Hi folks
Just a quick one, but to some extent a complicated thing. A little background though:
1. R80.10 Standalone Appliance (all-in-one) as usual
2. no PKI done for either VPN or MAB (MAB is not in use)
3. Gaia Portal has typical per-ip Cert error when you try to log in - that's normal
Research:
1. replace files at
/web/conf/server.crt
/web/conf/server.key
with your own one from your *.domain.com set (received as issued with Public CA)
based on sk109593
- result: Tomcat does not wake up at all, making your GAIA portal unusable
2. replacing the above files is not enough as long as your $CPDIR/conf/openssl.cnf has no CSR issued within the shell (of course not, as the CSR was done separately on a different device in order to make a wildcard cert!)
3. I see no path for importing wildcard cert without generating csr on particular appliance - do you?
GOAL:
1. have all GAIA portal(s) on each appliance within the network using the same wildcard cert already in hand from Comodo.
---
any ideas/tips/hints chaps?
Much appreciate your assistance as always (PhoneBoy especially) 🙂
Cheers
Jerry
$CPDIR/conf/openssl.cnf is not the correct file to edit here.
The actual config file read by the Gaia Web Portal is /web/conf/httpd2.conf
This file, however, is generated based off the files in /web/templates.
You might look in /var/log/httpd2_error_log to see what the actual errors are.
That may help you change the config in /web/templates.
When you do that, you will need to restart the httpd process to have the necessary configuration files regenerated:
[Expert@HostName]# tellpm process:httpd2
[Expert@HostName]# tellpm process:httpd2 t
I think I found the paths in httpd-ssl.conf.templ.
If I modify this with my files from /web/conf,
would that work?
I'll try all the options, Dameon ...
Please let me know what you think, digging into it a little if you can...
In theory it should work.
You need to restart httpd2 as I mentioned above for the changes to take effect.
It should regenerate the files in /web/conf (easy to confirm).
OK, so let's summarize what files need to be replaced in the /web/conf folder:
/web/conf/server.crt
/web/conf/server.key
I've got them replaced, and also replaced another one:
SSLCertificateFile /usr/local/apache2/conf/server.crt
SSLCertificateKeyFile /usr/local/apache2/conf/server.key
#SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle.crt => that one is unique and does not exist in /web/conf (this file is the CA bundle file from Comodo)
--- still no joy
- the template points to the above files, whilst server.crt and .key is the alias which goes directly towards /web/conf where those files physically exist
... I'm lost, to be frank; none of my combinations works and I've still got the self-signed cert on GAIA
ps. bear in mind that in the config file called httpd-ssl.conf.templ I did give the proper port this is listening on (4434). Still, no matter which files I've replaced (having backups in hand, of course) - no joy
any clues ?
also content of the responsible file
[Expert@cp:0]# cat httpd-ssl.conf | grep /usr/local/apache2/conf/
SSLCertificateFile /usr/local/apache2/conf/server.crt
#SSLCertificateFile /usr/local/apache2/conf/server-dsa.crt
SSLCertificateKeyFile /usr/local/apache2/conf/server.key
#SSLCertificateKeyFile /usr/local/apache2/conf/server-dsa.key
SSLCertificateChainFile /usr/local/apache2/conf/server-ca.crt
#SSLCACertificatePath /usr/local/apache2/conf/ssl.crt
#SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle.crt
#SSLCARevocationPath /usr/local/apache2/conf/ssl.crl
#SSLCARevocationFile /usr/local/apache2/conf/ssl.crl/ca-bundle.crl
which makes me think that if those files are from the Comodo CA wildcard cert it should work - but it doesn't, or I haven't un-hashed some important params myself ...
Did you uncomment SSLCACertificateFile?
Also did you verify /web/conf/httpd2.conf was updated appropriately after starting?
I did all this seeing no diff frankly ...
So restarting the daemon isn't enough.
Try using clish to change the port (e.g. set web ssl-port xxxx), then change it back to 4434.
That should force the file to be reread.
same thing: first it makes tcp/4444, then back to tcp/4434, and the same error in Chrome:
NET::ERR_CERT_AUTHORITY_INVALID
I don't think this is an issue with the cert but with the CA root cert on the box ... there is somewhere a conflict between the imported PEMs and the p12 one imported by the GUI Platform Portal record editing the SG and CA root somewhere ...
I did make the OPSEC root CA with the Comodo CA - should I remove it or something?
starting to get really persistent in order to solve that crappy openssl case ...
That's what it seems like to me as well.
Keep in mind there's the Gaia portal but there's also Multiportal, which is low-level infrastructure that allows the same IP/port to be used for multiple things (Gaia portal, SmartView, Mobile Access Blade, etc).
Not sure which one is responsible in this specific case...
changing SSLCACertificateFile by unhashing it makes it even worse: httpd2 won't work
I think this is all about the proper CA root crt file somewhere ... so weird and annoying ...
also found this:
[Fri Aug 11 21:56:23.000114 2017] [ssl:warn] [pid 21458] AH01906: a.b.c.d:4434:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Aug 11 21:56:23.000151 2017] [ssl:warn] [pid 21458] AH01909: a.b.c.d:4434:0 server certificate does NOT include an ID which matches the server name
I think I've got an issue with the CA root ... but even for the OPSEC one I've got the root from the root CA ...
Thanks !
I'll try this and update you (all) due course
Cheers
Jerry
Funny enough, I found the following entry in the template for httpd2:
UseCanonicalName Off
shouldn't that be On, by any chance?
I'd love to import the wildcard crt and key file with no CSR into the /web/conf folder.
If I do so, httpd2 won't start, or starts anyway but gives me no access to Gaia, claiming that the source of my cert is still 192.168.1.1
in the log there are all sorts of errors but nothing really saying anything in particular about the cert issues
any clues?
Hi,
1) Can you please clarify regarding: "Gaia Portal has typical per-ip Cert error when you try to log in - that's normal"?
2) Did you run steps 8-12 in sk109593 (including the RSA key)?
The question is relevant to the state before all the mentioned changes (in /web/templates) were done.
The CSR step is required only once (wildcard), and by performing steps 8-12 it should be replaced correctly.
Note: The CSR (which is done once) needs to be generated according to the steps mentioned in sk109593.
Thanks Or
let me clarify then:
1. I've done the csr_gen on the same shell when I was generating the CSR for the CA in order to get the wildcard cert from them. The procedure I've followed is typical for MAB utilization, not the Gaia portal, if that answers your question.
2. I have followed all the steps of course, but see what PhoneBoy wrote to me yesterday here. He has a point!
3. A CSR can be generated on Gaia for use within 2 different "places" - I've unfortunately done the one for httpd, not httpd2 (Gaia portal). I guess therefore my CSR generation for httpd2 cannot be done; otherwise I need to make it again from scratch, losing all the deployments I've done already with my existing certificate from a couple of days ago.
Hope it all makes a little bit of sense now; if not, let me know, I'm happy to run through this with you.
ps. my original question was "can I import either the pfx or p12 or all of the pem files onto the Gaia webserver folders in order to have the Gaia portal running an already issued wildcard cert".
Jerry
Hi Jerry,
1) Can you please attach "phoneboy" answer? I didn't find it in this thread.
2) httpd2 is a symbolic link to httpd --> It's the same apache server.
sure mate see below in sequence:
That's what it seems like to me as well.
Keep in mind there's the Gaia portal but there's also Multiportal, which is low-level infrastructure that allows the same IP/port to be used for multiple things (Gaia portal, SmartView, Mobile Access Blade, etc).
Not sure which one is responsible in this specific case...
So restarting the daemon isn't enough.
Try using clish to change the port (e.g. set web ssl-port xxxx), then change it back to 4434.
That should force the file to be reread.
Did you uncomment SSLCACertificateFile?
Also did you verify /web/conf/httpd2.conf was updated appropriately after starting?
In theory it should work.
You need to restart httpd2 as I mentioned above for the changes to take effect.
It should regenerate the files in /web/conf (easy to confirm).
see the whole topic here:
ps. any clues / hints highly appreciated
I load cert/keys without using a CSR. What error messages are you getting when you try and restart httpd after loading the cert/key?
Thanks Bryce, I will let you know as soon as I find a moment to t-shoot it again, maybe today maybe tomorrow but I will definitely update you guys.
ps. I had not modified anything, I just wanted to import (load) the keys, meaning the cert and key file. The GAIA portal then didn't start, so I assumed that the error I'm having is mostly related to the wrong ROOT CA cert, but this can be wrong; the whole device has the ROOT CA from the same CA.
any idea?
once I've done the testing I'll tell you from logs what errors I've got but I think not much I've read from them so far ...
Jerry
Well how do you unpack the cert and key?
I've had issues in the past where when I created the p12, I had already packed the key with a secret. So when you unpack the .p12 - you need to remove the shared secret otherwise I don't think apache will be able to load it.
good point. I've used the files from Comodo and they were precisely unpacked.
I did myself p12 to load via Dash to MAB and GAIA portal although the server.crt and server.key I've had from the bundle I've received from Comodo.
Did I mess up something with the wrong files? Oh ... that might be the best tip so far, mate!!!
I'll double check ... give me some time pls.
Cheers
ok Bryce, look at this please:
in the /web/conf folder you've normally got 2 files which, when corrupted or wrong, stop the GAIA Portal from coming up after an httpd restart:
server.crt and server.key
when I replace those files with my wildcard CRT file and my KEYFILE.KEY (of course renaming them accordingly), the Portal won't come up on the specific port I'm using (not 443 and not 4434 - totally custom).
did I miss something?
[Expert@cp:0]# pwd
/web/conf
[Expert@cp:0]# ls -l
total 108
-rw-r----- 1 admin users 4103 Feb 11 2014 ca-bundle.crt
drwxr-xr-x 3 admin root 4096 Aug 11 22:19 extra
-rw-r--r-- 1 admin root 20654 Aug 11 22:20 httpd2.conf
-rw-r----- 1 admin users 20654 Aug 11 19:23 httpd2.conf.backup
-rw-r--r-- 1 admin root 446 Aug 10 16:31 httpd2_mp.conf
-rwsr-xr-x 1 admin root 22496 Jul 11 16:13 login
lrwxrwxrwx 1 admin root 46 Jul 11 16:19 mime.types -> /web/cpshared/web/Apache/2.2.0/conf/mime.types
-rw-r----- 1 admin users 4103 Feb 11 2014 server-ca.crt
-rw-r----- 1 admin users 1598 Aug 11 08:10 server.crt
-rw-r----- 1 admin users 1704 Aug 11 08:10 server.key
-rw------- 1 admin users 1704 Aug 11 10:10 server.key_BKP
when you load your CERTS - you've mentioned you've loaded them by extracting your already existing p12 using the passphrase? Which files have you replaced in that folder?
I can do that as well but I do have all the components in place so no need as I've made my p12 from them.
any idea?
I try to load the .p12 from the management server first, and push it via policy -- but that doesn't work 100% of the time for whatever reason.
This is basically how I manually load my certs using a p12 I generated without a CSR.
I run this script with the .p12 name as the argument ($1):
#!/bin/bash
# usage: ./load_p12.sh <name-of-p12-file>
if [ ! -d /web/conf ]
then
echo "No /web/conf folder - Aborting";
exit 1;
fi
timestamp="$(date "+%Y.%m.%d-%H.%M.%S")"
cd /web/conf
# keep the current cert/key so they can be put back if httpd2 refuses the new ones
cp /web/conf/server.key /web/conf/server.key_BKP_$timestamp
cp /web/conf/server.crt /web/conf/server.crt_BKP_$timestamp
curl_cli ftp://locationofencryptedp12/"$1" --user ****:**** -o ./"$1"
# extract the certificate and the unencrypted (-nodes) private key from the p12
cpopenssl pkcs12 -in "$1" -password pass:************ -nokeys -out /web/conf/server.crt
cpopenssl pkcs12 -in "$1" -password pass:************ -nocerts -nodes -out /web/conf/server.key
tellpm process:httpd2
sleep 3
tellpm process:httpd2 t
When you attempt to start httpd2 after changing the files - do you have anything in /var/log/messages or the /var/log/httpd2_error_log ?
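A pre-flight check to run on the cert/key pair before swapping it into /web/conf, as an added example that is not from this thread or from Check Point: it tests for the conditions behind the AH01906 (server cert is a CA cert) and AH01909 (no name match) warnings quoted above, for a passphrase-protected key, and for a key that does not belong to the cert. It assumes a standard openssl CLI (on Gaia set OPENSSL=cpopenssl); the function name and the host name fw1.example.com are my own.

```shell
#!/bin/sh
# Added example, not from the thread or from Check Point. Checks a cert/key pair
# for the problems that make httpd2 refuse it or browsers reject it.
# Assumes a standard openssl CLI; on Gaia run with OPENSSL=cpopenssl.
: "${OPENSSL:=openssl}"

# gaia_cert_preflight CERT KEY HOSTNAME [CA_BUNDLE]
# Prints one line per failed check and returns 1 if any check failed.
gaia_cert_preflight() {
    cert=$1; key=$2; host=$3; bundle=${4:-}
    rc=0
    # 1. The key must be unencrypted: Apache cannot prompt for a passphrase at boot.
    if grep -q 'ENCRYPTED' "$key"; then
        echo "FAIL: key is passphrase-protected (export it with -nodes)"; rc=1
    fi
    # 2. Cert and key must belong together (compare public keys; works for RSA and EC).
    cert_pub=$("$OPENSSL" x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    key_pub=$("$OPENSSL" pkey -in "$key" -pubout 2>/dev/null || true)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: certificate and key do not match"; rc=1
    fi
    # 3. A server cert must not be a CA cert (mod_ssl AH01906). A typical cause is
    #    copying the CA or intermediate file into server.crt by mistake.
    if "$OPENSSL" x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "FAIL: server.crt is a CA certificate (BasicConstraints CA:TRUE)"; rc=1
    fi
    # 4. The name the browser connects with must be covered by the SAN (or CN when
    #    there is no SAN); otherwise mod_ssl logs AH01909 and browsers complain.
    if ! "$OPENSSL" x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null | grep -q 'does match'; then
        echo "FAIL: certificate does not cover host name $host"; rc=1
    fi
    # 5. Optional: the cert must chain to the bundle Apache sends (SSLCertificateChainFile).
    if [ -n "$bundle" ] && ! "$OPENSSL" verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
        echo "FAIL: certificate does not verify against $bundle"; rc=1
    fi
    return $rc
}

# Usage on a Gaia box (paths from the thread, host name is a placeholder):
#   OPENSSL=cpopenssl gaia_cert_preflight /web/conf/server.crt /web/conf/server.key \
#       fw1.example.com /web/conf/server-ca.crt
```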
I will update you with my findings shortly.
Sounds like a plan to me. Looks like I need to crack down on it asap. Let me spend some time to investigate and provide you log records if relevant.
Thanks!