Difference between revisions of "Obtaining a StartCom Murmur Certificate"

From Mumble Wiki
(clearer warning about missing trust and reference to letsencrypt)
(Add link to cessation of business and reformat caveat)
 
(One intermediate revision by one other user not shown)
Line 1: Line 1:
 +
{{Deprecated}}
 +
 
{{Iconbox begin|type=warning}}
 
{{Iconbox begin|type=warning}}
'''IMPORTANT''': Please [[Obtaining a Let's Encrypt Murmur Certificate|use Let's Encrypt]] instead. StartCom [https://en.wikipedia.org/wiki/StartCom#Trustworthiness has lost trust] as a Certificate Authority and should thus not be used any more. Apart from the missing trust, the free certificates [https://en.wikipedia.org/wiki/StartCom#Limitations_of_StartSSL_Unlimited_Free_Certificates are limited], and a revocation (should it become necessary) will cost money.
+
'''IMPORTANT''': Please [[Obtaining a Let's Encrypt Murmur Certificate|use Let's Encrypt]] instead. StartCom [https://en.wikipedia.org/wiki/StartCom#Trustworthiness has lost trust] as a Certificate Authority and will cease operation on 2018-01-01; more information is available [https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/LM1SpKHJ-oc/ReT-B5lgAQAJ here].
 +
 
 +
Apart from the missing trust, the free certificates [https://en.wikipedia.org/wiki/StartCom#Limitations_of_StartSSL_Unlimited_Free_Certificates are limited], and a revocation (should it become necessary) will cost money.
 
{{Iconbox end}}
 
{{Iconbox end}}
  
{{Iconbox begin|type=warning}}
+
{{Notice
'''IMPORTANT CAVEAT''': Level 1 StartCom certificates (ie, the kind you don't pay money for) do not have the TLS bit set in their certificates, which will prevent your Murmur from registering itself as a public server. If you want your server listed in the public server list (shown in the connect dialog for everyone).<br />
+
|message='''IMPORTANT CAVEAT''': Level 1 StartCom certificates (ie, the kind you don't pay money for) do not have the TLS bit set in their certificates, which will prevent your Murmur from registering itself as a public server. If you want your server listed in the public server list (shown in the connect dialog for everyone).
<br />
+
 
There are only three solutions:<br />
+
There are only three solutions:
 
# Go back to using an automatically-generated, self-signed Murmur certificate.
 
# Go back to using an automatically-generated, self-signed Murmur certificate.
 
# Paying for [http://forum.startcom.org/viewtopic.php?f=15&t=1769 Class 2 validation which will have the TLS bit enabled].
 
# Paying for [http://forum.startcom.org/viewtopic.php?f=15&t=1769 Class 2 validation which will have the TLS bit enabled].
 
# Paying for a certificate from an alternate certificate provider. :(
 
# Paying for a certificate from an alternate certificate provider. :(
{{Iconbox end}}
+
}}
  
 
== Creating Key and CSR ==
 
== Creating Key and CSR ==

Latest revision as of 15:00, 19 November 2017

This article is deprecated and not valid for current versions of the Mumble client or the Mumble server.


IMPORTANT: Please use Let's Encrypt instead (see "Obtaining a Let's Encrypt Murmur Certificate"). StartCom has lost trust as a Certificate Authority (https://en.wikipedia.org/wiki/StartCom#Trustworthiness) and will cease operation on 2018-01-01; more information is available in the mozilla.dev.security.policy announcement (https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/LM1SpKHJ-oc/ReT-B5lgAQAJ).

Apart from the missing trust, the free certificates are limited (https://en.wikipedia.org/wiki/StartCom#Limitations_of_StartSSL_Unlimited_Free_Certificates), and a revocation (should it become necessary) will cost money.

Note:
IMPORTANT CAVEAT: Level 1 StartCom certificates (i.e., the kind you don't pay money for) do not have the TLS bit set in their certificates, which will prevent your Murmur from registering itself as a public server. If you want your server listed in the public server list (shown in the connect dialog for everyone), there are only three solutions:

  1. Go back to using an automatically-generated, self-signed Murmur certificate.
  2. Pay for Class 2 validation, which will have the TLS bit enabled (http://forum.startcom.org/viewtopic.php?f=15&t=1769).
  3. Pay for a certificate from an alternate certificate provider. :(

Creating Key and CSR

This is a quick hands-on guide for obtaining and installing a Class 1 server certificate in murmur on a reasonably modern Linux system.

First of all, we need to generate a key and a signing request. It doesn't matter what you input for country, state etc., as it will all get replaced by the CA.

$ openssl req -nodes -newkey rsa:2048 -keyout mumble.key -out server_mumble.csr
Generating a 2048 bit RSA private key
.........................................+++
..+++
writing new private key to 'mumble.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []: 
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request 
A challenge password []:
An optional company name []:

This will create server_mumble.csr.

Getting the Certificate signed

After authenticating to the StartSSL website (assuming you've already added your domain to StartSSL and verified it), click "Certificates Wizard", select "Web Server SSL/TLS Certificate" from the Certificate Target dropdown box, and click "Continue".

Skip the key generation step because we've already generated a key using OpenSSL above. You will now have a text area where you can paste the contents of server_mumble.csr. Paste the contents of server_mumble.csr and click "Continue".

Putting it into Murmur

After the certificate is generated, the contents of the text area should be placed in a new file, ssl_mumble.crt.

wget --no-check-certificate https://www.startssl.com/certs/sub.class1.server.ca.pem
cat sub.class1.server.ca.pem > ssl_mumble_concat.crt
cat ssl_mumble.crt >> ssl_mumble_concat.crt

The sub.class1.server.ca.pem and ssl_mumble.crt files can now safely be deleted as they are unused:

rm sub.class1.server.ca.pem ssl_mumble.crt

Now the file ssl_mumble_concat.crt contains the certificate, and mumble.key contains the key. Move the files into the same folder as murmur.ini and edit the following two lines:

sslCert=ssl_mumble_concat.crt
sslKey=mumble.key

Restart murmur and you're done.

If you've previously run murmur, it will have autogenerated certificates and stored them in its internal configuration database, which takes precedence over the .ini file. To remove these, add the -wipessl parameter to murmur when starting it.

If you've followed the above instructions, but murmur reports "Failed to find certificate matching private key" on startup, your system certificates are possibly outdated. Debian 5.0 Lenny is affected by this. To solve this issue, add the StartCom Certificate Authority certificate to the certificates file by running the next command in the directory containing ssl_mumble_concat.crt:

wget --no-check-certificate http://www.startssl.com/certs/ca.pem
cat ca.pem >> ssl_mumble_concat.crt
rm ca.pem
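As an added example (not from the Mumble wiki or the murmur project), a POSIX shell check to run before restarting murmur: it finds the certificate in the chain file that matches the private key (the "Failed to find certificate matching private key" error above is what a mismatch produces) and then checks that this certificate carries the "TLS Web Server Authentication" extended key usage, which I assume is what the caveat above calls the "TLS bit". It needs the openssl CLI and builds throwaway self-signed files as constructed sample input; point check_murmur_cert at your own mumble.key and ssl_mumble_concat.crt to use it.

```shell
# Added example: verify a murmur chain file against its key (needs openssl).
# Exit codes of check_murmur_cert: 0 ok, 1 key matches no cert, 2 no serverAuth.

key_pubkey()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Split PEM bundle $1 into one file per certificate inside directory $2.
split_pem() {
    awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        out { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }' "$1"
}

# Print the path of the certificate in bundle $2 whose public key matches key $1
# (the leaf, wherever it sits in the file); return 1 if none does.
find_leaf() {
    dir=$(mktemp -d) && split_pem "$2" "$dir"
    want=$(key_pubkey "$1")
    for c in "$dir"/cert*.pem; do
        [ "$(cert_pubkey "$c")" = "$want" ] && { echo "$c"; return 0; }
    done
    return 1
}

# 0: key matches a cert that has serverAuth; 1: no cert matches the key;
# 2: key matches, but that cert lacks serverAuth (the Level 1 StartCom symptom).
check_murmur_cert() {
    leaf=$(find_leaf "$1" "$2") || return 1
    openssl x509 -in "$leaf" -noout -text | grep -q 'TLS Web Server Authentication' || return 2
}

# Constructed sample input: throwaway self-signed certificates written to $1.
make_demo_files() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo -keyout "$1/mumble.key" \
        -out "$1/leaf.crt" -addext extendedKeyUsage=serverAuth 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=nobit -keyout "$1/nobit.key" \
        -out "$1/nobit.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -out "$1/other.key" 2>/dev/null   # matches nothing
    # Same CA-first order as the cat commands above: the leaf is the second cert.
    cat "$1/nobit.crt" "$1/leaf.crt" > "$1/ssl_mumble_concat.crt"
}

DEMO=$(mktemp -d); make_demo_files "$DEMO"
for key in mumble.key nobit.key other.key; do
    rc=0; check_murmur_cert "$DEMO/$key" "$DEMO/ssl_mumble_concat.crt" || rc=$?
    echo "$key -> $rc"
done
```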