Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Platinum

R80.10 GAiA Portal - Problems Importing already issued WILDCARD 2048 Certificate

Hi folks

just a quick one but to some extent complicated thing: Little background though.

1. R80.10 Standalone Appliance (all-in-one) as usual
2. no PKI done for either VPN or MAB (MAB is not in use)
3. Gaia Portal has typical per-ip Cert error when you try to log in - that's normal

Research:

1. replace files at

/web/conf/server.crt
/web/conf/server.key

with your own one from your *.domain.com set (received as issued with Public CA)

based on sk109593

- result: Tomcat does not wake up at all making your GAIA portal unusable

2. replacing above files is not enough as long as your $CPDIR/conf/openssl.cnf has no CSR issued within the shell (of course not as the CSR was done separately on different device in order to make wildcard cert!)
3. I see no path for importing wildcard cert without generating csr on particular appliance - do you?

GOAL:

1. have all GAIA portal(s) from each appliance within the network using same wildcard cert already in hand from Comodo.

---

any ideas/tips/hints chaps?

much appreciate your assistance as always (PhoneBoy especially) 🙂

Cheers

Jerry

Jerry
0 Kudos
71 Replies
Highlighted
Admin
Admin

$CPDIR/conf/openssl.cnf is not the correct file to edit here.

The actual config file read by the Gaia Web Portal is /web/conf/httpd2.conf

This file, however, is generated based off the files in /web/templates.

You might look in /var/log/httpd2_error_log to see what the actual errors are.

That may help you change the config in /web/templates.

When you do that, you will need to restart the httpd process to have the necessary configuration files regenerated:

[Expert@HostName]# tellpm process:httpd2

[Expert@HostName]# tellpm process:httpd2 t

 

0 Kudos
Highlighted
Platinum

I think I found the path's into the httpd-ssl.conf.templ

if I modify this with my files from the /web/conf

would that work?

I'll try all the options Dameon ...

please let me know what you think digging it a little if you can...

Jerry
0 Kudos
Highlighted
Admin
Admin

In theory it should work.

You need to restart httpd2 as I mentioned above for the changes to take effect.

It should regenerate the files in /web/conf (easy to confirm).

0 Kudos
Highlighted
Platinum

ok so let's summarize what files need to be replaced in /web/conf folder

/web/conf/server.crt
/web/conf/server.key

I've got them replaced, also replaced one another:

SSLCertificateFile /usr/local/apache2/conf/server.crt
SSLCertificateKeyFile /usr/local/apache2/conf/server.key
#SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle.crt      => that one which is unique and does not exist in /web/conf (this file is the CA bundle file from Comodo)

--- still no joy Smiley Sad

- template points to above files whilst server.crt and .key is the alias which goes directly towards /web/conf where those files physically exist

... I'm like lost to be frank, none of my combinations works and still got the self-signed on GAIA 

ps. bear in mind that in a config file called httpd-ssl.conf.templ I do gave a proper port this is listening on (4434). still no matter which files I've replace (having backups ofc in hand) - no joy

any clues ?

Jerry
0 Kudos
Highlighted
Platinum

still same error ... any idea ?

Jerry
0 Kudos
Highlighted
Platinum

also content of the responsible file 

[Expert@cp:0]# cat httpd-ssl.conf | grep /usr/local/apache2/conf/
SSLCertificateFile /usr/local/apache2/conf/server.crt
#SSLCertificateFile /usr/local/apache2/conf/server-dsa.crt
SSLCertificateKeyFile /usr/local/apache2/conf/server.key
#SSLCertificateKeyFile /usr/local/apache2/conf/server-dsa.key
SSLCertificateChainFile /usr/local/apache2/conf/server-ca.crt
#SSLCACertificatePath /usr/local/apache2/conf/ssl.crt
#SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle.crt
#SSLCARevocationPath /usr/local/apache2/conf/ssl.crl
#SSLCARevocationFile /usr/local/apache2/conf/ssl.crl/ca-bundle.crl

which makes me think if those files will be from Comodo CA wildcard Cert it should work - but it doesn't Smiley Sad or I haven't un-hashed some important params myself ...

Jerry
0 Kudos
Highlighted
Admin
Admin

Did you uncomment SSLCACertificateFile?

Also did you verify /web/conf/httpd2.conf was updated appropriately after starting?

0 Kudos
Highlighted
Platinum

I did all this seeing no diff frankly ...

Jerry
0 Kudos
Highlighted
Admin
Admin

So restarting the daemon isn't enough.

Try using clish to change the port (e.g. set web ssl-port xxxx), then change it back to 4434.

That should force the file to be reread.

