I think I found the path's into the httpd-ssl.conf.templ

if I modify this with my files from the /web/conf

would that work?

I'll try all the options Dameon ...

please let me know what you think digging it a little if you can...

In theory it should work.

You need to restart httpd2 as I mentioned above for the changes to take effect.

It should regenerate the files in /web/conf (easy to confirm).

ok so let's summarize what files need to be replaced in /web/conf folder

/web/conf/server.crt
/web/conf/server.key

I've got them replaced, also replaced one another:

SSLCertificateFile /usr/local/apache2/conf/server.crt
SSLCertificateKeyFile /usr/local/apache2/conf/server.key
#SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle.crt      => that one which is unique and does not exist in /web/conf (this file is the CA bundle file from Comodo)

--- still no joy

- template points to above files whilst server.crt and .key is the alias which goes directly towards /web/conf where those files physically exist

... I'm like lost to be frank, none of my combinations works and still got the self-signed on GAIA 

ps. bear in mind that in a config file called httpd-ssl.conf.templ I do gave a proper port this is listening on (4434). still no matter which files I've replace (having backups ofc in hand) - no joy

any clues ?

also content of the responsible file 

[Expert@cp:0]# cat httpd-ssl.conf | grep /usr/local/apache2/conf/
SSLCertificateFile /usr/local/apache2/conf/server.crt
#SSLCertificateFile /usr/local/apache2/conf/server-dsa.crt
SSLCertificateKeyFile /usr/local/apache2/conf/server.key
#SSLCertificateKeyFile /usr/local/apache2/conf/server-dsa.key
SSLCertificateChainFile /usr/local/apache2/conf/server-ca.crt
#SSLCACertificatePath /usr/local/apache2/conf/ssl.crt
#SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle.crt
#SSLCARevocationPath /usr/local/apache2/conf/ssl.crl
#SSLCARevocationFile /usr/local/apache2/conf/ssl.crl/ca-bundle.crl

which makes me think if those files will be from Comodo CA wildcard Cert it should work - but it doesn't  or I haven't un-hashed some important params myself ...

Did you uncomment SSLCACertificateFile?

Also did you verify /web/conf/httpd2.conf was updated appropriately after starting?

I did all this seeing no diff frankly ...

So restarting the daemon isn't enough.

Try using clish to change the port (e.g. set web ssl-port xxxx), then change it back to 4434.

That should force the file to be reread.

same thing, first it makes tcp/4444 then back to tcp/4434 and same error in chrome:

NET::ERR_CERT_AUTHORITY_INVALID

I don't think this is the issue with cert but CA root cert on the box ... there is somewhere a conflict between the imported PEM's and p12 one by the GUI Platform Portal record editing SG and CA root somewhere ...

I did made the opsec root ca with Comodo CA - should I remove it or something ?

starting to get really persistent in order to solve that openssl crappy case ...

That's what it seems like to me as well.

Keep in mind there's the Gaia portal but there's also Multiportal, which is low-level infrastructure that allows the same IP/port to be used for multiple things (Gaia portal, SmartView, Mobile Access Blade, etc). 

Not sure which one is responsible in this specific case...

changing SSLCACertificateFile by unhashing it makes it even worse, httpd2 won't work

I think this is all about the proper CA root crt file somewhere ... so wired and annoying ...

also found this:

[Fri Aug 11 21:56:23.000114 2017] [ssl:warn] [pid 21458] AH01906: a.b.c.d:4434:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Aug 11 21:56:23.000151 2017] [ssl:warn] [pid 21458] AH01909: a.b.c.d:4434:0 server certificate does NOT include an ID which matches the server name

I think I've got an issue with CA Root ... but even OPSEC one I've got root from root CA ...

Thanks Or

let me clarify then:

1. I've done the csr_gen when on the same shell when I was generating CSR for CA in order to get the wildcard cert from them. the procedure I've followed is typical for mab utilization not gaia portal if that answers you question

2. I have followed all the steps of course  but see what phoneboy wrote to me yesterday here. he has the point !

3. csr can be generated on gaia for use within 2 different "places" - I've unfortunately done the one for httpd not httpd2 (gaia portal) I guess therefore my CSR generation for httpd2 cannot be done, otherwise I need to make it again from scratch loosing all the deployments I've done already with my existing since couple of days certificate.

hope it all makes a little bit of sense now, if not - let me know I'm happy to run this with you

ps. my original quest was "can I import entire either pfx or p12 or all of the pem files onto the gaia webserver folders in order to have gaia portal running already issued wildcard cert".

Jerry

sure mate see below in sequence:

That's what it seems like to me as well.

Keep in mind there's the Gaia portal but there's also Multiportal, which is low-level infrastructure that allows the same IP/port to be used for multiple things (Gaia portal, SmartView, Mobile Access Blade, etc). 

