postaszewski Absent Member.

import godaddy ssl cert into edirectory gets pki 1253 error

I am trying to import a godaddy ssl cert into edirectory. It is for a server that is running apache that hosts a website that we would like to have secured by an edirectory login when the site is visited.

This certificate was originally on a previous server that was replaced/migrated to SLES 10 sp3 from NW6.5 sp8. The SLES server has the same name and same IP.

I have re-keyed the certificate with godaddy. So the crt files that I downloaded godaddy pertain to the new SLES server.

I tried creating a .pem file by combining the crt file from godaddy and the key file (serverkey.pem from the /etc/ssl/servercerts directory). I then used openssl to make the .pem file into a pfx file by using the command: openssl pkcs12 -clcerts -export -in <filename>.pem -out <filename>.pfx

Next I used imanager to create a new server certificate by importing the pfx file. When I clicked finish at the end it gave me a PKI Error 1253 or 1,253

I don't know what I'm doing wrong.

Thanks,

-Paul
11 Replies
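The bundling step from the first post, as an added example that is not part of the thread: before exporting a key and certificate into the .pfx that iManager imports, check that the two actually belong together, and put the CA chain into the same bundle with `-certfile`. It needs only the openssl CLI; the CA, server key and certificate it uses are generated locally and are constructed stand-ins, not anything issued by GoDaddy, and the export password is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks that a private key and a
# certificate share the same public key, then builds the PKCS#12 (.pfx)
# bundle with the CA chain included. All key material is generated here
# for demonstration (constructed), nothing is a GoDaddy-issued cert.
set -eu

WORK=$(mktemp -d)

# Public key derived from a PEM private key file.
pubkey_from_key() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# Public key embedded in a PEM certificate file.
pubkey_from_cert() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null
}

# 0 when key and certificate match, 1 otherwise. A mismatch (for example a
# re-keyed cert paired with the old serverkey.pem) is the first thing to
# rule out when a key+cert bundle is rejected, whatever tool imports it.
key_matches_cert() {
    key="$1"; cert="$2"
    [ "$(pubkey_from_key "$key")" = "$(pubkey_from_cert "$cert")" ]
}

# Build the .pfx from key, certificate and chain. -certfile adds the
# intermediate/root CA certs; -passout is on the command line only so the
# example runs unattended (placeholder password, change it in real use).
make_pfx() {
    key="$1"; cert="$2"; chain="$3"; out="$4"
    key_matches_cert "$key" "$cert" || { echo "key does not match certificate" >&2; return 1; }
    openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
        -name "webserver" -out "$out" -passout pass:changeit
}

# --- demo material (constructed) ---------------------------------------
# A throwaway CA standing in for the issuer, a server key/cert signed by it,
# and an unrelated key to show the mismatch case.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/server.crt" 2>/dev/null
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null

make_pfx "$WORK/server.key" "$WORK/server.crt" "$WORK/ca.crt" "$WORK/server.pfx"
echo "wrote $WORK/server.pfx"
```

Run it as-is and it prints the path of the bundle it built; point `make_pfx` at your own key, cert and the CA bundle file to use it for real. The match check compares the SubjectPublicKeyInfo from both files, so it works for any key type openssl understands, not only RSA.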
brianrbenson1 Absent Member.

Re: import godaddy ssl cert into edirectory gets pki 1253 er

I'm afraid that you aren't really providing enough info from your re-key process to know if the mistake is there or not. For example, did you include the godaddy certificate chain? ie. intermediate certificates.

If your goal is to secure Apache. Then I recommend that you leave the edir certs alone and just do Apache.

Look at the "/etc/apache2/vhost.d/vhost-ssl.conf" file and change the appropriate entries. Also, you may need to add the ca cert bundles from godaddy to the lines below those.

SSLCertificateFile /etc/ssl/servercerts/servercert.pem
SSLCertificateKeyFile /etc/ssl/servercerts/serverkey.pem

Touchstone Technology Network Consulting Engineer www.touchstonetech.com
postaszewski Absent Member.

Re: import godaddy ssl cert into edirectory gets pki 1253 er

I have an open SR with novell on configuring apache with ssl, and they told me that I have to have the godaddy cert imported into edirectory, and since that's a different department, it would require me having to open another SR.

I need the godaddy cert in place so that I don't get the stupid "this site isn't safe" bs in the browser when doing https. People here aren't smart enough to click the "continue to site - not recommended" link 😉

When I made the pem file, I tried it two ways... including the intermediate and not including it. Neither way worked. They both gave a 1253 error when importing into edir.
warper2
New Member.

Re: import godaddy ssl cert into edirectory gets pki 1253 error

postaszewski wrote:

>
> I have an open SR with novell on configuring apache with ssl, and they
> told me that I have to have the godaddy cert imported into edirectory,
> and since that's a different department, it would require me having to
> open another SR.
>
> I need the goddaddy cert in place so that I don't get the stupid "this
> site isn't safe" bs in the browser when doing https. People here aren't
> smart enough to click the "continue to site - not recommended" link 😉
>
> When I made the pem file, i tried it two ways... including the
> intermediate and not including it. Neither way worked. They both gave
> a 1253 error when importing into edir.
>
>


Again don't use edir at all for this if it is for apache2. I do it all the
time without any issues. It is even better in clustering services with
apache because you just create another ssl vhost file with the appropriate
certs in there and path and it just works.

If Novell is telling you that edir has to have it they are wrong.

postaszewski Absent Member.

Re: import godaddy ssl cert into edirectory gets pki 1253 er

All I want is to be prompted with a login box when the site is visited. The username and passwords that are entered must be from edirectory users. So the login box must authenticate to edir/ldap something in order for this to work how I want it to. That's how I had it on nw6.5.

Can someone tell me how to accomplish this w/o the stupid site not trusted error?
postaszewski Absent Member.

Re: import godaddy ssl cert into edirectory gets pki 1253 er

I've basically tried what I found in this thread, and gotten the same result as they did... and of course there was no reply as to why there's a 1253 error.

http://forums.novell.com/novell/novell-product-discussion-forums/open-enterprise-server/oes-linux/oes-l-administration/324574-import-third-party-certificate-open-enterprise-server-2-linux.html
brianrbenson1 Absent Member.

Re: import godaddy ssl cert into edirectory gets pki 1253 er

Now you have two different things you are trying to accomplish here.

1. HTTPS enabled site on tcp/443 using a 3rd party certificate so that the site not trusted error is not coming up.

2. Use a basic auth popup prompt to authenticate apache basic auth to edirectory via LDAP.


We have covered #1. "configure apache2 certs directly without edir is the easiest"

#2 is covered here:
Apache configuration for eDirectory Authentication on SLES 10

Good luck.
-B

brianrbenson1 Absent Member.

Re: import godaddy ssl cert into edirectory gets pki 1253 er

Also, can you explain your re-key process that you went through?

I recommend:
1. generate a new private key and CSR.
2. send the CSR to godaddy
3. obtain the cert from godaddy
4. use the new private key and cert from godaddy as the values in the apache config that I referenced earlier. (note that you may also need their intermediate ca cert bundle. I'm pretty sure they email this to you)

postaszewski Absent Member.

Re: import godaddy ssl cert into edirectory gets pki 1253 er

brianrbenson;2137540 wrote:
Also, can you explain your re-key process that you went through?

I recommend:
1. generate a new private key and CSR.
2. send the CSR to godaddy
3. obtain the cert from godaddy
4. use the new private key and cert from godaddy as the values in the apache config that I referenced earlier. (note that you may also need their intermediate ca cert bundle. I'm pretty sure they email this to you)


What's the best way to generate the private key and CSR... Just so I know I'm doing it right?

Also, is there a TID on how to configure the ssl cert within apache? So I could follow it step by step.

I see that you said to do:
Look at the "/etc/apache2/vhost.d/vhost-ssl.conf" file and change the appropriate entries. Also, you may need to add the ca cert bundles from godaddy to the lines below those.

SSLCertificateFile /etc/ssl/servercerts/servercert.pem <---- This is the godaddy cert?
SSLCertificateKeyFile /etc/ssl/servercerts/serverkey.pem <----- This is the private key generated that I sent to godaddy w/ the csr?

I don't know how to properly create pem files. Godaddy sends me .crt files.

Please excuse my ignorance. I'm new to linux. This is a huge learning curve for me.

I really appreciate all the help.

-Paul
Knowledge Partner

Re: import godaddy ssl cert into edirectory gets pki 1253 error

In article <postaszewski.503yu0@no-mx.forums.novell.com>, Postaszewski
wrote:
> I don't know how to properly create pem files. Godaddy sends me .crt
> files.
>

Ah yes, the format 'fun' where they send you a binary format when you
really need the ASCII format.
try this
http://moze.koze.net/?p=81


Andy Konecny
KonecnyConsulting.ca in Toronto
brianrbenson1 Absent Member.

Re: import godaddy ssl cert into edirectory gets pki 1253 er

OK, Godaddy has a writeup of how to install their certs in apache.
Installing an SSL Certificate in Apache - Search the Go Daddy Help Center

As for generating the Private key and CSR, this is what I tend to do.

*Create Private Key: (this does not get sent to godaddy)
openssl genrsa -out /etc/ssl/servercerts/webserverkey.pem 2048


*Create Certificate Signing Request (CSR): (Send this to godaddy)
openssl req -new -key /etc/ssl/servercerts/webserverkey.pem -out /root/webservercsr.pem

-send /root/webservercsr.pem to godaddy.
-copy the cert that they provide to /etc/ssl/servercerts/webservercert.pem
(you may have to follow konecnya's instructions to convert it, I'm not sure) to check do
cat webservercert.pem
--if it has begin cert and end cert sections, then it is already in the correct pem format.

* Get their intermediate CA bundle chain
wget -O /etc/ssl/certs/gd_bundle.crt 'https://certs.godaddy.com/anonymous/repository.seam?streamfilename=gd_bundle.crt&actionMethod=anonymous%2Frepository.xhtml%3Arepository.streamFile%28%27%27%29&cid=170422'

** Now to setup Apache, I used the paths above as examples to create the following config
SSLCertificateFile /etc/ssl/servercerts/webservercert.pem
SSLCertificateKeyFile /etc/ssl/servercerts/webserverkey.pem
SSLCertificateChainFile /etc/ssl/certs/gd_bundle.crt

and restart apache

brianrbenson1 Absent Member.

Re: import godaddy ssl cert into edirectory gets pki 1253 er

Also, the wget command has errors above, the wiki made spaces in it when I pasted it. so be aware of that.