0 Kudos
Highlighted
Platinum

same thing, first it makes tcp/4444 then back to tcp/4434 and same error in chrome:

NET::ERR_CERT_AUTHORITY_INVALID

I don't think this is the issue with cert but CA root cert on the box ... there is somewhere a conflict between the imported PEM's and p12 one by the GUI Platform Portal record editing SG and CA root somewhere ...

I did made the opsec root ca with Comodo CA - should I remove it or something ?

starting to get really persistent in order to solve that openssl crappy case ...

Jerry
0 Kudos
Highlighted
Admin
Admin

That's what it seems like to me as well.

Keep in mind there's the Gaia portal but there's also Multiportal, which is low-level infrastructure that allows the same IP/port to be used for multiple things (Gaia portal, SmartView, Mobile Access Blade, etc). 

Not sure which one is responsible in this specific case...

Highlighted
Platinum

changing SSLCACertificateFile by unhashing it makes it even worse, httpd2 won't work

I think this is all about the proper CA root crt file somewhere ... so wired and annoying ...

Jerry
0 Kudos
Highlighted
Platinum

also found this:

[Fri Aug 11 21:56:23.000114 2017] [ssl:warn] [pid 21458] AH01906: a.b.c.d:4434:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Aug 11 21:56:23.000151 2017] [ssl:warn] [pid 21458] AH01909: a.b.c.d:4434:0 server certificate does NOT include an ID which matches the server name

I think I've got an issue with CA Root ... but even OPSEC one I've got root from root CA ...

Jerry
0 Kudos
Highlighted
Platinum

Thanks !

I'll try this and update you (all) due course

Cheers

Jerry

Jerry
0 Kudos
Highlighted
Platinum

funny enough is that I found following entry in template for httpd2

UseCanonicalName Off

shouldn't that be On by any chance?

I'd love to import wildcard crt and key file with no CSR onto the /web/conf folder

If I do so httpd2 won't start or starts anyway but gives me no access go gaia claiming that the source of my cert is still 192.168.1.1

in a log there are all errors but nothing really saying anything in particular about the cert issues

any clues ?

Jerry
0 Kudos
Highlighted
Employee
Employee

Hi,

1) Can you please clarify regarding: Gaia Portal has typical per-ip Cert error when you try to log in - that's normal

2) Did you run 8-12 steps in sk109593 (including RSA key)?

The question is relevant to the state before all mentioned changes (in /web/templates) have done.

The CSR step is require only once (wildcard) and by performing steps 8-12, it should be replaced correctly.

Note: The CSR (which done once) need to be generated according to the steps mentioned in sk109593.

0 Kudos
Highlighted
Platinum

Thanks Or

let me clarify then:

1. I've done the csr_gen when on the same shell when I was generating CSR for CA in order to get the wildcard cert from them. the procedure I've followed is typical for mab utilization not gaia portal if that answers you question

2. I have followed all the steps of course Smiley Happy but see what phoneboy wrote to me yesterday here. he has the point !

3. csr can be generated on gaia for use within 2 different "places" - I've unfortunately done the one for httpd not httpd2 (gaia portal) I guess therefore my CSR generation for httpd2 cannot be done, otherwise I need to make it again from scratch loosing all the deployments I've done already with my existing since couple of days certificate.

hope it all makes a little bit of sense now, if not - let me know I'm happy to run this with you

ps. my original quest was "can I import entire either pfx or p12 or all of the pem files onto the gaia webserver folders in order to have gaia portal running already issued wildcard cert".

Jerry

Jerry
0 Kudos
Highlighted
Employee
Employee

Hi Jerry,

1) Can you please attach "phoneboy" answer? I didn't find it in this thread.

2) httpd2 is a symbolic link to httpd --> It's the same apache server.

0 Kudos
Highlighted
Platinum

sure mate see below in sequence:

That's what it seems like to me as well.

Keep in mind there's the Gaia portal but there's also Multiportal, which is low-level infrastructure that allows the same IP/port to be used for multiple things (Gaia portal, SmartView, Mobile Access Blade, etc). 

Not sure which one is responsible in this specific case...

So restarting the daemon isn't enough.

Try using clish to change the port (e.g. set web ssl-port xxxx), then change it back to 4434.

That should force the file to be reread.

Did you uncomment SSLCACertificateFile?

Also did you verify /web/conf/httpd2.conf was updated appropriately after starting?

In theory it should work.

You need to restart httpd2 as I mentioned above for the changes to take effect.

It should regenerate the files in /web/conf (easy to confirm).

