Haproxy terminates the SSL tunnel, and not Apache anymore (for the portal).

So just this file is enough: /usr/local/pf/conf/ssl/server.pem

Regards

Fabrice



On 2017-08-23 at 03:24, Will Halsall via PacketFence-users wrote:
>
> I just added the intermediate certificate to the cat process:
>
> cat /usr/local/pf/conf/ssl/server.crt \
>     /usr/local/pf/conf/ssl/server.key \
>     /usr/local/pf/conf/ssl/intermediates.crt \
>     > /usr/local/pf/conf/ssl/server.pem
>
> and uncommented the intermediate certificate in ssl-certificates.conf
>
> Packetfence/conf/httpd.conf.d/ssl-certificates.conf:SSLCertificateChainFile %%install_dir%%/conf/ssl/intermediates.crt
>
> See if that helps
>
> *From:*Thomas, Gregory A via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Tuesday, August 22, 2017 8:21 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Thomas, Gregory A
> *Subject:* Re: [PacketFence-users] Captive portal SSL not using
> defined cert after PF7 upgrade
>
>  
>
> I know this is an older post but I am having some problems with the
> cert getting to the user’s computer.
>
>  
>
> I have concatenated the crt and key file to a pem. The thing is, I am
> using a wild card cert with a chain so on some machines the user is
> seeing an error of an invalid cert. When looking at the cert they are
> seeing it is from *.uwp.edu (which is the valid name) I am guessing it
> is invalid because it is missing the chain crt.
>
>  
>
> Is there any way to include the chain in the pem file?
>
>  
>
> --
>
> Gregory A. Thomas
>
> Student Life Support Specialist
>
> University of Wisconsin-Parkside
>
> thom...@uwp.edu
>
> 262.595.2432
>
>  
>
> *From:*Virginie Girou [mailto:virginie.gi...@ut-capitole.fr]
> *Sent:* Tuesday, May 2, 2017 3:27 AM
> *To:* packetfence-users@lists.sourceforge.net
> <mailto:packetfence-users@lists.sourceforge.net>
> *Subject:* Re: [PacketFence-users] Captive portal SSL not using
> defined cert after PF7 upgrade
>
>  
>
> Hello,
>
> Thank you, it works now!
>
> Virginie Girou
> Equipe systeme
> DSI - UT1 Capitole 
> Tel : +33 (0)5.61.63.39.19
>
> On 28/04/2017 23:53, Sokolowski, Darryl wrote:
>
>     Fantastic!
>
>     We’re up and running!
>
>     Thanks again to all for your help!
>
>      
>
>     Darryl
>
>      
>
>     *From:*Louis Munro [mailto:lmu...@inverse.ca]
>     *Sent:* Friday, April 28, 2017 5:46 PM
>     *To:* packetfence-users@lists.sourceforge.net
>     <mailto:packetfence-users@lists.sourceforge.net>
>     *Subject:* Re: [PacketFence-users] Captive portal SSL not using
>     defined cert after PF7 upgrade
>
>      
>
>      
>
>         On Apr 28, 2017, at 5:25 PM, Sokolowski, Darryl
>         <ds...@earthcolor.com <mailto:ds...@earthcolor.com>> wrote:
>
>          
>
>         Oh, ok, now I understand what Fabrice meant about haproxy
>         terminating the ssl tunnel. Thanks for that explanation.
>
>         Sorry, I didn’t pick that up right away.
>
>          
>
>         I changed var/conf/haproxy.conf to point at my certificates,
>         and every time I restart the service, it rewrites haproxy.conf
>         file back to using server.pem.
>
>          
>
>      
>
>     That's the expected behaviour.
>
>     That file is actually generated based on your configuration, every
>     time you start the service.
>
>      
>
>
>
>         So reading your response again, it sounds like my concatenated
>         certificate might need to be named ‘server.pem’.
>
>         If I rename my certificate to ‘server.pem’, it works as desired.
>
>         Is that the way to do it? Or am I still off-base?
>
>      
>
>      
>
>     That's the way to go.
>
>      
>
>
>
>         ‘server.pem’ won’t get overwritten by an upgrade?
>
>          
>
>      
>
>     This is what the packetfence.spec file does: 
>
>      
>
>     #Make ssl certificate
>     if [ ! -f /usr/local/pf/conf/ssl/server.crt ]; then
>         openssl req -x509 -new -nodes -days 365 -batch\
>             -out /usr/local/pf/conf/ssl/server.crt\
>             -keyout /usr/local/pf/conf/ssl/server.key\
>             -nodes -config /usr/local/pf/conf/openssl.cnf
>         cat /usr/local/pf/conf/ssl/server.crt /usr/local/pf/conf/ssl/server.key > /usr/local/pf/conf/ssl/server.pem
>     fi
>
>     So as long as you have a file named
>      "/usr/local/pf/conf/ssl/server.crt" it won't overwrite the
>     server.pem.
>
>
>
>      
>
>      
>
>      
>
>     I agree that this should be configurable.
>
>     I'm adding it to the wishlist for 7.1 or 7.2.
>
>      
>
>      
>
>      
>
>     Regards,
>     --
>
>     Louis Munro
>     lmu...@inverse.ca <mailto:lmu...@inverse.ca>  ::  www.inverse.ca
>     <http://www.inverse.ca> 
>     +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
>     Inverse inc. :: Leaders behind SOGo (www.sogo.nu
>     <http://www.sogo.nu>) and PacketFence (www.packetfence.org
>     <http://www.packetfence.org>)
>
>      
>
>      
>
>
>     _______________________________________________
>
>     PacketFence-users mailing list
>
>     PacketFence-users@lists.sourceforge.net
>     <mailto:PacketFence-users@lists.sourceforge.net>
>
>     https://lists.sourceforge.net/lists/listinfo/packetfence-users
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
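
The thread settles on a single server.pem that holds the certificate, the private key and the intermediates. The shell checks below are an added example, not code from PacketFence or from any poster in the thread; they confirm that a bundle has that shape, that the key matches the first certificate, and that the file is not readable by other users now that it embeds the key. The function names are hypothetical, and the script assumes the openssl CLI and GNU stat.

```shell
#!/bin/sh
# Added example: sanity checks for a combined PEM bundle such as server.pem.
# Function names are illustrative; assumes the openssl CLI and GNU stat.

# Print the PEM block types in file order, one per line,
# e.g. CERTIFICATE / PRIVATE KEY / CERTIFICATE.
pem_layout() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Succeed only if the bundle holds exactly one private key and at least
# two certificates (the leaf plus one or more intermediates).
pem_has_chain() {
    keys=$(pem_layout "$1" | grep -c 'PRIVATE KEY$' || true)
    certs=$(pem_layout "$1" | grep -c '^CERTIFICATE$' || true)
    [ "$keys" -eq 1 ] && [ "$certs" -ge 2 ]
}

# Succeed only if the private key belongs to the first certificate in the
# file (compares the two public keys; needs openssl).
pem_key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if group and other have no access to the file, since the
# bundle contains the private key (GNU stat syntax).
pem_mode_private() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Stand-alone use: sh check_pem.sh /usr/local/pf/conf/ssl/server.pem
if [ "$#" -eq 1 ]; then
    pem_layout "$1"
    pem_has_chain "$1"    || echo "WARN: no intermediate certificate in bundle"
    pem_key_matches "$1"  || echo "WARN: key does not match first certificate"
    pem_mode_private "$1" || echo "WARN: bundle is readable by group or other"
fi
```
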
