Standalone Server Roundcube

ted1 2020-06-07 19:27:22 UTC #41

Sorry. I forgot to say that Digicert said the private key is not from Digicert.
He did say the private key is generated along with the CSR and saved in the keychain.

There is also a com.apple.servermgrd file within the Certificates.p12 file and looks like this

I seem to be able to examine the contents of this certificate

This won't verify the wrong key file is being used but thought it was conclusive about the
contents of Certificates.p12. I'll try to use this one as well.
Thx, Ted

gongomgra 2020-06-08 14:45:21 UTC #42

Hi @ted1,

I hope you can find the right private key for your certificate using the guide that @jota provided you with . If not, I think you will need to create a new certificate and private key, ask Digicert to sign the new certificate and install it along with the newly generated private key.

ted1 2020-06-09 01:46:37 UTC #43

I will get back to you tomorrow after talking to the account manager at Digicert.
Thx, Ted

gongomgra 2020-06-09 11:15:56 UTC #44

Hi @ted1,

Thanks for the info. I hope you can resolve it with the DIgicert support team.

ted1 2020-06-10 01:06:08 UTC #45

If you didn't know I'm using Macmini running Macosx Catalina.
Please read below:
This is about all I can get from them.
Thx, Ted

Hello Ted, thank you for reaching out

The private key is located on the same machine that you created the CSR, the ways you can use that key or get it depends on the operating system and server you're using.

On Linux machines, the key file is typically generated within the same folder as the CSR. The CSR creation process creates the .csr file you submit to us as well as the .key file for you to use.

On Windows Machines, it's a bit different - If you created the CSR using our utility, MMC, or IIS, the private key will be within the Windows key store and can be had if you export a PFX file ( public + private key combined ) from that machine -. The easiest way to do this is with our utility found at www.digicert.com/util - A guide to do this can be found here: https://www.digicert.com/util/pfx-certificate-management-utility-import-export-instructions.htm - Our utility also has the option to export the files ( public key and private key ) separately if needed.

If neither of the above works for you, and you are not sure where that private key is, you can always create a new CSR ( Guides here: https://www.digicert.com/csr-creation.htm ) and reissue your certificate in your account inside the order page. Creating a new CSR will get you a new private key, which you can then use for your purposes from there - our utility download page has various guides on how to create a csr, import, and export certificates and private keys, so if you have access to a Windows machine ( even if it's not the server you're using for your website ) I would suggest using that, then moving the keys where you need them.

Regards,

Steven
DigiCert Support

gongomgra 2020-06-10 09:20:50 UTC #46

Hi @ted1,

Thanks for the info. If you can't find the private key related to the SSL certificate, you will need to create a new pair of certificate and private key, and ask Digicert to sign it again. You can find more information about how to generate them using the guide below

https://docs.bitnami.com/installer/apps/roundcube/administration/create-ssl-certificate-apache/

Note the private key will be generated by default at INSTALLDIR/apache2/conf/server.key and that setting a password for this key is optional.

ted1 2020-06-11 10:27:08 UTC #47

I'm in the process of running this string of code in the Bitnami terminal and haven't finished with everything just yet.
Does the Bitnami app use its own version of apache ?? My site is using the apache version included with Macosx Catalina. It's not a very big site. It's only one page. However, the question could also be asked, does the Bitnami terminal use the same apache server that comes with Macosx operating system ??
Thx,

ted1 2020-06-14 14:57:45 UTC #48

It appears that I'm stuck without the INSTALLDIR directory. If I type "cd INSTALLDIR" I get "no directory"
Because the Bitnami Stack Environment is not installed I can't access it.
I have access to "/opt/bitnami/apache2/conf/server.key" if I mount the volume from the Roundcube app using finder.
Then, I can type commands using the Bitnami Terminal.

