topic Re: R80.10 GAiA Portal - Problems Importing already issued WILDCARD 2048 Certificate in Firewall and Security Management

R80.10 GAiA Portal - Problems Importing already issued WILDCARD 2048 Certificate

Jerry — Fri, 11 Aug 2017 17:23:33 GMT

Hi folks

just a quick one but to some extent complicated thing: Little background though.

1. R80.10 Standalone Appliance (all-in-one) as usual
2. no PKI done for either VPN or MAB (MAB is not in use)
3. Gaia Portal has typical per-ip Cert error when you try to log in - that's normal

Research:

1. replace files at

/web/conf/server.crt
/web/conf/server.key

with your own one from your *.domain.com set (received as issued with Public CA)

based on sk109593

- result: Tomcat does not wake up at all making your GAIA portal unusable

2. replacing above files is not enough as long as your $CPDIR/conf/openssl.cnf has no CSR issued within the shell (of course not as the CSR was done separately on different device in order to make wildcard cert!)
3. I see no path for importing wildcard cert without generating csr on particular appliance - do you?

GOAL:

1. have all GAIA portal(s) from each appliance within the network using same wildcard cert already in hand from Comodo.

---

any ideas/tips/hints chaps?

much appreciate your assistance as always (PhoneBoy especially) 🙂

Cheers

Jerry

Re: R80.10 GAiA Portal - Problems Importing already issued WILDCARD 2048 Certificate

PhoneBoy — Fri, 11 Aug 2017 18:07:46 GMT

$CPDIR/conf/openssl.cnf is not the correct file to edit here.

The actual config file read by the Gaia Web Portal is /web/conf/httpd2.conf

This file, however, is generated based off the files in /web/templates.

You might look in /var/log/httpd2_error_log to see what the actual errors are.

That may help you change the config in /web/templates.

When you do that, you will need to restart the httpd process to have the necessary configuration files regenerated:

[Expert@HostName]# tellpm process:httpd2

[Expert@HostName]# tellpm process:httpd2 t

Re: R80.10 GAiA Portal - Problems Importing already issued WILDCARD 2048 Certificate

Jerry — Fri, 11 Aug 2017 18:10:41 GMT

Thanks !

I'll try this and update you (all) due course

Cheers

Jerry

Re: R80.10 GAiA Portal - Problems Importing already issued WILDCARD 2048 Certificate

Jerry — Fri, 11 Aug 2017 18:19:20 GMT

funny enough is that I found following entry in template for httpd2

UseCanonicalName Off

shouldn't that be On by any chance?

I'd love to import wildcard crt and key file with no CSR onto the /web/conf folder

If I do so httpd2 won't start or starts anyway but gives me no access go gaia claiming that the source of my cert is still 192.168.1.1

in a log there are all errors but nothing really saying anything in particular about the cert issues

any clues ?

Re: R80.10 GAiA Portal - Problems Importing already issued WILDCARD 2048 Certificate

Jerry — Fri, 11 Aug 2017 18:37:06 GMT

I think I found the path's into the httpd-ssl.conf.templ

if I modify this with my files from the /web/conf

would that work?

I'll try all the options Dameon ...

please let me know what you think digging it a little if you can...

Re: R80.10 GAiA Portal - Problems Importing already issued WILDCARD 2048 Certificate

PhoneBoy — Fri, 11 Aug 2017 18:39:00 GMT

In theory it should work.

You need to restart httpd2 as I mentioned above for the changes to take effect.

It should regenerate the files in /web/conf (easy to confirm).

Re: R80.10 GAiA Portal - Problems Importing already issued WILDCARD 2048 Certificate

Jerry — Fri, 11 Aug 2017 19:48:04 GMT

ok so let's summarize what files need to be replaced in /web/conf folder

/web/conf/server.crt
/web/conf/server.key

I've got them replaced, also replaced one another:

SSLCertificateFile /usr/local/apache2/conf/server.crt
SSLCertificateKeyFile /usr/local/apache2/conf/server.key
#SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle.crt => that one which is unique and does not exist in /web/conf (this file is the CA bundle file from Comodo)

--- still no joy

- template points to above files whilst server.crt and .key is the alias which goes directly towards /web/conf where those files physically exist

... I'm like lost to be frank, none of my combinations works and still got the self-signed on GAIA

ps. bear in mind that in a config file called httpd-ssl.conf.templ I do gave a proper port this is listening on (4434). still no matter which files I've replace (having backups ofc in hand) - no joy

any clues ?

Re: R80.10 GAiA Portal - Problems Importing already issued WILDCARD 2048 Certificate

Jerry — Fri, 11 Aug 2017 19:50:27 GMT

Re: R80.10 GAiA Portal - Problems Importing already issued WILDCARD 2048 Certificate

Jerry — Fri, 11 Aug 2017 19:52:44 GMT

also content of the responsible file

[Expert@cp:0]# cat httpd-ssl.conf | grep /usr/local/apache2/conf/
SSLCertificateFile /usr/local/apache2/conf/server.crt
#SSLCertificateFile /usr/local/apache2/conf/server-dsa.crt
SSLCertificateKeyFile /usr/local/apache2/conf/server.key
#SSLCertificateKeyFile /usr/local/apache2/conf/server-dsa.key
SSLCertificateChainFile /usr/local/apache2/conf/server-ca.crt
#SSLCACertificatePath /usr/local/apache2/conf/ssl.crt
#SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle.crt
#SSLCARevocationPath /usr/local/apache2/conf/ssl.crl
#SSLCARevocationFile /usr/local/apache2/conf/ssl.crl/ca-bundle.crl

which makes me think if those files will be from Comodo CA wildcard Cert it should work - but it doesn't or I haven't un-hashed some important params myself ...

