All-in-one StartSSL cert in shared environment

This tutorial works for CentOS only. For a tutorial for your specific OS use the tags or the search function in the sidebar.

 

As a web designer/freelancer and freshly minted admin you have a few 'clients' on your box. You are tired of the browser and mail-client SSL warnings that you and your clients have to click through all the time, you have a working mailserver (IMAP: Dovecot, SMTP: Exim) and a webserver (Apache), and you don't want to spend hundreds of dollars on a commercial certificate. Time to act!

Task: obtain a free SSL certificate from StartSSL (one that the major browsers trust), install that certificate into the servers (Dovecot, Exim, Apache), and configure Mozilla Thunderbird autoconfig (configuration auto-discovery) so that your clients get the right mailserver settings automatically.

First, visit http://www.startssl.com or go directly to the control panel at https://www.startssl.com/?app=12. You must authenticate first, which means creating an account: the StartCom Terms and Conditions require subscribers to provide correct and complete personal details during registration. Without that a subscriber (you) is not entitled to a StartSSL™ account, and it is up to the subscriber to prove the validity of the submitted details should StartCom ask. That is a small price, as you get the certificate FOR FREE and at the time of writing there is no other free CA whose certificates browsers trust.

Assuming:
- domain.com   - your main domain, containing web-panel, roundcube or anything with https web-access
- mail.domain.com  - your mailserver subdomain


Create a directory for your certificates, e.g. /etc/ssl/ (on CentOS it may already exist, so use -p):

$ mkdir -p /etc/ssl
$ cd /etc/ssl

Generating a Certificate Signing Request (CSR)

Do the same as in the previous tutorial:

$ openssl req -new -newkey rsa:2048 -nodes -keyout domain.com.key -out domain.com.csr
$ chmod 600 domain.com.key

Of course use your own domain name instead of 'domain.com'. -nodes leaves the private key unencrypted so the daemons can start without a passphrase; that is exactly why the key file must be readable by root only (older OpenSSL versions create it with the default umask, so set the mode explicitly). A -days option is pointless here: it only applies to self-signed certificates (-x509), and the lifetime of this certificate is decided by StartSSL when it signs the CSR.

Obtaining the certificate from StartSSL

1. Authenticate.

2. Validate that you own domain.com: enter your domain, you will receive a code in an e-mail message, and that code has to be entered in the next step for verification.

3. Certificate wizard: choose Web Server SSL/TLS Certificate.

4. Skip the key generator, as we generated our key already.

5. Paste the contents of domain.com.csr into the textarea (including the --- BEGIN --- and --- END --- lines):

$ more domain.com.csr

6. In this step choose the verified domain (domain.com) and enter mail.domain.com as the subdomain. The certificate will then be valid for both domain.com and mail.domain.com.

7. If everything went OK you should get your certificate in the next step. Copy it all (including the --- BEGIN --- and --- END --- lines) and paste it into

$ nano domain.com.crt

Also download the StartCom root and the Class 1 intermediate (the free certificates are Class 1; a Class 2 certificate would need sub.class2.server.ca.pem instead):

$ wget https://www.startssl.com/certs/ca.pem
$ wget https://www.startssl.com/certs/sub.class1.server.ca.pem

At this point you should have five files in /etc/ssl/:

- ca.pem
- domain.com.csr
- domain.com.crt
- domain.com.key
- sub.class1.server.ca.pem

OK.

 

Setting the StartSSL certificate in Apache

Go to /etc/httpd/conf/httpd.conf or wherever your domain.com vhost is configured (on CentOS the mod_ssl package puts the SSL vhost in /etc/httpd/conf.d/ssl.conf; the vhost has to listen on port 443):

$ nano /etc/httpd/conf/httpd.conf

and in the domain.com virtualhost ADD:

SSLEngine on
SSLCertificateFile /etc/ssl/domain.com.crt
SSLCertificateKeyFile /etc/ssl/domain.com.key
SSLCertificateChainFile /etc/ssl/sub.class1.server.ca.pem
SSLCACertificateFile /etc/ssl/ca.pem

SSLCertificateChainFile is the line that matters: without it Apache sends only your own certificate, and any client that does not already know the StartCom intermediate cannot build the chain and warns. SSLCACertificateFile is only consulted for verifying client certificates, so it is harmless here but not required.

Save, then restart Apache:

$ service httpd restart

If all went OK, go to http://www.sslshopper.com/ssl-checker.html, enter domain.com in the input field and hit 'Check SSL'.

You should pass full validation, as in the screenshot below.

Voila.

You may now point your clients to e.g. https://domain.com/roundcube - isn't it pretty now?

 

Now it's time for the mailservers.

First, for the mailservers we have to create a bundled certificate, as they have no separate configuration option for the chain: the server certificate and the chain go into one file.

This is as simple as concatenating text files, but the order matters (the server's own certificate must come first):

$ cd /etc/ssl
$ cp domain.com.crt domain.com.pem
$ cat sub.class1.server.ca.pem >> domain.com.pem
$ cat ca.pem >> domain.com.pem

Now we have a domain.com.pem file with the hierarchy

- your domain.com certificate at the top,
- sub.class1.server.ca.pem below it,
- and the root ca.pem at the bottom.
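The bundling step above, together with the checks worth running before restarting any daemon, as an added example (these are not the tutorial's own commands). It keeps the file names used on this page, but builds a throwaway root/intermediate/server chain in a temporary directory (WORKDIR is an assumption, as are the "Demo" subjects) so it can run without the real StartSSL files; point the same functions at /etc/ssl to check the real bundle. check_remote is the shell equivalent of the sslshopper check for the mail ports, and needs network access.

```shell
#!/bin/sh
# Added example, not from the original tutorial: assemble the bundled PEM the
# mailservers need (leaf, then intermediate, then root) and verify it locally.
# WORKDIR is an assumption so the script can run against a throwaway test chain.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Leaf first, then the intermediate, then the root: TLS servers take the first
# certificate in the file as their own and send the rest as the chain.
build_bundle() {
    cat "$1" "$2" "$3" > "$4"
    chmod 644 "$4"
}

# Number of certificates in a PEM file (catches a truncated copy and paste).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# SHA-256 fingerprint of the FIRST certificate in a file (x509 reads only that one),
# so comparing bundle and leaf proves the leaf really is on top.
first_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Validate the chain the way a client would: the root is trusted (-CAfile), the
# intermediate is merely supplied (-untrusted) and must itself chain to the root.
verify_chain() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Compare the public key inside the certificate with the one derived from the
# private key; a mismatch is the usual cause of "key values mismatch" on restart.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
    k=$(openssl rsa -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# Throwaway root -> intermediate -> server chain standing in for ca.pem,
# sub.class1.server.ca.pem and domain.com.crt. Subjects are constructed for the demo.
make_test_chain() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Demo Root' \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    printf 'basicConstraints=CA:TRUE\nkeyUsage=keyCertSign\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Sub CA' \
        -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/sub.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/sub.class1.server.ca.pem" 2>/dev/null
    # the leaf covers both names from the tutorial, like the StartSSL certificate
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:domain.com,DNS:mail.domain.com\n' > "$d/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=domain.com' \
        -keyout "$d/domain.com.key" -out "$d/domain.com.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/domain.com.csr" -CA "$d/sub.class1.server.ca.pem" \
        -CAkey "$d/sub.key" -CAcreateserial -extfile "$d/leaf.ext" -out "$d/domain.com.crt" 2>/dev/null
}

# After the daemons are restarted, look at what they actually serve (needs network,
# so it is not run here): e.g. check_remote mail.domain.com 993, or
# check_remote mail.domain.com 587 smtp for STARTTLS on the submission port.
check_remote() {
    if [ -n "${3:-}" ]; then
        openssl s_client -connect "$1:$2" -starttls "$3" -servername "$1" </dev/null
    else
        openssl s_client -connect "$1:$2" -servername "$1" </dev/null
    fi
}

demo() {
    d="$WORKDIR"
    make_test_chain "$d"
    build_bundle "$d/domain.com.crt" "$d/sub.class1.server.ca.pem" "$d/ca.pem" "$d/domain.com.pem"
    [ "$(count_certs "$d/domain.com.pem")" -eq 3 ]
    [ "$(first_fingerprint "$d/domain.com.pem")" = "$(first_fingerprint "$d/domain.com.crt")" ]
    verify_chain "$d/domain.com.crt" "$d/sub.class1.server.ca.pem" "$d/ca.pem"
    key_matches_cert "$d/domain.com.crt" "$d/domain.com.key"
    echo "bundle $d/domain.com.pem: 3 certs, leaf first, chain verifies, key matches"
}

demo
```

verify_chain deliberately passes the intermediate as -untrusted rather than adding it to -CAfile: anything in -CAfile is accepted as a trust anchor, so putting the intermediate there would "verify" even when the intermediate itself no longer chains to a root the clients trust.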

 

SSL already configured?

The next steps assume you already have SSL/TLS working on the mailservers (e.g. with a self-signed certificate) and are only swapping the certificate files. If you haven't configured SSL yet, see the previous tutorial.

 

Inserting the certificate into Dovecot (IMAP/POP3)

$ nano /etc/dovecot/dovecot.conf

and change the certificate and key settings accordingly (Exim gets the same two paths in its own configuration):
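The settings to change, as an added example for Dovecot 2.x and Exim on CentOS (the original page's own listing is not reproduced here): the paths follow this tutorial, /etc/exim/exim.conf is the CentOS default location and is an assumption for other layouts. Dovecot 1.x uses ssl_cert_file and ssl_key_file with plain paths instead of the `<` form, and on Dovecot 2.x the lines may live in conf.d/10-ssl.conf instead. Both daemons read the whole chain from the single bundle; the key must be readable by the user that performs the TLS handshake and by nobody else.

```conf
# /etc/dovecot/dovecot.conf  (Dovecot 2.x syntax; "<" means read the file)
ssl = yes
# bundle: server certificate first, then the StartCom intermediate and root
ssl_cert = </etc/ssl/domain.com.pem
ssl_key = </etc/ssl/domain.com.key

# /etc/exim/exim.conf, main configuration section (CentOS path, an assumption)
# offer STARTTLS to every client; Exim also takes the full chain in one file
tls_advertise_hosts = *
tls_certificate = /etc/ssl/domain.com.pem
tls_privatekey = /etc/ssl/domain.com.key
```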

 

Save, exit and restart the servers:

$ service exim restart
$ service dovecot restart
 

Autoconfig (auto-discovery in Thunderbird)

This is especially useful on shared hosting, where there are many users and many domains. But wait, we have a certificate only for one domain (mail.domain.com), not for mail.client1.com, mail.otherclient.net and so on. Luckily there is the autoconfig (auto-discovery) feature that e.g. Thunderbird uses (you can see it in action when you add an account and Thunderbird tries to guess the mail settings; yes, those settings can be controlled by you).

So what we do here is use a little force: we let Thunderbird (and other mail software that supports autoconfig) tell your client "Hi, I've found these settings for your mail account", and make the clients use mail.domain.com (which has a valid certificate) rather than mail.clientdomain.com (which doesn't), so they don't see SSL warnings and are happier ;-)

You should already have a default vhost defined in your Apache configuration.

I assume here that your default virtualhost points to /var/www/html/

$ mkdir -p /var/www/html/autoconfig/mail
$ cd /var/www/html/autoconfig/mail/
$ touch config-v1.1.xml

You can read about the whole process here: https://developer.mozilla.org/en-US/docs/Thunderbird/Autoconfiguration

and prepare your configuration similar to this config-v1.1.xml: https://autoconfig.thunderbird.net/v1.1/freenet.de

E.g. have you noticed %EMAILADDRESS%? Great, isn't it? Now we don't have to tell the clients to log in with their full e-mail address instead of just the username. Great feature!

You can paste and adjust the settings.

Remember, save it as config-v1.1.xml.
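A complete config-v1.1.xml for the setup described here, added as an example (it is not the freenet.de file linked above): it lists domain.com and one client domain under domain, sends every client to mail.domain.com, the name the certificate covers, and uses %EMAILADDRESS% as the login. The ports and socket types (993 IMAPS, 587 with STARTTLS for submission) and the display names are assumptions; for the outgoing entry Exim must actually listen on 587 (daemon_smtp_ports), otherwise put in the port you use. Sending the password in the clear inside the session is acceptable only because both entries are TLS-protected.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example config-v1.1.xml; domains, ports and display names are assumptions -->
<clientConfig version="1.1">
  <emailProvider id="domain.com">
    <!-- the domains this file is served for (the Apache alias serves it for all of them) -->
    <domain>domain.com</domain>
    <domain>yourclientdomain1.com</domain>
    <displayName>domain.com mail</displayName>
    <displayShortName>domain.com</displayShortName>

    <!-- IMAP over TLS on the host whose name is in the certificate -->
    <incomingServer type="imap">
      <hostname>mail.domain.com</hostname>
      <port>993</port>
      <socketType>SSL</socketType>
      <authentication>password-cleartext</authentication>
      <!-- the full address is the login, so users need not be told "not just the username" -->
      <username>%EMAILADDRESS%</username>
    </incomingServer>

    <!-- submission with STARTTLS; same login as for IMAP -->
    <outgoingServer type="smtp">
      <hostname>mail.domain.com</hostname>
      <port>587</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </outgoingServer>
  </emailProvider>
</clientConfig>
```

Keep socketType at SSL or STARTTLS for every entry: a config that hands out a plaintext port silently undoes the whole exercise, because the client will happily send the password there without any warning.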

 

Now the Apache alias.

Thunderbird looks for the file at http://domain.com/.well-known/autoconfig/mail/config-v1.1.xml (it tries http://autoconfig.domain.com/mail/config-v1.1.xml first, but that would need a DNS record for every client domain, so the .well-known path is the easier one on shared hosting).

Because we don't want to create that file in every client's document root, we use an alias, so that for any new domain the file is always served from the same place:

$ nano /etc/httpd/conf/httpd.conf

and paste (outside any VirtualHost block, so every vhost inherits it):

Alias /.well-known/autoconfig "/var/www/html/autoconfig"

Alias only the autoconfig path, not all of /.well-known: an alias of /.well-known onto the whole document root would also expose everything in /var/www/html/ under every client domain.

Restart Apache.

You should now be able to fetch that XML file under any of your or your clients' domains,

e.g. http://yourclientdomain1.com/.well-known/autoconfig/mail/config-v1.1.xml, and get the XML file in response. Older Thunderbird versions fetch this file over plain HTTP, so anyone able to tamper with that response on the client's network could point the client's password at another host; serve the same path over HTTPS wherever a vhost has it, and keep the file pointing only at TLS-protected ports.

Now try with Thunderbird new account.

Voila.