I know this is an older post but I am having some problems with the cert 
getting to the user's computer.

I have concatenated the crt and key file to a pem. The thing is, I am using a 
wildcard cert with a chain, so on some machines the user is seeing an error of 
an invalid cert. When looking at the cert they are seeing it is from *.uwp.edu 
(which is the valid name). I am guessing it is invalid because it is missing the 
chain crt.

Is there any way to include the chain in the pem file?

--
Gregory A. Thomas
Student Life Support Specialist
University of Wisconsin-Parkside
thom...@uwp.edu
262.595.2432

From: Virginie Girou [mailto:virginie.gi...@ut-capitole.fr]
Sent: Tuesday, May 2, 2017 3:27 AM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Captive portal SSL not using defined cert 
after PF7 upgrade

Hello,

Thank you, it works now!

Virginie Girou
Systems team
DSI - UT1 Capitole
Tel: +33 (0)5.61.63.39.19

On 28/04/2017 23:53, Sokolowski, Darryl wrote:
Fantastic!
We're up and running!
Thanks again to all for your help!

Darryl

From: Louis Munro [mailto:lmu...@inverse.ca]
Sent: Friday, April 28, 2017 5:46 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Captive portal SSL not using defined cert 
after PF7 upgrade


On Apr 28, 2017, at 5:25 PM, Sokolowski, Darryl <ds...@earthcolor.com> wrote:

Oh, ok, now I understand what Fabrice meant about haproxy terminating the ssl 
tunnel. Thanks for that explanation.
Sorry, I didn't pick that up right away.

I changed var/conf/haproxy.conf to point at my certificates, and every time I 
restart the service, it rewrites haproxy.conf file back to using server.pem.


That's the expected behaviour.
That file is actually generated based on your configuration, every time you 
start the service.




So reading your response again, it sounds like my concatenated certificate 
might need to be named 'server.pem'.
If I rename my certificate to 'server.pem', it works as desired.
Is that the way to do it? Or am I still off-base?


That's the way to go.




'server.pem' won't get overwritten by an upgrade?


This is what the packetfence.spec file does:


#Make ssl certificate
if [ ! -f /usr/local/pf/conf/ssl/server.crt ]; then
    openssl req -x509 -new -nodes -days 365 -batch\
        -out /usr/local/pf/conf/ssl/server.crt\
        -keyout /usr/local/pf/conf/ssl/server.key\
        -nodes -config /usr/local/pf/conf/openssl.cnf
    cat /usr/local/pf/conf/ssl/server.crt /usr/local/pf/conf/ssl/server.key > /usr/local/pf/conf/ssl/server.pem
fi

So as long as you have a file named "/usr/local/pf/conf/ssl/server.crt" it 
won't overwrite the server.pem.






I agree that this should be configurable.
I'm adding it to the wishlist for 7.1 or 7.2.



Regards,
--
Louis Munro
lmu...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and 
PacketFence (www.packetfence.org)
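
Added example (not from the thread and not PacketFence code), for the chain question at the top of the thread and the server.pem layout described above: a shell function that builds a single PEM with the intermediate chain included, in the leaf, chain, key order HAProxy accepts from one file. It first checks that the key matches the certificate and that the supplied chain links the leaf to a trusted root. The function name, its arguments and the trust-anchor file are assumptions.

```shell
#!/bin/sh
# Added example, not PacketFence code. File names are the caller's own;
# "trust" is a PEM file of root CAs the clients are expected to trust.
# usage: build_server_pem leaf.crt chain.crt server.key trust.pem out.pem
build_server_pem() {
    leaf=$1 chain=$2 key=$3 trust=$4 out=$5

    # 1. The private key must belong to the leaf certificate: compare the
    #    public key extracted from each (both print the same PEM block).
    cert_pub=$(openssl x509 -in "$leaf" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match $leaf" >&2
        return 3
    fi

    # 2. The leaf must chain to a trusted root using only the intermediates
    #    in $chain, which is all a client receives from the server.
    if ! openssl verify -CAfile "$trust" -untrusted "$chain" "$leaf" \
            >/dev/null 2>&1; then
        echo "$chain does not link $leaf to a root in $trust" >&2
        return 4
    fi

    # 3. Write leaf, intermediates, key in that order. awk 1 repairs a
    #    missing final newline so PEM markers never run together.
    tmp=$(mktemp "$out.XXXXXX") || return 5
    chmod 600 "$tmp"
    awk 1 "$leaf" "$chain" "$key" > "$tmp" && mv "$tmp" "$out"
}
```

Pointing the last argument at /usr/local/pf/conf/ssl/server.pem gives the file name that, per this thread, the generated haproxy.conf uses.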






_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users




