Vodia PBX forum
koolandrew

Replace default Vodia Networks Inc PBX HTTPS/SSL certificate


Hello,

 

We recently purchased a 2048bit PositiveSSL Wildcard Certificate from Comodo and would like to install it over the Vodia Networks Inc. default certificate.

 

Comodo sent us the following files:

 

  • Root CA Certificate - AddTrustExternalCARoot.crt

  • Intermediate CA Certificate - COMODORSAAddTrustCA.crt

  • Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt

  • Your PositiveSSL Wildcard Certificate - STAR_domain_com.crt

 

Needless to say we also own the private key.

 

Our goal is to remove the default Vodia Networks Inc certificate (screenshot attached). Following the Vodia Wiki, we went to Setting --> Certificates on the PBX and were able to add all the certificates mentioned above as “Trusted Root CA for server authentication”. However, we were not able to add our wildcard certificate in combination with our private key as either “Domain certificate chain + Private key” or “Server certificate chain + Private key”.

 

This is what we tried:

 

1.) (As domain certificate chain + private key)

1.1) Wildcard certificate + Private key

1.2) Concatenated all certificates adding empty line between certificates + Private key

 

2.) (As server certificate chain + private key)

2.1) Wildcard certificate + Private key

2.2) Concatenated all certificates adding empty line between certificates + Private key

 

3.) (As domain certificate chain + private key)

(Changed -----BEGIN PRIVATE KEY----- to -----BEGIN RSA PRIVATE KEY-----

and -----END PRIVATE KEY----- to -----END RSA PRIVATE KEY----- )

3.1) Wildcard certificate + Private key

3.2) Concatenated all certificates adding empty line between certificates + Private key

 

4.) (As server certificate chain + private key)

(Changed -----BEGIN PRIVATE KEY----- to -----BEGIN RSA PRIVATE KEY-----

and -----END PRIVATE KEY----- to -----END RSA PRIVATE KEY----- )

4.1) Wildcard certificate + Private key

4.2) Concatenated all certificates adding empty line between certificates + Private key

 

For any combination above, once we click “Save” simply nothing happens. We would be very grateful if someone could help us replace the default Vodia Networks Inc certificate with our own so we can start using https without getting “This connection is untrusted“ messages in the browser.

 

Thank you in advance!


Everything needs to be base64-encoded. Use a text editor to make sure that you can see it.

 

If you are using SHA2 certificates, make sure that you are using 5.2.6 or later.

 

First comes the certificate itself, and then the intermediate certs in the cert input field.

 

The private key goes into the input field for the private key. It must not have a password (this is not supported, as it would require you to enter the password when you start the PBX up).

 

If it all does not help, we can import it for you.


Following your post we went and tried again.

All our certificates are base64 encoded and visible in a text editor. We are using the same certificates for other services as well. Our private key has no password. We are using a version later than 5.2.6.

As you mentioned, we put our wildcard certificate into the certificate field first, followed by our intermediate certificate. We tried both intermediate certificates at a time as we were given two (COMODORSADomainValidationSecureServerCA.crt, COMODORSAAddTrustCA.crt). In both cases we tried concatenating our wildcard certificate with one of the intermediate certificates with and without leaving a blank line in between.

We also tried adding the private key as:
-----BEGIN PRIVATE KEY-----
and
-----END PRIVATE KEY-----

as well as:

-----BEGIN RSA PRIVATE KEY-----
and
-----END RSA PRIVATE KEY-----

Neither of the above combinations worked either in "Domain certificate chain + private key" or "Server certificate chain + private key" mode. I've spent hours trying to get this to work meticulously entering every possible combination there is.

Is there a log in the PBX that shows what the problem might be? Possibly a debug log that can be enabled?

We are very thankful to you for getting back to us, but we don't know what else to try to get this to work. Unless we get more detailed instructions, we believe this simply can't be done.

Please understand that we can't let a 3rd party handle our key and certificates as it would compromise our whole PKI.


Maybe you can send us a private message with the certificates and the general structure of the private key (without the actual private key), so that we can try this out here in the debugger.


I don't want to be sending any part of our certs through email or message.

 

1. Why do you have the snom/vodia certificates, as they are tied to localhost, which, as you are aware, are pretty well useless? Is there any way to add the credentials of the domain to this cert so we can use it?

2. Is this even possible? Every time we have tried, we get no response. Where are the logs located that would help us troubleshoot this issue?

 

If it cant be done, it cant be done. Just let me know.


No, it can be done. We helped some folks with wildcard certificates already a long time ago. It is a hassle, but it works (should work). Try to turn TLS logging on to level 9 when you import the certificate. Maybe you can get us another, similar certificate from the same CA so we can try this out.

 

We had the idea to establish a Vodia Root CA, so that we can make this easier for PBX deployments. But the core problem remains that all users need then to trust the Vodia Root CA, which is even more hassle. That is why that dummy built-in certificate is still in there.

 

On a side note, the whole thing around Internet certificates is badly broken IMHO. A few weeks ago I went through the list of "trusted Root CA" on my Android phone, and it was shocking who this device is trusting. Maybe we do have a good chance of getting on that list as well!


I am not sure why you added the Vodia Root CA, as it isn't assigned to the server, it is assigned to localhost.

 

I agree that the certificate thing is crap, but it doesn't help solve the problem.

 

I turned on tls logging, and here is what i got

 

2] 16:37:38.348 TLS: Private and public key don't match


Aha! That is a very important hint. The PBX is not able to match the private key with the top certificate (the private and the public key don't match up). We had that problem when the private key is encrypted, and, of course, if the keys really don't match. Can you double, triple check if you were using the right keys? So we are talking RSA keys with 2048 bits? What hash method? What you could do if you have an Apache running somewhere is trying to use the certs there and see if that works.


We have used this setup for our website using Apache, on routers, and on our mail server, but we cannot get it to work on the PBX, and it doesn't appear many others can either.

 

Please just come clean with me: if you can't do it, you can't do it. I get the feeling that you know this already, so just let me know and I will move on.


I think the problem is that the key is a PKCS#8 key, while the PBX expects a PKCS#1 key. That is the difference between BEGIN RSA PRIVATE KEY and BEGIN PRIVATE KEY.

 

We will add code that in the next version the PBX will "eat" both versions. For now, please convert the #8 into #1 using openssl:

openssl rsa -in pkcs8.pem -out pkcs1.pem

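The three things this thread turns on can all be verified offline before touching the PBX: the key must not be password-protected (the earlier Vodia reply), the key inside the PEM must be PKCS#1 rather than PKCS#8 framing (the post above), and the private key must actually belong to the certificate's public key (the "Private and public key don't match" log line). The following is an added example, not Vodia's code and not posted by anyone in the thread. It uses only the Python standard library and a constructed toy RSA key (p=61, q=53, never a real key) so it runs with no files. It does by hand what `openssl rsa -in pkcs8.pem -out pkcs1.pem` does (unwrap the PKCS#8 PrivateKeyInfo to the bare RSAPrivateKey) and shows why merely renaming the PEM header, as tried in step 3 of the first post, yields exactly the "don't match" diagnosis.

```python
"""Added example: inspect and convert PEM private keys with the standard library only.

'-----BEGIN PRIVATE KEY-----' is PKCS#8 (a PrivateKeyInfo wrapper around the key);
'-----BEGIN RSA PRIVATE KEY-----' is PKCS#1 (the bare RSAPrivateKey structure).
Editing the header does not change the DER inside. The toy key is constructed, not real.
"""
import base64
import re

# Pre-encoded OBJECT IDENTIFIER 1.2.840.113549.1.1.1 (rsaEncryption), tag and length included
RSA_OID = bytes.fromhex("06092a864886f70d010101")


def _len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def _int(v):
    # One extra byte when the top bit is set keeps the INTEGER positive
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def _seq(*parts):
    return _tlv(0x30, b"".join(parts))


def _read_tlv(buf, pos=0):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def pem_to_der(pem):
    """Return (label, DER bytes); rejects encrypted keys, which the PBX cannot load."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found (file must be base64 text, not binary DER)")
    label, body = m.group(1), m.group(2)
    if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
        raise ValueError("key is password-protected; the PBX needs an unencrypted key")
    return label, base64.b64decode("".join(body.split()))


def der_to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pkcs8_to_pkcs1(pem):
    """Equivalent of `openssl rsa -in pkcs8.pem -out pkcs1.pem` for unencrypted RSA keys."""
    label, der = pem_to_der(pem)
    if label == "RSA PRIVATE KEY":
        return pem                                   # already PKCS#1
    if label != "PRIVATE KEY":
        raise ValueError(f"unexpected PEM label {label!r}")
    _, info, _ = _read_tlv(der)                      # PrivateKeyInfo ::= SEQUENCE
    _, _, p = _read_tlv(info)                        #   version INTEGER
    _, alg, p = _read_tlv(info, p)                   #   privateKeyAlgorithm AlgorithmIdentifier
    if not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    tag, key, _ = _read_tlv(info, p)                 #   privateKey OCTET STRING (RSAPrivateKey DER)
    if tag != 0x04:
        raise ValueError("malformed PrivateKeyInfo")
    return der_to_pem("RSA PRIVATE KEY", key)


def rsa_modulus(pem):
    """Modulus n from a PKCS#1 or PKCS#8 private key, or from a 'PUBLIC KEY' (SPKI) PEM."""
    label, der = pem_to_der(pem)
    if label == "PRIVATE KEY":
        label, der = pem_to_der(pkcs8_to_pkcs1(pem))
    _, body, _ = _read_tlv(der)
    if label == "RSA PRIVATE KEY":
        _, _, p = _read_tlv(body)                    # version
        _, n, _ = _read_tlv(body, p)                 # modulus
    elif label == "PUBLIC KEY":
        _, _, p = _read_tlv(body)                    # AlgorithmIdentifier
        _, bits, _ = _read_tlv(body, p)              # BIT STRING wrapping RSAPublicKey
        _, pub, _ = _read_tlv(bits[1:])              # skip the unused-bits byte
        _, n, _ = _read_tlv(pub)
    else:
        raise ValueError(f"unsupported PEM label {label!r}")
    return int.from_bytes(n, "big")


def keys_match(private_pem, public_pem):
    """The check behind the PBX log line 'TLS: Private and public key don't match'."""
    return rsa_modulus(private_pem) == rsa_modulus(public_pem)


def toy_keys():
    """Constructed toy RSA key (p=61, q=53; NOT a real key) as PKCS#1, PKCS#8 and SPKI PEM."""
    n, e, d, p, q = 3233, 17, 2753, 61, 53
    rsa_priv = _seq(_int(0), _int(n), _int(e), _int(d), _int(p), _int(q),
                    _int(d % (p - 1)), _int(d % (q - 1)), _int(pow(q, -1, p)))
    alg = _seq(RSA_OID, b"\x05\x00")                 # rsaEncryption, NULL parameters
    pkcs8 = _seq(_int(0), alg, _tlv(0x04, rsa_priv))
    spki = _seq(alg, _tlv(0x03, b"\x00" + _seq(_int(n), _int(e))))
    return (der_to_pem("RSA PRIVATE KEY", rsa_priv),
            der_to_pem("PRIVATE KEY", pkcs8),
            der_to_pem("PUBLIC KEY", spki))


if __name__ == "__main__":
    pkcs1, pkcs8, spki = toy_keys()
    print("converted:", pkcs8_to_pkcs1(pkcs8) == pkcs1)
    print("PKCS#8 key matches public key:", keys_match(pkcs8, spki))
    renamed = pkcs8.replace("PRIVATE KEY", "RSA PRIVATE KEY")   # what step 3 above did
    print("renamed header matches:", keys_match(renamed, spki))
```

With a real certificate, `rsa_modulus` would be fed the public key extracted from the leaf certificate (for example `openssl x509 -in STAR_domain_com.crt -pubkey -noout`); comparing that modulus with the private key's is the same test the PBX performs at import, so a mismatch here means the wrong key file, not a formatting problem.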

We converted the private key as suggested, imported both our wildcard certificate and the private key as "Server certificate chain + private key", rebooted the PBX and it worked!

 

Thank you so much for bearing with us, problem solved! Kudos!


Hello,

 

I have spent a month trying to get this done with iPage and Comodo SSL. I have had no luck at all. I am happy to pay to be shown how it is to be done.

 

Thanks.
