Obtaining a StartCom Murmur Certificate

From Mumble Wiki
Jump to: navigation, search
Icons oxygen 48x48 status task-attention.png
This article is deprecated and not valid for current versions of the Mumble client or the Mumble server

Icons oxygen 48x48 status task-attention.png

IMPORTANT: Please use Let's Encrypt instead. StartCom has lost trust as a Certificate Authority and will cease operation on 2018-01-01; more information is available here.

Apart from the missing trust, the free certificates are limited, and a revocation (should it become necessary) will cost money.

Icons oxygen 48x48 actions view-pim-notes.png
IMPORTANT CAVEAT: Level 1 StartCom certificates (ie, the kind you don't pay money for) do not have the TLS bit set in their certificates, which will prevent your Murmur from registering itself as a public server. If you want your server listed in the public server list (shown in the connect dialog for everyone).

There are only three solutions:

  1. Go back to using an automatically-generated, self-signed Murmur certificate.
  2. Paying for Class 2 validation which will have the TLS bit enabled.
  3. Paying for a certificate from an alternate certificate provider. :(

Creating Key and CSR

This is a quick hands-on guide for obtaining and installing a Class 1 server certificate in murmur on a reasonably modern Linux system.

First of all, we need to generate a key and a signing request. It doesn't matter what you input for country, state etc as it will all get replaced by the CA.

$ openssl req -nodes -newkey rsa:2048 -nodes -keyout mumble.key -out server_mumble.csr 
Generating a 2048 bit RSA private key
writing new private key to 'mumble.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []: 
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request 
A challenge password []:
An optional company name []:

This will create server_mumble.csr.

Getting the Certificate signed

After authenticating to the StartSSL website (assuming you've already added your domain to StartSSL and verified it), click "Certificates Wizard", select "Web Server SSL/TLS Certificate" from the Certificate Target dropdown box, and click "Continue".

Skip the key generation step because we've already generated a key using OpenSSL above. You will now have a text area were you can paste the contents of server_mumble.csr. Paste the contents of server_mumble.csr and click "Continue".

Putting it into Murmur

After the certificate is generated the contents of the textarea should be placed in a new file, ssl_mumble.crt.

wget --no-check-certificate https://www.startssl.com/certs/sub.class1.server.ca.pem
cat sub.class1.server.ca.pem > ssl_mumble_concat.crt
cat ssl_mumble.crt >> ssl_mumble_concat.crt

The sub.class1.server.ca.pem and ssl_mumble.crt files can now safely be deleted as they are unused:

rm sub.class1.server.ca.pem ssl_mumble.crt

Now the file ssl_mumble_concat.crt contains the certificate, and mumble.key contains the key. Move the files into the same folder as murmur.ini and edit the following two lines:


Restart murmur and you're done.

If you've previously ran murmur, it will have autogenerated certificates and stored these in it's internal configuration database, which takes precedence over the .ini file. To remove these, add the -wipessl parameter to murmur when starting it.

If you've followed the above instructions, but murmur reports "Failed to find certificate matching private key" on startup, your system certificates are possibly outdated. Debian 5.0 Lenny is affected by this. To solve this issue, add the StartCom Certificate Authority certificate to the certificates file by running the next command in the directory containing ssl_mumble_concat.crt:

wget --no-check-certificate http://www.startssl.com/certs/ca.pem
cat ca.pem >> ssl_mumble_concat.crt
rm ca.pem