Hello again,

as I said before: if that was a way, I would prefer to use PEM-files and configure the path to these pem-files in a config-file. That works in OpenMeetings 5, where I can just edit the server.xml (section: <Connector port="5443">)

In case that DOESN’T work in OpenMeetings 4: I repeated all the steps from the official instructions (shipped with my OM, docs/RTMPSAndHTTPS.html). Just to be sure, I did all these steps on a fresh and INTERNAL OpenMeetings4-server, so there is no way our central firewall would be the problem. I also used the default-password (changeit) and the url "red5" (I created an entry in my Windows-hosts-file). I was really thorough, I can find no error. Here is what I did:

cd /opt/red54010/conf
sudo mv keystore.jmx keystore.bak
sudo mv truststore.jmx truststore.bak
sudo keytool -keysize 2048 -genkey -alias red5 -keyalg RSA -keystore /opt/red54010/conf/keystore.jks
# changeit
# changeit
# red5
# IT
# Organization
# City
# State
# DE
# yes
sudo keytool -certreq -keyalg RSA -alias red5 -file red5.csr -keystore /opt/red54010/conf/keystore.jks
# changeit
sudo cp red5.csr /media/netshare/
# https://myissuingca/certsrv - This is a Microsoft Windows Server 2012 R2 Server with an intermediate CA
# "Request a certificate"
# "Submit an advanced certificate request"
# "Submit a certificate request that uses a Base64-encoded CMC or PKCS10 file, or a renewal request that uses a Base64-encoded PKCS7 file"
# I open the CSR-File I copied on my Windows-Server-Netshare with notepad.exe, I copy & paste the whole text into the input-field of my CA-website
# "Choose certificate-template": I choose "Webserver" which is a default-template (I normally would use a template I created ("webserveradvanced"), which allows me to export the private key)
# Field "Additional Attributes" stays empty - send in request
# Certificate is created, I have 4 download-options: DER-certificate [cer], DER-certificate with complete chain [p7b], BASE64-certificate [cer], BASE64-certificate with complete chain [p7b].
# I download them all:
# red5_DER.cer, red5_DER.p7b, red5_Base64.cer, red5_Base64.p7b
# I copy the files in my netshare-folder
sudo cp /media/netshare/red5*.cer /opt/red54010/conf/
sudo cp /media/netshare/red5*.p7b /opt/red54010/conf/
# I copy the certificates of my root-CA and my issuing-CA (intermediate CA) onto my Windows-Server-Netshare. I double-check the files, so I can be sure those are the right ones
sudo cp /media/netshare/root.crt /opt/red54010/conf/
sudo cp /media/netshare/intermediate.crt /opt/red54010/conf/
# I check with: ls. Yes, everything is there.
cd /opt/red54010/conf
sudo keytool -import -alias root -keystore /opt/red54010/conf/keystore.jks -trustcacerts -file root.crt
# changeit
# Trust this certificate: yes [I checked: yes, it is the certificate of my root-CA]
# certificate was added to keystore
sudo keytool -import -alias intermed -keystore /opt/red54010/conf/keystore.jks -trustcacerts -file intermediate.crt
# changeit
# certificate was added to keystore
sudo keytool -import -alias red5 -keystore /opt/red54010/conf/keystore.jks -trustcacerts -file red5_Base64.cer
# I chose the Base64-certificate without chain
# changeit
# Certificate reply was installed in keystore
sudo cp keystore.jks truststore.jks
sudo cp keystore.jks keystore.screen
sudo cp jee-container.xml jee-container.bak
sudo vi jee-container.xml
# search for <!-- Tomcat without SSL enabled -->
# and comment-out the whole section, so:
# <!-- <bean id="tomcat.server" (...)
# </bean> -->
# search for <!-- Tomcat with SSL enabled -->
# and remove the comment for the whole section, so
# remove <!-- before <bean id="tomcat.server" (...)
# and remove --> right after </bean> but before </beans>
# save file with :w! and quit with :q
# Open my openmeetings-website: http://red5:5080/openmeetings, login as admin
# Go to administration / configuration and set flash.secure="true" and flash.secure.proxy="none" (already set).
# Save configuration
sudo /etc/init.d/red5-ubdeb2 restart
# Open: https://red5:5443/openmeetings
# --> result: No access to page/site
# I double-checked the connection:
# I can ping the server, so I can resolve the name/url
# I checked my proxy-settings: don't use a proxy for this site
# I also created a special rule in my central firewall: allow 5443 TCP from my network to the openmeetings-server
# http://red5:5080/openmeetings still works

Best wishes,
Alex

From: Ninnig, Alexander <[email protected]>
Sent: Friday, 12 June 2020 11:08
To: [email protected]
Subject: AW: HTTPS with OpenMeetings 4 (4.0.10)

Hi Maxim,

thanks for your quick response. Yes, I tried those. Didn’t work. So before I tell you everything I tried so far: can I use a config-file instead of the keystore? Just like in OM5, where I can alter the server.xml and edit the path to the certificates?

Best wishes,
Alex

From: Maxim Solodovnik <[email protected]>
Sent: Friday, 12 June 2020 10:41
To: Openmeetings user-list <[email protected]>
Subject: Re: HTTPS with OpenMeetings 4 (4.0.10)

The instructions are shipped with every OM release
And can be found for ex. here https://om.alteametasoft.com/openmeetings/docs/RTMPSAndHTTPS.html

On Fri, 12 Jun 2020 at 15:31, Ninnig, Alexander <[email protected]> wrote:

Hello,

I’m really sorry to bother, but I can’t get HTTPS working with OpenMeetings 4. The site (https/5443) cannot be displayed. I had the same problem with OpenMeetings 5, until someone told me not to use the keystore, but to alter the server.xml instead and change the lines into something like that:

<Connector port="5443" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateFile="/etc/mycertfolder/server.pem"
                     certificateKeyFile="/etc/mycertfolder/key.pem"
                     certificateChainFile="/etc/mycertfolder/chain.pem"
                     sslProtocol="TLS"/>
    </SSLHostConfig>
</Connector>

As I said, that worked with OpenMeetings 5.
Unfortunately, OM5 is not production-ready yet, but I need a solution now. And unfortunately, there is no server.xml in OM4. I also searched the whole filesystem for strings like "Connector", but I got no match.

Before I tell you everything I tried in order to make the keystore work: Can you tell me if there is a similar solution to the one mentioned above in OpenMeetings 4? Meaning: can I simply edit a config-file and provide this config with the paths to my certificates? Or do I have to use the keystore? If I have to use the keystore, I will describe to you what I tried so far.

Best wishes,
Alex

--
Best regards,
Maxim
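
Added example, not part of the original thread or of the OpenMeetings documentation: a check for the keystore procedure in the first message. It reads "keytool -list -v" output and confirms that the red5 alias is a PrivateKeyEntry carrying the full chain (server, intermediate, root). The helper name audit_keystore and both sample listings are constructed for illustration.

```shell
# Added example, not from the thread: audit `keytool -list -v` output.
# Live use with the thread's path, alias and password:
#   keytool -list -v -keystore /opt/red54010/conf/keystore.jks \
#       -storepass changeit | audit_keystore red5 3

# audit_keystore ALIAS MIN_CHAIN (hypothetical helper name).
# Reads the listing on stdin; returns 0 only if ALIAS holds a private
# key and its certificate chain has at least MIN_CHAIN entries.
audit_keystore() {
    awk -v want="$1" -v min="$2" '
        /^Alias name: /               { alias = substr($0, 13) }
        /^Entry type: /               { type[alias] = substr($0, 13) }
        /^Certificate chain length: / { chain[alias] = substr($0, 27) + 0 }
        END {
            if (!(want in type)) {
                print "FAIL: alias " want " not found"; exit 1
            }
            if (type[want] != "PrivateKeyEntry") {
                print "FAIL: " want " is a " type[want] ", no private key"; exit 1
            }
            if (chain[want] < min) {
                print "FAIL: " want " chain length " chain[want] ", expected " min; exit 1
            }
            print "OK: " want " PrivateKeyEntry, chain length " chain[want]
        }'
}

# Constructed, abbreviated listing: CA reply installed over the key pair.
sample_reply_installed() {
    cat <<'EOF'
Alias name: root
Entry type: trustedCertEntry
Alias name: red5
Entry type: PrivateKeyEntry
Certificate chain length: 3
EOF
}

# Constructed listing: key pair still carries only its self-signed cert.
sample_self_signed() {
    cat <<'EOF'
Alias name: red5
Entry type: PrivateKeyEntry
Certificate chain length: 1
EOF
}

sample_reply_installed | audit_keystore red5 3
sample_self_signed | audit_keystore red5 3 || true
```

A trustedCertEntry, or a chain length of 1, for the red5 alias means the keystore has no CA-signed key pair for the HTTPS connector to present.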
