How to setup HTTPS/SSL for SWA?

mveerdon
Posts: 83
Joined: Sat Oct 04, 2008 4:29 am

How to setup HTTPS/SSL for SWA?

Postby mveerdon » Tue Dec 09, 2008 2:06 am

I'm currently running Scalix 11.4.2 on a hosted server and using SWA frequently via HTTP.
I want to use HTTPS for SWA, but I don't know how to configure this.

Can somebody help/advise?
:?

Andreas Schüssler

Postby Andreas Schüssler » Tue Dec 09, 2008 3:40 am

Look here for example.

Greets
Andi

mveerdon
Posts: 83
Joined: Sat Oct 04, 2008 4:29 am

Postby mveerdon » Tue Dec 09, 2008 11:57 am

When I execute the WIKI I get an error during the second step.

Change directory and create the certificate

root@scalix:~# cd /etc/pki/tls/misc/
root@scalix:/etc/pki/tls/misc# ./CA -newca
root@scalix:/etc/pki/tls/misc# ./CA -newreq
root@scalix:/etc/pki/tls/misc# ./CA -sign
root@scalix:/etc/pki/tls/misc# mkdir /var/myCA
root@scalix:/var/myCA# cp -a /etc/pki/CA/cacert.pem cacert.pem <- Public key (CA)
root@scalix:/var/myCA# cp -a /etc/pki/CA/private/cakey.pem cakey.pem <- Private key (CA)
root@scalix:/var/myCA# cp -a /etc/pki/tls/cert.pem cert.pem <- Server certificate
root@scalix:/var/myCA# cp -a /etc/pki/tls/misc/newcert.pem newcert.pem


The error is:
[root@x misc]# ./CA -sign
Using configuration from /etc/pki/tls/openssl.cnf
unable to load CA private key
18871:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: ANY PRIVATE KEY
cat: newcert.pem: No such file or directory
Signed certificate is in newcert.pem
[root@x misc]#
[root@x misc]# mkdir /var/myCA
mkdir: cannot create directory `/var/myCA': File exists


Can somebody advise?

Andreas Schüssler

Postby Andreas Schüssler » Tue Dec 09, 2008 12:52 pm

Have you made your own certificates for SSL support? I think not....
For this you need OpenSSL. If you understand German, then there is a good howto... Link

Greets
Andi

mveerdon
Posts: 83
Joined: Sat Oct 04, 2008 4:29 am

Postby mveerdon » Tue Dec 09, 2008 1:49 pm

Sorry, but my German is not good enough.

Can somebody else help me?

mveerdon
Posts: 83
Joined: Sat Oct 04, 2008 4:29 am

Postby mveerdon » Thu Dec 11, 2008 4:11 am

Is there somebody who can help me?

mveerdon
Posts: 83
Joined: Sat Oct 04, 2008 4:29 am

Postby mveerdon » Mon Dec 22, 2008 5:01 am

Nobody who can assist me with how to install SSL/HTTPS? :cry:

smpoole7
Posts: 94
Joined: Wed Nov 19, 2008 11:47 pm
Location: Birmingham
Contact:

SSL/HTTPS

Postby smpoole7 » Mon Dec 22, 2008 11:59 am

Unfortunately, what's in the Wiki *IS* the primary source of information on this. That may be why you've received no other replies.

I bought the book "Scalix Administrators Guide" by Markus Feilner from Packt Publishing, at least in part, for a good walkthrough on how to set up SSL for Scalix access. After reading the book, I was a little discouraged: according to him (and from what I've seen elsewhere), it's not easy. Apparently, RHEL comes with SSL enabled by default, but it takes work on other distros. Also, even if you get it working, you'll probably have to redo everything when you upgrade the software.

To be fair to Scalix, if you're paying for support, I'm sure they'd be glad to help you do it. It's only fair that people who pay for support should get more than those who download for nothing. Also, some of this is an Apache issue -- it's just difficult to get SSL working on Apache in general. :)

I was talking to a good friend the other day -- another major Open Source booster (just like me!) -- and he said that there are inexplicable things in the F/OSS world. For example ... why is it so easy to set up an SSL/HTTPS server in the Windows world (it's basically point-and-click over there), but so blasted much work if you're using Apache on 'Nix?

mveerdon
Posts: 83
Joined: Sat Oct 04, 2008 4:29 am

Postby mveerdon » Mon Dec 22, 2008 3:16 pm

smpoole7,
I want to use the WIKI, but I'm receiving an error with it, so this forum is my helpdesk :oops:

Looking at all reactions, SSL is a difficult topic on a non-Windows platform....

But maybe somebody can help me..... :lol: :cry: :P

tonysu
Posts: 69
Joined: Sun Nov 09, 2008 1:58 am

Postby tonysu » Mon Dec 22, 2008 6:07 pm

Another possible option which I myself still haven't fully implemented yet is using Stunnel, particularly if you also need to configure Outlook connections.

Stunnel should be able to wrap all network protocols including HTTP.

The problem for me has been creating and installing a working self-signed certificate; otherwise Stunnel seems likely to work fine.

ravelox

Postby ravelox » Mon Dec 22, 2008 6:42 pm

mveerdon wrote:When I execute the WIKI I get an error during the second step.

The error is:
[root@x misc]# ./CA -sign
Using configuration from /etc/pki/tls/openssl.cnf
unable to load CA private key
18871:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: ANY PRIVATE KEY
cat: newcert.pem: No such file or directory
Signed certificate is in newcert.pem
[root@x misc]#
[root@x misc]# mkdir /var/myCA
mkdir: cannot create directory `/var/myCA': File exists


Can somebody advise?


What are the contents of the openssl.cnf file? The error shows that the private key can't be loaded. Take a look at the private_key setting and check to see if the file exists.

Cheers

Dave
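
The check described above, as an added example that is not part of the original post or the Scalix wiki: it reads the private_key setting of the default CA section in openssl.cnf and reports whether the file it names is missing, empty, or lacks a PEM private-key BEGIN line, which is the condition OpenSSL reports as "no start line". The function names and the demo config are constructed; on the poster's system the argument would be /etc/pki/tls/openssl.cnf.

```shell
#!/bin/sh
# Added example. Resolve the CA private_key path from openssl.cnf and
# classify the file it names.

# Print private_key of the section named by [ ca ] default_ca, expanding $dir.
# Only the plain "$dir" form is expanded; a relative path is left as written
# (openssl resolves it against the directory ./CA is run from).
ca_private_key_path() {
    awk '
        /^[ \t]*\[/ { sub(/^[ \t]*\[[ \t]*/, ""); sub(/[ \t]*\].*$/, ""); section = $0; next }
        { sub(/#.*/, "") }
        /=/ {
            key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            conf[section "." key] = val
        }
        END {
            ca = conf["ca.default_ca"]
            path = conf[ca ".private_key"]
            gsub(/\$dir/, conf[ca ".dir"], path)
            print path
        }' "$1"
}

# Prints one of: missing | empty | no-private-key-header | ok
pem_key_status() {
    if   [ ! -e "$1" ]; then echo missing
    elif [ ! -s "$1" ]; then echo empty
    elif grep -Eq '^-----BEGIN ([A-Z]+ )*PRIVATE KEY-----' "$1"; then echo ok
    else echo no-private-key-header
    fi
}

# Constructed demo: a minimal openssl.cnf and an empty cakey.pem
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/CA/private"
: > "$demo_dir/CA/private/cakey.pem"
cat > "$demo_dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default            # The default ca section

[ CA_default ]
dir = $demo_dir/CA                 # Where everything is kept
private_key = \$dir/private/cakey.pem   # The private key
EOF

key=$(ca_private_key_path "$demo_dir/openssl.cnf")
echo "$key: $(pem_key_status "$key")"
```

A result of "ok" only means the header is present; it does not prove the key parses or matches cacert.pem.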

smpoole7
Posts: 94
Joined: Wed Nov 19, 2008 11:47 pm
Location: Birmingham
Contact:

Postby smpoole7 » Fri Dec 26, 2008 7:15 pm

tonysu wrote:Another possible option which I myself still haven't fully implemented yet is using Stunnel, particularly if you also need to configure Outlook connections



Feilner covers that in his book as well. I may end up doing that, if I can't get SSL working on our new CentOS machine. (We've been using OpenSuse 10.2.) If I find a shortcut, I'll certainly post it here. :)

As I said, though, it is a little surprising how hard this stuff is to get working sometimes with F/OSS.

smpoole7
Posts: 94
Joined: Wed Nov 19, 2008 11:47 pm
Location: Birmingham
Contact:

Postby smpoole7 » Fri Dec 26, 2008 7:17 pm

mveerdon,

Sorry, I didn't notice that in your previous post. The answer is what ravelox said: look for that file and make sure it's there.

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa
Contact:

Postby Valerion » Mon Jan 05, 2009 3:45 am

I wouldn't recommend using stunnel for HTTPS. While it's possible, you lose a lot of functionality, like being able to accept/deny based on where the request is coming from, and your logs will show everything coming from localhost, so you can't do any tracking.

mod_ssl is actually fairly easy to set up once you understand it. You need to declare the vhost as an SSL-capable vhost (SSLEngine), it needs to listen on port 443 and you need to define that NamedVirtualHosts can run on port 443. And then you define the location to the certificates.

http://www.modssl.org/
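
The pieces listed in the post above, as an added example that is not from the thread or from Scalix: a constructed Apache 2.2 virtual host and a presence check that names whichever of those pieces a config file lacks. The directive names are the standard Apache 2.2 mod_ssl ones (assumed here, not quoted from the post); the host name, certificate paths and function names are placeholders.

```shell
#!/bin/sh
# Added example. Constructed Apache 2.2 vhost with the pieces the post lists.
# ServerName and certificate paths are placeholders.
sample_vhost() {
    cat <<'EOF'
Listen 443
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName swa.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/swa.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/swa.example.com.key
</VirtualHost>
EOF
}

# Print the name of each required directive not found in config file $1.
# Presence check only; it does not validate syntax or read the certificates.
missing_ssl_directives() {
    for want in 'Listen +([^ ]+:)?443' 'NameVirtualHost +[^ ]+:443' \
                '<VirtualHost +[^ >]+:443' 'SSLEngine +on' \
                'SSLCertificateFile +/' 'SSLCertificateKeyFile +/'; do
        grep -Eiq "^[[:space:]]*$want" "$1" || echo "${want%% *}"
    done
}

conf=$(mktemp)
sample_vhost > "$conf"
missing=$(missing_ssl_directives "$conf")
echo "missing: ${missing:-none}"
rm -f "$conf"
```

Run `apachectl configtest` afterwards for a real syntax check; the key file named by SSLCertificateKeyFile should be readable by root only.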