For example, I don't know where INSTALLDIR/apache2/conf/server.key is located.
Don't I need the Stack Environment before I can generate the private key and machine certificate ??
Thx, Ted

jota 2020-06-15 08:29:45 UTC #49

Hi @ted1,

I just found this article in the Digicert site where they explain how to export a SSL certificate from the Mac OS keychain to a file, did they share that information?

https://www.digicert.com/kb/ssl-support/p12-import-export-mac-mavericks-server.htm#export_certificate

You will need to export the private key and store it in the Apache's directory (/opt/bitnami/apache2/conf). Once you do that, you can verify that the private key and the public key match following the guide I mentioned above

INSTALLDIR is the path where the bitnami stack is installed. That's /opt/bitnami inside the virtual machine. Please also note that server.key is not the filename of your certificate, you will need to use the proper name when running the command

ted1 2020-06-16 01:59:56 UTC #50

The instructions(Mavericks) you just provided me with show exporting the private key but renaming it.

You will see that tedmachine.info.p12 is now loaded into apache/conf.
However, when I tried to run the verification code you included in your last reply I get

If you could verify the last few characters of that code it might help me run this code again.
What is -i... at the end ?? Is this correct ?? I'm sure it's correct. I don't know.
So, you will see that the public key is loaded into the apache/conf folder including the private key (either Certificates.p12 or tedmachine.info.p12). The DigiCertCA.crt file is also included. While you were on vacation gongomgra showed me an instruction on how use apache to generate a new csr and submitting it to the certificate authority. This also generated the private key. However, please see reply, Jun 10 45/49. Steven from Digicert indicates the private key is generated when the public key is created. It's stored in the system keychain and doesn't appear to come directly from Digicert but is generated on the server by the certificate app or Macosx Server App 5.10. What ever I use apache needs to see this private key.

Thx, Ted

jota 2020-06-16 07:10:25 UTC #51

Hi @ted1,

You ran one single command with all the commands I posted above. They are separated commands and they need to be run one by one.

cd /opt/bitnami/apache2/conf
openssl x509 -in eagle4000_tedmachine_info.crt -pubkey -noout -outform pem | sha256sum
openssl pkey -in tedmachine.info.p12 -pubout -outform pem | sha256sum

You can also try to run this long command but it basically does the same

cd /opt/bitnami/apache2/conf ; openssl x509 -in eagle4000_tedmachine_info.crt -pubkey -noout -outform pem | sha256sum ; openssl pkey -in Certificates.p12 -pubout -outform pem | sha256sum

If the info you receive is the same one, it's because they are the public and private keys you need to use. You will need to update the Apache's configuration and set the SSLCertificateKeyFile to this

SSLCertificateKeyFile "/opt/bitnami/apache2/conf/tedmachine.info.p12"

and restart Apache

sudo /opt/bitnami/ctlscript.sh restart apache

Happy to help!

Was my answer helpful? Click on

ted1 2020-06-17 00:45:55 UTC #52

Once again the public key has no trouble but the private key can't be loaded.

The private key is using "." instead of "_" but doubt this has anything to do with the matter.
What I realize now is that apache has been turned off ever since I edited the bitnami.conf file.
Apache can't be restarted because it can't be started from the beginning.
https://docs.bitnami.com/installer/apps/roundcube/administration/create-ssl-certificate-apache/
This explains how to generate a csr straight from apache but don't know if this is the right path to take.
I tried to loosen the permissions on the file tedmachine.info.p12 with no results.
The public key was generated by Digicert. The private key is generated on my own machine.
If we generate both the public and private keys apache might have a more favorable private key to use.
tedmachine.info.p12 can't be loaded.
This doesn't directly mean the contents are not acceptable but that they can't be read.
Thx, Ted

jota 2020-06-17 06:56:47 UTC #53

Hi @ted1,

It seems the tedmachine.info.p12 file doesn't have the correct format, can you try to transfer it to a .key file?

cd /opt/bitnami/apache2/conf
openssl pkcs12 -in tedmachine.info.p12 -nodes -out tedmachine.info.key -nocerts

You can find more information here: https://stackoverflow.com/questions/16075846/how-to-change-a-p12-file-to-key-file

Once you have the .key file, please verify that the checksums are the correct ones

cd /opt/bitnami/apache2/conf
openssl x509 -in eagle4000_tedmachine_info.crt -pubkey -noout -outform pem | sha256sum
openssl pkey -in tedmachine.info.key -pubout -outform pem | sha256sum

ted1 2020-06-18 01:40:25 UTC #54

Yes. I changed the name of the private key in bitnami/conf to tedmachine.info.key. I didn't forget to do this.
It's very encouraging to see the two certs not matching !! Not matching ??
Because I didn't even get the private key to load until now !! Right ??

