LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.
Old 09-20-2015, 02:25 AM   #16
Diantre
Member
 
Registered: Jun 2011
Distribution: Slackware
Posts: 515


Quote:
Originally Posted by kikinovak
And now I vaguely wonder if there is a less cumbersome way so different applications running as different users can "share" a certificate in a standard place between them.

Any suggestions?
Well, here's an idea:
  1. Create a system group called "certs".
  2. Add users "apache" and "prosody" to group "certs".
  3. Change permissions and ownership of your certificate and private key to "root:certs" and 640 (rw-r-----).
  4. Leave the certificate and key in the original directories and create the necessary symlinks to them in /etc/httpd/certs and /etc/prosody/certs.
This way, the users in the "certs" group have read access to the certificate and private key.

Mind you, this is just an idea, I haven't tried any of this nor considered any possible security implications. But in theory it might just work. Or not.
 
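The four steps above as a small sh helper set (added example, not code from the thread or from any poster): setup_shared_cert needs root, while the two check functions can be run by anyone to audit the result. It assumes GNU coreutils (stat -c, readlink -f) and shadow-utils (groupadd, usermod).

```sh
# Added example, not from the thread: helpers for the root:certs / 0640 /
# symlink scheme proposed above. setup_shared_cert needs root; the check
# functions can be run by anyone to audit the result. Assumes GNU coreutils
# (stat -c, readlink -f) and shadow-utils (groupadd, usermod).

# Print owner:group:octal-mode of the file a path finally resolves to. Symlinks
# are followed on purpose: the link in /etc/httpd/certs is only a pointer, the
# kernel checks the daemon's credentials against the target in /etc/ssl/private.
key_facts() {
    real=$(readlink -f "$1") || return 1
    [ -f "$real" ] || return 1
    stat -c '%U:%G:%a' "$real"
}

# Succeed only if FILE resolves to OWNER:GROUP with exactly MODE, e.g.
#   check_key_perms /etc/prosody/certs/slackbox.fr.key root certs 640
check_key_perms() {
    want="$2:$3:$4"
    got=$(key_facts "$1") || { echo "$1: dangling or not a regular file" >&2; return 1; }
    [ "$got" = "$want" ] && return 0
    echo "$1: have $got, want $want" >&2
    return 1
}

# True when the "other" permission digit is non-zero, i.e. any local user can
# read the key; this is the mistake the scheme above must never produce.
world_readable() {
    facts=$(key_facts "$1") || return 1
    case "${facts##*:}" in
        *0) return 1 ;;
        *)  return 0 ;;
    esac
}

# Root only: steps 1-4 from the post for one cert/key pair.
# Usage: setup_shared_cert CRT KEY APPDIR [APPDIR...]
setup_shared_cert() {
    crt=$1; key=$2; shift 2
    getent group certs >/dev/null || groupadd certs
    for u in apache prosody; do usermod -a -G certs "$u"; done
    chown root:certs "$crt" "$key"
    chmod 644 "$crt"   # the certificate is public anyway
    chmod 640 "$key"   # root rw, group certs read, nobody else
    for d in "$@"; do
        mkdir -p "$d"
        ln -sfn "$crt" "$d/$(basename "$crt")"
        ln -sfn "$key" "$d/$(basename "$key")"
    done
}
```

Run check_key_perms against the symlink the daemon actually opens; the result describes the target file, which is what the daemon's uid/gid is checked against.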
Old 09-20-2015, 03:44 AM   #17
atelszewski
Member
 
Registered: Aug 2007
Distribution: Slackware
Posts: 948

Hi,

My 2 solutions:
1. More cumbersome: get the habit of creating different key/cert pair for different services as soon as possible at the learning stage
2. Aren't the services initially started as root and then they change the user? If so, the key/cert can be read with no problems at the start-up.

--
Best regards,
Andrzej Telszewski
 
Old 09-20-2015, 05:05 AM   #18
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

Quote:
Originally Posted by kikinovak
The next question that puzzles me is relative to file ownership and permissions. Let me follow up on the example above. I just created a self-signed certificate for the domain "slackbox.fr". The relevant files are:
  • The certificate: /etc/ssl/mycerts/slackbox.fr.crt ;
  • The private key: /etc/ssl/private/slackbox.fr.key.
Both files belong to root:root. The private key has permissions rw-------, and I created a symlink /etc/ssl/certs/slackbox.fr.crt which points to the certificate in /etc/ssl/mycerts.

Let's say I want this certificate to be used by the Apache web server and the Prosody XMPP server. Apache runs as user apache and group apache, and likewise, Prosody runs as user prosody and group prosody. If I want these applications to access the *.crt and *.key files, ownership and permissions have to be set accordingly. But right now, the only sane way I've found is to copy these files to the application-specific directories /etc/httpd/certs and /etc/prosody/certs, and give them respectively to the apache user and group, and to the prosody user and group.
Apache initializes itself as root...
Quote:

And now I vaguely wonder if there is a less cumbersome way so different applications running as different users can "share" a certificate in a standard place between them.

Any suggestions?
As soon as you start "sharing" certificates you open a vulnerability where one such application may be used to steal the certificate used by a different application...
 
Old 09-24-2015, 04:34 AM   #19
kikinovak
MLED Founder
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: CentOS, OpenSUSE
Posts: 3,453

Original Poster
Quote:
Originally Posted by Cesare
Word of advice: Don't! The "free" may be tempting, but I found the barely working web pages, the non-working verification process, the abysmal customer support and the hidden costs just too painful. Either invest 8€ into a cheap Comodo certificate or wait for general availability of Mozilla's "Let's encrypt" certificates.
I'm puzzled. I just visited the Comodo website. Cheapest SSL certificates start at 76 $. Where did you see a certificate for 8 € ?
 
Old 09-24-2015, 04:41 AM   #20
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

Quote:
Originally Posted by atelszewski
Hi,

My 2 solutions:
1. More cumbersome: get the habit of creating different key/cert pair for different services as soon as possible at the learning stage
This is better security as it separates the signing certificate from that application certificate - which allows for revoking a single certificate. Otherwise you have to revoke all certificates, and cause the root public key to be replaced everywhere.

This is why root certificates are generated with 7-10 year lifetimes, and certificates issued to services only last one year. The users don't have to do anything (having loaded the public key for the root certificate) when a service gets a new certificate just prior to expiration.
Quote:
2. Aren't the services initially started as root and then they change the user? If so, the key/cert can be read with no problems at the start-up.
Not always. It usually depends on whether the service is using a privileged port or not, as well as how it is started. For instance, systemd (and inetd/xinetd) will start a service as the specified user as the privileged port is opened by the startup system (being systemd/inetd/xinetd) and passed to the service rather than depend on the service properly dropping privileges.
Quote:
--
Best regards,
Andrzej Telszewski
 
Old 09-24-2015, 05:44 AM   #21
willysr
Senior Member
 
Registered: Jul 2004
Location: Jogja, Indonesia
Distribution: Slackware-Current
Posts: 4,670

Quote:
Originally Posted by kikinovak
I'm puzzled. I just visited the Comodo website. Cheapest SSL certificates start at 76 $. Where did you see a certificate for 8 € ?
I just got 90 days free of SSL Cert from Comodo
https://ssl.comodo.com/free-ssl-certificate.php
 
Old 09-24-2015, 06:06 AM   #22
kikinovak
MLED Founder
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: CentOS, OpenSUSE
Posts: 3,453

Original Poster
Quote:
Originally Posted by willysr
I just got 90 days free of SSL Cert from Comodo
https://ssl.comodo.com/free-ssl-certificate.php
I just found out what misled me. I need a multidomain certificate (slackbox.fr, www.slackbox.fr, mail.slackbox.fr, ftp.slackbox.fr, jabber.slackbox.fr, etc.) and these are much more expensive.

I'll try a mix of StartSSL and self-signed.
 
Old 09-24-2015, 06:13 AM   #23
Cesare
Member
 
Registered: Jun 2010
Posts: 65

Quote:
Originally Posted by kikinovak
I'm puzzled. I just visited the Comodo website. Cheapest SSL certificates start at 76 $. Where did you see a certificate for 8 € ?
I get mine from namecheap.com for currently 8,07€/year for a domain-validated Comodo PositiveSSL single domain certificate. First year is free if you also register a domain with them. Actually I thought offers like these were common for every domain registrar, but now that you've asked I checked and found a similar offer only at gandi.net.
 
Old 09-29-2015, 10:47 PM   #24
the3dfxdude
Member
 
Registered: May 2007
Posts: 735

Quote:
Originally Posted by kikinovak
Right, here goes. After another rainy day of experimenting, everything works perfectly. I have written a script to automate certificate generation as much as possible. Here it is:

..snip..

The test report on SSL Labs is now perfect, except of course for the trust part, since the stuff is self-signed.

Cheers,

Niki
Hey thanks for the discussion. I've been studying it the past few days, and the information has been helpful.

(BTW Note the typo in your shell script stateOrProvineName -> stateOrProvinceName)

I also wanted to note, going beyond self-signed is still hard to be "perfect" on the SSL Labs tests. I see 90-95% on ssl configuration, and on the trust part 100%.
 
Old 09-29-2015, 10:54 PM   #25
Rinndalir
Member
 
Registered: Sep 2015
Posts: 733

Can't help with your specific config details but once you think it's all ready for secure comms try running http://testssl.sh against it.
 
Old 09-30-2015, 02:32 AM   #26
kikinovak
MLED Founder
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: CentOS, OpenSUSE
Posts: 3,453

Original Poster
Quote:
Originally Posted by the3dfxdude
Hey thanks for the discussion. I've been studying it the past few days, and the information has been helpful.

(BTW Note the typo in your shell script stateOrProvineName -> stateOrProvinceName)
Fixed. Thanks!
 
Tags: ssl, tls