Chronamut
Joined: 23 Jan 2020 Posts: 2 Location: hamilton ontario canada
Posted: Thu 23 Jan '20 14:46 Post subject: SSL certifying Sambar
hey guys, so I have been scratching my head trying to get this to work.
I use register.com to get my domain server name. I used this documentation from Sambar to try to set it up:
http://wiesweg.no-ip.org:8080/syshelp/ssl.htm
my site is chronriddles.com
so let's break it down:
I used openssl in /bin to create the 2048-bit key, as register.com requires 2048, not 1024:
openssl genrsa -rand randfile -out key.pem 2048
I then moved it to the config folder.
I then generated the csr:
openssl req -new -key key.pem -out req.pem -config ..\config\openssl.cnf
filled in all the attributes I needed to.
I then took the resulting certificate request code and sent it to register.com.
They verified and I was given 2 files:
chronriddles.crt: my primary certificate I am assuming
RSADomainValidationSecureServerCA.crt would be my intermediate certificate I guess.
now I don't know what to do at this point.
I changed https to true in the config. I tried combining both files together and renaming the result cert.pem, as the instructions say to do; but then I thought maybe it has something to do with certificate chain files, as is mentioned, so I tried to run that command but got an error (I pointed it to config).
openssl x509 -inform DES -in ca-bundle.crt -out ca-bundle.pem -text
(after moving ca-bundle.pem to try that)
or
openssl x509 -inform DES -in ..\config\ca-bundle.crt -out ca-bundle.pem -text
or
openssl x509 -inform DES -in ..\config\ca-bundle.crt -out ..\config\ca-bundle.pem -text
that gave me 2 errors regardless of what I tried:
7556:error:0D0680A8: asn1 encoding routines: ASN1_CHECK_TLEN: wrong tag: .\crypto\asn1\tasn_dec.c:1294:
7556:error:0D07803A: asn1 encoding routines: ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:380:Type=X509
when I tried to run my site it tells me I have a cipher mismatch, so I don't know what I am doing wrong. Any help would be greatly appreciated. Do I have to add anything to ca-bundle.crt? How do I get both crt files I received to be seen as cert.pem? Do they have to be combined, or do I have to run the openssl command for certificate chain files? Very confusing..
thanks!
-shawn-
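The two questions in this post (how the leaf and intermediate become one cert.pem, and why the openssl x509 conversion fails) come down to two facts: a server chain file is the leaf certificate followed by the intermediate, both in PEM, and openssl's -inform only knows PEM and DER, so a PEM file fed to a DER parser produces exactly the "wrong tag" ASN.1 error quoted above. The script below is an added example, not code from the post or from Sambar's documentation: it generates a throwaway root, intermediate and leaf locally (so it runs offline and never touches the poster's real certificate), then shows the format check, the conversion, the chain assembly, a chain verification against the root, and a key/certificate match check. The function names, "example.test" and all file names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from Sambar: turn a
# CA-issued server certificate plus its intermediate into one PEM chain
# file and check it before a server is pointed at it. The root, intermediate
# and leaf are generated locally so this runs offline; "example.test" and
# all file names are placeholders, not the poster's real certificate.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# PEM is base64 text between BEGIN/END lines; anything else is treated as
# DER. openssl's -inform takes PEM or DER; "DES" is a cipher, not a format.
cert_format() {
    if grep -q 'BEGIN CERTIFICATE' "$1"; then echo PEM; else echo DER; fi
}

# Normalise one certificate to PEM so it can be concatenated.
to_pem() {  # $1 input, $2 output
    if [ "$(cert_format "$1")" = PEM ]; then
        cp "$1" "$2"
    else
        openssl x509 -inform DER -in "$1" -out "$2"
    fi
}

# Chain file order: the server (leaf) certificate first, then the intermediate.
build_chain() {  # $1 leaf, $2 intermediate, $3 output
    to_pem "$1" "$WORK/_leaf.pem"
    to_pem "$2" "$WORK/_inter.pem"
    cat "$WORK/_leaf.pem" "$WORK/_inter.pem" > "$3"
}

# Verify the first certificate in the chain file, using the rest of the
# file as untrusted intermediates and $2 as the only trusted root.
verify_chain() {  # $1 chain file, $2 trusted root
    openssl x509 -in "$1" -out "$WORK/_first.pem"   # x509 reads only the first cert
    openssl verify -CAfile "$2" -untrusted "$1" "$WORK/_first.pem" >/dev/null 2>&1
}

# A key that does not belong to the certificate is a classic cause of
# handshake failures after installing a new cert: compare the RSA moduli.
key_matches_cert() {  # $1 private key, $2 certificate
    [ "$(openssl rsa -in "$1" -noout -modulus)" = "$(openssl x509 -in "$2" -noout -modulus)" ]
}

# Constructed test PKI: self-signed root -> intermediate CA -> leaf.
make_test_pki() { (
    cd "$WORK"
    cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:example.test
EOF
    openssl genrsa -out root.key 2048 2>/dev/null
    openssl req -x509 -new -key root.key -subj /CN=ExampleRoot -days 1 \
        -config ext.cnf -extensions ca_ext -out root.pem
    openssl genrsa -out inter.key 2048 2>/dev/null
    openssl req -new -key inter.key -subj /CN=ExampleIntermediate -config ext.cnf -out inter.csr
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1 \
        -extfile ext.cnf -extensions ca_ext -out inter.pem 2>/dev/null
    openssl genrsa -out leaf.key 2048 2>/dev/null
    openssl req -new -key leaf.key -subj /CN=example.test -config ext.cnf -out leaf.csr
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 1 \
        -extfile ext.cnf -extensions leaf_ext -out leaf.pem 2>/dev/null
    # Hand the intermediate back in DER, as some CAs deliver it.
    openssl x509 -in inter.pem -outform DER -out inter.der
) }

make_test_pki
build_chain "$WORK/leaf.pem" "$WORK/inter.der" "$WORK/cert.pem"
echo "cert.pem is $(cert_format "$WORK/cert.pem")"
if verify_chain "$WORK/cert.pem" "$WORK/root.pem"; then echo "chain verifies"; else echo "chain BROKEN"; exit 1; fi
if key_matches_cert "$WORK/leaf.key" "$WORK/cert.pem"; then echo "key matches"; else echo "key MISMATCH"; exit 1; fi
```

With a real CA-issued pair, chronriddles.crt would take the place of leaf.pem and RSADomainValidationSecureServerCA.crt the place of inter.der, and the trusted root for verify_chain would be the CA's root from the system store rather than a generated one. The key/cert check matters because a "cipher mismatch" style handshake error is what a browser shows when the server's key and certificate do not fit together or when the chain it sends is incomplete.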
Johannes Moderator
Joined: 27 Nov 2005 Posts: 162 Location: SK,Canada
Posted: Fri 31 Jan '20 21:20
Hi there,
first, the supplied openssl is way too old.
Secondly, Sambar cannot handle the new OpenSSL 1.1.0. The last one which works with Sambar is OpenSSL 1.0.2.
If you want to run your site with https, you need to run Apache or Nginx as an SSL proxy in front of Sambar. This way all incoming SSL traffic will stop at the proxy and http traffic will then be forwarded to Sambar.
I am working on that myself right now and am halfway through. Working on Debian though.
Johannes
Chronamut
Joined: 23 Jan 2020 Posts: 2 Location: hamilton ontario canada
Posted: Sat 01 Feb '20 2:46
hey there!
I actually solved the problem and bypassed Sambar completely by using Cloudflare to https-certify it through my domain that I superimposed on Sambar. It works and it shows as https:
https://chronriddles.com
Steffen
Joined: 07 Jun 2004 Posts: 418 Location: Netherlands
Posted: Sat 01 Feb '20 9:29
Johannes wrote:
    Hi there,
    If you want to run your site with https, you need to run Apache or Nginx as an SSL proxy in front of Sambar. This way all incoming SSL traffic will stop at the proxy and http traffic will then be forwarded to Sambar.
    I am working on that myself right now and am halfway through. Working on Debian though.
    Johannes

Yep, running here for years as a reverse proxy in Apache:
In a vhost, with Sambar running on port 7089:
ProxyPass / http://127.0.0.1:7089/
ProxyPassReverse / http://127.0.0.1:7089/
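As an added example that is not part of Steffen's post or of Sambar's documentation, this is what a complete TLS-terminating vhost around those two ProxyPass lines could look like. The hostname www.example.test, the certificate paths and the HSTS lifetime are assumptions; the chain file is the leaf certificate followed by the intermediate, in that order.

```apache
# Added example, not from the original posts: Apache terminates TLS and hands
# plain HTTP to Sambar on the loopback interface. Hostname, paths and ports
# are placeholders.
<VirtualHost *:443>
    ServerName www.example.test

    SSLEngine on
    # Leaf certificate followed by the intermediate in one PEM file
    # (Apache 2.4.8 and later; older versions take the intermediate via
    # SSLCertificateChainFile instead).
    SSLCertificateFile    /etc/ssl/example/cert.pem
    SSLCertificateKeyFile /etc/ssl/example/key.pem
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    Header always set Strict-Transport-Security "max-age=31536000"

    # Sambar listens on 127.0.0.1:7089 only; never expose that port directly,
    # or the proxy (and everything it adds, e.g. X-Forwarded-For) is bypassed.
    ProxyRequests Off
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        / http://127.0.0.1:7089/
    ProxyPassReverse / http://127.0.0.1:7089/
</VirtualHost>

# Send plaintext visitors to the TLS vhost instead of proxying them.
<VirtualHost *:80>
    ServerName www.example.test
    Redirect permanent / https://www.example.test/
</VirtualHost>
```

mod_proxy_http adds X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server to the proxied request by default, which is where the HTTP_X_FORWARDED_* values shown later in this thread come from. ProxyRequests Off is the default but is worth stating, since turning it on would make the vhost an open forward proxy. Header and RequestHeader require mod_headers.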
Johannes Moderator
Joined: 27 Nov 2005 Posts: 162 Location: SK,Canada
Posted: Wed 05 Feb '20 19:51
Hi Steffen,
exactly, that is what I want to set up. But as I need STARTTLS for my Sambar mail, I found out that Nginx can handle the mail protocols too as a reverse proxy.
So I will set this up with Nginx to have everything covered.
Will let you guys know how this works out, when done.
Johannes
Johannes Moderator
Joined: 27 Nov 2005 Posts: 162 Location: SK,Canada
Posted: Sat 08 Feb '20 2:59
Hi Steffen,
is there anything to set in Sambar to get the visitor's IP in Sambar's logs?
I have set up one vhost behind Nginx. It is working as expected. But even with the correct settings for the proxy_set_header directives, I am not able to see the visitor's IP in the Sambar logs. How did you handle that, or do you have the IP from Apache in the Sambar logs, as I have from Nginx?
Any hint would be appreciated.
Thank you.
Johannes
Steffen
Joined: 07 Jun 2004 Posts: 418 Location: Netherlands
Posted: Sat 08 Feb '20 10:08
See the discussion about the IP at https://www.apachelounge.com/sambar/viewtopic.php?t=644
I cannot get that the IP is showing up in the logs, only as ENV var for example PHP:
PHP info:
HTTP_X_FORWARDED_SERVER www.land10web.com
HTTP_X_FORWARDED_HOST land10web.com
HTTP_X_FORWARDED_FOR 80.101.236.247
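One caveat on reading HTTP_X_FORWARDED_FOR in a script or form handler behind the proxy, relevant to both the question above and this answer: the header is a comma-separated list, and the client may already send one. nginx's $proxy_add_x_forwarded_for (as used with proxy_set_header) and Apache's mod_proxy both append the address they saw the connection come from, so only the rightmost entry was written by your own proxy; everything to its left is client-supplied text. The script below is an added example, not code from the posts or from Sambar: proxy_hop mimics that documented append behaviour, trusted_client_ip takes the rightmost entry the way a backend should, and is_ipv4 rejects the junk an attacker can put in the header. All addresses and header values are constructed for the demo (203.0.113.x and 198.51.100.x are documentation ranges); the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original posts: what a backend behind a reverse
# proxy may trust in X-Forwarded-For. Addresses and header values are
# constructed for the demo. proxy_hop mirrors nginx's documented
# $proxy_add_x_forwarded_for behaviour (and Apache mod_proxy's default):
# the proxy APPENDS the peer address it saw to whatever the client sent.
set -eu

# The proxy appends the address the connection actually came from.
# Anything already in the header was supplied by the client and is untrusted.
proxy_hop() {  # $1 incoming X-Forwarded-For (may be empty), $2 peer address
    if [ -z "$1" ]; then printf '%s\n' "$2"; else printf '%s, %s\n' "$1" "$2"; fi
}

# The backend (what Sambar sees as HTTP_X_FORWARDED_FOR) must take the
# RIGHTMOST entry, the one its own proxy added, never the first one.
trusted_client_ip() {  # $1 X-Forwarded-For as received by the backend
    printf '%s\n' "$1" | awk -F',' '{ gsub(/^[ \t]+|[ \t]+$/, "", $NF); print $NF }'
}

# The header is attacker-controlled text: validate before it reaches a log
# parser, an allow-list or a script. Plain dotted-quad IPv4 only here.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])$'
}

# Full round trip: client -> proxy -> backend. Returns the address the
# backend should log, or "invalid" if the trusted slot is not an IPv4.
client_ip_as_seen_by_backend() {  # $1 header the client sent, $2 client's real address
    ip=$(trusted_client_ip "$(proxy_hop "$1" "$2")")
    if is_ipv4 "$ip"; then printf '%s\n' "$ip"; else echo invalid; fi
}

# Honest client, no header of its own.
echo "plain:   $(client_ip_as_seen_by_backend '' 203.0.113.9)"
# Client pretends to be localhost to pass an "admin only from 127.0.0.1" check.
echo "spoofed: $(client_ip_as_seen_by_backend '127.0.0.1' 203.0.113.9)"
# Client sends junk; the proxy still appends, so the rightmost slot stays sane.
echo "junk:    $(client_ip_as_seen_by_backend '<script>alert(1)</script>' 198.51.100.4)"
# What leftmost-is-client logic would have believed in the spoofed case:
echo "naive:   $(proxy_hop 127.0.0.1 203.0.113.9 | cut -d, -f1)"
```

All of this only holds while the proxy is the sole way to reach Sambar (bound to 127.0.0.1 or firewalled); a client that can connect to Sambar's port directly can set the whole header to any value. The entries left of the trusted one are still worth keeping in the log for forensics, just never for access decisions.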
Johannes Moderator
Joined: 27 Nov 2005 Posts: 162 Location: SK,Canada
Posted: Sat 08 Feb '20 17:39
Hi Steffen,
thank you.
That is in the right direction, and I will have to use that already for one custom form with Sambar scripting which I currently have.
As far as the logs go, I did a little "fooling". I disabled the log files in Sambar (so Sambar will not write the log files) and instead created a link from the Nginx access log for the particular domain to the log directory in Sambar. I can now read the "original" Nginx logs from the Sambar Admin area as if they had been written by Sambar.
If you are interested in viewing the visitor's IP from the Sambar Admin area, you could do just the same with Apache's logs.
Johannes