Sometimes a browser (most often on Android) reports that the certificate isn’t trusted even though other platforms and browsers regard it as trusted. This is because the browser doesn’t download intermediate certificates automatically, which Microsoft browsers do. If this happens, you need to add the information from the intermediate certificate manually to your .pem file. The certificate authority usually offers a bundle with all the certificates in the chain, along with instructions on how to put the certificates in the right order. It is, however, also possible to do this manually by following the instructions below.
You can find the intermediate certificate on the CA's website. For instance, if the customer is using a certificate from the CA GlobalSign, you can search for “GlobalSign intermediate certificate download”. Then find the intermediate certificate that is used and copy the information.
You might also find the intermediate certificate through MMC by looking at the certificate path of the certificate you’re using. When you have identified the intermediate certificate, you can browse to it in MMC under the folder Intermediate Certification Authorities\Certificates. When you have found it, you can export it to a Base64-encoded .cer file. Open the file in Notepad and copy all the information from it.
When you have the information, open the cert.pem file and paste it at the bottom of the file. Save the file and restart the Lime CRM Webfront service.
This is also relevant for Mobility installations that are behind an nginx proxy.
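The check below is an added example, not part of the Lime documentation or tooling: it reads every certificate in cert.pem and confirms that the server certificate comes first and that each certificate is issued by the one pasted after it. The function names are hypothetical, and the default path is the cert.pem location used in the certtool example on this page. It compares issuer and subject names only and does not verify signatures.

```powershell
# Added example: verify that cert.pem holds the server certificate followed by its intermediate(s).
param(
    # Default path taken from the certtool example on this page; adjust to your installation.
    [string]$PemPath = "$env:LIME_HOME_PATH\LIME Pro Server\Web Server\certs\cert.pem"
)

function Get-PemCertificate {
    param([string]$Path)
    $text = Get-Content -LiteralPath $Path -Raw
    $pattern = '-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----'
    $options = [System.Text.RegularExpressions.RegexOptions]::Singleline
    foreach ($m in [regex]::Matches($text, $pattern, $options)) {
        # Strip line breaks from the Base64 body and decode it to DER.
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    }
}

function Test-PemChainOrder {
    param([string]$Path)
    $certs = @(Get-PemCertificate -Path $Path)
    if ($certs.Count -eq 0) { throw "No CERTIFICATE blocks found in $Path" }
    $ok = $true
    for ($i = 0; $i -lt $certs.Count; $i++) {
        $c = $certs[$i]
        Write-Host ("[{0}] Subject: {1}" -f $i, $c.Subject)
        Write-Host ("    Issuer:  {0} (expires {1:yyyy-MM-dd})" -f $c.Issuer, $c.NotAfter)
        if ($i -lt ($certs.Count - 1)) {
            # Compare the encoded names: each certificate must be issued by the next one.
            $issuer = [Convert]::ToBase64String($c.IssuerName.RawData)
            $next = [Convert]::ToBase64String($certs[$i + 1].SubjectName.RawData)
            if ($issuer -cne $next) {
                Write-Warning "Certificate $i is not issued by certificate $($i + 1)."
                $ok = $false
            }
        }
    }
    if ($certs.Count -eq 1 -and $certs[0].Issuer -ne $certs[0].Subject) {
        Write-Warning "Only one certificate found; no intermediate has been appended."
        $ok = $false
    }
    return $ok
}

Test-PemChainOrder -Path $PemPath
```

A result of True with two or more certificates listed means the intermediate was pasted in the right place; a warning means the file still needs the correct intermediate or the blocks are in the wrong order.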
The certificate Lime CRM Server uses is stored in %LIME_HOME_PATH%\Lime CRM Server\Web Server\certs (default location) in .pem (Base64 encoded DER) format. (%LIME_HOME_PATH% is an environment variable that is created when you install the Lime server. It points to the ProgramData folder, for example C:\ProgramData\Lundalogik\Lime Pro Server\Web Server\certs\privkey.pem)
mmc.exe
.
In order to use a certificate from Windows certificate store or from a .pfx file, it has to be converted into .pem format using the certtool utility. To convert a .pfx file to the .pem format Lime CRM Server requires, navigate to C:\Program Files (x86)\Lundalogik\LIME Pro Server\webserver\tools and use certtool.exe as follows:
certtool.exe -pem pfx="path to pfx file" password="pfx password if set" cert="%LIME_HOME_PATH%\LIME Pro Server\Web Server\certs\cert.pem" key="%LIME_HOME_PATH%\Lime Pro Server\Web Server\certs\privkey.pem"
If the certificate has multiple common names (CNs) you will need to supply a CN parameter specifying which name to use when converting. Example:
certtool.exe -pem pfx="path to pfx file" password="pfx password if set" cert="%LIME_HOME_PATH%\LIME Pro Server\Web Server\certs\cert.pem" key="%LIME_HOME_PATH%\Lime Pro Server\Web Server\certs\privkey.pem" CN=lime.example.com
Make sure that the permissions on the certificate and key files are set correctly so that the Lime Service user has rights to read and execute them.
After the change is made, the Lime CRM Webfront service needs to be restarted.