Works now. For everyone who wants to know how (feel free to use in tutorials, if usable):

1. Create certificate
-----------------------------------------------------------------
Call https://mydomainca/certsrv/
Request a certificate
Advanced certificate request
Create and submit a request to this CA
Name: URL (e.g. if the URL is https://myserver.intern:5443, the name should be myserver.intern)
Template: has to be a template which allows private keys to be exported
Send in the request and install the certificate

2. Export certificate
-----------------------------------------------------------------
Open the certificate store of the browser (e.g. Internet Explorer: Internet Options, Content, Certificates, Personal)
Export the certificate WITH private key as a PFX file (with the option: if possible, include all certificates...), here myserver.pfx
Export the certificate WITHOUT private key as a CRT file (base-64-encoded X.509), here myserver.crt

3. Change format
-----------------------------------------------------------------
Get OpenSSL, copy the PFX and CER file into the directory of the openssl exe file (yeah, working with Windows in this step)

openssl pkcs12 -in myserver.pfx -out myserverfull.pem -nodes
openssl pkey -in myserverfull.pem -out key.pem
openssl crl2pkcs7 -nocrl -certfile myserverfull.pem | openssl pkcs7 -print_certs -out chain.pem
openssl x509 -in myserver.cer -out myserver.pem -outform PEM

--> creates key.pem, chain.pem, myserver.pem, myserverfull.pem; copy them onto a netshare which is accessible from your OpenMeetings server

4. Configure HTTPS
-----------------------------------------------------------------
I created a folder for my PEM files.
I mounted a netshare and copied the PEM files into this folder:

sudo mkdir /etc/mycertificates
sudo cp /media/netshare/*.pem /etc/mycertificates
cd /opt/open504/conf
sudo vi server.xml

--> delete the following lines (using "dd")

<Connector port="5443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/localhost.jks"
                     certificateKeystorePassword="openmeetings"
                     certificateKeystoreType="JKS"
                     certificateVerification="false"
                     sslProtocol="TLS"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

--> add the following lines (using "i")

<Connector port="5443" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateFile="/etc/mycertificates/myserver.pem"
                     certificateKeyFile="/etc/mycertificates/key.pem"
                     certificateChainFile="/etc/mycertificates/chain.pem"
                     sslProtocol="TLS"/>
    </SSLHostConfig>
</Connector>

--> save and exit (using "ESC", then ":w!", then ":q!")

sudo reboot
sudo /etc/init.d/mysql start
sudo /etc/init.d/kurento-media-server start
sudo /etc/init.d/tomcat3 start

Best Regards,
Alex

PS: this line was essential: sslProtocol="TLS"

-----Original Message-----
From: Ninnig, Alexander <[email protected]>
Sent: Tuesday, 5 May 2020 08:36
To: [email protected]
Subject: RE: Domain certificate not working

Hi,

THAT'S exactly the kind of information I was looking for. I figured it could be something like this.
Just one last question: do I do this INSTEAD of all this other keystore stuff? Or AFTER?

Best Regards,
Alex

-----Original Message-----
From: ratatouille <[email protected]>
Sent: Monday, 4 May 2020 17:15
To: [email protected]
Subject: Re: Domain certificate not working

Hello!
I made https available just by editing server.xml like this:

<Connector port="5443" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateFile="/etc/letsencrypt/live/domain.de/cert.pem"
                     certificateKeyFile="/etc/letsencrypt/live/domain.de/privkey.pem"
                     certificateChainFile="/etc/letsencrypt/live/domain.de/fullchain.pem" />
    </SSLHostConfig>
</Connector>

and it worked; I did nothing else.

Andreas

"Ninnig, Alexander" <[email protected]> wrote on 04.05.20 at 13:55:43:

> Hi,
>
> I installed Openmeetings 504 on a virtual Ubuntu 18.04 Server, following the
> instructions of the newest tutorial. As far as I can tell, everything works
> fine.
>
> Now, I am trying to replace the self-signed certificate and use a
> domain certificate instead, following the information from:
> https://openmeetings.apache.org/HTTPS.html#real-certificate. But after this
> and after a reboot, the https site is not available anymore (site cannot be
> found). I am a bit at a loss here about what to do now.
>
> Here is what I did:
>
> First Attempt
> --------------------------------------------------------------------------------
>
> cd /opt/open504/conf
> sudo mv localhost.jks localhost.org
> sudo keytool -keysize 4096 -genkey -alias openmeetings -keyalg RSA -storetype PKCS12 -keystore /opt/open504/conf/localhost.jks
> Old password: PassW0rd
> New password: PassW0rd
> Name (Websitename): myserver
> (...)
>
> sudo keytool -certreq -keyalg RSA -alias openmeetings -file openmeetings.csr -keystore /opt/open504/conf/localhost.jks
> sudo cp openmeetings.csr /media/netshare
>
> Here, I opened the website of my domain CA, which is a Server 2012 R2
> Windows Server (https://issuingca/certsrv/). I chose: request a certificate.
> I chose: advanced certificate request.
> I chose: submit a certificate request by using a base-64-encoded (...).
> I opened the request file (openmeetings.csr) in a text editor and used copy &
> paste to hand in my request.
> I chose "Web Server" as certificate template and started the request.
> I downloaded the certificate as a Base-64 certificate (cer filetype); the
> certificate is valid.
> I copied this certificate and the certificates of my root and my issuing CA onto
> my netshare, so I can access them from my OpenMeetings Linux server.
>
> cd /opt/open504/conf
> sudo cp /media/netshare/root.crt root.crt
> sudo cp /media/netshare/issuing.cer issuing.cer
> sudo cp /media/netshare/myserver.cer myserver.cer
> sudo keytool -import -alias root -keystore /opt/open504/conf/localhost.jks -trustcacerts -file root.crt
> sudo keytool -import -alias intermed -keystore /opt/open504/conf/localhost.jks -trustcacerts -file issuing.cer
> sudo keytool -import -alias openmeetings -keystore /opt/open504/conf/localhost.jks -trustcacerts -file myserver.cer
>
> ==> No errors so far.
>
> sudo reboot now
> sudo /etc/init.d/mysql start
> sudo /etc/init.d/kurento-media-server start
> sudo /etc/init.d/tomcat3 start
>
> ==> HTTPS website is not available.
>
> Second Attempt
> --------------------------------------------------------------------------------
>
> I found out that the certificate template "Web Server" may not be right. It
> says the maximum is 2048.
> So I created a new template ("Web Server 4096") and changed the length to
> 4096.
> I also checked the option that the private key is exportable.
> I started from the beginning; same result.
>
> Third Attempt
> --------------------------------------------------------------------------------
>
> After that, I started again, but this time I tried to request a
> 2048 certificate and to use the original certificate template:
> sudo keytool -keysize 2048 -genkey -alias openmeetings -keyalg RSA -storetype PKCS12 -keystore /opt/open504/conf/localhost.jks
> Same result.
>
> Fourth Attempt
> --------------------------------------------------------------------------------
>
> I also tried to use this manual:
> https://openmeetings.apache.org/HTTPS.html#create-keystore-using-existing-key-pair
> But I do not have a server key.
> I can create a valid certificate on my CA website
> (https://issuingca/certsrv/) and I can use openssl in order to create
> p12/pfx and key files, but I don't know how to import them, since I don't
> have a matching request on my Ubuntu/OpenMeetings server.
>
> Fifth Attempt
> --------------------------------------------------------------------------------
>
> I also tried to create a key file from the certificate I imported using the
> first manual (https://openmeetings.apache.org/HTTPS.html#real-certificate)
> and then use this key file with the second manual
> (https://openmeetings.apache.org/HTTPS.html#create-keystore-using-existing-key-pair).
>
> sudo keytool -v -importkeystore -srckeystore keystore -srcalias openmeetings -destkeystore myserver.p12 -deststoretype PKCS12
>
> [from here in a Windows command line]
> openssl pkcs12 -in myserver.p12 -nocerts -out myserver_enc.key
> openssl pkcs12 -in myserver.p12 -clcerts -nokeys -out myserver.crt
> openssl rsa -in myserver_enc.key -out myserver.key
>
> sudo keytool -importkeystore -srcstorepass PassW0rd -srckeystore myserver.p12 -srcstoretype PKCS12 -deststorepass PassW0rd -destkeystore /opt/open504/conf/localhost.jks -alias openmeetings -deststoretype PKCS12
> ==> Alias openmeetings not found
> sudo keytool -importkeystore -srcstorepass PassW0rd -srckeystore myserver.p12 -srcstoretype PKCS12 -deststorepass PassW0rd -destkeystore /opt/open504/conf/localhost.jks -deststoretype PKCS12
> ==> Alias openmeetings already existing (???), overwrite? Yes.
> Anyhow, after the reboot --> same result, no https website.
>
> At this point, I am a bit lost.
> Can you give me a hint?
>
> Best regards,
> Alex
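An added example, not part of this thread and not OpenMeetings project code: it scripts step 3 of the procedure at the top (PFX export to key.pem, cert.pem, chain.pem) and adds the check that step 4 quietly depends on, namely that the key really belongs to the certificate and that the certificate chains to the CA for the hostname clients will use. Tomcat refuses to bring up the connector when these do not fit, and the symptom is exactly the one reported in the thread: the HTTPS port is simply not there after the restart. The PFX password ("exportpw"), the hostname (myserver.intern) and the private test CA are assumptions; the PFX is constructed on the fly as a stand-in for the AD CS export. Needs the openssl CLI (1.1.1 or 3.x) and POSIX sh.

```sh
#!/bin/sh
# Convert a PKCS#12 export into the PEM files a Tomcat <Certificate> element
# (certificateKeyFile / certificateFile / certificateChainFile) expects, then
# prove the three files belong together before touching server.xml.
set -eu
umask 077   # key.pem is written unencrypted (-nodes); keep every output owner-only

# pfx_to_pem PFX PASSWORD OUTDIR -> writes OUTDIR/key.pem, cert.pem, chain.pem
pfx_to_pem() {
    mkdir -p "$3"
    # Private key only, then normalise to unencrypted PKCS#8 PEM; this also drops
    # the "Bag Attributes" header lines that pkcs12 prints in front of the PEM.
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3/key.tmp"
    openssl pkey -in "$3/key.tmp" -out "$3/key.pem"
    # Leaf certificate: the one carrying the localKeyID that matches the key
    # (-clcerts). Windows and OpenSSL exports both mark it that way.
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3/leaf.tmp"
    awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' "$3/leaf.tmp" > "$3/cert.pem"
    # Chain: every other certificate in the bundle (issuing CA, root, ...).
    openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys -out "$3/chain.tmp"
    awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' "$3/chain.tmp" > "$3/chain.pem"
    rm -f "$3"/*.tmp
}

# check_pem_set OUTDIR HOSTNAME -> 0 only if key matches cert and cert validates
# against chain.pem for HOSTNAME; anything else means "do not install".
check_pem_set() {
    # 1. Public key embedded in the certificate == public key derived from key.pem.
    cert_pub=$(openssl x509 -in "$1/cert.pem" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$1/key.pem" -pubout | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "key.pem does not belong to cert.pem" >&2
        return 1
    fi
    # 2. The leaf must chain to the CA certs and carry HOSTNAME in its SAN.
    #    Add -partial_chain if chain.pem deliberately holds only intermediates.
    openssl verify -CAfile "$1/chain.pem" -verify_hostname "$2" "$1/cert.pem" >/dev/null
}

# make_test_pfx DIR HOSTNAME -> prints the path of a constructed PFX: a throwaway
# private CA signs a server certificate for HOSTNAME, both are packed as an
# exportable PKCS#12 with password "exportpw" (stand-in for the AD CS export).
make_test_pfx() {
    mkdir -p "$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$1/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.csr" \
        -subj "/CN=Example Issuing CA" 2>/dev/null
    openssl x509 -req -in "$1/ca.csr" -signkey "$1/ca.key" -days 30 \
        -extfile "$1/ca.ext" -out "$1/ca.crt" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$2" > "$1/srv.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/srv.key" -out "$1/srv.csr" \
        -subj "/CN=$2" 2>/dev/null
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -days 30 -extfile "$1/srv.ext" -out "$1/srv.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/srv.key" -in "$1/srv.crt" -certfile "$1/ca.crt" \
        -passout pass:exportpw -out "$1/myserver.pfx"
    echo "$1/myserver.pfx"
}

# Demo run: build the sample export, convert it, verify the result.
workdir=$(mktemp -d)
pfx=$(make_test_pfx "$workdir/ca" myserver.intern)
pfx_to_pem "$pfx" exportpw "$workdir/pem"
if check_pem_set "$workdir/pem" myserver.intern; then
    echo "OK: $workdir/pem/{key,cert,chain}.pem are consistent for myserver.intern"
else
    echo "FAILED: do not copy these files to /etc/mycertificates" >&2
    exit 1
fi
```

Two practical notes for the real export. A PFX written by the Windows certificate export wizard may use the old RC2/3DES PBE; OpenSSL 3.x then fails to read it unless you add `-legacy` to each `openssl pkcs12` call above (OpenSSL 1.1.1 reads it as is). And chain.pem here holds only the CA certificates, while the crl2pkcs7 pipeline in step 3 also copies the leaf into chain.pem, which evidently works for Alex too. Once the files are in place and tomcat3 is restarted, `openssl s_client -connect myserver.intern:5443 -servername myserver.intern` shows the chain the server actually sends and whether the handshake completes.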
