Hello there,
Use of certificates in PF.

PF version prior to 10:

Captive portal = /usr/local/pf/conf/ssl/server.pem (Private Key + Cert + intermediate)
  Configuration: /usr/local/pf/conf/haproxy-portal.conf

Web admin = /usr/local/pf/conf/ssl/server.crt (Certificate)
            /usr/local/pf/raddb/certs/server.key (Private key)
            /usr/local/pf/raddb/certs/intermediates.crt (Intermediates)
  Configuration: /usr/local/pf/conf/httpd.conf.d/ssl-certificates.conf

RADIUS = /usr/local/pf/raddb/certs/server.crt (Certificate)
         /usr/local/pf/raddb/certs/server.key (Private key)
         /usr/local/pf/raddb/certs/ca.pem (Root CA for EAP TLS)
  Configuration: /usr/local/pf/conf/radiusd/eap.conf

PF version 10:

Captive portal = /usr/local/pf/conf/ssl/server.pem (Private Key + Cert + intermediate)
  Configuration: /usr/local/pf/conf/haproxy-portal.conf

Web admin = /usr/local/pf/conf/ssl/server.pem (Private Key + Cert + intermediate)
  Configuration: /usr/local/pf/conf/haproxy-admin.conf

RADIUS = /usr/local/pf/raddb/certs/server.crt (Certificate)
         /usr/local/pf/raddb/certs/server.key (Private key)
         /usr/local/pf/raddb/certs/ca.pem (Root CA for EAP TLS)
  Configuration: /usr/local/pf/conf/radiusd/eap.conf
Hope it shed some light.
Thanks,
Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
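As an added example (not PacketFence's own tooling), the POSIX sh helper below assembles the server.pem bundle from the separate key, certificate and intermediate files listed above and runs the two checks the admin UI reports ("Certificate/Key match" and "Chain is invalid"), plus a CN/SAN print for the wildcard question raised further down. It assumes the openssl CLI is installed and takes file paths as arguments.

```shell
#!/bin/sh
# Hypothetical helper, not PacketFence code. Assumes openssl and awk in PATH.

# Succeeds when the private key and the certificate carry the same public key
# (compared as SHA-256 of the DER SubjectPublicKeyInfo): "Certificate/Key match".
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}')
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}')
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds when leaf + intermediates verify up to the given root; a missing or
# wrong intermediate is what shows up as "Chain is invalid".
#   $1 = root CA file, $2 = leaf certificate, $3 = intermediates file
chain_is_valid() {
  openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
}

# Prints the subject (CN) and any SAN line, so a wildcard such as *.example.com
# or an explicit SAN can be compared with the hostname configured in pf.conf.
cert_names() {
  openssl x509 -in "$1" -noout -subject
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1
}

# Writes key + certificate + intermediates into one PEM, the layout listed above
# for server.pem, and refuses to write a key/certificate pair that does not match.
#   $1 = private key, $2 = leaf certificate, $3 = intermediates, $4 = output bundle
build_bundle() {
  key=$1; cert=$2; inter=$3; out=$4
  key_matches_cert "$key" "$cert" || { echo "key does not match certificate" >&2; return 1; }
  cat "$key" "$cert" "$inter" > "$out" && chmod 600 "$out"
}
```

Run the checks before copying the bundle into place; a mismatch or a broken chain is far easier to diagnose here than through the "networking error" the GUI shows afterwards.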
> On Nov 12, 2020, at 10:55 PM, ypefti--- via PacketFence-users
> <[email protected]> wrote:
>
> It is some sort of conspiracy.
> No luck at all. Maybe someone will tell me what else to do to install an
> external SSL certificate on PF.
> The server.key is also there, in the same folder. Do I really need a *.pem file?
> I didn't receive it from the CA. Fine, I converted *.crt to *.pem; it still doesn't
> fly.
> Why am I getting this error in the PF GUI?
>
> A networking error occurred. Is the API service running?
>
> Eugene
>
> From: E.P. <[email protected]>
> Sent: Thursday, November 12, 2020 3:03 PM
> To: 'Michael Brown' <[email protected]>; [email protected]
> Subject: RE: [PacketFence-users] Wildcard SSL certificate installation on PF
>
> Thank you, Michael.
> I did it almost the same way.
> What I don't understand is the logic of the PF and Apache integration.
> It appears that the original Apache config file, i.e. httpd.conf, is useless
> and not in use by PF.
> I will play with and explore the SAN attribute in the certificate.
>
> Eugene
>
> From: Michael Brown <[email protected]>
> Sent: Thursday, November 12, 2020 1:47 PM
> To: [email protected]
> Cc: [email protected]
> Subject: Re: [PacketFence-users] Wildcard SSL certificate installation on PF
>
> I have a wildcard from Digicert and used this to get the cert:
> Apache: CSR & SSL Installation (OpenSSL)
> <https://www.digicert.com/kb/csr-ssl-installation/apache-openssl.htm>
>
>
> Also, when requesting the duplicate from Digicert it allows you to enter
> additional SANs beyond the *.domain.com. I put my pf.domain.com as one of the
> SANs when requesting the duplicate. I also used WinSCP to connect to my
> packetfence server to get the csr and key files. I know that's not needed but
> just thought I would mention it.
>
>
>
>
> On Thursday, November 12, 2020, 04:29:50 PM EST, ypefti--- via
> PacketFence-users <[email protected]> wrote:
>
>
> More digging, more tries, more frustrations 😉
> Further to my previous email. I replaced three files in the SSL folder with
> the files that correspond to the new certificate, i.e.
> /usr/local/pf/conf/ssl/server.key
> /usr/local/pf/conf/ssl/server.crt
> /usr/local/pf/conf/ssl/server.pem
>
> The PF web interface said bye-bye to me. Why do I see this error in
> /usr/local/pf/logs/httpd.webservices.error?
>
> Nov 12 13:04:07 pf httpd_webservices_err: AH00558: httpd: Could not reliably
> determine the server's fully qualified domain name, using
> fe80::250:56ff:fe8a:e674. Set the 'ServerName' directive globally to suppress
> this message
>
> What happened to Apache and PF?
>
> And what drives me mad is the fact that if I put the old certificate files back
> I still can't log in via the PF GUI.
> I get this error:
>
> A networking error occurred. Is the API service running?
>
> Eugene
>
> -----Original Message-----
> From: [email protected]
> Sent: Thursday, November 12, 2020 11:26 AM
> To: [email protected]
> Cc: 'mj' <[email protected]>
> Subject: RE: [PacketFence-users] Wildcard SSL certificate installation on PF
>
> Thank you, MJ,
> It looks like questions asked here are answered selectively.
> At least, out of the 4 questions that I asked, only this one was finally
> "noticed" after the resend 😉
> I wouldn't bother the list with my questions if the procedure were well
> documented and worked.
> The existing documentation mentions only this:
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> "Upon PacketFence installation, self-signed certificates will be created in
> /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be
> replaced anytime by your 3rd-party or existing wild card certificate without
> problems. Please note that the CN (Common Name) needs to be the same as the
> one defined in the PacketFence configuration file (pf.conf)."
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> This is very confusing. We all know that the CN in a wildcard certificate looks
> like this:
> *.example.com
> How would I make use of it with PF?
>
> If you refer me to Let's Encrypt certificates, should I understand that I need
> to do it from www.sslforfree.com? And what's the correct procedure to install
> an SSL certificate on PF? I never saw it in the documentation.
> I need it for a captive portal.
>
> Eugene
>
> -----Original Message-----
> From: mj via PacketFence-users <[email protected]>
> Sent: Wednesday, November 11, 2020 1:38 AM
> To: [email protected]
> Cc: mj <[email protected]>
> Subject: Re: [PacketFence-users] Wildcard SSL certificate installation on PF
>
> Hi Eugene,
>
> The list has always been alive, from where we are. :-)
>
> Anyway: I would encourage you to take a look at Let's Encrypt certificates
> with PacketFence. I think they are a bit more secure than a wildcard
> certificate, plus they are free and work very well.
>
> (there are some threads on this mailinglist on that subject)
>
> Good luck,
> MJ
>
> On 11/10/20 5:31 PM, E.P. via PacketFence-users wrote:
> > Since this group suddenly became alive, I dare to ask my previous question
> > again 😉
> >
> > How would I install a wildcard SSL certificate on PF? See more details
> > below.
> >
> > Eugene
> >
> > From: E.P. <[email protected]>
> > Sent: Saturday, October 31, 2020 2:43 PM
> > To: [email protected]
> > Subject: Wildcard SSL certificate installation on PF
> >
> > Guys,
> >
> > I'm trying to overcome the issue with the self-signed SSL certificate
> > that PF offers to WiFi authentication via the captive portal.
> >
> > This is the certificate that is in use by HTTPS sessions:
> >
> > Certificate/Key match
> > Chain is invalid
> >
> > common_name: 127.0.0.1, [email protected]
> > issuer: C=CA, ST=QC, L=Montreal, O=Inverse, CN=127.0.0.1, [email protected]
> > not_after: Oct 7 15:29:09 2021 GMT
> > not_before: Oct 7 15:29:09 2020 GMT
> > serial: A500DC03671C0E35
> > subject: C=CA, ST=QC, L=Montreal, O=Inverse, CN=127.0.0.1, [email protected]
> >
> > Is there any way to import and install a company wildcard SSL
> > certificate into PF?
> >
> > Eugene
> >
> >
> >
> > _______________________________________________
> > PacketFence-users mailing list
> > [email protected]
> > <mailto:[email protected]>
> > https://lists.sourceforge.net/lists/listinfo/packetfence-users
> > <https://lists.sourceforge.net/lists/listinfo/packetfence-users>
> >
>