Hello everyone. I am issuing an SSL certificate with Namecheap, to use a "real one".
What kind of server type do I have to choose?

1.- Apache / cPanel
2.- Microsoft IIS / Tomcat

Thanks.

2017-08-23 11:41 GMT-05:00 Maxim Solodovnik <[email protected]>:

> Hello Nick,
>
> please check this:
> https://builds.apache.org/view/M-R/view/OpenMeetings/job/Openmeetings%203.3.x/site/openmeetings-server/RTMPSAndHTTPS.html
> I'm not sure what is the difference between v1 and v2, too much text :(
>
> Thanks a lot for the contribution!
>
> On Wed, Aug 23, 2017 at 3:30 PM, Yakovlev N. <[email protected]> wrote:
>
>> Maxim,
>>
>> red5.key missed
>>
>> The second edition. :)
>>
>> Using self-signed certificates.
>>
>> Prerequisites:
>>
>> - CA's root certificate: ca.crt
>> - server key: red5.key (distinguished Name while creating key should be assigned to the FQDN of your site, for example - vkc.company.com)
>> - self-signed server certificate: red5.crt
>>
>> Preparing of OM server.
>>
>> 1. Rename the existing keystore file red5/conf/keystore.jks to red5/conf/keystore.jks.bak
>>    Rename the existing truststore file red5/conf/truststore.jks to red5/conf/truststore.jks.bak
>>
>> 2. Export existing keys into PKCS12 format:
>>    enter the folder where ca.crt and red5.crt are placed
>>
>>        openssl pkcs12 -export -in red5.crt -inkey red5.key -out red5.p12 -name red5 -certfile ca.crt
>>
>> 3. Import resulting red5.p12 into keystore:
>>
>>        keytool -importkeystore -srcstorepass changeit -srckeystore red5.p12 -srcstoretype PKCS12 -deststorepass changeit -destkeystore /opt/red5/conf/keystore.jks -alias red5
>>
>>    This command creates the keystore.jks with password changeit (may be any password)
>>
>> 4. Import your CA's root certificate into the keystore:
>>
>>        keytool -import -alias root -keystore /opt/red5/conf/keystore.jks -trustcacerts -file ca.crt
>>
>>    (need to enter password to keystore.jks - changeit)
>>
>> 5. copy keystore to truststore
>>
>>        cd /opt/red5/conf
>>        cp keystore.jks truststore.jks
>>
>> 6. Change /opt/red5/conf/red5.properties
>>
>>        rtmps.keystorepass=changeit
>>        rtmps.truststorepass=changeit
>>        jmx.keystorepass=changeit
>>
>> 7. Set up SSL according to the "SSL for the web interface" section.
>>
>> 8. Set RTMPS according to the "Tunneling RTMPS" or "Native RTMPS" sections.
>>
>> 9. Restart OM service or whole OM server. Now OM server is ready to accept SSL-connections.
>>
>> Preparing of clients.
>>
>> 1. Add the ca.crt certificate as trusted into the CA's list on all Windows PCs at the system level (certmgr.msc applet).
>>
>> 2. Add the ca.crt certificate as trusted into Firefox if it is used (Firefox uses its own store of certificates).
>>
>> 3. Add the ca.crt certificate into %JAVA%\lib\security\cacerts with keytool utility on a PC that organizes screensharing.
>>
>> For example, Java Version 8 Update 144 has been installed on a Windows machine in the default location path.
>>
>> Copy ca.crt to a folder: c:\ca.crt
>>
>> Start command line interface as administrator:
>>
>>     runas /user:AdminAccount cmd.exe
>>
>> Enter admin password
>>
>> Enter the bin directory of java:
>>
>>     cd "c:\Program Files\Java\jre1.8.0_144\bin"
>>
>> Import ca.crt into keystore:
>>
>>     keytool -import -alias root -keystore ..\lib\security\cacerts -file c:\ca.crt
>>
>> Enter the password to keystore: changeit
>>
>> Now the clients are ready to connect to OM via SSL.
>>
>> *From:* Yakovlev N. [mailto:[email protected]]
>> *Sent:* Wednesday, August 23, 2017 11:04 AM
>> *To:* [email protected]
>> *Subject:* RE: [ANNOUNCE] HTTPS is now required
>>
>> Hi Maxim,
>>
>> This is the first edition of "self-signed" section.
>>
>> Using self-signed certificates.
>>
>> Prerequisites:
>>
>> - CA's root certificate: ca.crt
>> - self-signed server certificate: red5.crt (distinguished Name while creating certificate should be assigned to the FQDN of your site, for example - vkc.company.com)
>>
>> Preparing of OM server.
>>
>> 1. Rename the existing keystore file red5/conf/keystore.jks to red5/conf/keystore.jks.bak
>>    Rename the existing truststore file red5/conf/truststore.jks to red5/conf/truststore.jks.bak
>>
>> 2. Export existing keys into PKCS12 format:
>>    enter the folder where ca.crt and red5.crt are placed
>>
>>        openssl pkcs12 -export -in red5.crt -inkey red5.key -out red5.p12 -name red5 -certfile ca.crt
>>
>> 3. Import resulting red5.p12 into keystore:
>>
>>        keytool -importkeystore -srcstorepass changeit -srckeystore red5.p12 -srcstoretype PKCS12 -deststorepass changeit -destkeystore /opt/red5/conf/keystore.jks -alias red5
>>
>>    This command creates the keystore.jks with password changeit (may be any password)
>>
>> 4. Import your CA's root certificate into the keystore:
>>
>>        keytool -import -alias root -keystore /opt/red5/conf/keystore.jks -trustcacerts -file ca.crt
>>
>>    (need to enter password to keystore.jks - changeit)
>>
>> 5. copy keystore to truststore
>>
>>        cd /opt/red5/conf
>>        cp keystore.jks truststore.jks
>>
>> 6. Change passwords in /opt/red5/conf/red5.properties:
>>
>>        rtmps.keystorepass=changeit
>>        rtmps.truststorepass=changeit
>>        jmx.keystorepass=changeit
>>
>> 7. Set up SSL according to the "SSL for the web interface" section.
>>
>> 8. Set up RTMPS according to the "Tunneling RTMPS" or "Native RTMPS" sections.
>>
>> 9. Restart OM service or whole OM server. Now OM server is ready to accept SSL-connections.
>>
>> Preparing of clients.
>>
>> 1. Add the ca.crt certificate as trusted into the CA's list on all Windows PCs at the system level (certmgr.msc applet).
>>
>> 2. Add the ca.crt certificate as trusted into Firefox if it is used (Firefox uses its own store of certificates).
>>
>> 3. Add the ca.crt certificate into %JAVA%\lib\security\cacerts with keytool utility on a PC that organizes screensharing.
>>
>> For example, Java Version 8 Update 144 has been installed on a Windows machine in the default location path.
>>
>> Copy ca.crt to a folder: c:\ca.crt
>>
>> Start command line interface as administrator:
>>
>>     runas /user:AdminAccount cmd.exe
>>
>> Enter admin password
>>
>> Enter the bin directory of java:
>>
>>     cd "c:\Program Files\Java\jre1.8.0_144\bin"
>>
>> Import ca.crt into keystore:
>>
>>     keytool -import -alias root -keystore ..\lib\security\cacerts -file c:\ca.crt
>>
>> Enter the password to keystore: changeit
>>
>> Now the clients are ready to connect to OM via SSL https://vkc.company.com:5443.
>>
>> Nik
>>
>> *From:* Maxim Solodovnik [mailto:[email protected] <[email protected]>]
>> *Sent:* Wednesday, August 23, 2017 8:58 AM
>> *To:* Openmeetings user-list
>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>
>> I believe this is correct.
>>
>> will try to add "Self-signed" section to site
>>
>> On Wed, Aug 23, 2017 at 12:54 PM, Yakovlev N. <[email protected]> wrote:
>>
>> OK.
>>
>> I would like to sum up all the work with the SSL and I think one will be interesting for our community.
>>
>> 1. The self-signed certificates can be used but using of them requires some manual operations:
>>
>>    1.1. The certificates (root CA and server) must be installed into /opt/red5/conf/keystore.jks and /opt/red5/conf/truststore.jks on OM server as described at http://openmeetings.apache.org/RTMPSAndHTTPS.html page.
>>
>>    1.2. It's not necessary to add the root certificate into java/cacerts on OM server because all works OK with java/cacerts installed by default.
>>
>>    1.3. The root certificate must be added as trusted into the CA list on all Windows PCs at the system level (certmgr.msc applet).
>>
>>    1.4. The root certificate must be added as trusted into Firefox if it is used (FF has its own store for the certificates).
>>
>>    1.5. The root certificate must be added into %JAVA%\lib\security\cacerts with keytool utility on a PC that organizes screensharing.
>>
>> 2. The use of real certificates is more preferable since it does not require as much work as described above.
>>    There are only two places where the certificates have to be installed: see 1.1 and 1.5 above.
>>
>> 3. The http://openmeetings.apache.org/RTMPSAndHTTPS.html page should be changed and supplemented.
>>    It will allow to exclude a lot of questions for OM users. Those questions that I had to meet.
>>
>> Is all correct?
>>
>> Nik
>>
>> *From:* Maxim Solodovnik [mailto:[email protected]]
>> *Sent:* Wednesday, August 23, 2017 7:41 AM
>> *To:* Openmeetings user-list
>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>
>> I believe this is standard behavior for Windows systems
>>
>> On Tue, Aug 22, 2017 at 6:37 PM, Yakovlev N. <[email protected]> wrote:
>>
>> After adding CA into windows system store entering into rooms works good.
>>
>> Does FF use not only own ca-store but ca-store in system?! Or it's not FF?
>>
>> *From:* Maxim Solodovnik [mailto:[email protected]]
>> *Sent:* Tuesday, August 22, 2017 2:05 PM
>> *To:* Openmeetings user-list
>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>
>> ERR_UNKNOWN_ISSUER most probably caused by the fact
>>
>> 1) server cert was added to trusted
>>
>> 2) CA was not added
>>
>> in case of Windows it is worth adding the CA at system level AND to the browser (CA tab with permission to verify sites code etc. I would check all checkboxes)
>>
>> On Tue, Aug 22, 2017 at 4:41 PM, Yakovlev N. <[email protected]> wrote:
>>
>> Yes, the ca certificate was added as trusted.
>>
>> I found one difference in behavior of FF when it connected to https-sites with the self-signed certificates.
>>
>> Typically, the first connection prompts you to add the site to an exception but OM server does not give us this option.
>>
>> See pls two screenshots.
>>
>> This occurs before the CA is added to the Trusted CAs lists.
>> If first a root certificate is added to the CAs list then we can access an OM cabinet with green lock icon but will have the errors in the rooms as I wrote before.
>>
>> There is something in OM webserver…..
>>
>> Nik
>>
>> *From:* Maxim Solodovnik [mailto:[email protected]]
>> *Sent:* Tuesday, August 22, 2017 11:54 AM
>> *To:* Openmeetings user-list
>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>
>> I guess CA was added to trusted CA's of FF?
>>
>> On Tue, Aug 22, 2017 at 3:40 PM, Maxim Solodovnik <[email protected]> wrote:
>>
>> This is the issue of "self-signed" certificate.
>>
>> "Real" certificate provides the way to ensure it wasn't revoked.
>>
>> I would recommend to set up one of the free real certificates to prod system
>>
>> On Tue, Aug 22, 2017 at 2:45 PM, Yakovlev N. <[email protected]> wrote:
>>
>> Hi Maxim,
>>
>> you were right when you suggested to add a ca certificate into client machine with screensharing. I added the root certificate not correctly via "java control panel->security->manage certificates". It's wrong and not necessary. The certificate must be inserted into java/keystore with keytool utility.
>>
>> Now screen sharing works as expected.
>>
>> But...
>>
>> I tried to connect from other machines to the machine with screensharing and all worked fine with remote desktop if IE used but not Firefox.
>>
>> The error screenshots are attached and the errors take place when entering into any rooms.
>>
>> Do you know how to resolve it? And why only FF ?
>>
>> The latest version of FF and Adobe Flash Player for FF is used.
>>
>> Nik
>>
>> *From:* Maxim Solodovnik [mailto:[email protected]]
>> *Sent:* Monday, August 21, 2017 11:46 AM
>> *To:* Openmeetings user-list
>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>
>> I guess first thing to do is to ensure
>>
>> jre is used by javaws
>>
>> and
>>
>> jre containing cacert
>>
>> is the same jre
>>
>> can be checked using by inspecting PATH
>>
>> and checking which binaries are actually started using system task manager
>>
>> On Mon, Aug 21, 2017 at 3:00 PM, Yakovlev N. <[email protected]> wrote:
>>
>> First I tried to add only one CA certificate to java on a client machine.
>>
>> Then the site certificate was added for additional checking.
>>
>> Both cases are unsuccessful.
>>
>> What should I do next?
>>
>> *From:* Maxim Solodovnik [mailto:[email protected]]
>> *Sent:* Monday, August 21, 2017 9:51 AM
>> *To:* Openmeetings user-list
>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>
>> Works for me
>>
>> What were your steps?
>>
>> BTW no need to add site certificate to trusted certs in case you are having Root CA. Verified Root CA will successfully validate site cert
>>
>> On Mon, Aug 21, 2017 at 1:44 PM, Yakovlev N. <[email protected]> wrote:
>>
>> No,
>>
>> It did not help.
>>
>> The client machine is Windows, the CA root certificate (crt) and the client self-signed certificate (p12) have been added into java via java control panel->security->manage certificates.
>>
>> The full error log is:
>>
>> ERROR 08-21 09:39:23.861 63 o.a.o.s.RTMPTSScreenShare [Thread-23] - {}
>> sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>     at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
>>     at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
>>     at sun.security.validator.Validator.validate(Unknown Source)
>>     at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
>>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
>>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>>     at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
>>     at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
>>     at sun.security.ssl.Handshaker.processLoop(Unknown Source)
>>     at sun.security.ssl.Handshaker.process_record(Unknown Source)
>>     at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
>>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
>>     at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>>     at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>>     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
>>     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
>>     at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
>>     at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
>>     at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
>>     at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
>>     at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
>>     at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
>>     at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
>>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:118)
>>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
>>     at org.red5.client.net.rtmps.RTMPTSClientConnector.openConnection(RTMPTSClientConnector.java:139)
>>     at org.red5.client.net.rtmps.RTMPTSClientConnector.run(RTMPTSClientConnector.java:64)
>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>     at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
>>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
>>     at java.security.cert.CertPathBuilder.build(Unknown Source)
>>     ... 27 common frames omitted
>> sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>> No context named default was found!!
>>
>> *From:* Maxim Solodovnik [mailto:[email protected]]
>> *Sent:* Monday, August 21, 2017 8:45 AM
>> *To:* Openmeetings user-list
>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>
>> You can fix it by adding self-signed CA to the java/cacerts at the "client" machine (The machine Screen-sharing web-app is started)
>>
>> On Mon, Aug 21, 2017 at 11:51 AM, Yakovlev N. <[email protected]> wrote:
>>
>> Tunneling RTMPS
>>
>> *From:* Maxim Solodovnik [mailto:[email protected]]
>> *Sent:* Monday, August 21, 2017 5:56 AM
>> *To:* Openmeetings user-list
>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>
>> What type of SSL are you checking? "native" or "tunneled" ?
>>
>> On Sun, Aug 20, 2017 at 10:45 AM, Yakovlev N. <[email protected]> wrote:
>>
>> Hi Maxim,
>>
>> Screensharing with SSL does not work.
>>
>> Java outputs the next errors:
>>
>> ERROR 08-20 06:00:11.429 63 o.a.o.s.RTMPTSScreenShare [Thread-22] - {}
>> sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>
>> Where can the datastore for screensharing be placed and what is its file name?
>>
>> /opt/red5/conf/keystore.screen.jks or /opt/red5/conf/keystore.screen ?
>>
>> Where should the password for this keystore be assigned?
>>
>> The /opt/red5/conf/jee-container.xml and /opt/red5/conf/red5.properties files contain the following parameters:
>>
>>     key="keystoreFile" value=......
>>     key="keystorePass" value=......
>>     key="truststoreFile" value=......
>>     key="truststorePass" value=......
>>
>>     rtmps.keystorepass=xxxxx
>>     rtmps.keystorefile=conf/keystore.jks
>>     rtmps.truststorepass=xxxxx
>>     rtmps.truststorefile=conf/truststore.jks
>>
>> But for screensharing I could not find relevant information.
>>
>> Best regards,
>>
>> Nik
>>
>> *From:* Yakovlev N. [mailto:[email protected]]
>> *Sent:* Saturday, August 19, 2017 8:23 AM
>> *To:* [email protected]
>> *Subject:* RE: [ANNOUNCE] HTTPS is now required
>>
>> Hi Maxim,
>>
>> SSL is working fine.
>>
>> I found a mistake in http://openmeetings.apache.org/RTMPSAndHTTPS.html manual:
>>
>> All keytool commands must have the filename keystore.jks but not keystore without extension.
>> :)
>>
>> This also applies to the filename truststore: it should be truststore.jks.
>>
>> Otherwise the names of keystore and truststore should be changed in /opt/red5/conf/red5.properties.
>>
>> Nik
>>
>> *From:* Maxim Solodovnik [mailto:[email protected] <[email protected]>]
>> *Sent:* Saturday, August 19, 2017 7:23 AM
>> *To:* Openmeetings user-list
>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>
>> I'll try to check steps with self-signed cert and will report back
>>
>> On Sat, Aug 19, 2017 at 11:21 AM, Yakovlev N. <[email protected]> wrote:
>>
>> Hello Ramon,
>>
>> All the hope of Maxim….:)
>>
>> Nik
>>
>> *From:* Ramón Zárate Moedano [mailto:[email protected]]
>> *Sent:* Saturday, August 19, 2017 2:22 AM
>> *To:* [email protected]
>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>
>> Hello everyone ...
>>
>> I just cannot install SSL (from Namecheap) ... this is beyond my skills.
>>
>> Is there someone who can help me with the installation in exchange for some money????
>>
>> Thanks in advance.
>>
>> 2017-08-18 1:23 GMT-05:00 Yakovlev N. <[email protected]>:
>>
>> Hi Maxim,
>>
>> Thanks for reply.
>>
>> I've reinstalled two times certificates but ssl does not work.
>>
>> 1. Both certificates root-CA and client one were added into /etc/pki/ca-trust/extracted/java/cacerts (this place is for Centos) with commands:
>>
>>        keytool -import -keystore cacerts -file red5.crt -alias red5
>>        keytool -import -keystore cacerts -trustcacerts -file ca.crt -alias root
>>
>> 2. As you recommend OM was started with red5-debug + option "-Djavax.net.debug=all"
>>
>> Logs have nothing while a ssl session was established.
>>
>> To exclude the impact of browsers, I tried to start up a session using telnet.
>>
>> Session to port 5080 (none ssl) were fixed in logs but sessions to 5443 did not.
>>
>> In this case, the netstat command shows ESTABLISHED status to port 5443.
>>
>> Firewall is off.
>>
>> According to http://openmeetings.apache.org/RTMPSAndHTTPS.html two config files have to be changed:
>>
>> 1. Edit red5/conf/jee-container.xml file:
>>
>>    Comment Tomcat without SSL enabled section
>>
>>    UNComment Tomcat with SSL enabled section
>>
>> 2. Edit red5/webapps/openmeetings/public/config.xml and set
>>
>>        <protocol>https</protocol>
>>        <red5httpport>5443</red5httpport>
>>
>> Are these changes enough or need more?
>>
>> Best regards,
>>
>> Nik
>>
>> *From:* Maxim Solodovnik [mailto:[email protected]]
>> *Sent:* Thursday, August 17, 2017 10:28 AM
>> *To:* Openmeetings user-list
>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>
>> Here is useful link
>>
>> I'm using these scripts (with some modifications) Chrome shows green icon :)
>>
>> https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate/43666288#43666288
>>
>> On Thu, Aug 17, 2017 at 2:25 PM, Maxim Solodovnik <[email protected]> wrote:
>>
>> The steps on the site are for the "real" certificates ...
>>
>> 1) add certificate to trusted certs of Java
>>
>> means Java need to know about your certificate I'm using self-signed CA for testing and I'm adding it to
>>
>> /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts
>>
>> Additionally I would recommend to run red5 using red5-debug and modify it by adding "*-Djavax.net.debug=all*" to see all SSL messages
>>
>> On Thu, Aug 17, 2017 at 1:23 PM, Yakovlev N. <[email protected]> wrote:
>>
>> Hello Maxim,
>> Don't worry that my question was missed because we all understand how much work you do.
>> Your message made me return to the question of HTTPS for OM.
>>
>> So...
>>
>> 1) add certificate to trusted certs of Java
>>
>> Let's see the output of the keytool command:
>>
>> cd /opt/red5/conf
>> keytool -list -keystore keystore
>> Enter keystore password:
>> xxxxx
>> Keystore type: JKS
>> Keystore provider: SUN
>>
>> Your keystore contains 2 entries
>>
>> vkc.krvostok.ru, Aug 16, 2017, PrivateKeyEntry,
>> Certificate fingerprint (SHA1): 7D:39:11:AA:76:5F:BF:D1:E5:57:99:67:D5:1C:B8:25:1A:D9:88:0F
>> root, Aug 16, 2017, trustedCertEntry,
>> Certificate fingerprint (SHA1): FF:2B:E0:44:3C:0F:83:36:6F:F0:6E:2F:1F:9A:83:F9:B0:1F:E1:45
>>
>> Is it OK?
>>
>> 2) add certificate to trusted certs of browser (icon should be green)
>> Done
>>
>> 3) correctly create red5 keystore/truststore
>> Done according to the reference http://openmeetings.apache.org/RTMPSAndHTTPS.html
>> truststore is a copy of keystore
>> OK?
>>
>> Maxim, I would like to draw on one detail.
>> A simple way to test an SSL-connection is to use the next command:
>> openssl s_client -connect FQDN:port
>> For example,
>> openssl s_client -connect www.mail.ru:443,
>> openssl s_client -connect www.ya.ru:443
>> and so on.
>> This way does not use browsers and allows to test ssl-connections at a lower level than using browsers.
>> This command does not work and hangs for my OM as I wrote before and I think that the question is not in the types of certificates (trusted or selfsigned ones).
>> But where is the problem? I don't know yet...
>>
>> Nik
>>
>> -----Original Message-----
>> From: Maxim Solodovnik [mailto:[email protected]]
>> Sent: Wednesday, August 16, 2017 5:51 PM
>> To: Openmeetings user-list
>> Subject: Re: [ANNOUNCE] HTTPS is now required
>>
>> Hello Nik,
>>
>> I'm trying to answer all emails, sorry if I missed yours :( To make self-signed certificate work with red5 you MUST
>> 1) add certificate to trusted certs of Java
>> 2) add certificate to trusted certs of browser (icon should be green)
>> 3) correctly create red5 keystore/truststore
>>
>> to provide further help I need your detailed steps
>>
>> On Wed, Aug 16, 2017 at 8:30 PM, Yakovlev N. <[email protected]> wrote:
>> > Hi Andreas,
>> > OK, your opinion is your opinion and I respect it.
>> > We speak about an internal OM service but not about the world one...
>> > I understand the trusted certificates are more preferable but in my case unnecessary I think.
>> > I'm not sure blacklists are my cases...
>> >
>> > Nik
>> >
>> > -----Original Message-----
>> > From: [email protected] [mailto:[email protected]]
>> > Sent: Wednesday, August 16, 2017 4:18 PM
>> > To: [email protected]
>> > Subject: Re: [ANNOUNCE] HTTPS is now required
>> >
>> > Hi Nik,
>> >
>> > sorry - I cannot agree to your "I cannot agree". Most email client programs do check certificates and deny connections if certificate is not trusted. May be 5% will work - but 95% will not (and tomorrow percentage is higher than today). I can not recommend to use any self-signed certificate (except for internal tasks). Additionally maybe you are added to blacklists if you are "on the air" using a self-signed certificate.
>> >
>> > Best regards
>> > Andreas
>> >
>> > On Wednesday, 16 August 2017, 16:01:52 CEST, Yakovlev N. wrote:
>> >> I don't agree.
>> >> I use selfsigned certificates on other corporate services successfully (mail, cloud and so on).
>> >> Yes, browsers ask questions but this is no problem. In this case such certificates must be added as trusted ones.
>> >>
>> >> Nik
>> >>
>> >> -----Original Message-----
>> >> From: [email protected] [mailto:[email protected]]
>> >> Sent: Wednesday, August 16, 2017 3:44 PM
>> >> To: [email protected]
>> >> Subject: Re: [ANNOUNCE] HTTPS is now required
>> >>
>> >> Self-signed will not be accepted by most browsers and will not work. The goal of SSL *IS THE POSSIBILITY OF VERIFICATION OF THE PAGE OWNER*...
>> >>
>> >> Try certificates from lets encrypt - they are free ;)
>> >>
>> >> Best regards
>> >> Andreas
>> >>
>> >> On Wednesday, 16 August 2017, 15:25:17 CEST, Yakovlev N. wrote:
>> >> > Hi, Maxim!
>> >> > I have some problems with SSL and no ideas to solve them.
>> >> > Five months ago I asked community how to install SSL on OM but nobody answered.
>> >> > (http://mail-archives.apache.org/mod_mbox/openmeetings-user/201703.mbox/browser Subject: SSL with OM Date Mon, 20 Mar 2017 08:30:40 GMT )
>> >> > The manual listed on page http://openmeetings.apache.org/RTMPSAndHTTPS.html did not help me.
>> >> > No any errors in logs, browser hangs and shows an empty page.
>> >> > Firefox outputs "Executing TLS-handshaking with vkc.krvostok.ru" on the left bottom side.
>> >> > The "openssl s_client -connect vkc.krvostok.ru:5443" command hangs also and outputs only one line: CONNECTED(00000003).
>> >> > Firewall is off, tcp-5443 port is listening on the OM host.
>> >> >
>> >> > Is there any roadmap of using selfsigned certificates for OM?
>> >> >
>> >> > Best regards
>> >> > Nik
>> >> >
>> >> > -----Original Message-----
>> >> > From: Maxim Solodovnik [mailto:[email protected]]
>> >> > Sent: Wednesday, August 16, 2017 7:23 AM
>> >> > To: Openmeetings user-list
>> >> > Subject: [ANNOUNCE] HTTPS is now required
>> >> >
>> >> > Hello All,
>> >> >
>> >> > Google developers are trying to move WWW to HTTPS
>> >> > To force this transition they restrict features available to HTTP sites in Chrome/Chromium
>> >> > Latest restriction is: Camera and microphone will not be available to JS/Flash code for HTTP sites: proof:
>> >> >
>> >> > "Microphone and Camera access no longer works on insecure origins. To use this feature, you should consider switching your application to a secure origin, such as HTTPS. See https://goo.gl/rStTGz for more details."
>> >> >
>> >> > So please set up HTTPS for your OM site to prevent camera/microphone issues.
>> >> >
>> >> > --
>> >> > WBR
>> >> > Maxim aka solomax
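
Added example, not part of the mailing-list thread and not OpenMeetings code: a pre-flight check of the three input files used by the keystore procedure quoted above (ca.crt, red5.key, red5.crt), run before the openssl pkcs12 and keytool steps. It also reproduces with OpenSSL the case Maxim describes, where the server certificate is trusted but its CA is not. The lab CA, the function names and the host other.example.com are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Every key and certificate below is
# throwaway lab material constructed here; file names follow the thread.

make_lab_pki() {              # $1 = work dir, $2 = server FQDN
  local d="$1" fqdn="$2"
  cat > "$d/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Lab Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  printf 'subjectAltName = DNS:%s\n' "$fqdn" > "$d/san.cnf"
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
      -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
  openssl req -new -config "$d/ca.cnf" -subj "/CN=$fqdn" -newkey rsa:2048 \
      -nodes -keyout "$d/red5.key" -out "$d/red5.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/red5.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
      -CAcreateserial -days 30 -extfile "$d/san.cnf" -out "$d/red5.crt" \
      2>/dev/null
}

chain_ok() {                  # $1 = file of trusted certs, $2 = server cert
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

key_matches_cert() {          # $1 = private key, $2 = certificate
  local k c
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]   # same public key on both sides
}

cert_names_host() {           # $1 = certificate, $2 = host name users type
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
      grep -q 'does match'
}

p12_cert_count() {            # $1 = work dir; the thread's step 2, read back
  openssl pkcs12 -export -in "$1/red5.crt" -inkey "$1/red5.key" \
      -out "$1/red5.p12" -name red5 -certfile "$1/ca.crt" \
      -passout pass:changeit 2>/dev/null || return 1
  openssl pkcs12 -in "$1/red5.p12" -passin pass:changeit -nokeys 2>/dev/null |
      grep -c 'BEGIN CERTIFICATE'
}

preflight() {                 # $1 = dir with ca.crt red5.key red5.crt, $2 = FQDN
  local d="$1" rc=0
  key_matches_cert "$d/red5.key" "$d/red5.crt" ||
      { echo "FAIL red5.key does not belong to red5.crt"; rc=1; }
  cert_names_host "$d/red5.crt" "$2" ||
      { echo "FAIL red5.crt does not name $2"; rc=1; }
  chain_ok "$d/ca.crt" "$d/red5.crt" ||
      { echo "FAIL red5.crt does not chain to ca.crt"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK inputs are consistent for $2"
  return "$rc"
}

# Demo on constructed files; vkc.company.com is the thread's example FQDN.
demo_dir=$(mktemp -d)
if make_lab_pki "$demo_dir" vkc.company.com; then
  preflight "$demo_dir" vkc.company.com
  echo "certificates in red5.p12: $(p12_cert_count "$demo_dir")"
  # Trusting only the server certificate leaves its issuer unknown.
  chain_ok "$demo_dir/red5.crt" "$demo_dir/red5.crt" ||
      echo "red5.crt alone is not enough: the issuing CA is missing"
fi
rm -rf "$demo_dir"
```

Call preflight with the directory that holds your own ca.crt, red5.key and red5.crt and the host name users type, instead of the constructed lab files.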
