Approved method for adding SSL chain file

  • I'm using a server certificate from StartSSL on my server for providing service over https. This requires a chain file to work properly. I can add


    SSLCertificateChainFile /etc/ssl/certs/sub.class1.server.ca.pem


    into /etc/apache2/sites-enabled/openmediavault-webgui


    but this will presumably be overwritten if I change the configuration. Is there a recommended way to do this? Would it be possible to add an option to install a chain certificate through the web GUI? Thanks.

    • Official post

    I would file a feature request on bugtracker to allow this or add an extra options box.


  • This does seem to be overwritten when an OMV upgrade is performed. I think that a better way to do this (until the feature is implemented) is therefore to create /etc/apache2/openmediavault-webgui.d/ssl.chain.conf containing:


    Code
    SSLCertificateChainFile /etc/ssl/certs/sub.class1.server.ca.pem


    or whatever the chain file you are using is called.

  • I also use StartSSL and I was able to chain StartSSL's Intermediate and CA certificates to my signed certificate and use the resulting file successfully.


    Code
    cat myserver.example.com.crt sub.class2.server.ca.pem ca.pem > myserver.example.com_chain.crt
    openssl x509 -in myserver.example.com_chain.crt -out myserver.example.com_chain.pem -outform PEM
    openssl rsa -in myserver.example.com.key -out myserver.example.com.key.pem -outform PEM


    In OMV > System > Certificates > Add > Import...


    Copy and paste myserver.example.com.key.pem into the Private Key
    Copy and paste myserver.example.com_chain.pem into the Certificate


    After you've saved the new certificate, click System > General Settings and select the newly added certificate from the Certificate drop-down in the Secure Connection area.

  • Quote from "fergbrain"
    Code
    cat myserver.example.com.crt sub.class2.server.ca.pem ca.pem > myserver.example.com_chain.crt
    openssl x509 -in myserver.example.com_chain.crt -out myserver.example.com_chain.pem -outform PEM


    I also tried that, but as a result "myserver.example.com_chain.pem" has the same content as "myserver.example.com.crt".

  • This is an old thread but I couldn't find a response or documentation anywhere, so I wanted to point out that simply chaining the certificates in the UI now works.


    i.e. in the certificate section, put the site certificate, then any chained certificates in the order of the chain going from site to root. Something like:


    -----BEGIN CERTIFICATE-----
    ...
    (base 64 encoded site certificate)
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    (base 64 encoded chain certificate)
    ...
    -----END CERTIFICATE-----


    etc
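
Added example, not part of the thread and not OMV code: a shell check for a bundle built as the posts above describe, confirming that it holds the expected number of certificates, contains no private key, and is ordered from site certificate to root. `openssl x509` reads only the first certificate from its input, which matches the identical-content result reported for the conversion step; the output of plain `cat` is already PEM. The function names and the throwaway demo chain are constructed for illustration.

```sh
# Added example (not OMV code): sanity-check a PEM bundle before importing it.

# count_certs FILE -> number of complete CERTIFICATE blocks in FILE
count_certs() {
    awk '/^-----BEGIN CERTIFICATE-----/ {inside=1}
         /^-----END CERTIFICATE-----/ {if (inside) n++; inside=0}
         END {print n+0}' "$1"
}

# has_private_key FILE -> succeeds if a private key was pasted into the bundle
has_private_key() {
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# check_order FILE -> succeeds if every certificate's issuer name equals the
# subject name of the certificate after it (site first, root last).
# Name chaining only; signatures are checked separately with `openssl verify`.
check_order() {
    tmp=$(mktemp -d) || return 2
    awk -v dir="$tmp" '/^-----BEGIN CERTIFICATE-----/ {n++; out=dir "/cert-" n ".pem"}
         out != "" {print > out}
         /^-----END CERTIFICATE-----/ {close(out); out=""}' "$1"
    total=$(count_certs "$1"); i=1; rc=0
    while [ "$i" -lt "$total" ]; do
        issuer=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -issuer | sed 's/^issuer= *//')
        subject=$(openssl x509 -in "$tmp/cert-$((i + 1)).pem" -noout -subject | sed 's/^subject= *//')
        [ "$issuer" = "$subject" ] || { echo "cert $i is not issued by cert $((i + 1))" >&2; rc=1; }
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# make_demo_chain DIR -> constructed throwaway root CA and leaf for trying this offline
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Root" -days 1 \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=myserver.example.com" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/leaf.crt" 2>/dev/null
}

# Usage: sh check_bundle.sh myserver.example.com_chain.pem
if [ "$#" -ge 1 ]; then
    echo "certificates in bundle: $(count_certs "$1")"
    if has_private_key "$1"; then echo "bundle contains a private key" >&2; exit 1; fi
    check_order "$1" && echo "order OK"
fi
```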