Jerry
0 Kudos
Highlighted
Platinum

0 Kudos
Highlighted
Platinum

ps. any clues / hints highly appreciated Smiley Happy

Jerry
0 Kudos
Highlighted
Copper

I load cert/keys without using a CSR.  What error messages are you getting when you try and restart httpd after loading the cert/key?

0 Kudos
Highlighted
Platinum

Thanks Bryce, I will let you know as soon as I find a moment to t-shoot it again, maybe today maybe tomorrow but I will definitely update you guys.

ps. I have had not modified anything just wanted to import (load) keys meaning Cert and Key file. GAIA portal then didn't start so I have assumed that the error I'm having is mostly related to the wrong ROOT CA cert but this can be wrong, the whole devices has ROOT CA from the same CA.

any idea?

once I've done the testing I'll tell you from logs what errors I've got but I think not much I've read from them so far ...

Jerry

Jerry
0 Kudos
Highlighted
Copper

Well how do you unpack the cert and key?

I've had issues in the past where when I created the p12, I had already packed the key with a secret.  So when you unpack the .p12 - you need to remove the shared secret otherwise I don't think apache will be able to load it.

Highlighted
Platinum

good point. I've used the files from Comodo and they were precisely unpacked.

I did myself p12 to load via Dash to MAB and GAIA portal although the server.crt and server.key I've had from the bundle I've received from Comodo.

Did I messed up something with wrong files? Oh ... that might be the best tip so far mate !!!

I'll double check ... give me some time pls.

Cheers

Jerry
0 Kudos
Highlighted
Platinum

ok Bryce, look at this please:

in /web/conf folder you've got normally 2 files which when corrupted or wrong GAIA Portal does not come up after httpd restart:

server.crt and server.key

when I replace those files with my wildcard CRT file and my KEYFILE.KEY (of course renaming them accordingly) Portal won't come up on specific port I'm using (not 443 and not 4434 - totally custom).

did I missed something?

Jerry
0 Kudos
Highlighted
Platinum

[Expert@cp:0]# pwd
/web/conf
[Expert@cp:0]# ls -l
total 108
-rw-r----- 1 admin users 4103 Feb 11 2014 ca-bundle.crt
drwxr-xr-x 3 admin root 4096 Aug 11 22:19 extra
-rw-r--r-- 1 admin root 20654 Aug 11 22:20 httpd2.conf
-rw-r----- 1 admin users 20654 Aug 11 19:23 httpd2.conf.backup
-rw-r--r-- 1 admin root 446 Aug 10 16:31 httpd2_mp.conf
-rwsr-xr-x 1 admin root 22496 Jul 11 16:13 login
lrwxrwxrwx 1 admin root 46 Jul 11 16:19 mime.types -> /web/cpshared/web/Apache/2.2.0/conf/mime.types
-rw-r----- 1 admin users 4103 Feb 11 2014 server-ca.crt
-rw-r----- 1 admin users 1598 Aug 11 08:10 server.crt
-rw-r----- 1 admin users 1704 Aug 11 08:10 server.key
-rw------- 1 admin users 1704 Aug 11 10:10 server.key_BKP

when you load your CERTS - you've mentioned you've load them extracting your already existing p12 using the passphrase? which files you've replaced in that folder?

I can do that as well but I do have all the components in place so no need as I've made my p12 from them.

any idea?

Jerry
0 Kudos
Highlighted
Copper

I try to load the .p12 from the management server first, and push it via policy -- but that doesn't work 100% of the time for whatever reason. 

This is basically how I manually load my certs using a p12 I generated without a CSR.

I run this script with the .p12 name as the argument {$1}

if     (  cd /web/conf | grep -i 'No such file or drectory')

then

   echo "No /web/conf folder - Aborting";

   exit;

fi

 

timestamp="$(date "+%Y.%m.%d-%H.%M.%S")"

 

cd /web/conf

cp /web/conf/server.key /web/conf/server.key_BKP_$timestamp

cp /web/conf/server.crt /web/conf/server.crt_BKP_$timestamp

 

curl_cli ftp://locationofencryptedp12/{$1} --user ****:**** -o ./{$1}

 

cpopenssl pkcs12 -in {$1} -password pass:************ -nokeys -out /web/conf/server.crt

cpopenssl pkcs12 -in {$1} -password pass:************ -nocerts -nodes -out /web/conf/server.key

 

tellpm process:httpd2

sleep 3

tellpm process:httpd2 t

When you attempt to start httpd2 after changing the files - do you have anything in /var/log/messages or the /var/log/httpd2_error_log ?

0 Kudos
Highlighted
Platinum

I will update you with my findings shortly.

Sounds like a plan to me. Looks like I need to crack down on it asap. Let me spend some time to investigate and provide you log records if relevant.

Thanks!

Jerry
0 Kudos