Re: R80.10 GAiA Portal - Problems Importing already issued WILDCARD 2048 Certificate

PhoneBoy — Fri, 11 Aug 2017 21:05:14 GMT

Did you uncomment SSLCACertificateFile?

Also did you verify /web/conf/httpd2.conf was updated appropriately after starting?

Re: R80.10 GAiA Portal - Problems Importing already issued WILDCARD 2048 Certificate

Jerry — Fri, 11 Aug 2017 21:07:50 GMT

also found this:

[Fri Aug 11 21:56:23.000114 2017] [ssl:warn] [pid 21458] AH01906: a.b.c.d:4434:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Aug 11 21:56:23.000151 2017] [ssl:warn] [pid 21458] AH01909: a.b.c.d:4434:0 server certificate does NOT include an ID which matches the server name

I think I've got an issue with CA Root ... but even OPSEC one I've got root from root CA ...

Re: R80.10 GAiA Portal - Problems Importing already issued WILDCARD 2048 Certificate

Jerry — Fri, 11 Aug 2017 21:08:43 GMT

I did all this seeing no diff frankly ...

Re: R80.10 GAiA Portal - Problems Importing already issued WILDCARD 2048 Certificate

Jerry — Fri, 11 Aug 2017 21:14:48 GMT

changing SSLCACertificateFile by unhashing it makes it even worse, httpd2 won't work

I think this is all about the proper CA root crt file somewhere ... so wired and annoying ...

Re: R80.10 GAiA Portal - Problems Importing already issued WILDCARD 2048 Certificate

PhoneBoy — Fri, 11 Aug 2017 21:14:51 GMT

So restarting the daemon isn't enough.

Try using clish to change the port (e.g. set web ssl-port xxxx), then change it back to 4434.

That should force the file to be reread.

Re: R80.10 GAiA Portal - Problems Importing already issued WILDCARD 2048 Certificate

Jerry — Fri, 11 Aug 2017 21:24:21 GMT

same thing, first it makes tcp/4444 then back to tcp/4434 and same error in chrome:

NET::ERR_CERT_AUTHORITY_INVALID

I don't think this is the issue with cert but CA root cert on the box ... there is somewhere a conflict between the imported PEM's and p12 one by the GUI Platform Portal record editing SG and CA root somewhere ...

I did made the opsec root ca with Comodo CA - should I remove it or something ?

starting to get really persistent in order to solve that openssl crappy case ...

Re: R80.10 GAiA Portal - Problems Importing already issued WILDCARD 2048 Certificate

PhoneBoy — Fri, 11 Aug 2017 22:35:30 GMT

That's what it seems like to me as well.

Keep in mind there's the Gaia portal but there's also Multiportal, which is low-level infrastructure that allows the same IP/port to be used for multiple things (Gaia portal, SmartView, Mobile Access Blade, etc).

Not sure which one is responsible in this specific case...

Re: R80.10 GAiA Portal - Problems Importing already issued WILDCARD 2048 Certificate

Or_Lindner — Sun, 13 Aug 2017 13:02:19 GMT

Hi,

1) Can you please clarify regarding: Gaia Portal has typical per-ip Cert error when you try to log in - that's normal

2) Did you run 8-12 steps in sk109593 (including RSA key)?

The question is relevant to the state before all mentioned changes (in /web/templates) have done.

The CSR step is require only once (wildcard) and by performing steps 8-12, it should be replaced correctly.

Note: The CSR (which done once) need to be generated according to the steps mentioned in sk109593.

Re: R80.10 GAiA Portal - Problems Importing already issued WILDCARD 2048 Certificate

Jerry — Sun, 13 Aug 2017 13:31:33 GMT

Thanks Or

let me clarify then:

1. I've done the csr_gen when on the same shell when I was generating CSR for CA in order to get the wildcard cert from them. the procedure I've followed is typical for mab utilization not gaia portal if that answers you question

2. I have followed all the steps of course but see what phoneboy wrote to me yesterday here. he has the point !

3. csr can be generated on gaia for use within 2 different "places" - I've unfortunately done the one for httpd not httpd2 (gaia portal) I guess therefore my CSR generation for httpd2 cannot be done, otherwise I need to make it again from scratch loosing all the deployments I've done already with my existing since couple of days certificate.

hope it all makes a little bit of sense now, if not - let me know I'm happy to run this with you

ps. my original quest was "can I import entire either pfx or p12 or all of the pem files onto the gaia webserver folders in order to have gaia portal running already issued wildcard cert".

Jerry

Re: R80.10 GAiA Portal - Problems Importing already issued WILDCARD 2048 Certificate

Or_Lindner — Sun, 13 Aug 2017 14:47:08 GMT

Hi Jerry,

1) Can you please attach "phoneboy" answer? I didn't find it in this thread.

2) httpd2 is a symbolic link to httpd --> It's the same apache server.

Re: R80.10 GAiA Portal - Problems Importing already issued WILDCARD 2048 Certificate

Jerry — Sun, 13 Aug 2017 15:04:05 GMT

sure mate see below in sequence:

That's what it seems like to me as well.

Not sure which one is responsible in this specific case...

So restarting the daemon isn't enough.

Try using clish to change the port (e.g. set web ssl-port xxxx), then change it back to 4434.

That should force the file to be reread.

Did you uncomment SSLCACertificateFile?

Also did you verify /web/conf/httpd2.conf was updated appropriately after starting?

In theory it should work.

You need to restart httpd2 as I mentioned above for the changes to take effect.

It should regenerate the files in /web/conf (easy to confirm).