS2LjZkvnFw+SS1tzbRIQk+AKcr3qllzqNgjoMnQfxQushbUAfbQproVJQavzKvtm9YYS4vZIVMeXFQx0I3+BwIDAQAB"
_acme-challenge 600     IN      CNAME   _acme-challenge.acme.doslar.ru.
_acme-challenge.* 600     IN      CNAME   _acme-challenge.acme.doslar.ru.
*  IN A 45.77.53.216
_acme-challenge 600     IN      CNAME   uLWyv07d65GnjxtuGzoZXGh2cE8owWh3W0SXKDsW2TM
« Last Edit: May 24, 2020, 09:09:27 PM by sergdev777 »

Re: Wildcard SSL really how to?
« Reply #11 on: May 24, 2020, 09:27:00 PM »
1) Try changing to this:
Code:
$ORIGIN .
$TTL 86400      ; 1 day
acme.doslar.ru      IN SOA  ns1.doslar.ru. sergdev777.gmail.com. (
                                2020021035 ; serial
                                86400      ; refresh (1 day)
                                7200       ; retry (2 hours)
                                3600000    ; expire (5 weeks 6 days 16 hours)
                                86400      ; minimum (1 day)
                                )
$TTL 14400      ; 4 hours
@     14400       IN      NS      ns1.doslar.ru.
$ORIGIN acme.doslar.ru.
$TTL 60 ; 1 minute


2 or 3) Delete _acme-challenge 600     IN      CNAME   uLWyv07d65GnjxtuGzoZXGh2cE8owWh3W0SXKDsW2TM

It should have been a TXT record
« Last Edit: May 24, 2020, 09:28:57 PM by rcschaff »
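An added pre-check, not from this thread or CWP: it catches the two zone-file errors reported in this thread before named is restarted, the missing final newline ('file does not end with newline') and a second CNAME at _acme-challenge ('multiple RRs of singleton type'). The zone excerpt, names and addresses are constructed for the example, and it checks only those conditions, not everything named-checkzone does.

```python
# Constructed zone excerpt that reproduces two mistakes from this thread: the
# last line has no trailing newline, and _acme-challenge carries two CNAMEs.
ZONE = """\
$TTL 14400
@ 86400 IN SOA ns1.example.net. hostmaster.example.net. (
    2020052401 ; serial
    3600 7200 1209600 86400 )
@ 86400 IN NS ns1.example.net.
@ IN A 192.0.2.10
default._domainkey 14400 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0G"
_acme-challenge 600 IN CNAME _acme-challenge.acme.example.net.
_acme-challenge.* 600 IN CNAME _acme-challenge.acme.example.net.
* IN A 192.0.2.10
_acme-challenge 600 IN CNAME not-a-token"""
FIXED = "\n".join(ZONE.splitlines()[:-1]) + "\n"  # stray CNAME removed, newline added

RR_CLASSES = {"IN", "CH", "HS"}

def lint_zone(text):
    """Return the problems named-checkzone would report for a master file."""
    problems = []
    if text and not text.endswith("\n"):
        problems.append("file does not end with newline")
    owner, in_paren, cnames, types = None, False, {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";")[0]          # owner/TTL/class/type precede any ';'
        if in_paren:                      # still inside a multi-line SOA
            in_paren = ")" not in line
            continue
        if not line.strip() or line.startswith("$"):
            continue                      # blank line or $TTL/$ORIGIN directive
        in_paren = "(" in line and ")" not in line
        tokens = line.split()
        if not raw[0].isspace():          # a name in column 1 sets the owner
            owner = tokens.pop(0)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in RR_CLASSES):
            tokens.pop(0)                 # skip optional TTL and class
        if tokens:
            rtype = tokens[0].upper()
            types.setdefault(owner, set()).add(rtype)
            if rtype == "CNAME":
                cnames.setdefault(owner, []).append(lineno)
    for name, lines in cnames.items():
        if len(lines) > 1:
            problems.append(f"{name}: multiple RRs of singleton type CNAME (lines {lines})")
        if types[name] - {"CNAME"}:
            problems.append(f"{name}: CNAME cannot coexist with other record types")
    return problems
```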