Ok, at the time being, I won't switch to root...
I "sudo shutdown -r now" and waited. The server has gone on again (website
"https://domain.eu<https://domain.eu:5443/openmeetings>" reachable). I
connected through SSH and typed:
sudo /etc/init.d/mysql start
sudo /etc/init.d/tomcat3 start
Now I'm waiting... But I can't connect at all to OpenMeetings with the URL that
previously worked ("https://domain.eu:5443/openmeetings";): Firefox can not
establish a connection with this address...
Thank you all and have a good night,
Xavier
Le 04/07/2019 à 22:05, Stefan Kühl a écrit :
Ok, please restart the server and it should work.
If you use open500 as folder open500/conf is correct.
Just restart it.
Greetz
Stefan
PS: if you want to access to "permission denied" folders you need to switch to
root, sudo won't work in this case. But be careful, keep in mind that you
change the ownership if you change files as root.
Bonne soiree
Am 04.07.2019 21:57, schrieb Xavier M:
Thank you!
Each command line worked... But it did not change anything when I want to log
in. Maybe shall I restart "a service"?
NB : as OM_Folder, I wrote "open500", where I found a "conf" subdirectory with
a "keystore" file. But I have an "openmeetings" subdirectory too... to which I
can not access (Permission denied).
Greetings,
Xavier
Le 04/07/2019 à 21:35, Stefan Kühl a écrit :
Yes, I'm sorry. Did this so many times and forgot an important point. First:
the password is: password
;-)
Let's go through the lines:
"sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem
-inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out
/opt/OM_Folder/conf/red5.p12 -name red5 -certfile
/etc/letsencrypt/live/domain.eu/chain.pem"
Here you use the openssl library to export the the key from the letsencrypt
certificate into the red5.p12 file and store it in youtr OM Folder (red5 is
just an name - you could also use any other name)
"sudo keytool -importkeystore -srcstorepass password -srckeystore
/opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password
-destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5
sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks
-trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem"
by using keytool you import the certificate key by setting the password
(-srcstorepass password -> deststorepass password) into the file keystore.jks
and confirming the trust by the chain.pem
"sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks"
now creating the trustscore.jks by copying the keystore.jks
at least and only if you have OM 5.* installed:
"sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore"
this is neccesary because OM5-'looks only for keystore and not for
keystore.jks. You can do "mv keystore.jks keystore" also. Otherwise you could
update the config file to look for keystore.jks"
So if you will be asked for
Enter Export Password:
Verifying - Enter Export Password:
and again
Enter Import Password:
Verifying - Enter Import Password:
you need to enter password
Just to keep it simple, you can choose your own password, but keep in mind top
change it within the command too;-)
Greetz
Stefan
Am 04.07.2019 21:18, schrieb Xavier M:
So...
After having changed the folder names, I entered the first command line to get:
Enter Export Password:
Verifying - Enter Export Password:
I wrote down a password - I guess I defined it at this step?
Then the second command line delivered:
Importing keystore /opt/open500/conf/red5.p12 to
/opt/open500/conf/keystore.jks...
keytool error: java.io.IOException: keystore password was incorrect
Any idea of what happens and what I should do? I did not try the third command
line.
By the way, can you explain me in a few words what I'm doing with these command
lines ?
Have a good evening,
Xavier
Le 04/07/2019 à 19:15, Stefan Kühl a écrit :
Maybe to make a quick check (every command in one line):
sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem -inkey
/etc/letsencrypt/live/domain.eu/privkey.pem -out /opt/OM_Folder/conf/red5.p12
-name red5 -certfile /etc/letsencrypt/live/domain.eu/chain.pem
sudo keytool -importkeystore -srcstorepass password -srckeystore
/opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password
-destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5
sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks
-trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem
sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks
sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore (<-
only if you have version 5.*)
Please remeber: If you leave it like this, you need to repaet this lines after
every renew of your certificate. Be aware of the folders -> domain.eu: your
domain an OM_Folder: your OM installation folder.
Greetz
Stefan
Am 04.07.2019 18:00, schrieb Xavier M:
Then let's go with Proxy through Apache.
I'm not running as root, but my account has the whole rights so that I thought
I could do exactly the same things. "sudo" is my friend... even sudo chmod.
The server works with Ubuntu - my account was created at the installation. When
I refer to a "LAMP-server", I executed the command
sudo apt install apache2 php libapache2-mod-php mariadb-server php-mysql
... among other prior to install OM.
Xavier
________________________________
De : Aaron Hepp <[email protected]><mailto:[email protected]>
Envoyé : jeudi 4 juillet 2019 17:53
À : [email protected]<mailto:[email protected]>
Objet : Re: Log-in and security
Proxy through Apache would be the easier solution for upgrading
when you say Admin of the sever you are running as root or that you can log
into it? As well what "type" of server is it (REHL, CentOS, Ubuntu, etc.)
On 7/4/19 11:48 AM, Xavier M wrote:
Thank you Aaron.
Even if I have admin rights, I can access only to /etc/letsencrypt/. The
permission is denied when I want to open the subdirectory "live".