The only possible reason for not matching in my view is that the public certificate was reissued.
Yes. Reissued under the guidance of the Digicert tech. He insisted I reissue the cert and install it correctly.
I was more than willing to do this. But, what I'm wondering if the cert was reissued did the old private key get left in the keychain ?? Left in the keychain while the new cert was installed possibly causing a mismatch. The only thing to do would be to rid the keychain completely of the cert, intermediate cert and any private key and start over.
Reissuing the entire certificate again.
When right clicking the private key inside in keychain there are a few options:
1. create a cert with imported private key
2. request a cert from a cert authority with imported private key
3. create a cert authority with imported private key
It may need to be cleaned up if nothing else.
If the Digicert tech installed the reissued cert the private key should be OK too, then.
Thx, Ted

jota 2020-06-18 06:37:12 UTC #55

Hi @ted1,

If they do not match is because you didn't use that one to generate the certificate or you reissued it as you mentioned. Please talk to the DigiCert team and explain this. They should give you a solution to the problem so you get new certificates or a way to recover the old file.

Thanks

ted1 2020-06-21 23:58:02 UTC #56

I was already to get busy and download the new public key using the new csr upon reissuing a new certificate.
However, after thinking I realized the two keys don't match which doesn't explain what happens when the certificate is actually downloaded. The certificate bundle, including the intermediate key gets downloaded. The private key is generated during this operation but happens on the server probably when the csr is developed by Macosx Server App. If the csr was used to generate the certificate more than once the private key may or may not agree with the current public key. It seems like they still should match even as the current certificate was reissued. The Digicert support agent insisted that I reissue the certificate so he could assist and see that was done right. I was more than willing to go ahead with this at the time. If the private key and public still don't match don't I have to delete ALL of the certificates and private key from the keychain ??

It's very likely I will need to reissue the certificate again. However, if the imported private key is still in place when that happens I could be in the same trap I'm in right now. I was about to begin the process of deleting all of these items from the keychain but decided to think it over first. I did manage to delete the csr files and public and intermediate keys from the desktop which may or may not be needed going forward and can be easily generated again. When I called Digicert this time support said the public and private keys do in fact match. But, as I have discovered that may not be the case.
Thx, Ted

jota 2020-06-22 07:43:08 UTC #57

Hi @ted1,

Let's start this from scratch and forget about the keychain in your Mac OS X machine. They way we suggest the users to generate a certificate is the following one:

https://docs.bitnami.com/general/apps/roundcube/administration/create-ssl-certificate-apache/

IMPORTANT: all the commands must be run inside the Bitnami Mac OS X VM

If you open that link, you can see that ...

sudo openssl genrsa -out /opt/bitnami/apache2/conf/server.key 2048

... generates a private key.

sudo openssl req -new -key /opt/bitnami/apache2/conf/server.key -out /opt/bitnami/apache2/conf/cert.csr

... and this one generates the certificate. You will need to send that cert.csr file to the Digicert team to sign the certificate. They will sign it and create the .crt file. You can either wait for them to finish or generate a temporary .crt file

sudo openssl x509 -in /opt/bitnami/apache2/conf/cert.csr -out /opt/bitnami/apache2/conf/server.crt -req -signkey /opt/bitnami/apache2/conf/server.key -days 365

Note: This temporary .crt file will make Apache to work but you will get warnings when accessing the site using HTTPS because it's not a valid certificate

After running all these steps, you will need to modify the Apache's configuration to use these new certificates:

