
  1. Edit the file /etc/pki/tls/openssl.cnf

    /etc/pki/tls/openssl.cnf
    Append at the end:
     
    [ alternate_names ]
    DNS.1        = acd-lb.domain.de
    DNS.2        = acd-lb.domain.local
    DNS.3        = acd-lb
     
    Insert into this section (openssl req -x509 takes its extensions from the section named by x509_extensions in [ req ], which is v3_ca in the stock file):
     
    [ v3_ca ]
    subjectAltName      = @alternate_names
     
    Insert into or change in this section:
     
    [ v3_ca ]
    keyUsage = digitalSignature, keyEncipherment
     
    Change or uncomment in this section:
     
    [ CA_default ]
    copy_extensions = copy
     
  2. Create the directory for the keys and generate the private key and certificate:

    Check
    mkdir /etc/ssl/newkey
    openssl genrsa -out /etc/ssl/newkey/cert.key 3072
    openssl req -new -x509 -key /etc/ssl/newkey/cert.key -sha256 -out /etc/ssl/newkey/cert.pem -days 730
    
    Answer the questions as follows (for example):
    
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:DE
    State or Province Name (full name) []:Bavaria
    Locality Name (eg, city) [Default City]:Munich
    Organization Name (eg, company) [Default Company Ltd]:jtel GmbH
    Organizational Unit Name (eg, section) []:IT
    Common Name (eg, your name or your server's hostname) []:acd-lb.domain.de
    Email Address []:lewis.graham@jtel.de
    
    
  3. Check the generated certificate (verify that the alternative names were included):

    Check
    openssl x509 -in /etc/ssl/newkey/cert.pem -text -noout
    
    
    Check that all DNS names are listed under this entry:
    X509v3 Subject Alternative Name:
     
  4. Add the certificate to haproxy.cfg:

    haproxy.cfg
    frontend acdportal_http
            mode            http
            bind            :80
            redirect        scheme https if !{ ssl_fc }
    
    #---------------------------------------------------------------------
    # this is the internal HTTPS dispatcher frontend for the acd portal
    #---------------------------------------------------------------------
    frontend acdportal_https
            mode            http
            bind            :443 ssl crt /etc/ssl/newkey/comb.pem  #verify optional
            acl soap_req    url_reg ^\/CarrierPortal/AcdAgentClientService.*
            acl stat_req    url_reg ^\/haproxy
            acl root_req    path /
            acl admn_req    path /admin
            acl mini_req    path /miniclient
            acl icss_req    path /PBX0/MY/mypbx.css
    #        acl inno_req    url_beg /PBX0/
            timeout         client 1d
            option          forwardfor header X-JTEL
            reqadd          X-Forwarded-Proto:\ https
            redirect        location /CarrierPortal/sysadmin/login if admn_req
            redirect        location /CarrierPortal/login/jtel/jtel if root_req
            redirect        location /CarrierPortal/mclogin/jtel/jtel if mini_req
    #        redirect        location /CarrierPortal/ResourceDispatcher/system/skin/inno11/mypbx.css if icss_req
            use_backend     stat_admin  if stat_req
            use_backend     jtel_soap   if soap_req
    #        use_backend     inno11      if inno_req
            default_backend jtel_portal
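The steps above collected into one script, as an added example that is not part of the original page: it generates the key and self-signed certificate with the same SAN list, key size, digest and validity, but from a per-certificate config passed with -config instead of editing the global openssl.cnf, then checks that every DNS name is present in the SAN (step 3) and concatenates certificate and key into the comb.pem that the haproxy crt directive in step 4 loads. The file name san.cnf and the three function names are this example's own.

```shell
#!/bin/sh
# Added example: per-certificate request config with the page's SAN list,
# SAN verification, and the combined PEM for haproxy. Key size, digest and
# validity follow the page; san.cnf and the function names are assumptions.
set -eu

# Write a minimal request config: the SAN list lives in [ alternate_names ]
# and is pulled in through x509_extensions = v3_ca, as on the page.
write_san_config() {   # $1 = config path, $2 = CN, $3.. = DNS names
    cnf=$1; cn=$2; shift 2
    {
        printf '[ req ]\ndistinguished_name = dn\nx509_extensions = v3_ca\nprompt = no\n'
        printf '[ dn ]\nCN = %s\n' "$cn"
        printf '[ v3_ca ]\nkeyUsage = digitalSignature, keyEncipherment\n'
        printf 'subjectAltName = @alternate_names\n[ alternate_names ]\n'
        i=1
        for name in "$@"; do printf 'DNS.%d = %s\n' "$i" "$name"; i=$((i + 1)); done
    } > "$cnf"
}

# Generate the private key and self-signed certificate into directory $1
# using config $2, then concatenate cert + key into comb.pem for haproxy.
generate_cert() {
    dir=$1; cnf=$2
    openssl genrsa -out "$dir/cert.key" 3072 2>/dev/null
    openssl req -new -x509 -key "$dir/cert.key" -sha256 -days 730 \
        -config "$cnf" -out "$dir/cert.pem"
    # haproxy expects the certificate block(s) first and the private key last.
    cat "$dir/cert.pem" "$dir/cert.key" > "$dir/comb.pem"
    chmod 600 "$dir/cert.key" "$dir/comb.pem"
}

# Return 0 only if every expected DNS name is present in the certificate's
# Subject Alternative Name; print the first missing name otherwise.
check_sans() {   # $1 = cert.pem, $2.. = expected DNS names
    cert=$1; shift
    # The SAN values are printed on the line after the extension header.
    san=$(openssl x509 -in "$cert" -noout -text | sed -n '/Subject Alternative Name/{n;p;}')
    san="$san,"   # trailing comma keeps "acd-lb" from matching inside "acd-lb.domain.de"
    for name in "$@"; do
        case "$san" in
            *"DNS:$name,"*) ;;
            *) echo "missing SAN: $name" >&2; return 1 ;;
        esac
    done
    return 0
}
```

Run it as `write_san_config san.cnf acd-lb.domain.de acd-lb.domain.de acd-lb.domain.local acd-lb`, then `generate_cert /etc/ssl/newkey san.cnf` and `check_sans /etc/ssl/newkey/cert.pem acd-lb.domain.de acd-lb.domain.local acd-lb`; a non-zero exit from the last call means the certificate must not be deployed.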
    