How do both solution work? I know neither how to "Proxy through Apache", nor
how to "configure my OM instance to be able to read where the keys are". Sorry
for all that...
Xavier
________________________________
De : Aaron Hepp <[email protected]><mailto:[email protected]>
Envoyé : jeudi 4 juillet 2019 17:40
À : [email protected]<mailto:[email protected]>
Objet : Re: Log-in and security
That is your issue. Apache has the cert installed via LetEncrypt. Tomcat
which is running on 5443 needs to have the configuration set to know where the
cert is located as well as the keystore created.
You can do two things. Proxy through Apache, or configure your OM instance to
be able to read where the keys are.
LetEncrypt places the cert at:
/etc/letsencrypt/live/<domain>
On 7/4/19 11:34 AM, Xavier M wrote:
Hem... No... Do you mean I have to copy and paste the certificate in each
folder? Actually, I even don't know where the certificate is to be found on the
server... But I guess I find it somewhere if needed.
Xavier
________________________________
De : Stefan Kühl <[email protected]><mailto:[email protected]>
Envoyé : jeudi 4 juillet 2019 17:06
À : [email protected]<mailto:[email protected]>
Cc : R. Scholz
Objet : Re: Log-in and security
Hi @all,
port should be irrelevant. I'm using Apache on Ubuntu with port 5443 too. https
works as expected.
Did you export they certificate keys (like keystore and trustscore) to your
%OM%/conf folder?
Greetz
Stefan
Am 04.07.2019 16:57, schrieb R. Scholz:
Hello Xavier,
Hm, you using on Port 80 Tomcat or Apache?
Best regards,
René
Am 04.07.2019 um 16:24 schrieb Xavier M:
Thank you for answering... I'm sorry, but I don't know enough about
certificates to give you a relevant answer. I think that :
* The common name is "rusa.fr"
* There is no subject alternative name (even www.rusa.fr<http://www.rusa.fr>)
* It is not a wildcard
... But I'm not 100% sure, it is the first time I administrate a server, I'm
discovering many things at the same time!
Xavier
________________________________
De : Clayton, Robin
<[email protected]><mailto:[email protected]>
Envoyé : jeudi 4 juillet 2019 15:43
À : [email protected]<mailto:[email protected]>
Objet : RE: Log-in and security
What is the CN of the certificate, is there any SAN entries on the certificate?
Or is it a wildcard?
The TCP port should be irrelevant.
Rob
From: Stefan Kühl [mailto:[email protected]]
Sent: 04 July 2019 14:16
To: [email protected]<mailto:[email protected]>
Cc: Xavier M
Subject: Re: Log-in and security
Hi,
are you sure that you request your certificate also for
domain.eu<http://domain.eu> or only for www.domain.eu<http://www.domain.eu>.
You should check this. Sometimes webhoster only use the www adresses for
certificates.
Greetz
Stefan
Am 04.07.2019 14:18, schrieb Xavier M:
Hi everybody,
I'm quite sure that the answer is already somewhere, but I couldn't find it...
After having installed OM on a web-server, the "written" way to access to the
log-in is following, according to Alvaro's tuto:
https://localhost:5443/openmeetings
If OM is installed on a web server, let's say "domain.eu<http://domain.eu>", it
works correctly with:
https://domain.eu:5443/openmeetings
But the user will get a warning for security reason, even if
domain.eu<http://domain.eu> works with https, since the common certificates
will not work with this port.
I stated that following URL worked for the "demo version":
https://om.alteametasoft.com/openmeetings
Does anyone know how this was done? I would like to avoid the use of the port
5443 with the warning.
Have a good day!
Xavier
Disclaimer
This email has been scanned by the Mimecast security service.
Disclaimer
Please, consider your environmental responsibility. Before printing this e-mail
ask yourself: Do I need a hard copy?
Cumberland Building Society
Cumberland House
Cooper Way
Parkhouse
CARLISLE CA3 0JF
To help us monitor and improve customer service telephone calls may be recorded.
Cumberland Building Society is authorised by the Prudential Regulation
Authority and regulated by the Financial Conduct Authority and Prudential
Regulation Authority. We arrange life assurance and critical illness cover only
with Legal & General Assurance Society Limited and general insurance only with
Aviva Insurance Limited.
To find out more about us, visit
www.cumberland.co.uk<http://www.cumberland.co.uk/>
CONFIDENTIALITY: This e-mail and any files transmitted with it are
confidential, may be legally privileged and are intended for the addressee(s)
only. If you are not the intended recipient you may not disclose, copy,
distribute, or retain all or part of this e-mail without our authority. Please
notify the sender immediately by replying to this e-mail and then permanently
delete it.
Any views or opinions expressed are solely those of the author and do not
necessarily represent those of Cumberland Building Society or any of its
subsidiaries.
Although we have taken steps to ensure that this e-mail and any attachments are
free from virus contamination, please rely on your own virus checking
procedures as no guarantee is implied or given. We will not be liable for any
loss or damage arising from alteration of the contents of this e-mail by a
third party or as a result of any virus.
This email has been scanned by the Mimecast security service.
