====== Web server configuration ======

==== Missing intermediate certificates ====

Sometimes a browser (most often on Android) will tell you that the certificate isn’t trusted even though other platforms and browsers regard it as trusted. This is because the browser doesn’t download intermediate certificates automatically, which Microsoft browsers do. If this happens, you need to add the information from the intermediate certificate manually to your ''.pem'' file.

The certificate authority usually offers a bundle with all the certificates in the chain, along with instructions on how to put the certificates in the right order. It is, however, also possible to do this manually with the instructions below.

You can find the intermediate certificate through the CA's homepage. For instance, if the customer is using a certificate from the CA GlobalSign, you can search for "GlobalSign intermediate certificate download". Then find your way to the intermediate certificate that is used, and copy the information.

You might also find the intermediate certificate through MMC by looking at the certificate path of the certificate you’re using. When you have identified the intermediate certificate, you can browse to it in MMC under the folder Intermediate Certification Authorities\Certificates. When you have found it, you can export it to a Base64-encoded ''.cer'' file. Open the file in Notepad and copy all the information from it.

When you have the information, open the ''cert.pem'' file and paste it at the bottom of the file. Save the file and restart the Lime CRM Webfront service.

This is also relevant for Mobility installations that are behind an nginx proxy.

==== Change the HTTPS/SSL certificate ====

The certificate Lime CRM Server uses is stored in ''%LIME_HOME_PATH%\Lime CRM Server\Web Server\certs'' (default location) in ''.pem'' ([[http://en.wikipedia.org/wiki/X.509#Certificate_filename_extensions|Base64 encoded DER]]) format.
(''%LIME_HOME_PATH%'' is an environment variable that is created when you install the Lime server. It points to the ProgramData folder, for example ''C:\ProgramData\Lundalogik\Lime Pro Server\Web Server\certs\privkey.pem''.)

=== 1. Export a certificate from Windows certificate store ===

  - Launch the Management Console by running ''mmc.exe''.
  - Go to **File** | **Add/Remove Snap-in...**
  - Select **Certificates** and press **Add**.
  - Select **Computer account** and press **Next**.
  - Select **Local computer** and press **Finish**.
  - Press **OK** to close the snap-in window.
  - Expand **Certificates** and navigate to **Personal** | **Certificates**.
  - Right-click the certificate you wish to export and select **All Tasks** | **Export...**
  - Press **Next**.
  - Select **Yes, export the private key** and press **Next**.
  - Select **Personal Information Exchange**. Check **Include all certificates in the certification path if possible** and uncheck the other options. Press **Next**.
  - Check **Password** and type in a password of your choice (needed later), and press **Next**. It is important not to change the default encryption method.
  - Choose where to export the certificate (the whole path with a filename of your choice), then press **Next** and **Finish**.

=== 2. Install the certificate ===

In order to use a certificate from the Windows certificate store or from a ''.pfx'' file, it has to be converted into ''.pem'' format using the ''certtool'' utility.

To convert a ''.pfx'' file to the ''.pem'' format Lime CRM Server requires, navigate to ''C:\Program Files (x86)\Lundalogik\LIME Pro Server\webserver\tools'' and use ''certtool.exe'' as follows:

<code>
certtool.exe -pem pfx="path to pfx file" password="pfx password if set" cert="%LIME_HOME_PATH%\LIME Pro Server\Web Server\certs\cert.pem" key="%LIME_HOME_PATH%\Lime Pro Server\Web Server\certs\privkey.pem"
</code>

If the certificate has multiple common names (CNs), you will need to supply a CN parameter specifying which name to use when converting.
Example:

<code>
certtool.exe -pem pfx="path to pfx file" password="pfx password if set" cert="%LIME_HOME_PATH%\LIME Pro Server\Web Server\certs\cert.pem" key="%LIME_HOME_PATH%\Lime Pro Server\Web Server\certs\privkey.pem" CN=lime.example.com
</code>

Make sure that the permissions on the certificate and key files are set correctly so that the Lime Service user has rights to read and execute them.

=== 3. Restart Lime CRM Webfront ===

After the change is made, the Lime CRM Webfront service needs to be restarted.

==== Troubleshoot ====

  * If it seems like the old certificate is still in use, shut down Lime CRM Webfront, open Task Manager, kill any nginx processes that were started by the Lime CRM Server user, and restart Lime CRM Webfront.
  * If you get the error "Pfx file '[path to pfx file]' could not be found.", try moving the file somewhere it can be reached more easily, e.g. ''C:\LLAB''.
  * If you can't restart the webfront, it could be because the service user doesn't have permission to read the ''.pem'' files. Fix this by right-clicking each file (''cert.pem'' and ''privkey.pem'') and choosing **Properties** > **Security** > **Edit** > **Add**, then add the service user. Give it Full control in the permissions.
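
Added example (not part of the original Lime documentation): a PowerShell check to run after pasting an intermediate certificate into ''cert.pem'' or converting a new ''.pfx''. It lists the certificates in file order, flags a missing or misordered intermediate, and shows which accounts have access to ''privkey.pem''. The function names and the ''$CertDir'' parameter are hypothetical; the default path is the default location given above.

```powershell
param(
    # Default certificate folder named on this page; adjust for your installation.
    [string]$CertDir = (Join-Path $env:LIME_HOME_PATH 'Lime CRM Server\Web Server\certs')
)

function Get-PemCertificate {
    param([string]$Path)
    # Decode every CERTIFICATE block in file order; other text in the file is ignored.
    $pem = Get-Content -LiteralPath $Path -Raw
    $pattern = '(?s)-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches($pem, $pattern)) {
        [byte[]]$der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    }
}

function Get-PemChainReport {
    param([string]$Path)
    $certs = @(Get-PemCertificate -Path $Path)
    if ($certs.Count -eq 0) { throw "No certificate blocks found in $Path" }
    for ($i = 0; $i -lt $certs.Count; $i++) {
        $c = $certs[$i]
        # Name match only (no signature check): each entry's issuer should be
        # the subject of the entry that follows it, server certificate first.
        if ($i + 1 -lt $certs.Count) {
            $status = if ($c.Issuer -eq $certs[$i + 1].Subject) { 'ok: issuer follows' } else { 'WRONG ORDER: next entry is not the issuer' }
        } elseif ($c.Issuer -eq $c.Subject) {
            $status = 'ok: self-signed certificate ends the file'
        } elseif ($i -eq 0) {
            $status = 'MISSING: no intermediate after the server certificate'
        } else {
            $status = 'ok: last intermediate, its issuer comes from the client trust store'
        }
        [pscustomobject]@{ Index = $i; Subject = $c.Subject; NotAfter = $c.NotAfter; Status = $status }
    }
}

Get-PemChainReport -Path (Join-Path $CertDir 'cert.pem') |
    Format-Table Index, Subject, NotAfter, Status -AutoSize -Wrap

# Every identity listed here can access the private key; the page requires
# the Lime service user to be among them.
(Get-Acl -LiteralPath (Join-Path $CertDir 'privkey.pem')).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

A ''MISSING'' status corresponds to the situation described under Missing intermediate certificates.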