How to setup SSL for zotonic?


kerry liu

Jul 13, 2011, 9:29:44 PM
to Zotonic users
Hi,

I'm really confused with ssl_certfile, ssl_keyfile and cacertfile. I used
the steps below to create those files, but it seems to have failed to set up https
for zotonic:

openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout ssl_keyfile.pem -out ssl_cacertfile.pem
openssl req -out server.csr -key ssl_keyfile.pem -new

Question is how to create ssl_certfile?

Many thx for your help.

Best regards
Kerry

Ivan Martinez

Oct 20, 2012, 3:29:58 PM
to zotoni...@googlegroups.com
I'm also confused with the certificates configuration, the lack of a certificate naming convention makes things difficult. What I have is:
- key.pem, my private key.
- request.pem, the certificate request.
- ssl.pem, the signed certificate that contains key.pem.
I suppose ssl_certificate must be "ssl.pem" and ssl_keyfile "key.pem", but what about ssl_cacertfile? Is it the "cacerts certificates file" mentioned here?
http://docs.oracle.com/javase/1.5.0/docs/tooldocs/solaris/keytool.html#importCmd
Is ssl_cacertfile a mandatory parameter?
Thank you,
Iván Martínez

Marc Worrell

Oct 20, 2012, 4:07:49 PM
to zotoni...@googlegroups.com
Hi,

Maybe the 0.9 ssl docs can take away a bit of your confusion.


- Marc

Ivan Martinez

Oct 24, 2012, 3:28:31 PM
to zotoni...@googlegroups.com
Thank you Marc, I understand from the 0.9 docs that I only need ssl_certfile and ssl_keyfile, since I'm using a self-signed certificate. I'm running Zotonic 0.8.1 and following the instructions for 0.6 published here:
http://zotonic.com/https-support
It doesn't seem to work, but I don't get any error either; it's like nothing changed. I even tried setting wrong paths to the certificate files as follows:

{listen_port_ssl, 8443},
{ssl, true},
{ssl_certfile, "/wrong_path/website.local.pem"},
{ssl_keyfile, "/wrong_path/website.local.key"}

Still no error message; my Zotonic seems to ignore these settings. I looked in the modules list of the admin console but couldn't find anything related to SSL. Am I forgetting to install or enable anything?

Thank you,
Ivan

Marc Worrell

Oct 24, 2012, 3:37:53 PM
to zotoni...@googlegroups.com
In 0.8 the SSL is handled by starting a separate listener from the main supervisor.
Check src/zotonic_sup.erl

It just hands all the settings you pass to MochiWeb for initializing an SSL listener.

Very strange that you seem to have problems, as MaxClass.com is running on 0.8 and uses the same code.

Maybe you can check what happens in the listeners?
We might need to add some extra checks, which would also be very useful for 0.9.

- Marc

Ivan Martinez

Oct 28, 2012, 9:12:54 AM
to zotoni...@googlegroups.com
Hello Marc,
I'm not sure how to check what happens with the listeners. I ran Zotonic and did the following in the console:

(zoton...@localhost.localdomain)3> z_config:get_dirty(ssl_certfile).
undefined
(zoton...@localhost.localdomain)4> z_config:get_dirty(ssl_keyfile).
undefined
(zoton...@localhost.localdomain)5> z_config:get_dirty(ssl_cacertfile).
undefined
(zoton...@localhost.localdomain)6> z_config:get_dirty(ssl).
false

Looks like it's not reading any SSL parameter from the config file. This should be the "/priv/sites/mysite/config" file, right?
Thank you,
Ivan

Andreas Stenius

Oct 29, 2012, 4:16:37 AM
to zotoni...@googlegroups.com
Hi Ivan,

I've not followed the discussion from the beginning, but z_config:get_dirty/1 reads the priv/config file (hint: there's no site or context passed in to be able to deduce which other config file to read).

Hope this helps.

//Andreas


Ivan Martinez

Nov 3, 2012, 3:16:05 PM
to zotoni...@googlegroups.com
Thank you Andreas, I have added the certificate configuration to priv/config and now it works. I don't know why I didn't see the example in config.in, probably because I didn't expect to find it there. There is something I don't understand: if the certificate is domain-specific, how come it is configured in the general priv/config file instead of /priv/sites/mysite/config for the website whose domain I want to secure? If I need to add two certificates for two domains in the same Zotonic server, how is it done?
Thank you,
Ivan Martinez


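An added example, not code from this thread or from Zotonic, that ties together Kerry's question (which openssl output is the ssl_certfile) and Ivan's finding that 0.8 silently accepts wrong paths in priv/config: it generates a self-signed pair, checks that the key and certificate actually belong together, and prints the priv/config lines. It assumes openssl is installed; the host name website.local and the temporary paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the thread or from Zotonic). Creates a
# self-signed key/certificate pair with the openssl command the thread uses
# and checks the pair before the paths go into priv/config.
set -e

# One command makes both files. The file written by -out is the certificate,
# i.e. the value for ssl_certfile; -keyout is ssl_keyfile. A self-signed
# setup needs no separate ssl_cacertfile.
make_selfsigned() {
    host="$1"; keyfile="$2"; certfile="$3"
    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -subj "/CN=$host" \
        -keyout "$keyfile" -out "$certfile" 2>/dev/null
}

# Returns 0 only if both files are readable, parse as PEM, and carry the
# same public key. Zotonic 0.8 passes the paths straight to the listener
# without complaining about wrong ones (as Ivan saw), so check first.
check_pair() {
    keyfile="$1"; certfile="$2"
    [ -r "$keyfile" ] && [ -r "$certfile" ] || return 1
    k=$(openssl pkey -in "$keyfile" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$certfile" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Prints the priv/config lines for the pair in the 0.8 form shown in the thread.
config_snippet() {
    port="$1"; keyfile="$2"; certfile="$3"
    printf '{listen_port_ssl, %s},\n{ssl, true},\n' "$port"
    printf '{ssl_certfile, "%s"},\n{ssl_keyfile, "%s"}\n' "$certfile" "$keyfile"
}

# Demo with constructed paths in a temporary directory.
dir=$(mktemp -d)
make_selfsigned website.local "$dir/website.local.key" "$dir/website.local.pem"
check_pair "$dir/website.local.key" "$dir/website.local.pem" && echo "key and certificate match"
check_pair "/wrong_path/website.local.key" "$dir/website.local.pem" || echo "wrong key path rejected"
config_snippet 8443 "$dir/website.local.key" "$dir/website.local.pem"
rm -rf "$dir"
```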

Arjan Scherpenisse

Nov 3, 2012, 3:58:40 PM
to zotoni...@googlegroups.com

That is not possible. Virtual hosting with SSL is impossible: each IP+port combination needs its own SSL certificate.

In Zotonic 0.9, we have refactored SSL support so that SSL sites can run on different ports, each vhost a different SSL port.

See Marc's wonderful SSL doc page on this topic (0.9 specific!):
http://zotonic.com/docs/ref/modules/mod_ssl.html

Arjan