If you plan to use this certificate for OM only, please select Tomcat. All instructions refer to *.crt files; in that case you most probably need to specify "Apache".
On Thu, Aug 24, 2017 at 12:36 AM, Ramón Zárate Moedano <[email protected]> wrote:
> No no .. when you ask for an SSL cert, namecheap asks the type of server you are using to install this SSL cert.
>
> 2017-08-23 12:26 GMT-05:00 Maxim Solodovnik <[email protected]>:
>> Why do you need an additional server?
>> Are you going to set up a proxy?
>>
>> On Thu, Aug 24, 2017 at 12:19 AM, Ramón Zárate Moedano <[email protected]> wrote:
>>> Hello everyone.
>>>
>>> I am issuing an SSL certificate with namecheap, to use a "real one".
>>>
>>> What kind of server type do I have to choose?
>>> 1. Apache / cpanel
>>> 2. Microsoft IIS / Tomcat
>>>
>>> Thanks.
>>>
>>> 2017-08-23 11:41 GMT-05:00 Maxim Solodovnik <[email protected]>:
>>>> Hello Nick,
>>>>
>>>> please check this: https://builds.apache.org/view/M-R/view/OpenMeetings/job/Openmeetings%203.3.x/site/openmeetings-server/RTMPSAndHTTPS.html
>>>> I'm not sure what the difference between v1 and v2 is, too much text :(
>>>>
>>>> Thanks a lot for the contribution!
>>>>
>>>> On Wed, Aug 23, 2017 at 3:30 PM, Yakovlev N. <[email protected]> wrote:
>>>>> Maxim,
>>>>>
>>>>> red5.key was missing.
>>>>>
>>>>> The second edition. :)
>>>>>
>>>>> Using self-signed certificates.
>>>>>
>>>>> Prerequisites:
>>>>> - CA's root certificate: ca.crt
>>>>> - server key: red5.key (the Distinguished Name given when creating the key should be the FQDN of your site, for example vkc.company.com)
>>>>> - self-signed server certificate: red5.crt
>>>>>
>>>>> Preparing the OM server.
>>>>>
>>>>> 1. Rename the existing keystore file red5/conf/keystore.jks to red5/conf/keystore.jks.bak.
>>>>>    Rename the existing truststore file red5/conf/truststore.jks to red5/conf/truststore.jks.bak.
>>>>>
>>>>> 2. Export the existing keys into PKCS12 format:
>>>>>    enter the folder where ca.crt and red5.crt are placed
>>>>>    openssl pkcs12 -export -in red5.crt -inkey red5.key -out red5.p12 -name red5 -certfile ca.crt
>>>>>
>>>>> 3. Import the resulting red5.p12 into the keystore:
>>>>>    keytool -importkeystore -srcstorepass changeit -srckeystore red5.p12 -srcstoretype PKCS12 -deststorepass changeit -destkeystore /opt/red5/conf/keystore.jks -alias red5
>>>>>    This command creates keystore.jks with the password changeit (may be any password).
>>>>>
>>>>> 4. Import your CA's root certificate into the keystore:
>>>>>    keytool -import -alias root -keystore /opt/red5/conf/keystore.jks -trustcacerts -file ca.crt
>>>>>    (you need to enter the password to keystore.jks: changeit)
>>>>>
>>>>> 5. Copy the keystore to the truststore:
>>>>>    cd /opt/red5/conf
>>>>>    cp keystore.jks truststore.jks
>>>>>
>>>>> 6. Change /opt/red5/conf/red5.properties:
>>>>>    rtmps.keystorepass=changeit
>>>>>    rtmps.truststorepass=changeit
>>>>>    jmx.keystorepass=changeit
>>>>>
>>>>> 7. Set up SSL according to the "SSL for the web interface" section.
>>>>>
>>>>> 8. Set up RTMPS according to the "Tunneling RTMPS" or "Native RTMPS" sections.
>>>>>
>>>>> 9. Restart the OM service or the whole OM server. Now the OM server is ready to accept SSL connections.
>>>>>
>>>>> Preparing the clients.
>>>>>
>>>>> 1. Add the ca.crt certificate as trusted into the CA list on all Windows PCs at the system level (certmgr.msc applet).
>>>>>
>>>>> 2. Add the ca.crt certificate as trusted into Firefox if it is used (Firefox uses its own certificate store).
>>>>>
>>>>> 3. Add the ca.crt certificate into %JAVA%\lib\security\cacerts with the keytool utility on the PC that organizes screen sharing.
>>>>>
>>>>>    For example, Java Version 8 Update 144 has been installed on a Windows machine in the default location path.
>>>>>    Copy ca.crt to a folder: c:\ca.crt
>>>>>    Start the command line interface as administrator:
>>>>>    runas /user:AdminAccount cmd.exe
>>>>>    Enter the admin password.
>>>>>    Enter the bin directory of Java:
>>>>>    cd "c:\Program Files\Java\jre1.8.0_144\bin"
>>>>>    Import ca.crt into the keystore:
>>>>>    keytool -import -alias root -keystore ..\lib\security\cacerts -file c:\ca.crt
>>>>>    Enter the password to the keystore: changeit
>>>>>
>>>>> Now the clients are ready to connect to OM via SSL.
>>>>>
>>>>> *From:* Yakovlev N. [mailto:[email protected]]
>>>>> *Sent:* Wednesday, August 23, 2017 11:04 AM
>>>>> *To:* [email protected]
>>>>> *Subject:* RE: [ANNOUNCE] HTTPS is now required
>>>>>
>>>>> Hi Maxim,
>>>>>
>>>>> This is the first edition of the "self-signed" section.
>>>>>
>>>>> Using self-signed certificates.
>>>>>
>>>>> Prerequisites:
>>>>> - CA's root certificate: ca.crt
>>>>> - self-signed server certificate: red5.crt (the Distinguished Name given when creating the certificate should be the FQDN of your site, for example vkc.company.com)
>>>>>
>>>>> Preparing the OM server.
>>>>>
>>>>> 1. Rename the existing keystore file red5/conf/keystore.jks to red5/conf/keystore.jks.bak.
>>>>>    Rename the existing truststore file red5/conf/truststore.jks to red5/conf/truststore.jks.bak.
>>>>>
>>>>> 2. Export the existing keys into PKCS12 format:
>>>>>    enter the folder where ca.crt and red5.crt are placed
>>>>>    openssl pkcs12 -export -in red5.crt -inkey red5.key -out red5.p12 -name red5 -certfile ca.crt
>>>>>
>>>>> 3. Import the resulting red5.p12 into the keystore:
>>>>>    keytool -importkeystore -srcstorepass changeit -srckeystore red5.p12 -srcstoretype PKCS12 -deststorepass changeit -destkeystore /opt/red5/conf/keystore.jks -alias red5
>>>>>    This command creates keystore.jks with the password changeit (may be any password).
>>>>>
>>>>> 4. Import your CA's root certificate into the keystore:
>>>>>    keytool -import -alias root -keystore /opt/red5/conf/keystore.jks -trustcacerts -file ca.crt
>>>>>    (you need to enter the password to keystore.jks: changeit)
>>>>>
>>>>> 5. Copy the keystore to the truststore:
>>>>>    cd /opt/red5/conf
>>>>>    cp keystore.jks truststore.jks
>>>>>
>>>>> 6. Change the passwords in /opt/red5/conf/red5.properties:
>>>>>    rtmps.keystorepass=changeit
>>>>>    rtmps.truststorepass=changeit
>>>>>    jmx.keystorepass=changeit
>>>>>
>>>>> 7. Set up SSL according to the "SSL for the web interface" section.
>>>>>
>>>>> 8. Set up RTMPS according to the "Tunneling RTMPS" or "Native RTMPS" sections.
>>>>>
>>>>> 9. Restart the OM service or the whole OM server. Now the OM server is ready to accept SSL connections.
>>>>>
>>>>> Preparing the clients.
>>>>>
>>>>> 1. Add the ca.crt certificate as trusted into the CA list on all Windows PCs at the system level (certmgr.msc applet).
>>>>>
>>>>> 2. Add the ca.crt certificate as trusted into Firefox if it is used (Firefox uses its own certificate store).
>>>>>
>>>>> 3. Add the ca.crt certificate into %JAVA%\lib\security\cacerts with the keytool utility on the PC that organizes screen sharing.
>>>>>
>>>>>    For example, Java Version 8 Update 144 has been installed on a Windows machine in the default location path.
>>>>>    Copy ca.crt to a folder: c:\ca.crt
>>>>>    Start the command line interface as administrator:
>>>>>    runas /user:AdminAccount cmd.exe
>>>>>    Enter the admin password.
>>>>>    Enter the bin directory of Java:
>>>>>    cd "c:\Program Files\Java\jre1.8.0_144\bin"
>>>>>    Import ca.crt into the keystore:
>>>>>    keytool -import -alias root -keystore ..\lib\security\cacerts -file c:\ca.crt
>>>>>    Enter the password to the keystore: changeit
>>>>>
>>>>> Now the clients are ready to connect to OM via SSL: https://vkc.company.com:5443.
>>>>>
>>>>> Nik
>>>>>
>>>>> *From:* Maxim Solodovnik [mailto:[email protected]]
>>>>> *Sent:* Wednesday, August 23, 2017 8:58 AM
>>>>> *To:* Openmeetings user-list
>>>>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>>>>
>>>>> I believe this is correct.
>>>>>
>>>>> Will try to add a "Self-signed" section to the site.
>>>>>
>>>>> On Wed, Aug 23, 2017 at 12:54 PM, Yakovlev N. <[email protected]> wrote:
>>>>> OK.
>>>>>
>>>>> I would like to sum up all the work with SSL, and I think it will be interesting for our community.
>>>>>
>>>>> 1. Self-signed certificates can be used, but using them requires some manual operations:
>>>>> 1.1. The certificates (root CA and server) must be installed into /opt/red5/conf/keystore.jks and /opt/red5/conf/truststore.jks on the OM server, as described on the http://openmeetings.apache.org/RTMPSAndHTTPS.html page.
>>>>> 1.2. It is not necessary to add the root certificate into java/cacerts on the OM server, because everything works OK with the java/cacerts installed by default.
>>>>> 1.3. The root certificate must be added as trusted into the CA list on all Windows PCs at the system level (certmgr.msc applet).
>>>>> 1.4. The root certificate must be added as trusted into Firefox if it is used (FF has its own store for certificates).
>>>>> 1.5. The root certificate must be added into %JAVA%\lib\security\cacerts with the keytool utility on the PC that organizes screen sharing.
>>>>>
>>>>> 2. The use of real certificates is preferable, since it does not require as much work as described above.
>>>>> There are only two places where the certificates have to be installed: see 1.1 and 1.5 above.
>>>>>
>>>>> 3. The http://openmeetings.apache.org/RTMPSAndHTTPS.html page should be changed and supplemented.
>>>>> It will allow us to exclude a lot of questions from OM users, the questions that I had to meet.
>>>>>
>>>>> Is all correct?
>>>>>
>>>>> Nik
>>>>>
>>>>> *From:* Maxim Solodovnik [mailto:[email protected]]
>>>>> *Sent:* Wednesday, August 23, 2017 7:41 AM
>>>>> *To:* Openmeetings user-list
>>>>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>>>>
>>>>> I believe this is standard behavior for Windows systems.
>>>>>
>>>>> On Tue, Aug 22, 2017 at 6:37 PM, Yakovlev N. <[email protected]> wrote:
>>>>> After adding the CA into the Windows system store, entering rooms works well.
>>>>> Does FF use not only its own CA store but also the CA store in the system?! Or is it not FF?
>>>>>
>>>>> *From:* Maxim Solodovnik [mailto:[email protected]]
>>>>> *Sent:* Tuesday, August 22, 2017 2:05 PM
>>>>> *To:* Openmeetings user-list
>>>>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>>>>
>>>>> ERR_UNKNOWN_ISSUER is most probably caused by the fact that
>>>>> 1) the server cert was added to trusted
>>>>> 2) the CA was not added
>>>>>
>>>>> In case of Windows it is worth adding the CA at the system level AND to the browser (CA tab with permission to verify sites, code etc. I would check all checkboxes).
>>>>>
>>>>> On Tue, Aug 22, 2017 at 4:41 PM, Yakovlev N. <[email protected]> wrote:
>>>>> Yes, the CA certificate was added as trusted.
>>>>> I found one difference in the behavior of FF when it connects to https sites with self-signed certificates.
>>>>> Typically, the first connection prompts you to add the site to an exception, but the OM server does not give us this option.
>>>>> See pls the two screenshots.
>>>>> This occurs before the CA is added to the Trusted CAs list. If a root certificate is first added to the CAs list, then we can access the OM cabinet with a green lock icon, but will have the errors in the rooms as I wrote before.
>>>>> There is something in the OM webserver.....
>>>>>
>>>>> Nik
>>>>>
>>>>> *From:* Maxim Solodovnik [mailto:[email protected]]
>>>>> *Sent:* Tuesday, August 22, 2017 11:54 AM
>>>>> *To:* Openmeetings user-list
>>>>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>>>>
>>>>> I guess the CA was added to the trusted CAs of FF?
>>>>>
>>>>> On Tue, Aug 22, 2017 at 3:40 PM, Maxim Solodovnik <[email protected]> wrote:
>>>>> This is the issue of a "self-signed" certificate.
>>>>> A "real" certificate provides the way to ensure it wasn't revoked.
>>>>>
>>>>> I would recommend setting up one of the free real certificates on the prod system.
>>>>>
>>>>> On Tue, Aug 22, 2017 at 2:45 PM, Yakovlev N. <[email protected]> wrote:
>>>>> Hi Maxim,
>>>>> You were right when you suggested adding a CA certificate into the client machine with screen sharing. I had added the root certificate incorrectly, via "java control panel->security->manage certificates". That is wrong and not necessary. The certificate must be inserted into java/keystore with the keytool utility.
>>>>> Now screen sharing works as expected.
>>>>> But...
>>>>> I tried to connect from other machines to the machine with screen sharing, and all worked fine with remote desktop if IE was used, but not Firefox.
>>>>> The error screenshots are attached, and the errors take place when entering any room.
>>>>> Do you know how to resolve it? And why only FF?
>>>>> The latest version of FF and Adobe Flash Player for FF is used.
>>>>>
>>>>> Nik
>>>>>
>>>>> *From:* Maxim Solodovnik [mailto:[email protected]]
>>>>> *Sent:* Monday, August 21, 2017 11:46 AM
>>>>> *To:* Openmeetings user-list
>>>>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>>>>
>>>>> I guess the first thing to do is to ensure that
>>>>> the jre used by javaws
>>>>> and
>>>>> the jre containing the cacerts
>>>>> are the same jre.
>>>>>
>>>>> This can be checked by inspecting PATH and checking which binaries are actually started, using the system task manager.
>>>>>
>>>>> On Mon, Aug 21, 2017 at 3:00 PM, Yakovlev N. <[email protected]> wrote:
>>>>> First I tried to add only one CA certificate to Java on a client machine.
>>>>> Then the site certificate was added for additional checking.
>>>>> Both cases were unsuccessful.
>>>>> What should I do next?
>>>>>
>>>>> *From:* Maxim Solodovnik [mailto:[email protected]]
>>>>> *Sent:* Monday, August 21, 2017 9:51 AM
>>>>> *To:* Openmeetings user-list
>>>>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>>>>
>>>>> Works for me.
>>>>>
>>>>> What were your steps?
>>>>>
>>>>> BTW, no need to add the site certificate to trusted certs in case you have the Root CA. A verified Root CA will successfully validate the site cert.
>>>>>
>>>>> On Mon, Aug 21, 2017 at 1:44 PM, Yakovlev N. <[email protected]> wrote:
>>>>> No,
>>>>> It did not help.
>>>>> The client machine is Windows; the CA root certificate (crt) and the client self-signed certificate (p12) have been added into Java via java control panel->security->manage certificates.
>>>>>
>>>>> The full error log is:
>>>>>
>>>>> ERROR 08-21 09:39:23.861 63 o.a.o.s.RTMPTSScreenShare [Thread-23] - {}
>>>>> sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>>         at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
>>>>>         at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
>>>>>         at sun.security.validator.Validator.validate(Unknown Source)
>>>>>         at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
>>>>>         at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
>>>>>         at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>>>>>         at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
>>>>>         at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
>>>>>         at sun.security.ssl.Handshaker.processLoop(Unknown Source)
>>>>>         at sun.security.ssl.Handshaker.process_record(Unknown Source)
>>>>>         at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
>>>>>         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
>>>>>         at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>>>>>         at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>>>>>         at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
>>>>>         at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
>>>>>         at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
>>>>>         at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
>>>>>         at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
>>>>>         at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
>>>>>         at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
>>>>>         at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
>>>>>         at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
>>>>>         at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:118)
>>>>>         at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
>>>>>         at org.red5.client.net.rtmps.RTMPTSClientConnector.openConnection(RTMPTSClientConnector.java:139)
>>>>>         at org.red5.client.net.rtmps.RTMPTSClientConnector.run(RTMPTSClientConnector.java:64)
>>>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>>         at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
>>>>>         at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
>>>>>         at java.security.cert.CertPathBuilder.build(Unknown Source)
>>>>>         ... 27 common frames omitted
>>>>> sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>> No context named default was found!!
>>>>>
>>>>> *From:* Maxim Solodovnik [mailto:[email protected]]
>>>>> *Sent:* Monday, August 21, 2017 8:45 AM
>>>>> *To:* Openmeetings user-list
>>>>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>>>>
>>>>> You can fix it by adding the self-signed CA to java/cacerts on the "client" machine (the machine the screen-sharing web app is started on).
>>>>>
>>>>> On Mon, Aug 21, 2017 at 11:51 AM, Yakovlev N. <[email protected]> wrote:
>>>>> Tunneling RTMPS
>>>>>
>>>>> *From:* Maxim Solodovnik [mailto:[email protected]]
>>>>> *Sent:* Monday, August 21, 2017 5:56 AM
>>>>> *To:* Openmeetings user-list
>>>>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>>>>
>>>>> What type of SSL are you checking? "native" or "tunneled"?
>>>>>
>>>>> On Sun, Aug 20, 2017 at 10:45 AM, Yakovlev N. <[email protected]> wrote:
>>>>> Hi Maxim,
>>>>> Screen sharing with SSL does not work.
>>>>>
>>>>> Java outputs the following errors:
>>>>> ERROR 08-20 06:00:11.429 63 o.a.o.s.RTMPTSScreenShare [Thread-22] - {}
>>>>> sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>>
>>>>> Where can the datastore for screen sharing be placed, and what is its file name?
>>>>> /opt/red5/conf/keystore.screen.jks or /opt/red5/conf/keystore.screen ?
>>>>> Where should the password for this keystore be assigned?
>>>>> The /opt/red5/conf/jee-container.xml and /opt/red5/conf/red5.properties files contain the following parameters:
>>>>>
>>>>> key="keystoreFile" value=......
>>>>> key="keystorePass" value=......
>>>>> key="truststoreFile" value=......
>>>>> key="truststorePass" value=......
>>>>>
>>>>> rtmps.keystorepass=xxxxx
>>>>> rtmps.keystorefile=conf/keystore.jks
>>>>> rtmps.truststorepass=xxxxx
>>>>> rtmps.truststorefile=conf/truststore.jks
>>>>>
>>>>> But for screen sharing I could not find relevant information.
>>>>>
>>>>> Best regards,
>>>>> Nik
>>>>>
>>>>> *From:* Yakovlev N. [mailto:[email protected]]
>>>>> *Sent:* Saturday, August 19, 2017 8:23 AM
>>>>> *To:* [email protected]
>>>>> *Subject:* RE: [ANNOUNCE] HTTPS is now required
>>>>>
>>>>> Hi Maxim,
>>>>> SSL is working fine.
>>>>> I found a mistake in the http://openmeetings.apache.org/RTMPSAndHTTPS.html manual:
>>>>> All keytool commands must have the filename keystore.jks, not keystore without extension. :)
>>>>> This also applies to the filename truststore: it should be truststore.jks.
>>>>>
>>>>> Otherwise the names of keystore and truststore should be changed in /opt/red5/conf/red5.properties.
>>>>>
>>>>> Nik
>>>>>
>>>>> *From:* Maxim Solodovnik [mailto:[email protected]]
>>>>> *Sent:* Saturday, August 19, 2017 7:23 AM
>>>>> *To:* Openmeetings user-list
>>>>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>>>>
>>>>> I'll try to check the steps with a self-signed cert and will report back.
>>>>>
>>>>> On Sat, Aug 19, 2017 at 11:21 AM, Yakovlev N. <[email protected]> wrote:
>>>>> Hello Ramon,
>>>>> All the hope is on Maxim....:)
>>>>>
>>>>> Nik
>>>>>
>>>>> *From:* Ramón Zárate Moedano [mailto:[email protected]]
>>>>> *Sent:* Saturday, August 19, 2017 2:22 AM
>>>>> *To:* [email protected]
>>>>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>>>>
>>>>> Hello everyone ...
>>>>>
>>>>> I just cannot install SSL (from namecheap) ... this is beyond my skills.
>>>>>
>>>>> Is there someone who can help me with the installation in exchange for some money????
>>>>>
>>>>> Thanks in advance.
>>>>>
>>>>> 2017-08-18 1:23 GMT-05:00 Yakovlev N. <[email protected]>:
>>>>> Hi Maxim,
>>>>> Thanks for the reply.
>>>>> I've reinstalled the certificates two times, but SSL does not work.
>>>>> 1. Both certificates, root CA and the client one, were added into /etc/pki/ca-trust/extracted/java/cacerts (this place is for CentOS) with the commands:
>>>>> keytool -import -keystore cacerts -file red5.crt -alias red5
>>>>> keytool -import -keystore cacerts -trustcacerts -file ca.crt -alias root
>>>>> 2. As you recommended, OM was started with red5-debug + the option "-Djavax.net.debug=all".
>>>>> The logs have nothing while an SSL session is being established.
>>>>> To exclude the impact of browsers, I tried to start a session using telnet.
>>>>> Sessions to port 5080 (non-SSL) were recorded in the logs, but sessions to 5443 were not.
>>>>> In this case, the netstat command shows ESTABLISHED status to port 5443.
>>>>> The firewall is off.
>>>>> According to http://openmeetings.apache.org/RTMPSAndHTTPS.html two config files have to be changed:
>>>>> 1. Edit the red5/conf/jee-container.xml file:
>>>>> Comment the "Tomcat without SSL enabled" section
>>>>> Uncomment the "Tomcat with SSL enabled" section
>>>>> 2. Edit red5/webapps/openmeetings/public/config.xml and set
>>>>> <protocol>https</protocol>
>>>>> <red5httpport>5443</red5httpport>
>>>>> Are these changes enough, or is more needed?
>>>>>
>>>>> Best regards,
>>>>> Nik
>>>>>
>>>>> *From:* Maxim Solodovnik [mailto:[email protected]]
>>>>> *Sent:* Thursday, August 17, 2017 10:28 AM
>>>>> *To:* Openmeetings user-list
>>>>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>>>>
>>>>> Here is a useful link.
>>>>> I'm using these scripts (with some modifications); Chrome shows a green icon :)
>>>>> https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate/43666288#43666288
>>>>>
>>>>> On Thu, Aug 17, 2017 at 2:25 PM, Maxim Solodovnik <[email protected]> wrote:
>>>>> The steps on the site are for "real" certificates ...
>>>>> 1) add certificate to trusted certs of Java
>>>>>
>>>>> means Java needs to know about your certificate. I'm using a self-signed CA for testing and I'm adding it to
>>>>> /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts
>>>>>
>>>>> Additionally I would recommend running red5 using red5-debug and modifying it by adding "*-Djavax.net.debug=all*" to see all SSL messages.
>>>>>
>>>>> On Thu, Aug 17, 2017 at 1:23 PM, Yakovlev N. <[email protected]> wrote:
>>>>> Hello Maxim,
>>>>> Don't worry that my question was missed, because we all understand how much work you do.
>>>>> Your message made me return to the question of HTTPS for OM.
>>>>>
>>>>> So...
>>>>> 1) add certificate to trusted certs of Java
>>>>>
>>>>> Let's see the output of the keytool command:
>>>>>
>>>>> cd /opt/red5/conf
>>>>> keytool -list -keystore keystore
>>>>> Enter keystore password:
>>>>> xxxxx
>>>>> Keystore type: JKS
>>>>> Keystore provider: SUN
>>>>>
>>>>> Your keystore contains 2 entries
>>>>>
>>>>> vkc.krvostok.ru, Aug 16, 2017, PrivateKeyEntry,
>>>>> Certificate fingerprint (SHA1): 7D:39:11:AA:76:5F:BF:D1:E5:57:99:67:D5:1C:B8:25:1A:D9:88:0F
>>>>> root, Aug 16, 2017, trustedCertEntry,
>>>>> Certificate fingerprint (SHA1): FF:2B:E0:44:3C:0F:83:36:6F:F0:6E:2F:1F:9A:83:F9:B0:1F:E1:45
>>>>>
>>>>> Is it OK?
>>>>>
>>>>> 2) add certificate to trusted certs of browser (icon should be green)
>>>>> Done
>>>>>
>>>>> 3) correctly create red5 keystore/truststore
>>>>> Done according to the reference http://openmeetings.apache.org/RTMPSAndHTTPS.html
>>>>> truststore is a copy of keystore
>>>>> OK?
>>>>>
>>>>> Maxim, I would like to draw attention to one detail.
>>>>> A simple way to test an SSL connection is to use the following command:
>>>>> openssl s_client -connect FQDN:port
>>>>> For example,
>>>>> openssl s_client -connect www.mail.ru:443,
>>>>> openssl s_client -connect www.ya.ru:443
>>>>> and so on.
>>>>> This way does not use browsers and allows testing SSL connections at a lower level than browsers.
>>>>> This command does not work and hangs for my OM, as I wrote before, and I think that the question is not in the types of certificates (trusted or self-signed ones).
>>>>> But where is the problem? I don't know yet...
>>>>> Nik
>>>>>
>>>>> -----Original Message-----
>>>>> From: Maxim Solodovnik [mailto:[email protected]]
>>>>> Sent: Wednesday, August 16, 2017 5:51 PM
>>>>> To: Openmeetings user-list
>>>>> Subject: Re: [ANNOUNCE] HTTPS is now required
>>>>>
>>>>> Hello Nik,
>>>>>
>>>>> I'm trying to answer all emails, sorry if I missed yours :( To make a self-signed certificate work with red5 you MUST
>>>>> 1) add certificate to trusted certs of Java
>>>>> 2) add certificate to trusted certs of browser (icon should be green)
>>>>> 3) correctly create red5 keystore/truststore
>>>>>
>>>>> To provide further help I need your detailed steps.
>>>>>
>>>>> On Wed, Aug 16, 2017 at 8:30 PM, Yakovlev N. <[email protected]> wrote:
>>>>> > Hi Andreas,
>>>>> > OK, your opinion is your opinion and I respect it.
>>>>> > We speak about an internal OM service, not about a world one...
>>>>> > I understand that trusted certificates are preferable, but in my case unnecessary, I think.
>>>>> > I'm not sure blacklists are my case...
>>>>> >
>>>>> > Nik
>>>>> >
>>>>> > -----Original Message-----
>>>>> > From: [email protected] [mailto:[email protected]]
>>>>> > Sent: Wednesday, August 16, 2017 4:18 PM
>>>>> > To: [email protected]
>>>>> > Subject: Re: [ANNOUNCE] HTTPS is now required
>>>>> >
>>>>> > Hi Nik,
>>>>> >
>>>>> > sorry - I cannot agree to your "I cannot agree". Most email client programs do check certificates and deny connections if the certificate is not trusted. Maybe 5% will work - but 95% will not (and tomorrow the percentage is higher than today). I cannot recommend using any self-signed certificate (except for internal tasks). Additionally, maybe you are added to blacklists if you are "on the air" using a self-signed certificate.
>>>>> >
>>>>> > Best regards
>>>>> > Andreas
>>>>> >
>>>>> > On Wednesday, 16 August 2017, 16:01:52 CEST, Yakovlev N. wrote:
>>>>> >> I don't agree.
>>>>> >> I use self-signed certificates on other corporate services successfully (mail, cloud and so on).
>>>>> >> Yes, browsers ask questions, but this is no problem. In this case such certificates must be added as trusted ones.
>>>>> >>
>>>>> >> Nik
>>>>> >>
>>>>> >> -----Original Message-----
>>>>> >> From: [email protected] [mailto:[email protected]]
>>>>> >> Sent: Wednesday, August 16, 2017 3:44 PM
>>>>> >> To: [email protected]
>>>>> >> Subject: Re: [ANNOUNCE] HTTPS is now required
>>>>> >>
>>>>> >> Self-signed will not be accepted by most browsers and will not work. The goal of SSL *IS THE POSSIBILITY OF VERIFICATION OF THE PAGE OWNER*...
>>>>> >>
>>>>> >> Try certificates from Let's Encrypt - they are free ;)
>>>>> >>
>>>>> >> Best regards
>>>>> >> Andreas
>>>>> >>
>>>>> >> On Wednesday, 16 August 2017, 15:25:17 CEST, Yakovlev N. wrote:
>>>>> >> > Hi, Maxim!
>>>>> >> > I have some problems with SSL and no ideas how to solve them.
>>>>> >> > Five months ago I asked the community how to install SSL on OM, but nobody answered.
>>>>> >> > (http://mail-archives.apache.org/mod_mbox/openmeetings-user/201703.mbox/browser Subject: SSL with OM Date Mon, 20 Mar 2017 08:30:40 GMT )
>>>>> >> > The manual listed on the page http://openmeetings.apache.org/RTMPSAndHTTPS.html did not help me.
>>>>> >> > No errors in the logs; the browser hangs and shows an empty page.
>>>>> >> > Firefox outputs "Executing TLS-handshaking with vkc.krvostok.ru" on the bottom left side.
>>>>> >> > The "openssl s_client -connect vkc.krvostok.ru:5443" command also hangs and outputs only one line: CONNECTED(00000003).
>>>>> >> > The firewall is off, tcp port 5443 is listening on the OM host.
>>>>> >> >
>>>>> >> > Is there any roadmap for using self-signed certificates for OM?
>>>>> >> >
>>>>> >> > Best regards
>>>>> >> > Nik
>>>>> >> >
>>>>> >> > -----Original Message-----
>>>>> >> > From: Maxim Solodovnik [mailto:[email protected]]
>>>>> >> > Sent: Wednesday, August 16, 2017 7:23 AM
>>>>> >> > To: Openmeetings user-list
>>>>> >> > Subject: [ANNOUNCE] HTTPS is now required
>>>>> >> >
>>>>> >> > Hello All,
>>>>> >> >
>>>>> >> > Google developers are trying to move the WWW to HTTPS. To force this transition they restrict features available to HTTP sites in Chrome/Chromium. The latest restriction is: camera and microphone will not be available to JS/Flash code for HTTP sites. Proof:
>>>>> >> >
>>>>> >> > "Microphone and Camera access no longer works on insecure origins. To use this feature, you should consider switching your application to a secure origin, such as HTTPS. See https://goo.gl/rStTGz for more details."
>>>>> >> >
>>>>> >> > So please set up HTTPS for your OM site to prevent camera/microphone issues.
>>>>> >> >
>>>>> >> > --
>>>>> >> > WBR
>>>>> >> > Maxim aka solomax

--
WBR
Maxim aka solomax
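The self-signed procedure that runs through this thread (private CA root ca.crt, server key red5.key, certificate red5.crt, the openssl pkcs12 export and the keytool imports into keystore.jks/truststore.jks) as one script, plus the check that explains the PKIX "unable to find valid certification path" and ERR_UNKNOWN_ISSUER errors discussed above: a client that trusts only red5.crt cannot build a chain, a client that trusts ca.crt can. This is an added example, not code from the OpenMeetings site or from anyone in the thread. The host name vkc.company.com, the CA name "Example Internal CA", the password changeit and the temporary working directory are assumptions; the server certificate also carries the FQDN as a subjectAltName, which browsers require; the keytool steps run only if a JDK is on the PATH.

```shell
#!/bin/sh
# Added example: private CA + OM server certificate + trust-store checks.
# Not from the OpenMeetings site or the thread. File names follow the thread;
# FQDN, CA name, password and WORK directory are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
FQDN="${FQDN:-vkc.company.com}"       # assumed: use your OM server's FQDN
STOREPASS="${STOREPASS:-changeit}"    # assumed: same value as rtmps.keystorepass

# 1. Private CA. The config is explicit so the root gets real CA extensions
#    regardless of the system openssl.cnf.
make_ca() {
    cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Internal CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Server key and CA-signed certificate: CN = FQDN (as the thread says) and
#    the same FQDN in the SAN, which is what browsers actually match.
make_server_cert() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$FQDN" > "$WORK/req.cnf"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$FQDN" > "$WORK/server.ext"
    openssl genrsa -out "$WORK/red5.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/red5.key" -config "$WORK/req.cnf" -out "$WORK/red5.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/red5.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -sha256 -days 825 -extfile "$WORK/server.ext" \
        -out "$WORK/red5.crt" 2>/dev/null
}

# 3. PKCS12 bundle (key + cert + CA) for keytool -importkeystore, as in the thread.
make_p12() {
    openssl pkcs12 -export -in "$WORK/red5.crt" -inkey "$WORK/red5.key" \
        -certfile "$WORK/ca.crt" -name red5 -passout "pass:$STOREPASS" -out "$WORK/red5.p12"
}

# What a client does when it trusts the CA: chain builds, exit 0.
verify_with_ca() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/red5.crt" >/dev/null 2>&1
}
# What a client does when it trusts only the server certificate: no issuer,
# no chain to a self-signed root, non-zero exit. This is the "PKIX path
# building failed" / ERR_UNKNOWN_ISSUER situation from the thread.
verify_with_leaf_only() {
    openssl verify -CAfile "$WORK/red5.crt" "$WORK/red5.crt" >/dev/null 2>&1
}

# SAN of the issued certificate, e.g. "DNS:vkc.company.com".
server_san() {
    openssl x509 -in "$WORK/red5.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# 4. The keystore/truststore steps from the thread; skipped when keytool is absent.
make_keystore() {
    command -v keytool >/dev/null 2>&1 || return 0
    keytool -importkeystore -noprompt -srckeystore "$WORK/red5.p12" -srcstoretype PKCS12 \
        -srcstorepass "$STOREPASS" -destkeystore "$WORK/keystore.jks" \
        -deststorepass "$STOREPASS" -alias red5 >/dev/null 2>&1
    keytool -import -noprompt -alias root -trustcacerts -file "$WORK/ca.crt" \
        -keystore "$WORK/keystore.jks" -storepass "$STOREPASS" >/dev/null 2>&1
    cp "$WORK/keystore.jks" "$WORK/truststore.jks"
    keytool -list -keystore "$WORK/keystore.jks" -storepass "$STOREPASS" 2>/dev/null \
        | grep -q 'PrivateKeyEntry'
}

# Whole procedure; returns 0 only if the CA-trusting check passes and the
# leaf-only check fails, which is the behaviour a correctly built chain must show.
run_all() {
    make_ca && make_server_cert && make_p12 || return 1
    verify_with_ca || { echo "chain check with ca.crt failed" >&2; return 1; }
    if verify_with_leaf_only; then
        echo "unexpected: red5.crt alone accepted as trust anchor" >&2; return 1
    fi
    make_keystore || return 1
    echo "ok: $WORK contains ca.crt red5.key red5.crt red5.p12 (and keystore.jks/truststore.jks if keytool was found)"
}
```

Source the file and call run_all, or call the functions one by one; point WORK at red5/conf and STOREPASS at the value in red5.properties when doing it for real. The leaf-only failure is the reason the thread settles on importing ca.crt (not red5.crt) into the Windows store, Firefox and the screen-sharing JRE's cacerts.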
