Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
StevePearson
Participant
Jump to solution

R80.20 migrate_server problems

I've been performing a management server upgrade from R80.20 to R81.10 by building a new VM and transferring the config using the migrate_server script, but have encountered a couple of issues along the way.

Firstly, the server is also an Endpoint management server, so the Gaia web interface is on port 4434 rather than the standard 443.

I noticed that it doesn't pull across the Gaia config completely. It pulled the GUI client list but not the users!

First issue.

If you set the web ssl-port to 4434 BEFORE running the migrate-server script to import the config, then it errors at 4% and hangs, but if you leave it at 443, the import runs through correctly.

However, once complete and rebooted, when you try to change the ssl-port (in clish in the normal way) it appears to change, reports changed correctly when checked, but doesn't work! Instead you get an apache error. The only way to do it is to run CPSTOP first, then change the port in clish, then run CPSTART.

Second issue.

The server uses a 3rd party wildcard certificate to secure the Gaia web interface. This has been working for years with no issues. Each time the cert is renewed by the provider I copy the .cer and the .key files into the /web/conf folder, rename them to server. and restart the httpd2 process.

After this migration, the portal is using the default cert, but I was expecting this as its an OS config so not expecting migrate_server to bring this across. However, when I copy the files and restart the process (no errors reported), it still doesn't use the wildcard cert.

Has anyone else encountered these issues at all?

Thanks,

Steve

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

migrate_server does not backup the Gaia OS configuration; that must be done separately.
Not sure why the platform portal port being different would, therefore, matter.
Make sure you’re following the procedure here to replace the Gaia portal cert: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

View solution in original post

0 Kudos
2 Replies
PhoneBoy
Admin
Admin

migrate_server does not backup the Gaia OS configuration; that must be done separately.
Not sure why the platform portal port being different would, therefore, matter.
Make sure you’re following the procedure here to replace the Gaia portal cert: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
StevePearson
Participant

The solution you indicate is correct for changing the certificate but in this case it did not work. It appears that as part of the migrate_server process the UEMP modifies the file /web/conf/extra/httpd-ssl.conf to change the location of the Server Certificate and Key files.

These were changed to:

SSLCertificateFile "/opt/CPuepm-R81.10/engine/conf/ssl/sic_cert.pem"

SSLCertificateKeyFile "/opt/CPuepm-R81.10/engine/conf/ssl/sic_cert-key.pem"

To resolve the issue, these were commented out and the following lines added instead:

SSLCertificateKeyFile /usr/local/apache2/conf/server.crt

SSLCertificateKeyFile /usr/local/apache2/conf/server.key

Once this was done, and httpd2 process was restarted, it used the correct certificate.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events