<VirtualHost _default_:443>
  DocumentRoot "/opt/bitnami/apache2/htdocs"
  SSLEngine on
SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"

and restart Apache

sudo /opt/bitnami/ctlscript.sh restart apache

Once Digicert generates the certificate, you will need to copy it to the /opt/bitnami/apache2/conf folder, run these commands

sudo chown root:root /opt/bitnami/apache2/conf/NAME_OF_THE_FILE
sudo chmod 600 /opt/bitnami/apache2/conf/NAME_OF_THE_FILE

update the Apache's configuration

<VirtualHost _default_:443>
  DocumentRoot "/opt/bitnami/apache2/htdocs"
  SSLEngine on
SSLCertificateFile "/opt/bitnami/apache2/conf/NAME_OF_THE_FILE"
SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"

and restart Apache again

sudo /opt/bitnami/ctlscript.sh restart apache

ted1 2020-06-25 01:57:37 UTC #58

I'm almost there because apache has decided to start on port 80.
There is a version of apache running in the UNIX command terminal in Macosx Catalina so I turned it off.
It's running the same website files as opt/bitnami/apache2/htdocs. The UNIX version of apache is now stopped to allow the Bitnami version of apache to prevail. Then, my site went down.

The new reissued certificate and server.key is the new cert and private key also generated by apache.

To include all of the scripting involved would be too confusing.
Please check the syntax of the black screen in case I have done something wrong here.
Where, NAME_OF_THE_FILE appears to be the name of the public key or certificate.
It looks to me like eagle4000_tedmachine_info.crt is needed in place of server.crt.
Is this correct ?? Because server.crt is generated by apache or is the original file.
eagle4000_tedmachine_info.crt is generated by Digicert. That's what we need, I thought.
The csr is placed directly into the opt/bitnami/apache2/conf folder by apache.
I was able to verify the time it was created. The csr is copied into the Digicert reissue window but is almost
instant. I don't need the instructions for a temporary cert because the crt file is emailed in a matter of seconds.
The private key was generated before the public crt into the conf folder directly.
My syntax might be off a little. Please see where I may have gone astray.
Thx, Ted

jota 2020-06-25 07:00:57 UTC #59

Hi @ted1,

The server.crt and eagle4000_tedmachine_info.crt files are basically "the same". I mean, they are the public keys of your SSL certificate but with different names. You can rename the .crt file to whatever you want. The important part is that you set it correctly in the Apache's configuration:

SSLCertificateFile "/opt/bitnami/apache2/conf/NAME_OF_THE_FILE"

Ok, so did you send the csr file to Digicert and obtain a new certificate file? That means that "eagle4000_tedmachine_info.crt" is the new public key you obtained, right? In that case, the configuration you have in Apache looks correct and Apache should work properly. You ran the start command and Apache was started correctly. Can you access your site using https now? Are there errors in the Apache's log?

curl -LI http://localhost
curl -LI https://localhost
tail -n 20 /opt/bitnami/apache2/logs/error_log

Thanks

ted1 2020-06-26 02:00:45 UTC #60

If you look at the output the private and public keys don't match. We encountered this before as you recall.

The response I got from Digicert was that the private key is deposited on the server machine while the csr is generated as we talked about. Apache can generate the private and public keys.
What I'm trying to say is that Digicert has no way of signing the private key and that is why the two don't seem to match.
The public key is always signed by Digicert but the private key is all by itself and doesn't seem to like the Digicert signature on the public cert and won't team up with it. There is a Bitnami web page that talks about getting an apache generated csr self signed. This is the only way of getting the two to match as I see it. I had hoped this app can provide https in addition to Roundcube. Yes. I agree. That's a very powerful app. That would make the Macosx Server app virtually useless. The highly skilled software engineers at Bitnami have the task of assisting the public setting up and use of Bitnami software. Unless Digicert is taken out of the equation it appears I will continue to have problems with keys matching. What is needed to get a match ?? I don't have the faintest idea how to get Digicert to sign a private key. After all, Digicert is in the business of security.
Thx, Ted

Bitnami provides free all-in-one installers, virtual machines and cloud images for popular open source applications. Get them now!