Not sure which one is responsible in this specific case...

So restarting the daemon isn't enough.

Try using clish to change the port (e.g. set web ssl-port xxxx), then change it back to 4434.

That should force the file to be reread.

Did you uncomment SSLCACertificateFile?

Also did you verify /web/conf/httpd2.conf was updated appropriately after starting?

In theory it should work.

You need to restart httpd2 as I mentioned above for the changes to take effect.

It should regenerate the files in /web/conf (easy to confirm).

see the whole topic here:

https://community.checkpoint.com/thread/5457-r8010-gaia-portal-problems-importing-already-issued-wil... 

ps. any clues / hints highly appreciated

Thanks Bryce, I will let you know as soon as I find a moment to t-shoot it again, maybe today maybe tomorrow but I will definitely update you guys.

ps. I have had not modified anything just wanted to import (load) keys meaning Cert and Key file. GAIA portal then didn't start so I have assumed that the error I'm having is mostly related to the wrong ROOT CA cert but this can be wrong, the whole devices has ROOT CA from the same CA.

any idea?

once I've done the testing I'll tell you from logs what errors I've got but I think not much I've read from them so far ...

Jerry

Well how do you unpack the cert and key?

I've had issues in the past where when I created the p12, I had already packed the key with a secret.  So when you unpack the .p12 - you need to remove the shared secret otherwise I don't think apache will be able to load it.

good point. I've used the files from Comodo and they were precisely unpacked.

I did myself p12 to load via Dash to MAB and GAIA portal although the server.crt and server.key I've had from the bundle I've received from Comodo.

Did I messed up something with wrong files? Oh ... that might be the best tip so far mate !!!

I'll double check ... give me some time pls.

Cheers

ok Bryce, look at this please:

in /web/conf folder you've got normally 2 files which when corrupted or wrong GAIA Portal does not come up after httpd restart:

server.crt and server.key

when I replace those files with my wildcard CRT file and my KEYFILE.KEY (of course renaming them accordingly) Portal won't come up on specific port I'm using (not 443 and not 4434 - totally custom).

did I missed something?

[Expert@cp:0]# pwd
/web/conf
[Expert@cp:0]# ls -l
total 108
-rw-r----- 1 admin users 4103 Feb 11 2014 ca-bundle.crt
drwxr-xr-x 3 admin root 4096 Aug 11 22:19 extra
-rw-r--r-- 1 admin root 20654 Aug 11 22:20 httpd2.conf
-rw-r----- 1 admin users 20654 Aug 11 19:23 httpd2.conf.backup
-rw-r--r-- 1 admin root 446 Aug 10 16:31 httpd2_mp.conf
-rwsr-xr-x 1 admin root 22496 Jul 11 16:13 login
lrwxrwxrwx 1 admin root 46 Jul 11 16:19 mime.types -> /web/cpshared/web/Apache/2.2.0/conf/mime.types
-rw-r----- 1 admin users 4103 Feb 11 2014 server-ca.crt
-rw-r----- 1 admin users 1598 Aug 11 08:10 server.crt
-rw-r----- 1 admin users 1704 Aug 11 08:10 server.key
-rw------- 1 admin users 1704 Aug 11 10:10 server.key_BKP

when you load your CERTS - you've mentioned you've load them extracting your already existing p12 using the passphrase? which files you've replaced in that folder?

I can do that as well but I do have all the components in place so no need as I've made my p12 from them.

any idea?

I try to load the .p12 from the management server first, and push it via policy -- but that doesn't work 100% of the time for whatever reason. 

This is basically how I manually load my certs using a p12 I generated without a CSR.

I run this script with the .p12 name as the argument {$1}

if     (  cd /web/conf | grep -i 'No such file or drectory')

then

   echo "No /web/conf folder - Aborting";

   exit;

fi

 

timestamp="$(date "+%Y.%m.%d-%H.%M.%S")"

 

cd /web/conf

cp /web/conf/server.key /web/conf/server.key_BKP_$timestamp

cp /web/conf/server.crt /web/conf/server.crt_BKP_$timestamp

 

curl_cli ftp://locationofencryptedp12/{$1} --user ****:**** -o ./{$1}

 

cpopenssl pkcs12 -in {$1} -password pass:************ -nokeys -out /web/conf/server.crt

cpopenssl pkcs12 -in {$1} -password pass:************ -nocerts -nodes -out /web/conf/server.key

 

tellpm process:httpd2

sleep 3

tellpm process:httpd2 t

When you attempt to start httpd2 after changing the files - do you have anything in /var/log/messages or the /var/log/httpd2_error_log ?

I will update you with my findings shortly.

Sounds like a plan to me. Looks like I need to crack down on it asap. Let me spend some time to investigate and provide you log records if relevant.

Thanks!