From: Sokolowski, D. <DS...@ea...> - 2017-04-28 21:25:37
Oh, ok, now I understand what Fabrice meant about haproxy terminating the ssl tunnel. Thanks for that explanation. Sorry, I didn't pick that up right away.

I changed var/conf/haproxy.conf to point at my certificates, and every time I restart the service, it rewrites the haproxy.conf file back to using server.pem. So reading your response again, it sounds like my concatenated certificate might need to be named 'server.pem'. If I rename my certificate to 'server.pem', it works as desired.

Is that the way to do it? Or am I still off-base? 'server.pem' won't get overwritten by an upgrade?

Thanks so much,
Darryl

From: Louis Munro [mailto:lm...@in...]
Sent: Friday, April 28, 2017 4:29 PM
To: pac...@li...
Subject: Re: [PacketFence-users] Captive portal SSL not using defined cert after PF7 upgrade

A bit of background seems in order.

In PF 7.0 HAProxy sits in front of the httpd process for the portal. HAProxy terminates the TLS connection, not httpd. So you must tell HAProxy where to find your server certificate and key.

Look at the var/conf/haproxy.conf. You will find the lines that configure ssl for each of the frontends. Those lines point to the server.pem file, which must contain the concatenation of both your server certificate(s) and server key.

The conf/httpd.conf.d/ssl-certificates.conf files have nothing to do with that.

On Apr 28, 2017, at 9:33 AM, Virginie Girou <vir...@ut...> wrote:

Hello,

I am exactly in the same case.
Here is the content of /usr/local/pf/conf/httpd.conf.d/ssl-certificates.conf:

# Apache SSL certificates configuration
# This file is manipulated on PacketFence's startup before being given to Apache
SSLCertificateFile %%install_dir%%/conf/ssl/certif_ut-capitole_fr.crt
SSLCertificateKeyFile %%install_dir%%/conf/ssl/cle_ut-capitole_fr.key
SSLCertificateChainFile %%install_dir%%/conf/ssl/cachain_digicert.pem

I followed your advice:

cat certif_ut-capitole_fr.crt cle_ut-capitole_fr.key certif2_ut-capitole_fr.pem

But where must "certif2_ut-capitole_fr.pem" be used? Which config file?

Thanks

Regards,
--
Louis Munro
lm...@in... :: www.inverse.ca
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
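
The concatenation step discussed in this thread, as an added example that is not part of the original messages and is not PacketFence code: it builds the combined PEM only after checking that the private key belongs to the certificate, and writes it with owner-only permissions. The function name and all file paths are assumptions supplied by the caller; it requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not PacketFence code. Builds the single PEM file HAProxy
# reads (leaf certificate, optional chain, private key) and refuses to write
# it when the key does not belong to the certificate.
# Usage: build_haproxy_pem OUT CERT KEY [CHAIN]   (all paths are the caller's)
build_haproxy_pem() {
    out=$1 cert=$2 key=$3 chain=${4:-}
    for f in "$cert" "$key" ${chain:+"$chain"}; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    done
    # Extract the public key from each side; a parse failure is an error,
    # never an empty string that would compare equal to another empty string.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 3
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 3
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2
        return 4
    fi
    # mktemp creates the file with mode 0600, so the key is never world-readable.
    tmp=$(mktemp "$out.XXXXXX") || return 5
    # 'awk 1' re-emits every line with a trailing newline, so an input that
    # lacks a final newline cannot fuse two PEM markers onto one line.
    if awk 1 "$cert" ${chain:+"$chain"} "$key" > "$tmp"; then
        mv -f "$tmp" "$out"   # rename into place only after a complete write
    else
        rm -f "$tmp"; return 5
    fi
}

# Run as a script when arguments are given; otherwise only define the function.
if [ "$#" -ge 3 ]; then build_haproxy_pem "$@"; fi
```

A non-zero return leaves any existing output file untouched, so a mismatched key never replaces a working server.pem.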