Posted to user@openmeetings.apache.org by Xavier M <xa...@hotmail.com> on 2019/07/04 12:18:07 UTC

Log-in and security

Hi everybody,

I'm quite sure that the answer is already somewhere, but I couldn't find it...

After having installed OM on a web server, the "written" way to access the log-in is the following, according to Alvaro's tutorial:
https://localhost:5443/openmeetings

If OM is installed on a web server, let's say "domain.eu", it works correctly with:
https://domain.eu:5443/openmeetings

But the user will get a warning for security reasons, even if domain.eu works with https, since the common certificates will not work with this port.

I noted that the following URL worked for the "demo version":
https://om.alteametasoft.com/openmeetings

Does anyone know how this was done? I would like to avoid the use of port 5443 with the warning.

Have a good day!
Xavier

Re: new USB-camera Logitech Brio 4K

Posted by Maxim Solodovnik <so...@gmail.com>.
I only have very old cameras to test :(
You can check Kurento forum: https://groups.google.com/forum/#!forum/kurento

On Fri, 5 Jul 2019 at 13:49, René Scholz <re...@abakus-edv-systems.de>
wrote:

> Hello Maxim,
>
> with locally installed applications it works on USB2 and USB3.
>
> For the moment it's OK to use USB2 - it's really not necessary to use a
> 4k video stream.
>
> Does anyone have a USB3 cam in use?
>
> Best regards,
>
> René
>
>
> On 05.07.2019 at 04:23, Maxim Solodovnik wrote:
>
> Does this camera work in other applications while connected to USB2?
>
> On Fri, 5 Jul 2019 at 01:35, R. Scholz <re...@abakus-edv-systems.de>
> wrote:
>
>> Addendum:
>> coincidentally I used a "wrong" port with the 4k camera - it was a USB2.
>> And: all is functional.
>>
>> Hmmmm, does anybody know if Kurento has a problem with USB3?
>> Or is the resolution too high?
>>
>> Best regards,
>>
>> René
>>
>>
>>
>> On 04.07.2019 at 15:03, René Scholz wrote:
>>
>> Hello,
>>
>> today my new 4K camera "Logitech Brio" arrived.
>>
>> (Very nice to play with. It feels a little bit like Christmas.)
>>
>> When I try to select it in my OM5 I get the access question in my
>> Firefox, that's OK.
>> Then the red bubble (bottom right) appears with:  *NotReadableError:
>> Failed to allocate videosource.*
>>
>> When I use the internal notebook cam it's functional. The notebook cam
>> and microphone work.
>>
>> Does anybody have an idea?
>>
>> With best regards,
>>
>> René
>>
>>
>>
>
> --
> WBR
> Maxim aka solomax
>
>
>

-- 
WBR
Maxim aka solomax

Re: new USB-camera Logitech Brio 4K

Posted by René Scholz <re...@abakus-edv-systems.de>.
Hello Maxim,

with locally installed applications it works on USB2 and USB3.

For the moment it's OK to use USB2 - it's really not necessary to use a 
4k video stream.

Does anyone have a USB3 cam in use?

Best regards,

René


On 05.07.2019 at 04:23, Maxim Solodovnik wrote:
> Does this camera work in other applications while connected to USB2?
>
> On Fri, 5 Jul 2019 at 01:35, R. Scholz 
> <rene.scholz@abakus-edv-systems.de> wrote:
>
>     Addendum:
>     coincidentally I used a "wrong" port with the 4k camera - it was a
>     USB2.
>     And: all is functional.
>
>     Hmmmm, does anybody know if Kurento has a problem with USB3?
>     Or is the resolution too high?
>
>     Best regards,
>
>     René
>
>
>
>     On 04.07.2019 at 15:03, René Scholz wrote:
>>     Hello,
>>
>>     today my new 4K camera "Logitech Brio" arrived.
>>
>>     (Very nice to play with. It feels a little bit like Christmas.)
>>
>>     When I try to select it in my OM5 I get the access question in my
>>     Firefox, that's OK.
>>     Then the red bubble (bottom right) appears with:
>>     /NotReadableError: Failed to allocate videosource./
>>
>>     When I use the internal notebook cam it's functional. The
>>     notebook cam and microphone work.
>>
>>     Does anybody have an idea?
>>
>>     With best regards,
>>
>>     René
>>
>
>
>
> -- 
> WBR
> Maxim aka solomax


Re: new USB-camera Logitech Brio 4K

Posted by Maxim Solodovnik <so...@gmail.com>.
Does this camera work in other applications while connected to USB2?

On Fri, 5 Jul 2019 at 01:35, R. Scholz <re...@abakus-edv-systems.de>
wrote:

> Addendum:
> coincidentally I used a "wrong" port with the 4k camera - it was a USB2.
> And: all is functional.
>
> Hmmmm, does anybody know if Kurento has a problem with USB3?
> Or is the resolution too high?
>
> Best regards,
>
> René
>
>
>
> On 04.07.2019 at 15:03, René Scholz wrote:
>
> Hello,
>
> today my new 4K camera "Logitech Brio" arrived.
>
> (Very nice to play with. It feels a little bit like Christmas.)
>
> When I try to select it in my OM5 I get the access question in my Firefox,
> that's OK.
> Then the red bubble (bottom right) appears with:  *NotReadableError:
> Failed to allocate videosource.*
>
> When I use the internal notebook cam it's functional. The notebook cam
> and microphone work.
>
> Does anybody have an idea?
>
> With best regards,
>
> René
>
>
>

-- 
WBR
Maxim aka solomax

Re: new USB-camera Logitech Brio 4K

Posted by "R. Scholz" <re...@abakus-edv-systems.de>.
Addendum:
coincidentally I used a "wrong" port with the 4k camera - it was a USB2.
And: all is functional.

Hmmmm, does anybody know if Kurento has a problem with USB3?
Or is the resolution too high?

Best regards,

René



On 04.07.2019 at 15:03, René Scholz wrote:
> Hello,
>
> today my new 4K camera "Logitech Brio" arrived.
>
> (Very nice to play with. It feels a little bit like Christmas.)
>
> When I try to select it in my OM5 I get the access question in my 
> Firefox, that's OK.
> Then the red bubble (bottom right) appears with: /NotReadableError: 
> Failed to allocate videosource./
>
> When I use the internal notebook cam it's functional. The notebook 
> cam and microphone work.
>
> Does anybody have an idea?
>
> With best regards,
>
> René
>


new USB-camera Logitech Brio 4K

Posted by René Scholz <re...@abakus-edv-systems.de>.
Hello,

today my new 4K camera "Logitech Brio" arrived.

(Very nice to play with. It feels a little bit like Christmas.)

When I try to select it in my OM5 I get the access question in my 
Firefox, that's OK.
Then the red bubble (bottom right) appears with: /NotReadableError: 
Failed to allocate videosource./

When I use the internal notebook cam it's functional. The notebook cam 
and microphone work.

Does anybody have an idea?

With best regards,

René


Re: Kurento Port range

Posted by Maxim Solodovnik <so...@gmail.com>.
On the demo server we have a TURN server configured
and only port 443 and `Turnserver` are added to the firewall exceptions

`Turnserver` is a set of rules bundled with coturn

It can be allowed via `ufw allow Turnserver`
you can check it using `ufw app info Turnserver`

On Fri, 5 Jul 2019 at 15:47, René Scholz <re...@abakus-edv-systems.de>
wrote:

> Hello,
>
> I am trying to use OM5 behind a firewall.
>
> I opened ports 5443 and 8888.
> Access to the web interface is functional and as moderator I can
> open my camera and microphone. Both are working, I see the
> video and the green line is hopping funny when I sing a song...
>
> After I sent an invitation to my 2nd email address I opened it, but I see
> no camera picture.
>
> What is wrong? Does Kurento itself need a port range too that I have to open?
>
> BTW: I can't send an email to the same email account I logged in with. I get an
> "internal error" when I do something like that.
>
> Best regards,
>
> René
>


-- 
WBR
Maxim aka solomax

Kurento Port range

Posted by René Scholz <re...@abakus-edv-systems.de>.
Hello,

I am trying to use OM5 behind a firewall.

I opened ports 5443 and 8888.
Access to the web interface is functional and as moderator I can 
open my camera and microphone. Both are working, I see the
video and the green line is hopping funny when I sing a song...

After I sent an invitation to my 2nd email address I opened it, but I see 
no camera picture.

What is wrong? Does Kurento itself need a port range too that I have to open?

BTW: I can't send an email to the same email account I logged in with. I get an 
"internal error" when I do something like that.

Best regards,

René

Re: Log-in and security

Posted by Maxim Solodovnik <so...@gmail.com>.
I would recommend you check the OM logs to ensure there were no errors.

On Sat, Jul 6, 2019, 20:03 Xavier M <xa...@hotmail.com> wrote:

> Hi!
>
>
> As you can probably already presume, these command lines are quite magic
> for me. No idea how they work, nor what their utility is... But I
> trust in the fact that most of you understand!
>
>
> xavier@sd-118950:~$ ps -ef|grep java
> root      1060     1  0 juil.05 ?      00:09:28 /usr/bin/java
> -Djava.util.logging.config.file=/opt/open500/conf/logging.properties
> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> -Djdk.tls.ephemeralDHKeySize=2048
> -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
> -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
> -Dignore.endorsed.dirs= -classpath
> /opt/open500/bin/bootstrap.jar:/opt/open500/bin/tomcat-juli.jar
> -Dcatalina.base=/opt/open500 -Dcatalina.home=/opt/open500
> -Djava.io.tmpdir=/opt/open500/temp org.apache.catalina.startup.Bootstrap -u
> nobody -Dcatalina.base start
> xavier   11265 11246  0 14:54 pts/0    00:00:00 grep --color=auto java
> xavier@sd-118950:~$ netstat -an|grep 5443
> xavier@sd-118950:~$
>
> Please note that the second command does not give any result (that's the
> same with "sudo"). For the time being, I commented out the "LISTEN" lines in
> ports.conf, since Maxim thought that they made no sense here.
>
>
> Xavier
>
>
> On 06/07/2019 at 04:06, Maxim Solodovnik wrote:
>
> Please check OM is running: `ps -ef|grep java` and that the necessary ports
> are in LISTEN state: `netstat -an|grep 5443`
>
> The result of the last command should be something like
>
> tcp6       0      0 :::5443                 :::*                    LISTEN
>
>
>
> On Fri, 5 Jul 2019 at 22:21, Xavier M <xa...@hotmail.com> wrote:
>
>> Atomic steps sound fine... Except if it is a nuclear bomb!
>>
>> In my case, I'd like as a first step to understand why I can not connect
>> anymore to "https://domain.eu:5443/openmeetings" (while I could connect
>> to "https://domain.eu") - domain.eu was a generic name in my explanation -
>> since I followed the steps given yesterday. Nota bene: it works again when
>> I modify /etc/apache2/ports.conf to add "Listen 5443" and "Listen 8888",
>> but I got the error SSL_ERROR_RX_RECORD_TOO_LONG.
>>
>> Assume that I go back to the previous problem, that is I can connect, but
>> with a warning "self made certificate", or whatever the correct name...
>> Then I have to understand what Aaron means by "Proxy through Apache, or
>> configure your OM instance to be able to read where the keys are" and
>> what the pros and cons are. Aaron suggested that I "proxy", but actually
>> I do not know how one does this.
>>
>> Thanks all of you for your help,
>> Xavier
>>
>>

Re: Log-in and security

Posted by Xavier M <xa...@hotmail.com>.
Hi!


As you can probably already presume, these command lines are quite magic for me. No idea how they work, nor what their utility is... But I trust in the fact that most of you understand!


xavier@sd-118950:~$ ps -ef|grep java
root      1060     1  0 juil.05 ?      00:09:28 /usr/bin/java -Djava.util.logging.config.file=/opt/open500/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Dignore.endorsed.dirs= -classpath /opt/open500/bin/bootstrap.jar:/opt/open500/bin/tomcat-juli.jar -Dcatalina.base=/opt/open500 -Dcatalina.home=/opt/open500 -Djava.io.tmpdir=/opt/open500/temp org.apache.catalina.startup.Bootstrap -u nobody -Dcatalina.base start
xavier   11265 11246  0 14:54 pts/0    00:00:00 grep --color=auto java
xavier@sd-118950:~$ netstat -an|grep 5443
xavier@sd-118950:~$


Please note that the second command does not give any result (that's the same with "sudo"). For the time being, I commented out the "LISTEN" lines in ports.conf, since Maxim thought that they made no sense here.


Xavier


On 06/07/2019 at 04:06, Maxim Solodovnik wrote:
Please check OM is running: `ps -ef|grep java` and that the necessary ports are in LISTEN state: `netstat -an|grep 5443`

The result of the last command should be something like

tcp6       0      0 :::5443                 :::*                    LISTEN



On Fri, 5 Jul 2019 at 22:21, Xavier M <xa...@hotmail.com> wrote:
Atomic steps sound fine... Except if it is a nuclear bomb!

In my case, I'd like as a first step to understand why I can not connect anymore to "https://domain.eu:5443/openmeetings" (while I could connect to "https://domain.eu") - domain.eu was a generic name in my explanation - since I followed the steps given yesterday. Nota bene: it works again when I modify /etc/apache2/ports.conf to add "Listen 5443" and "Listen 8888", but I got the error SSL_ERROR_RX_RECORD_TOO_LONG.

Assume that I go back to the previous problem, that is I can connect, but with a warning "self made certificate", or whatever the correct name... Then I have to understand what Aaron means by "Proxy through Apache, or configure your OM instance to be able to read where the keys are" and what the pros and cons are. Aaron suggested that I "proxy", but actually I do not know how one does this.

Thanks all of you for your help,
Xavier
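The SSL_ERROR_RX_RECORD_TOO_LONG that appears once `Listen 5443` is added to Apache's ports.conf is what a browser reports when a plain-text listener answers its TLS ClientHello. The Python below is an added example, not code from this thread or from the OpenMeetings project: it reads the first bytes a server sends back as a TLS record header and explains the mismatch; the sample replies are constructed, and the `probe` helper (which needs network access) is an assumption of this example, not something from the list.

```python
"""Diagnose a port that should speak TLS but answers with something else.

Added example, not from the mailing-list thread.  Firefox reports
SSL_ERROR_RX_RECORD_TOO_LONG when the bytes that come back after its
ClientHello do not parse as a TLS record: a plain-HTTP listener (for example
Apache after "Listen 5443" is added to ports.conf without an SSL virtual host)
answers the ClientHello with text such as "HTTP/1.1 400 Bad Request", and read
as a 5-byte TLS record header that text yields an impossible record length.
"""
import os
import socket
import struct
from dataclasses import dataclass

# Largest TLS ciphertext record a peer may send (RFC 5246 section 6.2.3).
TLS_MAX_RECORD = 2 ** 14 + 2048
RECORD_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


@dataclass
class Verdict:
    kind: str      # "tls", "plain_http", "empty" or "unknown"
    detail: str    # human-readable explanation for the operator


def classify_server_bytes(first_bytes: bytes) -> Verdict:
    """Interpret the first bytes a server sends after receiving a ClientHello."""
    if not first_bytes:
        return Verdict("empty", "no data before timeout or connection closed")
    if len(first_bytes) < 5:
        return Verdict("unknown", f"only {len(first_bytes)} byte(s) received")
    ctype, major, minor, length = struct.unpack("!BBBH", first_bytes[:5])
    if ctype in RECORD_TYPES and major == 3 and minor <= 4 and length <= TLS_MAX_RECORD:
        return Verdict("tls", f"{RECORD_TYPES[ctype]} record, version 3.{minor}, length {length}")
    if first_bytes.startswith(b"HTTP/"):
        status_line = first_bytes.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return Verdict(
            "plain_http",
            f"plaintext HTTP reply {status_line!r}; parsed as a TLS header the "
            f"length field is {length} > {TLS_MAX_RECORD}, which the browser "
            f"reports as SSL_ERROR_RX_RECORD_TOO_LONG",
        )
    return Verdict("unknown", f"first bytes {first_bytes[:8].hex()} are neither TLS nor HTTP")


def minimal_client_hello(server_name: str) -> bytes:
    """Build a bare TLS 1.2 ClientHello (one SNI extension, three cipher
    suites) so the probe can elicit a reply without a full TLS stack."""
    name = server_name.encode("idna")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name entry
    sni_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list       # extension type 0 = SNI
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    suites = b"\xc0\x2f\xc0\x30\x00\x9c"                            # ECDHE/RSA AES-GCM suites
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"                 # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                           # one compression method: null
            + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def probe(host: str, port: int, timeout: float = 5.0) -> Verdict:
    """Connect to host:port, send the ClientHello and classify the reply.
    Needs network access; the self-test uses only the constructed bytes below."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(minimal_client_hello(host))
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return classify_server_bytes(data)


# Constructed sample replies (not captured from any real server).
PLAIN_HTTP_REPLY = (b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
                    b"<html>Your browser sent a request that this server could not understand.</html>")
TLS_ALERT_REPLY = b"\x15\x03\x03\x00\x02\x02\x28"   # fatal handshake_failure alert

if __name__ == "__main__":
    for sample in (PLAIN_HTTP_REPLY, TLS_ALERT_REPLY, b""):
        verdict = classify_server_bytes(sample)
        print(f"{verdict.kind:10s} {verdict.detail}")
```

Run against a real host with `probe("domain.eu", 5443)`: a `plain_http` verdict means something other than OM's Tomcat owns the port, a `tls` verdict means the listener is right and the remaining complaint is about the certificate.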


Re: Log-in and security

Posted by Maxim Solodovnik <so...@gmail.com>.
Please check OM is running: `ps -ef|grep java` and that the necessary ports
are in LISTEN state: `netstat -an|grep 5443`

The result of the last command should be something like

tcp6       0      0 :::5443                 :::*                    LISTEN



On Fri, 5 Jul 2019 at 22:21, Xavier M <xa...@hotmail.com> wrote:

> Atomic steps sound fine... Except if it is a nuclear bomb!
>
> In my case, I'd like as a first step to understand why I can not connect
> anymore to "https://domain.eu:5443/openmeetings" (while I could connect
> to "https://domain.eu") - domain.eu was a generic name in my explanation -
> since I followed the steps given yesterday. Nota bene: it works again when
> I modify /etc/apache2/ports.conf to add "Listen 5443" and "Listen 8888",
> but I got the error SSL_ERROR_RX_RECORD_TOO_LONG.
>
> Assume that I go back to the previous problem, that is I can connect, but
> with a warning "self made certificate", or whatever the correct name...
> Then I have to understand what Aaron means by "Proxy through Apache, or
> configure your OM instance to be able to read where the keys are" and
> what the pros and cons are. Aaron suggested that I "proxy", but actually
> I do not know how one does this.
>
> Thanks all of you for your help,
> Xavier
>
>
> ------------------------------
> *From:* Maxim Solodovnik <so...@gmail.com>
> *Sent:* Friday, 5 July 2019 16:28
> *To:* Openmeetings user-list
> *Subject:* Re: Log-in and security
>
> The best way to make everything work is to perform atomic steps
> And ensure everything still works after each step
>
> In your case
> 0) you need to understand what your goal is
> 1) then achieve it :)
>
> As I understand you would like to have OM at port 443
>
> You can do it by either changing the OM https port to be 443
> Or
> By setting up a frontend proxy
>
> Each option has pros and cons
> You have to choose one option before any other step :)
>
> On Fri, Jul 5, 2019, 20:34 Xavier M <xa...@hotmail.com> wrote:
>
> This is possible! But:
>
>  - What does Alvaro mean by "To be able to connect from the Internet or
> LAN with this server, remember to open the following
> ports: 5443 8888" ?
>  - I could not connect anymore to "https://domain.eu:5443/openmeetings"
> (while I could connect to "https://domain.eu") until I did that: and now it
> "works" again, with the error SSL_ERROR_RX_RECORD_TOO_LONG...
>  - ... and I have no idea why!
>
> If you have any idea/explanation, I really don't know what is happening
> or what to do! I will comment out the lines in ports.conf and restart, to
> check whether it works like before or not.
>
> Thank you!
> Xavier
>
> ------------------------------
> *From:* Maxim Solodovnik <so...@gmail.com>
> *Sent:* Friday, 5 July 2019 15:14
> *To:* Openmeetings user-list
> *Subject:* Re: Log-in and security
>
> I'm afraid this:
> "I just added "Listen 5443" and "Listen 8888" into /etc/apache2/ports.conf"
> makes no sense :(
>
> Apache HTTPD will listen on these ports and both OM and Kurento will be
> unable to start since the ports are already busy ....
>
> On Fri, 5 Jul 2019 at 17:37, Xavier M <xa...@hotmail.com> wrote:
>
> Hi all,
>
> I just added "Listen 5443" and "Listen 8888" into /etc/apache2/ports.conf
> (and nothing into /etc/apache2/sites-enabled/000-default.conf)
>
> I can now access "https://domain.eu:5443/openmeetings", but with the
> error SSL_ERROR_RX_RECORD_TOO_LONG
> How can I solve it? Could it be due to the changes I made yesterday thanks
> to Stefan's help?
>
> sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem
> -inkey /etc/letsencrypt/live/domain.eu/privkey.pem
> -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile
> /etc/letsencrypt/live/domain.eu/chain.pem
>
> sudo keytool -importkeystore -srcstorepass password -srckeystore
> /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password
> -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5
>
> sudo keytool -import -alias root -keystore
> /opt/OM_Folder/conf/keystore.jks -trustcacerts -file
> /etc/letsencrypt/live/domain.eu/chain.pem
>
> sudo cp -f /opt/OM_Folder/conf/keystore.jks
> /opt/OM_Folder/conf/trustscore.jks
>
> sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore
> (<- only if you have version 5.*)
>
> See you soon,
> Xavier
>
>
>
>
>
>
>
>
> ------------------------------
> *From:* Xavier M <xa...@hotmail.com>
> *Sent:* Friday, 5 July 2019 10:36
> *To:* user@openmeetings.apache.org
> *Subject:* RE: Log-in and security
>
> Hello Maxim,
>
> That's a good idea... I had already heard of it, but I still have to look
> at how to do it. But it seems that I forgot something, since I can not
> access OpenMeetings since I ran "shutdown -r now" on the server. Any idea
> which command it is?
>
> Xavier
>
> ------------------------------
> *From:* Maxim Solodovnik <so...@gmail.com>
> *Sent:* Friday, 5 July 2019 09:38
> *To:* Openmeetings user-list
> *Subject:* Re: Log-in and security
>
> You need to set-up autostart for these services
>
> On Fri, Jul 5, 2019, 14:04 Xavier M <xa...@hotmail.com> wrote:
>
> Hmm... It sounds a bit complicated for me, I have to do it "slowly". But
> I'm pretty sure I'll do it.
>
> For the moment, I do not understand why I can not connect anymore to
> "https://domain.eu:5443/openmeetings" (while I can connect to
> "https://domain.eu") after I ran "shutdown -r now" on the web server. It
> has been a full night since I typed, after the "reboot":
> sudo /etc/init.d/mysql start
> sudo /etc/init.d/kurento-media-server start
> sudo /etc/init.d/tomcat3 start
>
> Did I forget something? Is there a log anywhere which could help?
>
> Have a good day!
> Xavier
>
> ------------------------------
> *From:* Maxim Solodovnik <so...@gmail.com>
> *Sent:* Friday, 5 July 2019 04:18
> *To:* Openmeetings user-list
> *Subject:* Re: Log-in and security
>
> Demo server uses Apache as frontend proxy
> The config is here:
> https://stackoverflow.com/questions/51721771/apache-openmeetings-4-0-4-csrf-attack-when-using-apache2-as-proxypass
>
> On Fri, 5 Jul 2019 at 03:51, Xavier M <xa...@hotmail.com> wrote:
>
> Ok, for the time being, I won't switch to root...
>
> I ran "sudo shutdown -r now" and waited. The server has come up again
> (website "https://domain.eu" reachable). I connected through SSH and typed:
>
> sudo /etc/init.d/mysql start
> sudo /etc/init.d/tomcat3 start
>
>
> Now I'm waiting... But I can't connect at all to OpenMeetings with the URL
> that previously worked ("https://domain.eu:5443/openmeetings"): Firefox
> can not establish a connection with this address...
>
>
> Thank you all and have a good night,
>
> Xavier
>
>
> On 04/07/2019 at 22:05, Stefan Kühl wrote:
>
> Ok, please restart the server and it should work.
> If you use open500 as the folder, open500/conf is correct.
>
> Just restart it.
>
> Greetz
>
> Stefan
>
> PS: if you want to access "permission denied" folders you need to
> switch to root, sudo won't work in this case. But be careful, keep in mind
> that you change the ownership if you change files as root.
>
>
> Good evening
>
> On 04.07.2019 21:57, Xavier M wrote:
>
> Thank you!
>
>
> Each command line worked... But it did not change anything when I want to
> log in. Maybe I should restart "a service"?
>
> NB: as OM_Folder, I wrote "open500", where I found a "conf" subdirectory
> with a "keystore" file. But I have an "openmeetings" subdirectory too...
> which I can not access (Permission denied).
>
>
> Greetings,
>
> Xavier
>
>
> On 04/07/2019 at 21:35, Stefan Kühl wrote:
>
> Yes, I'm sorry. Did this so many times and forgot an important point.
> First: the password is: password
>
> ;-)
>
>
> Let's go through the lines:
>
> "sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem
> -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out
> /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/
> domain.eu/chain.pem"
>
> Here you use the openssl library to export the key from the
> letsencrypt certificate into the red5.p12 file and store it in your OM
> folder (red5 is just a name - you could also use any other name)
>
> "sudo keytool -importkeystore -srcstorepass password -srckeystore
> /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password
> -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5
>
> sudo keytool -import -alias root -keystore
> /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/
> domain.eu/chain.pem"
>
> by using keytool you import the certificate key, setting the password
> (-srcstorepass password -> -deststorepass password), into the file
> keystore.jks and confirm the trust by the chain.pem
>
> "sudo cp -f /opt/OM_Folder/conf/keystore.jks
> /opt/OM_Folder/conf/trustscore.jks"
>
> now creating the trustscore.jks by copying the keystore.jks
>
> finally, and only if you have OM 5.* installed:
>
> "sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore"
> this is necessary because OM5 looks only for keystore and not for
> keystore.jks. You can do "mv keystore.jks keystore" also. Otherwise you
> could update the config file to look for keystore.jks
>
> So if you will be asked for
>
> *Enter Export Password:*
> *Verifying - Enter Export Password:*
>
> *and again*
>
>
> *Enter Import Password:*
> *Verifying - Enter Import Password:*
>
> *you need to enter password*
>
> *Just to keep it simple, you can choose your own password, but keep in
> mind to change it within the command too ;-)*
>
> *Greetz*
>
> *Stefan*
>
> On 04.07.2019 21:18, Xavier M wrote:
>
> So...
>
> After having changed the folder names, I entered the first command line to
> get:
>
> *Enter Export Password:*
> *Verifying - Enter Export Password:*
>
> I wrote down a password - I guess I defined it at this step?
>
>
> Then the second command line delivered:
>
> *Importing keystore /opt/open500/conf/red5.p12 to
> /opt/open500/conf/keystore.jks...*
> *keytool error: java.io.IOException: keystore password was incorrect*
>
> Any idea of what happens and what I should do? I did not try the third
> command line.
>
> By the way, can you explain to me in a few words what I'm doing with these
> command lines?
>
>
> Have a good evening,
>
> Xavier
>
>
> On 04/07/2019 at 19:15, Stefan Kühl wrote:
>
> Maybe to make a quick check (every command in one line):
>
> sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem
> -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out
> /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/
> domain.eu/chain.pem
>
>
> sudo keytool -importkeystore -srcstorepass password -srckeystore
> /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password
> -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5
>
> sudo keytool -import -alias root -keystore
> /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/
> domain.eu/chain.pem
>
>
> sudo cp -f /opt/OM_Folder/conf/keystore.jks
> /opt/OM_Folder/conf/trustscore.jks
>
>
> sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore
> (<- only if you have version 5.*)
>
>
>
> Please remember: if you leave it like this, you need to repeat these lines
> after every renewal of your certificate. Be aware of the folders ->
> domain.eu: your domain and OM_Folder: your OM installation folder.
>
> Greetz
>
> Stefan
>
> On 04.07.2019 18:00, Xavier M wrote:
>
> Then let's go with Proxy through Apache.
>
> I'm not running as root, but my account has full rights so that I
> thought I could do exactly the same things. "sudo" is my friend... even
> sudo chmod.
>
> The server works with Ubuntu - my account was created at the installation.
> When I refer to a "LAMP-server", I executed the command
>
> sudo apt install apache2 php libapache2-mod-php mariadb-server php-mysql
>
>
> ... among others, prior to installing OM.
>
>
> Xavier
>
> ------------------------------
> *From:* Aaron Hepp <aa...@gmail.com>
> *Sent:* Thursday, 4 July 2019 17:53
> *To:* user@openmeetings.apache.org
> *Subject:* Re: Log-in and security
>
> Proxy through Apache would be the easier solution for upgrading
>
> when you say Admin of the server, are you running as root or can you
> log into it?  As well, what "type" of server is it (RHEL, CentOS, Ubuntu,
> etc.)
>
> On 7/4/19 11:48 AM, Xavier M wrote:
>
> Thank you Aaron.
>
> Even if I have admin rights, I can access only /etc/letsencrypt/. The
> permission is denied when I want to open the subdirectory "live".
>
> How do both solutions work? I know neither how to "Proxy through Apache",
> nor how to "configure my OM instance to be able to read where the keys
> are". Sorry for all that...
>
> Xavier
>
> ------------------------------
> *From:* Aaron Hepp <aa...@gmail.com>
> *Sent:* Thursday, 4 July 2019 17:40
> *To:* user@openmeetings.apache.org
> *Subject:* Re: Log-in and security
>
> That is your issue.  Apache has the cert installed via Let's Encrypt.  Tomcat
> which is running on 5443 needs to have the configuration set to know where
> the cert is located as well as the keystore created.
>
> You can do two things.  Proxy through Apache, or configure your OM
> instance to be able to read where the keys are.
>
> Let's Encrypt places the cert at:
> /etc/letsencrypt/live/<domain>
>
>
>
> On 7/4/19 11:34 AM, Xavier M wrote:
>
> Hem... No... Do you mean I have to copy and paste the certificate in each
> folder? Actually, I don't even know where the certificate is to be found on
> the server... But I guess I'll find it somewhere if needed.
>
> Xavier
>
> ------------------------------
> *From:* Stefan Kühl <st...@quatrekuehl.eu>
> *Sent:* Thursday, 4 July 2019 17:06
> *To:* user@openmeetings.apache.org
> *Cc:* R. Scholz
> *Subject:* Re: Log-in and security
>
>
> Hi @all,
>
> the port should be irrelevant. I'm using Apache on Ubuntu with port 5443 too.
> https works as expected.
> Did you export the certificate keys (like keystore and trustscore) to
> your %OM%/conf folder?
>
>
> Greetz
>
> Stefan
>
> On 04.07.2019 16:57, R. Scholz wrote:
>
> Hello Xavier,
>
> Hm, are you using Tomcat or Apache on port 80?
>
> Best regards,
>
> René
>
>
> On 04.07.2019 at 16:24, Xavier M wrote:
>
> Thank you for answering... I'm sorry, but I don't know enough about
> certificates to give you a relevant answer. I think that:
>  * The common name is "rusa.fr"
>  * There is no subject alternative name (not even www.rusa.fr)
>  * It is not a wildcard
>
> ... But I'm not 100% sure, it is the first time I administer a server,
> I'm discovering many things at the same time!
>
> Xavier
>
> ------------------------------
> *From:* Clayton, Robin <Ro...@cumberland.co.uk>
> *Sent:* Thursday, 4 July 2019 15:43
> *To:* user@openmeetings.apache.org
> *Subject:* RE: Log-in and security
>
>
> What is the CN of the certificate, are there any SAN entries on the
> certificate? Or is it a wildcard?
>
>
>
> The TCP port should be irrelevant.
>
>
>
> Rob
>
>
>
>
>
>
>
>
>
> *From:* Stefan Kühl [mailto:stefan@quatrekuehl.eu]
>
> *Sent:* 04 July 2019 14:16
> *To:* user@openmeetings.apache.org
> *Cc:* Xavier M
> *Subject:* Re: Log-in and security
>
>
>
> Hi,
>
> are you sure that you requested your certificate also for domain.eu or only
> for www.domain.eu? You should check this. Sometimes webhosters only use
> the www addresses for certificates.
>
> Greetz
>
> Stefan
>
>
>
>
>
> On 04.07.2019 14:18, Xavier M wrote:
>
> Hi everybody,
>
>
>
> I'm quite sure that the answer is already somewhere, but I couldn't find
> it...
>
>
>
> After having installed OM on a web server, the "written" way to access
> the log-in is the following, according to Alvaro's tutorial:
>
> https://localhost:5443/openmeetings
>
>
>
> If OM is installed on a web server, let's say "domain.eu", it works
> correctly with:
>
> https://domain.eu:5443/openmeetings
>
>
>
> But the user will get a warning for security reasons, even if domain.eu
> works with https, since the common certificates will not work with this
> port.
>
>
>
> I noted that the following URL worked for the "demo version":
>
> https://om.alteametasoft.com/openmeetings
>
>
>
> Does anyone know how this was done? I would like to avoid the use of
> port 5443 with the warning.
>
>
>
> Have a good day!
>
> Xavier
>
>
>
>
>
>
>
>
> --
> WBR
> Maxim aka solomax
>
>
>
> --
> WBR
> Maxim aka solomax
>
>

-- 
WBR
Maxim aka solomax

RE: Log-in and security

Posted by Xavier M <xa...@hotmail.com>.
Atomic steps sounds fine... Except if it is a nuclear bomb!

In my case, I'd like as first step to understand why I can not connect anymore to "https://domain.eu:5443/openmeetings" (while I could connect to "https://domain.eu") - domain.eu was a generic name in my explanation - since I followed the steps given yesterday. Nota Bene: it works again when I modify /etc/apache2/ports.conf to add "Listen 5443" and "Listen 8888", but I got the error SSL_ERROR_RX_RECORD_TOO_LONG.

Assume that I go back to the previous problem, that is I can connect, but with a warning "self made certificate", or whatever the correct name... Then I have to understand what Aaron means by "Proxy through Apache, or configure your OM instance to be able to read where the keys are" and what are pros and cons. Aaron suggested me to "proxy", but actually I do not know how one does this.

Thanks all of you for your help,
Xavier

________________________________
De : Maxim Solodovnik <so...@gmail.com>
Envoyé : vendredi 5 juillet 2019 16:28
À : Openmeetings user-list
Objet : Re: Log-in and security

The best way to make everything working is to perform atomic steps
And ensure everything still works after each step

In your case
0) you need to understand what is your goal
1) then achieve it :)

As I understand you would like to have OM at port 443

You can do it by ether change OM https port to be 443
Or
By set up frontend proxy

Each option has pros and cons
You have to choose one option before any other step :)

On Fri, Jul 5, 2019, 20:34 Xavier M <xa...@hotmail.com> wrote:
This is possible! But:

 - What does Alvaro mean by "To be able to connect from the Internet or LAN with this server, remember to open the following
ports: 5443 8888" ?
 - I could not connect anymore to "https://domain.eu:5443/openmeetings" (while I could connect to "https://domain.eu") until I did that: and now it "works" again, with the error SSL_ERROR_RX_RECORD_TOO_LONG...
 - ... and I have no idea why!

If you have any idea/explanation, I really don't know neither what happens nor what to do! I will comment the lines in ports.conf and restart, to check whether it works like before or not.

Thank you!
Xavier

________________________________
De : Maxim Solodovnik <so...@gmail.com>
Envoyé : vendredi 5 juillet 2019 15:14
À : Openmeetings user-list
Objet : Re: Log-in and security

I'm afraid this
I just added "Listen 5443" and "Listen 8888" into /etc/apache2/ports.conf
makes no sense :(

Apache HTTPD will listen on these ports and both OM and Kurento will be unable to start since the ports are already busy ....

On Fri, 5 Jul 2019 at 17:37, Xavier M <xa...@hotmail.com> wrote:
Hi all,

I just added "Listen 5443" and "Listen 8888" into /etc/apache2/ports.conf (and nothing into /etc/apache2/sites-enabled/000-default.conf)

I can now access to "https://domain.eu:5443/openmeetings", but with the error SSL_ERROR_RX_RECORD_TOO_LONG
How can I solve it? Could it be due to the changes I made yesterday thanks to Stefan's help?


sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/domain.eu/chain.pem

sudo keytool -importkeystore -srcstorepass password -srckeystore /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5

sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem

sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks

sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore (<- only if you have version 5.*)


Bis demnächst,
Xavier




________________________________
De : Xavier M <xa...@hotmail.com>
Envoyé : vendredi 5 juillet 2019 10:36
À : user@openmeetings.apache.org
Objet : RE: Log-in and security

Hello Maxim,

That's a good idea... I had already heard of it, but I still have to look how I do it. But it seems that I forgot something, since I can not access to Open Meetings since I "shutdown -r now" the server. Any idea of which command it is?

Xavier

________________________________
De : Maxim Solodovnik <so...@gmail.com>
Envoyé : vendredi 5 juillet 2019 09:38
À : Openmeetings user-list
Objet : Re: Log-in and security

You need to set-up autostart for these services

On Fri, Jul 5, 2019, 14:04 Xavier M <xa...@hotmail.com> wrote:
Hmm... It sounds a bit complicated for me, I have to make it "slowly". But I'm pretty sure I'll do it.

For the moment, I do not understand why I can not connect anymore to "https://domain.eu:5443/openmeetings" (while I can connect to "https://domain.eu") after I "shutdown -r now" the web server? It has been a full night since I typed after the "reboot":
sudo /etc/init.d/mysql start
sudo /etc/init.d/kurento-media-server start
sudo /etc/init.d/tomcat3 start

Did I forget something? Is there anywhere a log which could help?

Have a good day!
Xavier

________________________________
De : Maxim Solodovnik <so...@gmail.com>
Envoyé : vendredi 5 juillet 2019 04:18
À : Openmeetings user-list
Objet : Re: Log-in and security

Demo server uses Apache as frontend proxy
The config is here: https://stackoverflow.com/questions/51721771/apache-openmeetings-4-0-4-csrf-attack-when-using-apache2-as-proxypass

On Fri, 5 Jul 2019 at 03:51, Xavier M <xa...@hotmail.com> wrote:

Ok, at the time being, I won't switch to root...

I "sudo shutdown -r now" and waited. The server has gone on again (website "https://domain.eu" reachable). I connected through SSH and typed:

sudo /etc/init.d/mysql start
sudo /etc/init.d/tomcat3 start


Now I'm waiting... But I can't connect at all to OpenMeetings with the URL that previously worked ("https://domain.eu:5443/openmeetings"): Firefox can not establish a connection with this address...


Thank you all and have a good night,

Xavier


Le 04/07/2019 à 22:05, Stefan Kühl a écrit :

Ok, please restart the server and it should work.
If you use open500 as folder open500/conf is correct.

Just restart it.

Greetz

Stefan

PS: if you want to access to "permission denied" folders you need to switch to root, sudo won't work in this case. But be careful, keep in mind that you change the ownership if you change files as root.



Bonne soiree

Am 04.07.2019 21:57, schrieb Xavier M:

Thank you!


Each command line worked... But it did not change anything when I want to log in. Maybe shall I restart "a service"?

NB : as OM_Folder, I wrote "open500", where I found a "conf" subdirectory with a "keystore" file. But I have an "openmeetings" subdirectory too... to which I can not access (Permission denied).


Greetings,

Xavier


Le 04/07/2019 à 21:35, Stefan Kühl a écrit :

Yes, I'm sorry. Did this so many times and forgot an important point. First: the password is: password

;-)



Let's go through the lines:

"sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/domain.eu/chain.pem"

Here you use the openssl library to export the key from the letsencrypt certificate into the red5.p12 file and store it in your OM Folder (red5 is just a name - you could also use any other name)

"sudo keytool -importkeystore -srcstorepass password -srckeystore /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5

sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem"

by using keytool you import the certificate key by setting the password (-srcstorepass password -> deststorepass password) into the file keystore.jks and confirming the trust by the chain.pem

"sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks"

now creating the trustscore.jks by copying the keystore.jks

at least and only if you have OM 5.* installed:

"sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore"
this is necessary because OM5 looks only for keystore and not for keystore.jks. You can do "mv keystore.jks keystore" also. Otherwise you could update the config file to look for keystore.jks"

So if you will be asked for

Enter Export Password:
Verifying - Enter Export Password:

and again

Enter Import Password:
Verifying - Enter Import Password:

you need to enter password

Just to keep it simple, you can choose your own password, but keep in mind to change it within the command too;-)

Greetz

Stefan

Am 04.07.2019 21:18, schrieb Xavier M:

So...

After having changed the folder names, I entered the first command line to get:

Enter Export Password:
Verifying - Enter Export Password:

I wrote down a password - I guess I defined it at this step?


Then the second command line delivered:

Importing keystore /opt/open500/conf/red5.p12 to /opt/open500/conf/keystore.jks...
keytool error: java.io.IOException: keystore password was incorrect

Any idea of what happens and what I should do? I did not try the third command line.

By the way, can you explain me in a few words what I'm doing with these command lines ?


Have a good evening,

Xavier


Le 04/07/2019 à 19:15, Stefan Kühl a écrit :

Maybe to make a quick check (every command in one line):

sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/domain.eu/chain.pem

sudo keytool -importkeystore -srcstorepass password -srckeystore /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5

sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem

sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks

sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore (<- only if you have version 5.*)




Please remember: If you leave it like this, you need to repeat these lines after every renewal of your certificate. Be aware of the folders -> domain.eu: your domain and OM_Folder: your OM installation folder.

Greetz

Stefan

Am 04.07.2019 18:00, schrieb Xavier M:

Then let's go with Proxy through Apache.

I'm not running as root, but my account has the whole rights so that I thought I could do exactly the same things. "sudo" is my friend... even sudo chmod.

The server works with Ubuntu - my account was created at the installation. When I refer to a "LAMP-server", I executed the command

sudo apt install apache2 php libapache2-mod-php mariadb-server php-mysql


... among other prior to install OM.


Xavier

________________________________
De : Aaron Hepp <aa...@gmail.com>
Envoyé : jeudi 4 juillet 2019 17:53
À : user@openmeetings.apache.org
Objet : Re: Log-in and security

Proxy through Apache would be the easier solution for upgrading

when you say Admin of the server you are running as root or that you can log into it?  As well what "type" of server is it (RHEL, CentOS, Ubuntu, etc.)

On 7/4/19 11:48 AM, Xavier M wrote:
Thank you Aaron.

Even if I have admin rights, I can access only to /etc/letsencrypt/. The permission is denied when I want to open the subdirectory "live".

How do both solution work? I know neither how to "Proxy through Apache", nor how to "configure my OM instance to be able to read where the keys are". Sorry for all that...

Xavier

________________________________
De : Aaron Hepp <aa...@gmail.com>
Envoyé : jeudi 4 juillet 2019 17:40
À : user@openmeetings.apache.org
Objet : Re: Log-in and security

That is your issue.  Apache has the cert installed via LetEncrypt.  Tomcat which is running on 5443 needs to have the configuration set to know where the cert is located as well as the keystore created.

You can do two things.  Proxy through Apache, or configure your OM instance to be able to read where the keys are.

LetEncrypt places the cert at:
/etc/letsencrypt/live/<domain>



On 7/4/19 11:34 AM, Xavier M wrote:
Hem... No... Do you mean I have to copy and paste the certificate in each folder? Actually, I even don't know where the certificate is to be found on the server... But I guess I find it somewhere if needed.

Xavier

________________________________
De : Stefan Kühl <st...@quatrekuehl.eu>
Envoyé : jeudi 4 juillet 2019 17:06
À : user@openmeetings.apache.org
Cc : R. Scholz
Objet : Re: Log-in and security


Hi @all,

port should be irrelevant. I'm using Apache on Ubuntu with port 5443 too. https works as expected.
Did you export the certificate keys (like keystore and trustscore) to your %OM%/conf folder?



Greetz

Stefan

Am 04.07.2019 16:57, schrieb R. Scholz:

Hello Xavier,

Hm, you using on Port 80 Tomcat or Apache?

Best regards,

René


Am 04.07.2019 um 16:24 schrieb Xavier M:
Thank you for answering... I'm sorry, but I don't know enough about certificates to give you a relevant answer. I think that :
 * The common name is "rusa.fr"
 * There is no subject alternative name (even www.rusa.fr)
 * It is not a wildcard

... But I'm not 100% sure, it is the first time I administrate a server, I'm discovering many things at the same time!

Xavier

________________________________
De : Clayton, Robin <Ro...@cumberland.co.uk>
Envoyé : jeudi 4 juillet 2019 15:43
À : user@openmeetings.apache.org
Objet : RE: Log-in and security


What is the CN of the certificate, is there any SAN entries on the certificate? Or is it a wildcard?



The TCP port should be irrelevant.



Rob









From: Stefan Kühl [mailto:stefan@quatrekuehl.eu]
Sent: 04 July 2019 14:16
To: user@openmeetings.apache.org
Cc: Xavier M
Subject: Re: Log-in and security



Hi,

are you sure that you request your certificate also for domain.eu or only for www.domain.eu. You should check this. Sometimes webhosters only use the www addresses for certificates.

Greetz

Stefan





Am 04.07.2019 14:18, schrieb Xavier M:

Hi everybody,



I'm quite sure that the answer is already somewhere, but I couldn't find it...



After having installed OM on a web-server, the "written" way to access to the log-in is following, according to Alvaro's tuto:

https://localhost:5443/openmeetings



If OM is installed on a web server, let's say "domain.eu", it works correctly with:

https://domain.eu:5443/openmeetings



But the user will get a warning for security reason, even if domain.eu works with https, since the common certificates will not work with this port.



I stated that following URL worked for the "demo version":

https://om.alteametasoft.com/openmeetings



Does anyone know how this was done? I would like to avoid the use of the port 5443 with the warning.



Have a good day!

Xavier



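
Stefan's five commands above have to be re-run after every Let's Encrypt renewal, as he notes. The certbot deploy hook below is an added example (not code from this thread or from the OpenMeetings project) that automates exactly those steps; it assumes certbot's RENEWED_LINEAGE variable, a hypothetical root-only password file /etc/openmeetings/keystore.pass, and the OM_DIR, OM_USER and OM_VERSION values set at the top.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenMeetings project: a certbot
# deploy hook that repeats Stefan's PEM -> PKCS12 -> JKS steps after every
# renewal, so the keystore never goes stale. Differences from the thread:
# the password comes from a root-only file instead of the literal "password",
# the new keystore is verified before it replaces the live one, and the
# installed files get restrictive permissions because they hold the private key.
# Assumptions (not from the thread): certbot exports RENEWED_LINEAGE
# (= /etc/letsencrypt/live/<domain>) to deploy hooks; PASS_FILE, OM_USER and
# OM_VERSION are hypothetical values to adjust for the real installation.
set -eu

OM_DIR="${OM_DIR:-/opt/OM_Folder}"                          # OM install folder (thread)
OM_USER="${OM_USER:-root}"                                   # account OM runs as (hypothetical)
OM_VERSION="${OM_VERSION:-5.0.0}"                            # hypothetical value
PASS_FILE="${PASS_FILE:-/etc/openmeetings/keystore.pass}"   # hypothetical path

# OM 5.* reads conf/keystore, older releases read conf/keystore.jks
# (the "only if you have version 5.*" copy in the thread).
om_keystore_name() {
    case "$1" in
        5.*) echo "keystore" ;;
        *)   echo "keystore.jks" ;;
    esac
}

# Build the keystore from the PEM files in lineage dir $1 and install it
# into $2/conf, using the password file $3 and OM version $4.
build_om_keystore() {
    live="$1"; omdir="$2"; passfile="$3"; version="$4"
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT

    # 1) key + cert + chain -> PKCS12 (the thread's openssl step; -passout file:
    #    keeps the password out of the process list)
    openssl pkcs12 -export -in "$live/cert.pem" -inkey "$live/privkey.pem" \
        -certfile "$live/chain.pem" -name red5 -out "$work/red5.p12" \
        -passout "file:$passfile"

    # 2) PKCS12 -> JKS, written to a scratch file, not over the live keystore
    keytool -importkeystore -srckeystore "$work/red5.p12" -srcstoretype PKCS12 \
        -srcstorepass:file "$passfile" -srcalias red5 \
        -destkeystore "$work/keystore.jks" -deststorepass:file "$passfile" \
        -destalias red5 -noprompt

    # 3) add the Let's Encrypt chain as a trusted entry (thread's third command)
    keytool -importcert -alias root -file "$live/chain.pem" -trustcacerts \
        -keystore "$work/keystore.jks" -storepass:file "$passfile" -noprompt

    # 4) refuse to install a keystore that does not contain the key entry
    keytool -list -keystore "$work/keystore.jks" -storepass:file "$passfile" \
        | grep -q '^red5,'

    # 5) install keystore + truststore, readable only by the OM account
    target="$omdir/conf/$(om_keystore_name "$version")"
    cp -f "$work/keystore.jks" "$target"
    cp -f "$work/keystore.jks" "$omdir/conf/trustscore.jks"
    chown "$OM_USER" "$target" "$omdir/conf/trustscore.jks"
    chmod 600 "$target" "$omdir/conf/trustscore.jks"
}

# certbot sets RENEWED_LINEAGE only when running this as a deploy hook;
# Tomcat (service name from the thread) must restart to load the new keystore.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_om_keystore "$RENEWED_LINEAGE" "$OM_DIR" "$PASS_FILE" "$OM_VERSION"
    /etc/init.d/tomcat3 restart
fi
```

Register it with `certbot renew --deploy-hook /path/to/this-script.sh` (or drop it into certbot's renewal-hooks/deploy directory) so it runs only after a successful renewal.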

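Maxim's point above (an Apache "Listen 5443"/"Listen 8888" takes the ports OM and Kurento need, and the browser then sees Apache's plain HTTP on 5443 as SSL_ERROR_RX_RECORD_TOO_LONG) can be checked before restarting anything. The script below is an added example, not from the thread; it assumes listener data from iproute2's `ss -ltnp` and the /etc/apache2/ports.conf path named in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: checks for the "Listen 5443"/"Listen
# 8888" mistake discussed above. When Apache HTTPD is told to Listen on the
# ports OpenMeetings (5443) and Kurento (8888) need, those services cannot
# bind them, and Apache answers port 5443 with plain HTTP, which Firefox
# reports as SSL_ERROR_RX_RECORD_TOO_LONG.
# Assumptions (not from the thread): listener data comes from iproute2's
# `ss -ltnp`, and the Apache ports.conf path is passed as an argument.

# Print the name of the process listening on TCP port $1, read from an
# `ss -ltnp` dump in file $2 ("-" = stdin). Prints nothing if the port is free.
port_owner() {
    port="$1"
    src="${2:--}"
    awk -v port="$port" '
        $1 == "LISTEN" {
            n = split($4, addr, ":")             # last field is the port
            if (addr[n] == port && match($0, /\(\("[^"]+"/)) {
                print substr($0, RSTART + 3, RLENGTH - 4)   # name inside (("...")
                exit
            }
        }' "$src"
}

# Print (with line numbers) every Listen directive in ports.conf $1 that
# claims one of the ports in $2. Empty output means Apache is not in the way.
listen_conflicts() {
    conf="$1"
    for p in $2; do
        grep -En "^[[:space:]]*Listen[[:space:]]+([^[:space:]#]*:)?$p([[:space:]]|$)" "$conf" || true
    done
}

# Full check: returns 0 when 5443 and 8888 are free or held by the expected
# service (java for OM, kurento-media-server for Kurento) and ports.conf does
# not claim them; returns 1 and prints what is wrong otherwise.
check_om_ports() {
    ss_dump="$1"
    conf="$2"
    rc=0
    for p in 5443 8888; do
        owner=$(port_owner "$p" "$ss_dump")
        case "$owner" in
            "" | java | kurento*) ;;
            *) echo "port $p is held by '$owner', not by OpenMeetings/Kurento"; rc=1 ;;
        esac
    done
    conflicts=$(listen_conflicts "$conf" "5443 8888")
    if [ -n "$conflicts" ]; then
        echo "$conf makes Apache take OpenMeetings/Kurento ports:"
        echo "$conflicts"
        rc=1
    fi
    return $rc
}

# Stand-alone use:  ss -ltnp | sh om-port-check.sh - /etc/apache2/ports.conf
if [ "$#" -eq 2 ]; then
    dump="$1"
    if [ "$dump" = "-" ]; then          # stdin can only be read once, so buffer it
        dump=$(mktemp); cat > "$dump"
    fi
    check_om_ports "$dump" "$2"; rc=$?
    [ "$1" = "-" ] && rm -f "$dump"
    exit $rc
fi
```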
Re: Log-in and security

Posted by Maxim Solodovnik <so...@gmail.com>.
The best way to make everything working is to perform atomic steps
And ensure everything still works after each step

In your case
0) you need to understand what is your goal
1) then achieve it :)

As I understand you would like to have OM at port 443

You can do it by ether change OM https port to be 443
Or
By set up frontend proxy

Each option has pros and cons
You have to choose one option before any other step :)

On Fri, Jul 5, 2019, 20:34 Xavier M <xa...@hotmail.com> wrote:

> This is possible! But:
>
>  - What does Alvaro mean by "To be able to connect from the Internet or
> LAN with this server, remember to open the following
> ports: 5443 8888" ?
>  - I could not connect anymore to "https://domain.eu:5443/openmeetings"
> (while I could connect to "https://domain.eu
> <https://domain.eu:5443/openmeetings>") until I did that: and now it
> "works" again, with the error SSL_ERROR_RX_RECORD_TOO_LONG...
>  - ... and I have no idea why!
>
> If you have any idea/explanation, I really don't know neither what happens
> nor what to do! I will comment the lines in ports.conf and restart, to
> check whether it works like before or not.
>
> Thank you!
> Xavier
>
> ------------------------------
> *De :* Maxim Solodovnik <so...@gmail.com>
> *Envoyé :* vendredi 5 juillet 2019 15:14
> *À :* Openmeetings user-list
> *Objet :* Re: Log-in and security
>
> I'm afraid this
> I just added "Listen 5443" and "Listen 8888" into /etc/apache2/ports.conf
> makes no sense :(
>
> Apache HTTPD will listen on these ports and both OM and Kurento will be
> unable to start since the ports are already busy ....
>
> On Fri, 5 Jul 2019 at 17:37, Xavier M <xa...@hotmail.com> wrote:
>
> Hi all,
>
> I just added "Listen 5443" and "Listen 8888" into /etc/apache2/ports.conf
> (and nothing into /etc/apache2/sites-enabled/000-default.conf)
>
> I can now access to "https://domain.eu:5443/openmeetings", but with the
> error SSL_ERROR_RX_RECORD_TOO_LONG
> How can I solve it? Could it be due to the changes I made yesterday thanks
> to Stefan's help?
>
> *sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem
> <http://domain.eu/cert.pem> -inkey
> /etc/letsencrypt/live/domain.eu/privkey.pem <http://domain.eu/privkey.pem>
> -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile
> /etc/letsencrypt/live/domain.eu/chain.pem <http://domain.eu/chain.pem>*
>
>
> * sudo keytool -importkeystore -srcstorepass password -srckeystore
> /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password
> -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5*
>
> *sudo keytool -import -alias root -keystore
> /opt/OM_Folder/conf/keystore.jks -trustcacerts -file
> /etc/letsencrypt/live/domain.eu/chain.pem <http://domain.eu/chain.pem>*
>
>
> * sudo cp -f /opt/OM_Folder/conf/keystore.jks
> /opt/OM_Folder/conf/trustscore.jks*
>
>
> * sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore
> (<- only if you have version 5.*)*
>
> Bis demnächst,
> Xavier
>
>
>
>
> ------------------------------
> *De :* Xavier M <xa...@hotmail.com>
> *Envoyé :* vendredi 5 juillet 2019 10:36
> *À :* user@openmeetings.apache.org
> *Objet :* RE: Log-in and security
>
> Hello Maxim,
>
> That's a good idea... I had already heard of it, but I still have to look
> how I do it. But it seems that I forgot something, since I can not access
> to Open Meetings since I "shutdown -r now" the server. Any idea of which
> command it is?
>
> Xavier
>
> ------------------------------
> *De :* Maxim Solodovnik <so...@gmail.com>
> *Envoyé :* vendredi 5 juillet 2019 09:38
> *À :* Openmeetings user-list
> *Objet :* Re: Log-in and security
>
> You need to set-up autostart for these services
>
> On Fri, Jul 5, 2019, 14:04 Xavier M <xa...@hotmail.com> wrote:
>
> Hmm... It sounds a bit complicated for me, I have to make it "slowly". But
> I'm pretty sure I'll do it.
>
> For the moment, I do not understand why I can not connect anymore to "
> https://domain.eu:5443/openmeetings" (while I can connect to "
> https://domain.eu <https://domain.eu:5443/openmeetings>") after I
> "shutdown -r now" the web server? It has been a full night since I typed
> after the "reboot":
> sudo /etc/init.d/mysql start
> sudo /etc/init.d/kurento-media-server start
> sudo /etc/init.d/tomcat3 start
>
> Did I forget something? Is there anywhere a log which could help?
>
> Have a good day!
> Xavier
>
> ------------------------------
> *De :* Maxim Solodovnik <so...@gmail.com>
> *Envoyé :* vendredi 5 juillet 2019 04:18
> *À :* Openmeetings user-list
> *Objet :* Re: Log-in and security
>
> Demo server uses Apache as frontend proxy
> The config is here:
> https://stackoverflow.com/questions/51721771/apache-openmeetings-4-0-4-csrf-attack-when-using-apache2-as-proxypass
>
> On Fri, 5 Jul 2019 at 03:51, Xavier M <xa...@hotmail.com> wrote:
>
> Ok, at the time being, I won't switch to root...
>
> I "sudo shutdown -r now" and waited. The server has gone on again (website
> "https://domain.eu <https://domain.eu:5443/openmeetings>" reachable). I
> connected through SSH and typed:
>
> sudo /etc/init.d/mysql start
> sudo /etc/init.d/tomcat3 start
>
>
> Now I'm waiting... But I can't connect at all to OpenMeetings with the URL
> that previously worked ("https://domain.eu:5443/openmeetings"): Firefox
> can not establish a connection with this address...
>
>
> Thank you all and have a good night,
>
> Xavier
>
>
> Le 04/07/2019 à 22:05, Stefan Kühl a écrit :
>
> Ok, please restart the server and it should work.
> If you use open500 as folder open500/conf is correct.
>
> Just restart it.
>
> Greetz
>
> Stefan
>
> PS: if you want to access to "permission denied" folders you need to
> switch to root, sudo won't work in this case. But be careful, keep in mind
> that you change the ownership if you change files as root.
>
>
> Bonne soiree
>
> Am 04.07.2019 21:57, schrieb Xavier M:
>
> Thank you!
>
>
> Each command line worked... But it did not change anything when I want to
> log in. Maybe shall I restart "a service"?
>
> NB : as OM_Folder, I wrote "open500", where I found a "conf" subdirectory
> with a "keystore" file. But I have an "openmeetings" subdirectory too... to
> which I can not access (Permission denied).
>
>
> Greetings,
>
> Xavier
>
>
> Le 04/07/2019 à 21:35, Stefan Kühl a écrit :
>
> Yes, I'm sorry. Did this so many times and forgot an important point.
> First: the password is: password
>
> ;-)
>
>
> Let's go through the lines:
>
> "sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem
> -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out
> /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/
> domain.eu/chain.pem"
>
> Here you use the openssl library to export the key from the
> letsencrypt certificate into the red5.p12 file and store it in your OM
> Folder (red5 is just a name - you could also use any other name)
>
> "sudo keytool -importkeystore -srcstorepass password -srckeystore
> /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password
> -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5
>
> sudo keytool -import -alias root -keystore
> /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/
> domain.eu/chain.pem"
>
> by using keytool you import the certificate key by setting the password
> (-srcstorepass password -> deststorepass password) into the file
> keystore.jks and confirming the trust by the chain.pem
>
> "sudo cp -f /opt/OM_Folder/conf/keystore.jks
> /opt/OM_Folder/conf/trustscore.jks"
>
> now creating the trustscore.jks by copying the keystore.jks
>
> at least and only if you have OM 5.* installed:
>
> "sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore"
> this is necessary because OM5 looks only for keystore and not for
> keystore.jks. You can do "mv keystore.jks keystore" also. Otherwise you
> could update the config file to look for keystore.jks"
>
> So if you will be asked for
>
> *Enter Export Password:*
> *Verifying - Enter Export Password:*
>
> *and again*
>
>
> *Enter Import Password: Verifying - Enter Import Password:*
>
> *you need to enter password *
>
> *Just to keep it simple, you can choose your own password, but keep in
> mind to change it within the command too;-)*
>
> *Greetz*
>
> *Stefan*
>
> Am 04.07.2019 21:18, schrieb Xavier M:
>
> So...
>
> After having changed the folder names, I entered the first command line to
> get:
>
> *Enter Export Password:*
> *Verifying - Enter Export Password:*
>
> I wrote down a password - I guess I defined it at this step?
>
>
> Then the second command line delivered:
>
> *Importing keystore /opt/open500/conf/red5.p12 to
> /opt/open500/conf/keystore.jks...*
> *keytool error: java.io.IOException: keystore password was incorrect*
>
> Any idea of what happens and what I should do? I did not try the third
> command line.
>
> By the way, can you explain me in a few words what I'm doing with these
> command lines ?
>
>
> Have a good evening,
>
> Xavier
>
>
> Le 04/07/2019 à 19:15, Stefan Kühl a écrit :
>
> Maybe to make a quick check (every command in one line):
>
> sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem
> -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out
> /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/
> domain.eu/chain.pem
>
>
> sudo keytool -importkeystore -srcstorepass password -srckeystore
> /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password
> -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5
>
> sudo keytool -import -alias root -keystore
> /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/
> domain.eu/chain.pem
>
>
> sudo cp -f /opt/OM_Folder/conf/keystore.jks
> /opt/OM_Folder/conf/trustscore.jks
>
>
> sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore
> (<- only if you have version 5.*)
>
>
>
> Please remember: If you leave it like this, you need to repeat these lines
> after every renewal of your certificate. Be aware of the folders ->
> domain.eu: your domain and OM_Folder: your OM installation folder.
>
> Greetz
>
> Stefan
>
> Am 04.07.2019 18:00, schrieb Xavier M:
>
> Then let's go with Proxy through Apache.
>
> I'm not running as root, but my account has the whole rights so that I
> thought I could do exactly the same things. "sudo" is my friend... even
> sudo chmod.
>
> The server works with Ubuntu - my account was created at the installation.
> When I refer to a "LAMP-server", I executed the command
>
> sudo apt install apache2 php libapache2-mod-php mariadb-server php-mysql
>
>
> ... among other prior to install OM.
>
>
> Xavier
>
> ------------------------------
> *De :* Aaron Hepp <aa...@gmail.com> <aa...@gmail.com>
> *Envoyé :* jeudi 4 juillet 2019 17:53
> *À :* user@openmeetings.apache.org
> *Objet :* Re: Log-in and security
>
> Proxy through Apache would be the easier solution for upgrading
>
> when you say Admin of the server you are running as root or that you can
> log into it?  As well what "type" of server is it (RHEL, CentOS, Ubuntu,
> etc.)
>
> On 7/4/19 11:48 AM, Xavier M wrote:
>
> Thank you Aaron.
>
> Even if I have admin rights, I can access only to /etc/letsencrypt/. The
> permission is denied when I want to open the subdirectory "live".
>
> How do both solution work? I know neither how to "Proxy through Apache",
> nor how to "configure my OM instance to be able to read where the keys
> are". Sorry for all that...
>
> Xavier
>
> ------------------------------
> *De :* Aaron Hepp <aa...@gmail.com> <aa...@gmail.com>
> *Envoyé :* jeudi 4 juillet 2019 17:40
> *À :* user@openmeetings.apache.org
> *Objet :* Re: Log-in and security
>
> That is your issue.  Apache has the cert installed via LetEncrypt.  Tomcat
> which is running on 5443 needs to have the configuration set to know where
> the cert is located as well as the keystore created.
>
> You can do two things.  Proxy through Apache, or configure your OM
> instance to be able to read where the keys are.
>
> LetEncrypt places the cert at:
> /etc/letsencrypt/live/<domain>
>
>
>
> On 7/4/19 11:34 AM, Xavier M wrote:
>
> Hem... No... Do you mean I have to copy and paste the certificate in each
> folder? Actually, I even don't know where the certificate is to be found on
> the server... But I guess I find it somewhere if needed.
>
> Xavier
>
> ------------------------------
> *De :* Stefan Kühl <st...@quatrekuehl.eu> <st...@quatrekuehl.eu>
> *Envoyé :* jeudi 4 juillet 2019 17:06
> *À :* user@openmeetings.apache.org
> *Cc :* R. Scholz
> *Objet :* Re: Log-in and security
>
>
> Hi @all,
>
> port should be irrelevant. I'm using Apache on Ubuntu with port 5443 too.
> https works as expected.
> Did you export the certificate keys (like keystore and trustscore) to
> your %OM%/conf folder?
>
>
> Greetz
>
> Stefan
>
> Am 04.07.2019 16:57, schrieb R. Scholz:
>
> Hello Xavier,
>
> Hm, you using on Port 80 Tomcat or Apache?
>
> Best regards,
>
> René
>
>
> Am 04.07.2019 um 16:24 schrieb Xavier M:
>
> Thank you for answering... I'm sorry, but I don't know enough about
> certificates to give you a relevant answer. I think that :
>  * The common name is "rusa.fr"
>  * There is no subject alternative name (even www.rusa.fr)
>  * It is not a wildcard
>
> ... But I'm not 100% sure, it is the first time I administrate a server,
> I'm discovering many things at the same time!
>
> Xavier
>
> ------------------------------
> *De :* Clayton, Robin <Ro...@cumberland.co.uk>
> <Ro...@cumberland.co.uk>
> *Envoyé :* jeudi 4 juillet 2019 15:43
> *À :* user@openmeetings.apache.org
> *Objet :* RE: Log-in and security
>
>
> What is the CN of the certificate, is there any SAN entries on the
> certificate? Or is it a wildcard?
>
>
>
> The TCP port should be irrelevant.
>
>
>
> Rob
>
>
>
>
>
>
>
>
>
> *From:* Stefan Kühl [mailto:stefan@quatrekuehl.eu <st...@quatrekuehl.eu>]
>
> *Sent:* 04 July 2019 14:16
> *To:* user@openmeetings.apache.org
> *Cc:* Xavier M
> *Subject:* Re: Log-in and security
>
>
>
> Hi,
>
> are you sure that you request your certificate also for domain.eu or only
> for www.domain.eu. You should check this. Sometimes webhosters only use
> the www addresses for certificates.
>
> Greetz
>
> Stefan
>
>
>
>
>
> On 04.07.2019 14:18, Xavier M wrote:
>
> Hi everybody,
>
>
>
> I'm quite sure that the answer is already somewhere, but I couldn't find
> it...
>
>
>
> After having installed OM on a web server, the "written" way to access
> the log-in is the following, according to Alvaro's tutorial:
>
> https://localhost:5443/openmeetings
>
>
>
> If OM is installed on a web server, let's say "domain.eu", it works
> correctly with:
>
> https://domain.eu:5443/openmeetings
>
>
>
> But the user will get a warning for security reasons, even if domain.eu
> works with https, since the common certificates will not work with this
> port.
>
>
>
> I noticed that the following URL worked for the "demo version":
>
> https://om.alteametasoft.com/openmeetings
>
>
>
> Does anyone know how this was done? I would like to avoid using
> port 5443 with the warning.
>
>
>
> Have a good day!
>
> Xavier
>
>
> --
> WBR
> Maxim aka solomax
>

RE: Log-in and security

Posted by Xavier M <xa...@hotmail.com>.
This is possible! But:

 - What does Alvaro mean by "To be able to connect from the Internet or LAN with this server, remember to open the following ports: 5443 8888"?
 - I could not connect anymore to "https://domain.eu:5443/openmeetings" (while I could connect to "https://domain.eu") until I did that: and now it "works" again, with the error SSL_ERROR_RX_RECORD_TOO_LONG...
 - ... and I have no idea why!

If you have any idea or explanation: I really don't know what is happening or what to do! I will comment out the lines in ports.conf and restart, to check whether it works like before or not.

Thank you!
Xavier

________________________________
From: Maxim Solodovnik <so...@gmail.com>
Sent: Friday 5 July 2019 15:14
To: Openmeetings user-list
Subject: Re: Log-in and security

I'm afraid this
I just added "Listen 5443" and "Listen 8888" into /etc/apache2/ports.conf
makes no sense :(

Apache HTTPD will listen on these ports, and both OM and Kurento will be unable to start since the ports are already busy...

On Fri, 5 Jul 2019 at 17:37, Xavier M <xa...@hotmail.com> wrote:
Hi all,

I just added "Listen 5443" and "Listen 8888" into /etc/apache2/ports.conf (and nothing into /etc/apache2/sites-enabled/000-default.conf)

I can now access "https://domain.eu:5443/openmeetings", but with the error SSL_ERROR_RX_RECORD_TOO_LONG
How can I solve it? Could it be due to the changes I made yesterday thanks to Stefan's help?


sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/domain.eu/chain.pem

sudo keytool -importkeystore -srcstorepass password -srckeystore /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5

sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem

sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks

sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore (<- only if you have version 5.*)


See you soon,
Xavier




________________________________
From: Xavier M <xa...@hotmail.com>
Sent: Friday 5 July 2019 10:36
To: user@openmeetings.apache.org
Subject: RE: Log-in and security

Hello Maxim,

That's a good idea... I had already heard of it, but I still have to look at how to do it. But it seems that I forgot something, since I cannot access OpenMeetings since I "shutdown -r now" the server. Any idea of which command it is?

Xavier

________________________________
From: Maxim Solodovnik <so...@gmail.com>
Sent: Friday 5 July 2019 09:38
To: Openmeetings user-list
Subject: Re: Log-in and security

You need to set-up autostart for these services

On Fri, Jul 5, 2019, 14:04 Xavier M <xa...@hotmail.com> wrote:
Hmm... It sounds a bit complicated for me, I have to make it "slowly". But I'm pretty sure I'll do it.

For the moment, I do not understand why I cannot connect anymore to "https://domain.eu:5443/openmeetings" (while I can connect to "https://domain.eu") after I "shutdown -r now" the web server? It has been a full night since I typed after the "reboot":
sudo /etc/init.d/mysql start
sudo /etc/init.d/kurento-media-server start
sudo /etc/init.d/tomcat3 start

Did I forget something? Is there anywhere a log which could help?

Have a good day!
Xavier

________________________________
From: Maxim Solodovnik <so...@gmail.com>
Sent: Friday 5 July 2019 04:18
To: Openmeetings user-list
Subject: Re: Log-in and security

Demo server uses Apache as frontend proxy
The config is here: https://stackoverflow.com/questions/51721771/apache-openmeetings-4-0-4-csrf-attack-when-using-apache2-as-proxypass

On Fri, 5 Jul 2019 at 03:51, Xavier M <xa...@hotmail.com> wrote:

Ok, at the time being, I won't switch to root...

I "sudo shutdown -r now" and waited. The server has gone on again (website "https://domain.eu<https://domain.eu:5443/openmeetings>" reachable). I connected through SSH and typed:

sudo /etc/init.d/mysql start
sudo /etc/init.d/tomcat3 start


Now I'm waiting... But I can't connect at all to OpenMeetings with the URL that previously worked ("https://domain.eu:5443/openmeetings"): Firefox cannot establish a connection with this address...


Thank you all and have a good night,

Xavier


On 04/07/2019 at 22:05, Stefan Kühl wrote:

Ok, please restart the server and it should work.
If you use open500 as folder open500/conf is correct.

Just restart it.

Greetz

Stefan

PS: if you want to access "permission denied" folders you need to switch to root, sudo won't work in this case. But be careful, keep in mind that you change the ownership if you change files as root.



Good evening

On 04.07.2019 21:57, Xavier M wrote:

Thank you!


Each command line worked... But it did not change anything when I want to log in. Maybe I should restart "a service"?

NB: as OM_Folder, I wrote "open500", where I found a "conf" subdirectory with a "keystore" file. But I have an "openmeetings" subdirectory too... which I cannot access (Permission denied).


Greetings,

Xavier


On 04/07/2019 at 21:35, Stefan Kühl wrote:

Yes, I'm sorry. Did this so many times and forgot an important point. First: the password is: password

;-)



Let's go through the lines:

"sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem<http://domain.eu/cert.pem> -inkey /etc/letsencrypt/live/domain.eu/privkey.pem<http://domain.eu/privkey.pem> -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/domain.eu/chain.pem<http://domain.eu/chain.pem>"

Here you use the openssl library to export the the key from the letsencrypt certificate into the red5.p12 file and store it in youtr OM Folder (red5 is just an name - you could also use any other name)

"sudo keytool -importkeystore -srcstorepass password -srckeystore /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5

sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem"

By using keytool you import the certificate key into the file keystore.jks, setting the password (-srcstorepass password -> -deststorepass password) and confirming the trust with chain.pem

"sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks"

Now you create trustscore.jks by copying keystore.jks.

Lastly, and only if you have OM 5.* installed:

"sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore"
This is necessary because OM 5 looks only for keystore and not for keystore.jks. You can do "mv keystore.jks keystore" as well. Otherwise you could update the config file to look for keystore.jks.

So if you will be asked for

Enter Export Password:
Verifying - Enter Export Password:

and again

Enter Import Password:
Verifying - Enter Import Password:

you need to enter password

Just to keep it simple, you can choose your own password, but keep in mind to change it within the command too ;-)

Greetz

Stefan

On 04.07.2019 21:18, Xavier M wrote:

So...

After having changed the folder names, I entered the first command line to get:

Enter Export Password:
Verifying - Enter Export Password:

I wrote down a password - I guess I defined it at this step?


Then the second command line delivered:

Importing keystore /opt/open500/conf/red5.p12 to /opt/open500/conf/keystore.jks...
keytool error: java.io.IOException: keystore password was incorrect

Any idea of what happens and what I should do? I did not try the third command line.

By the way, can you explain to me in a few words what I'm doing with these command lines?


Have a good evening,

Xavier


On 04/07/2019 at 19:15, Stefan Kühl wrote:

Maybe to make a quick check (every command in one line):

sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/domain.eu/chain.pem

sudo keytool -importkeystore -srcstorepass password -srckeystore /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5

sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem

sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks

sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore (<- only if you have version 5.*)




Please remember: if you leave it like this, you need to repeat these lines after every renewal of your certificate. Be aware of the folders -> domain.eu: your domain, and OM_Folder: your OM installation folder.

Greetz

Stefan

On 04.07.2019 18:00, Xavier M wrote:

Then let's go with Proxy through Apache.

I'm not running as root, but my account has full rights, so I thought I could do exactly the same things. "sudo" is my friend... even sudo chmod.

The server runs Ubuntu - my account was created at installation. When I refer to a "LAMP server", I mean that I executed the command

sudo apt install apache2 php libapache2-mod-php mariadb-server php-mysql


... among others, prior to installing OM.


Xavier

________________________________
From: Aaron Hepp <aa...@gmail.com>
Sent: Thursday 4 July 2019 17:53
To: user@openmeetings.apache.org
Subject: Re: Log-in and security

Proxy through Apache would be the easier solution for upgrading

when you say Admin of the server, are you running as root, or can you log into it?  As well, what "type" of server is it (RHEL, CentOS, Ubuntu, etc.)

On 7/4/19 11:48 AM, Xavier M wrote:
Thank you Aaron.

Even if I have admin rights, I can only access /etc/letsencrypt/. The permission is denied when I want to open the subdirectory "live".

How do both solutions work? I know neither how to "Proxy through Apache", nor how to "configure my OM instance to be able to read where the keys are". Sorry for all that...

Xavier

________________________________
From: Aaron Hepp <aa...@gmail.com>
Sent: Thursday 4 July 2019 17:40
To: user@openmeetings.apache.org
Subject: Re: Log-in and security

That is your issue.  Apache has the cert installed via Let's Encrypt.  Tomcat, which is running on 5443, needs to have the configuration set to know where the cert is located as well as the keystore created.

You can do two things.  Proxy through Apache, or configure your OM instance to be able to read where the keys are.

Let's Encrypt places the cert at:
/etc/letsencrypt/live/<domain>



On 7/4/19 11:34 AM, Xavier M wrote:
Hem... No... Do you mean I have to copy and paste the certificate in each folder? Actually, I even don't know where the certificate is to be found on the server... But I guess I find it somewhere if needed.

Xavier

________________________________
From: Stefan Kühl <st...@quatrekuehl.eu>
Sent: Thursday 4 July 2019 17:06
To: user@openmeetings.apache.org
Cc: R. Scholz
Subject: Re: Log-in and security


Hi @all,

port should be irrelevant. I'm using Apache on Ubuntu with port 5443 too. https works as expected.
Did you export the certificate keys (like keystore and trustscore) to your %OM%/conf folder?



Greetz

Stefan

On 04.07.2019 16:57, R. Scholz wrote:

Hello Xavier,

Hm, are you using Tomcat or Apache on port 80?

Best regards,

René


On 04.07.2019 at 16:24, Xavier M wrote:
Thank you for answering... I'm sorry, but I don't know enough about certificates to give you a relevant answer. I think that:
 * The common name is "rusa.fr"
 * There is no subject alternative name (even www.rusa.fr)
 * It is not a wildcard

... But I'm not 100% sure, it is the first time I administer a server, I'm discovering many things at the same time!

Xavier

________________________________
From: Clayton, Robin <Ro...@cumberland.co.uk>
Sent: Thursday 4 July 2019 15:43
To: user@openmeetings.apache.org
Subject: RE: Log-in and security


What is the CN of the certificate? Are there any SAN entries on the certificate? Or is it a wildcard?



The TCP port should be irrelevant.



Rob









From: Stefan Kühl [mailto:stefan@quatrekuehl.eu]
Sent: 04 July 2019 14:16
To: user@openmeetings.apache.org
Cc: Xavier M
Subject: Re: Log-in and security



Hi,

are you sure that you requested your certificate for domain.eu as well, and not only for www.domain.eu? You should check this. Sometimes web hosters only use the www addresses for certificates.

Greetz

Stefan





On 04.07.2019 14:18, Xavier M wrote:

Hi everybody,



I'm quite sure that the answer is already somewhere, but I couldn't find it...



After having installed OM on a web server, the "written" way to access the log-in is the following, according to Alvaro's tutorial:

https://localhost:5443/openmeetings



If OM is installed on a web server, let's say "domain.eu", it works correctly with:

https://domain.eu:5443/openmeetings



But the user will get a warning for security reasons, even if domain.eu works with https, since the common certificates will not work with this port.



I noticed that the following URL worked for the "demo version":

https://om.alteametasoft.com/openmeetings



Does anyone know how this was done? I would like to avoid using port 5443 with the warning.



Have a good day!

Xavier




--
WBR
Maxim aka solomax


--
WBR
Maxim aka solomax
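Maxim's point quoted above (Apache grabbing ports 5443 and 8888 before Tomcat and Kurento can bind them) and the SSL_ERROR_RX_RECORD_TOO_LONG that Xavier then saw in Firefox are two symptoms of the same ports.conf change. The following Python is an added example, not code from this thread or from the OpenMeetings project: it parses the Listen directives of a constructed ports.conf and flags ports another service needs, and it decodes the first bytes of a reply to show why a plain-HTTP listener on a TLS port triggers that browser error. The port numbers are the ones named in the thread; the sample config and the two captured replies are constructed.

```python
"""Added example (not code from the thread or from OpenMeetings): two checks for the
misconfiguration discussed above, where "Listen 5443" and "Listen 8888" were added
to Apache's ports.conf while Tomcat (OpenMeetings) and Kurento need those ports.
The ports come from the thread; the sample config and captured bytes are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Ports the thread attributes to OpenMeetings (Tomcat, 5443) and Kurento (8888).
SERVICE_PORTS: Dict[int, str] = {5443: "OpenMeetings/Tomcat", 8888: "Kurento"}

# Constructed sample of /etc/apache2/ports.conf after the two Listen lines were added.
SAMPLE_PORTS_CONF = """\
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf
Listen 80

<IfModule ssl_module>
    Listen 443
</IfModule>

Listen 5443
Listen [::]:8888
Listen 0.0.0.0:8443 https
"""

# Constructed first bytes a client sees after sending a TLS ClientHello.
SAMPLE_TLS_REPLY = bytes.fromhex("1603030031020000")        # real TLS server: ServerHello
SAMPLE_PLAIN_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\n"  # plain-HTTP Apache on a TLS port

_LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)(?:\s+(\S+))?\s*$", re.IGNORECASE)


def parse_listen(conf: str) -> List[Tuple[int, str]]:
    """Return (port, protocol) for each Listen directive, skipping comments.

    Apache accepts 'Listen 80', 'Listen 1.2.3.4:80', 'Listen [::]:80', optionally
    followed by a protocol ('http' or 'https'); the port is what follows the last ':'.
    """
    result = []
    for raw in conf.splitlines():
        m = _LISTEN_RE.match(raw.split("#", 1)[0])
        if not m:
            continue
        addr, proto = m.group(1), (m.group(2) or "http").lower()
        port_str = addr.rsplit(":", 1)[-1] if ":" in addr else addr
        if port_str.isdigit():          # ignore malformed directives instead of crashing
            result.append((int(port_str), proto))
    return result


def listen_conflicts(conf: str, service_ports: Optional[Dict[int, str]] = None) -> List[str]:
    """List the Listen ports that another service on the host already needs.

    Whichever process binds the port second fails to start; in the thread that was
    Tomcat and Kurento, because Apache started first.
    """
    ports = SERVICE_PORTS if service_ports is None else service_ports
    return [f"Listen {port} collides with {ports[port]}: second process to bind fails to start"
            for port, _ in parse_listen(conf) if port in ports]


TLS_MAX_RECORD = 2 ** 14 + 2048   # TLS 1.2 ciphertext limit (RFC 5246, section 6.2.3)
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def explain_tls_record(first_bytes: bytes) -> str:
    """Decode the 5-byte TLS record header: type (1), version (2), length (2, big-endian).

    When a plain-HTTP listener answers on a port the browser expects TLS on, the ASCII
    reply ('HTTP/...') decodes to an unknown content type and an absurd length; that is
    the condition Firefox reports as SSL_ERROR_RX_RECORD_TOO_LONG.
    """
    if len(first_bytes) < 5:
        return "too short to be a TLS record header"
    ctype, major, minor = first_bytes[0], first_bytes[1], first_bytes[2]
    length = int.from_bytes(first_bytes[3:5], "big")
    if ctype in TLS_CONTENT_TYPES and major == 3 and length <= TLS_MAX_RECORD:
        return f"TLS {TLS_CONTENT_TYPES[ctype]} record, version 3.{minor}, length {length}"
    if first_bytes.startswith(b"HTTP/"):
        return (f"plaintext HTTP response (read as TLS: type 0x{ctype:02x}, length {length} > "
                f"{TLS_MAX_RECORD}) -> SSL_ERROR_RX_RECORD_TOO_LONG")
    return "not a TLS record"


if __name__ == "__main__":
    for msg in listen_conflicts(SAMPLE_PORTS_CONF):
        print(msg)
    print(explain_tls_record(SAMPLE_TLS_REPLY))
    print(explain_tls_record(SAMPLE_PLAIN_HTTP_REPLY))
```

Removing the two Listen lines (or moving Apache's TLS VirtualHost to a port nobody else uses and proxying to Tomcat, as the demo server does) clears both findings.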

Re: Log-in and security

Posted by Maxim Solodovnik <so...@gmail.com>.
I'm afraid this
I just added "Listen 5443" and "Listen 8888" into /etc/apache2/ports.conf
makes no sense :(

Apache HTTPD will listen on these ports, and both OM and Kurento will be unable
to start since the ports are already busy...

On Fri, 5 Jul 2019 at 17:37, Xavier M <xa...@hotmail.com> wrote:

> Hi all,
>
> I just added "Listen 5443" and "Listen 8888" into /etc/apache2/ports.conf
> (and nothing into /etc/apache2/sites-enabled/000-default.conf)
>
> I can now access "https://domain.eu:5443/openmeetings", but with the
> error SSL_ERROR_RX_RECORD_TOO_LONG
> How can I solve it? Could it be due to the changes I made yesterday thanks
> to Stefan's help?
>
> sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/domain.eu/chain.pem
>
> sudo keytool -importkeystore -srcstorepass password -srckeystore /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5
>
> sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem
>
> sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks
>
> sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore (<- only if you have version 5.*)
>
> See you soon,
> Xavier
>
>
>
>
> ------------------------------
> *From:* Xavier M <xa...@hotmail.com>
> *Sent:* Friday 5 July 2019 10:36
> *To:* user@openmeetings.apache.org
> *Subject:* RE: Log-in and security
>
> Hello Maxim,
>
> That's a good idea... I had already heard of it, but I still have to look
> at how to do it. But it seems that I forgot something, since I cannot access
> OpenMeetings since I "shutdown -r now" the server. Any idea of which
> command it is?
>
> Xavier
>
> ------------------------------
> *From:* Maxim Solodovnik <so...@gmail.com>
> *Sent:* Friday 5 July 2019 09:38
> *To:* Openmeetings user-list
> *Subject:* Re: Log-in and security
>
> You need to set-up autostart for these services
>
> On Fri, Jul 5, 2019, 14:04 Xavier M <xa...@hotmail.com> wrote:
>
> Hmm... It sounds a bit complicated for me, I have to make it "slowly". But
> I'm pretty sure I'll do it.
>
> For the moment, I do not understand why I cannot connect anymore to
> "https://domain.eu:5443/openmeetings" (while I can connect to
> "https://domain.eu") after I "shutdown -r now" the web server? It has been
> a full night since I typed after the "reboot":
> sudo /etc/init.d/mysql start
> sudo /etc/init.d/kurento-media-server start
> sudo /etc/init.d/tomcat3 start
>
> Did I forget something? Is there anywhere a log which could help?
>
> Have a good day!
> Xavier
>
> ------------------------------
> *From:* Maxim Solodovnik <so...@gmail.com>
> *Sent:* Friday 5 July 2019 04:18
> *To:* Openmeetings user-list
> *Subject:* Re: Log-in and security
>
> Demo server uses Apache as frontend proxy
> The config is here:
> https://stackoverflow.com/questions/51721771/apache-openmeetings-4-0-4-csrf-attack-when-using-apache2-as-proxypass
>
> On Fri, 5 Jul 2019 at 03:51, Xavier M <xa...@hotmail.com> wrote:
>
> Ok, at the time being, I won't switch to root...
>
> I "sudo shutdown -r now" and waited. The server has gone on again (website
> "https://domain.eu <https://domain.eu:5443/openmeetings>" reachable). I
> connected through SSH and typed:
>
> sudo /etc/init.d/mysql start
> sudo /etc/init.d/tomcat3 start
>
>
> Now I'm waiting... But I can't connect at all to OpenMeetings with the URL
> that previously worked ("https://domain.eu:5443/openmeetings"): Firefox
> cannot establish a connection with this address...
>
>
> Thank you all and have a good night,
>
> Xavier
>
>
> On 04/07/2019 at 22:05, Stefan Kühl wrote:
>
> Ok, please restart the server and it should work.
> If you use open500 as folder open500/conf is correct.
>
> Just restart it.
>
> Greetz
>
> Stefan
>
> PS: if you want to access "permission denied" folders you need to switch
> to root, sudo won't work in this case. But be careful, keep in mind
> that you change the ownership if you change files as root.
>
>
> Good evening
>
> On 04.07.2019 21:57, Xavier M wrote:
>
> Thank you!
>
>
> Each command line worked... But it did not change anything when I want to
> log in. Maybe I should restart "a service"?
>
> NB: as OM_Folder, I wrote "open500", where I found a "conf" subdirectory
> with a "keystore" file. But I have an "openmeetings" subdirectory too...
> which I cannot access (Permission denied).
>
>
> Greetings,
>
> Xavier
>
>
> On 04/07/2019 at 21:35, Stefan Kühl wrote:
>
> Yes, I'm sorry. Did this so many times and forgot an important point.
> First: the password is: password
>
> ;-)
>
>
> Let's go through the lines:
>
> "sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem
> -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out
> /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/
> domain.eu/chain.pem"
>
> Here you use the openssl library to export the key from the Let's Encrypt
> certificate into the red5.p12 file and store it in your OM folder (red5 is
> just a name - you could also use any other name)
>
> "sudo keytool -importkeystore -srcstorepass password -srckeystore
> /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password
> -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5
>
> sudo keytool -import -alias root -keystore
> /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/
> domain.eu/chain.pem"
>
> By using keytool you import the certificate key into the file keystore.jks,
> setting the password (-srcstorepass password -> -deststorepass password)
> and confirming the trust with chain.pem
>
> "sudo cp -f /opt/OM_Folder/conf/keystore.jks
> /opt/OM_Folder/conf/trustscore.jks"
>
> Now you create trustscore.jks by copying keystore.jks.
>
> Lastly, and only if you have OM 5.* installed:
>
> "sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore"
> This is necessary because OM 5 looks only for keystore and not for
> keystore.jks. You can do "mv keystore.jks keystore" as well. Otherwise you
> could update the config file to look for keystore.jks.
>
> So if you will be asked for
>
> Enter Export Password:
> Verifying - Enter Export Password:
>
> and again
>
> Enter Import Password:
> Verifying - Enter Import Password:
>
> you need to enter password
>
> Just to keep it simple, you can choose your own password, but keep in
> mind to change it within the command too ;-)
>
> Greetz
>
> Stefan
>
> On 04.07.2019 21:18, Xavier M wrote:
>
> So...
>
> After having changed the folder names, I entered the first command line to
> get:
>
> Enter Export Password:
> Verifying - Enter Export Password:
>
> I wrote down a password - I guess I defined it at this step?
>
>
> Then the second command line delivered:
>
> Importing keystore /opt/open500/conf/red5.p12 to
> /opt/open500/conf/keystore.jks...
> keytool error: java.io.IOException: keystore password was incorrect
>
> Any idea of what happens and what I should do? I did not try the third
> command line.
>
> By the way, can you explain to me in a few words what I'm doing with these
> command lines?
>
>
> Have a good evening,
>
> Xavier
>
>
> On 04/07/2019 at 19:15, Stefan Kühl wrote:
>
> Maybe to make a quick check (every command in one line):
>
> sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem
> -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out
> /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/
> domain.eu/chain.pem
>
>
> sudo keytool -importkeystore -srcstorepass password -srckeystore
> /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password
> -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5
>
> sudo keytool -import -alias root -keystore
> /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/
> domain.eu/chain.pem
>
>
> sudo cp -f /opt/OM_Folder/conf/keystore.jks
> /opt/OM_Folder/conf/trustscore.jks
>
>
> sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore
> (<- only if you have version 5.*)
>
>
>
> Please remember: if you leave it like this, you need to repeat these lines
> after every renewal of your certificate. Be aware of the folders ->
> domain.eu: your domain, and OM_Folder: your OM installation folder.
>
> Greetz
>
> Stefan
>
> On 04.07.2019 18:00, Xavier M wrote:
>
> Then let's go with Proxy through Apache.
>
> I'm not running as root, but my account has full rights, so I thought I
> could do exactly the same things. "sudo" is my friend... even sudo chmod.
>
> The server runs Ubuntu - my account was created at installation. When I
> refer to a "LAMP server", I mean that I executed the command
>
> sudo apt install apache2 php libapache2-mod-php mariadb-server php-mysql
>
>
> ... among others, prior to installing OM.
>
>
> Xavier
>
> ------------------------------
> *From:* Aaron Hepp <aa...@gmail.com>
> *Sent:* Thursday 4 July 2019 17:53
> *To:* user@openmeetings.apache.org
> *Subject:* Re: Log-in and security
>
> Proxy through Apache would be the easier solution for upgrading
>
> when you say Admin of the server, are you running as root, or can you log
> into it?  As well, what "type" of server is it (RHEL, CentOS, Ubuntu,
> etc.)
>
> On 7/4/19 11:48 AM, Xavier M wrote:
>
> Thank you Aaron.
>
> Even if I have admin rights, I can only access /etc/letsencrypt/. The
> permission is denied when I want to open the subdirectory "live".
>
> How do both solutions work? I know neither how to "Proxy through Apache",
> nor how to "configure my OM instance to be able to read where the keys
> are". Sorry for all that...
>
> Xavier
>
> ------------------------------
> *From:* Aaron Hepp <aa...@gmail.com>
> *Sent:* Thursday 4 July 2019 17:40
> *To:* user@openmeetings.apache.org
> *Subject:* Re: Log-in and security
>
> That is your issue.  Apache has the cert installed via Let's Encrypt.  Tomcat,
> which is running on 5443, needs to have the configuration set to know where
> the cert is located as well as the keystore created.
>
> You can do two things.  Proxy through Apache, or configure your OM
> instance to be able to read where the keys are.
>
> Let's Encrypt places the cert at:
> /etc/letsencrypt/live/<domain>
>
>
>
> On 7/4/19 11:34 AM, Xavier M wrote:
>
> Hem... No... Do you mean I have to copy and paste the certificate in each
> folder? Actually, I even don't know where the certificate is to be found on
> the server... But I guess I find it somewhere if needed.
>
> Xavier
>
> ------------------------------
> *From:* Stefan Kühl <st...@quatrekuehl.eu>
> *Sent:* Thursday 4 July 2019 17:06
> *To:* user@openmeetings.apache.org
> *Cc:* R. Scholz
> *Subject:* Re: Log-in and security
>
>
> Hi @all,
>
> port should be irrelevant. I'm using Apache on Ubuntu with port 5443 too.
> https works as expected.
> Did you export the certificate keys (like keystore and trustscore) to
> your %OM%/conf folder?
>
>
> Greetz
>
> Stefan
>
> On 04.07.2019 16:57, R. Scholz wrote:
>
> Hello Xavier,
>
> Hm, are you using Tomcat or Apache on port 80?
>
> Best regards,
>
> René
>
>
> On 04.07.2019 at 16:24, Xavier M wrote:
>
> Thank you for answering... I'm sorry, but I don't know enough about
> certificates to give you a relevant answer. I think that:
>  * The common name is "rusa.fr"
>  * There is no subject alternative name (even www.rusa.fr)
>  * It is not a wildcard
>
> ... But I'm not 100% sure, it is the first time I administer a server,
> I'm discovering many things at the same time!
>
> Xavier
>
> ------------------------------
> *From:* Clayton, Robin <Ro...@cumberland.co.uk>
> *Sent:* Thursday 4 July 2019 15:43
> *To:* user@openmeetings.apache.org
> *Subject:* RE: Log-in and security
>
>
> What is the CN of the certificate? Are there any SAN entries on the
> certificate? Or is it a wildcard?
>
>
>
> The TCP port should be irrelevant.
>
>
>
> Rob
>
>
>
>
>
>
>
>
>
> *From:* Stefan Kühl [mailto:stefan@quatrekuehl.eu]
> *Sent:* 04 July 2019 14:16
> *To:* user@openmeetings.apache.org
> *Cc:* Xavier M
> *Subject:* Re: Log-in and security
>
>
>
> Hi,
>
> are you sure that you requested your certificate for domain.eu as well, and
> not only for www.domain.eu? You should check this. Sometimes web hosters only
> use the www addresses for certificates.
>
> Greetz
>
> Stefan
>
>
>
>
>
> On 04.07.2019 14:18, Xavier M wrote:
>
> Hi everybody,
>
> I'm quite sure that the answer is already somewhere, but I couldn't find
> it...
>
> After having installed OM on a web server, the "written" way to access
> the log-in is the following, according to Alvaro's tutorial:
>
> https://localhost:5443/openmeetings
>
> If OM is installed on a web server, let's say "domain.eu", it works
> correctly with:
>
> https://domain.eu:5443/openmeetings
>
> But the user will get a warning for security reasons, even if domain.eu
> works with https, since the common certificates will not work with this
> port.
>
> I noticed that the following URL worked for the "demo version":
>
> https://om.alteametasoft.com/openmeetings
>
> Does anyone know how this was done? I would like to avoid the use of
> port 5443 with the warning.
>
> Have a good day!
>
> Xavier
>
>
>
> *Disclaimer*
>
> This email has been scanned by the Mimecast security service.
>
>
> *Disclaimer*
>
>
>
> Please, consider your environmental responsibility. Before printing this
> e-mail ask yourself: Do I need a hard copy?
>
> Cumberland Building Society
> Cumberland House
> Cooper Way
> Parkhouse
> CARLISLE CA3 0JF
> To help us monitor and improve customer service telephone calls may be
> recorded.
> Cumberland Building Society is authorised by the Prudential Regulation
> Authority and regulated by the Financial Conduct Authority and Prudential
> Regulation Authority. We arrange life assurance and critical illness cover
> only with Legal & General Assurance Society Limited and general insurance
> only with Aviva Insurance Limited.
> To find out more about us, visit *www.cumberland.co.uk*
> <http://www.cumberland.co.uk/>
>
> CONFIDENTIALITY: This e-mail and any files transmitted with it are
> confidential, may be legally privileged and are intended for the
> addressee(s) only. If you are not the intended recipient you may not
> disclose, copy, distribute, or retain all or part of this e-mail without
> our authority. Please notify the sender immediately by replying to this
> e-mail and then permanently delete it.
>
> Any views or opinions expressed are solely those of the author and do not
> necessarily represent those of Cumberland Building Society or any of its
> subsidiaries.
>
> Although we have taken steps to ensure that this e-mail and any
> attachments are free from virus contamination, please rely on your own
> virus checking procedures as no guarantee is implied or given. We will not
> be liable for any loss or damage arising from alteration of the contents of
> this e-mail by a third party or as a result of any virus.
>
>
> This email has been scanned by the Mimecast security service.
>
>
>
>
>
> --
> WBR
> Maxim aka solomax
>
>

-- 
WBR
Maxim aka solomax

RE: Log-in and security

Posted by Xavier M <xa...@hotmail.com>.
Hi all,

I just added "Listen 5443" and "Listen 8888" into /etc/apache2/ports.conf (and nothing into /etc/apache2/sites-enabled/000-default.conf)

I can now access "https://domain.eu:5443/openmeetings", but with the error SSL_ERROR_RX_RECORD_TOO_LONG
How can I solve it? Could it be due to the changes I made yesterday thanks to Stefan's help?


sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/domain.eu/chain.pem

sudo keytool -importkeystore -srcstorepass password -srckeystore /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5

sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem

sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks

sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore (<- only if you have version 5.*)


See you soon,
Xavier




________________________________
From: Xavier M <xa...@hotmail.com>
Sent: Friday, 5 July 2019 10:36
To: user@openmeetings.apache.org
Subject: RE: Log-in and security

Hello Maxim,

That's a good idea... I had already heard of it, but I still have to look at how to do it. But it seems that I forgot something, because I cannot access OpenMeetings since I ran "shutdown -r now" on the server. Any idea which command it is?

Xavier

________________________________
From: Maxim Solodovnik <so...@gmail.com>
Sent: Friday, 5 July 2019 09:38
To: Openmeetings user-list
Subject: Re: Log-in and security

You need to set-up autostart for these services

On Fri, Jul 5, 2019, 14:04 Xavier M <xa...@hotmail.com> wrote:
Hmm... It sounds a bit complicated for me, I have to go "slowly". But I'm pretty sure I'll do it.

For the moment, I do not understand why I cannot connect anymore to "https://domain.eu:5443/openmeetings" (while I can connect to "https://domain.eu") after I ran "shutdown -r now" on the web server. It has been a full night since I typed, after the "reboot":
sudo /etc/init.d/mysql start
sudo /etc/init.d/kurento-media-server start
sudo /etc/init.d/tomcat3 start

Did I forget something? Is there anywhere a log which could help?

Have a good day!
Xavier

________________________________
From: Maxim Solodovnik <so...@gmail.com>
Sent: Friday, 5 July 2019 04:18
To: Openmeetings user-list
Subject: Re: Log-in and security

Demo server uses Apache as frontend proxy
The config is here: https://stackoverflow.com/questions/51721771/apache-openmeetings-4-0-4-csrf-attack-when-using-apache2-as-proxypass

On Fri, 5 Jul 2019 at 03:51, Xavier M <xa...@hotmail.com> wrote:

Ok, for the time being, I won't switch to root...

I ran "sudo shutdown -r now" and waited. The server came back up (website "https://domain.eu" reachable). I connected through SSH and typed:

sudo /etc/init.d/mysql start
sudo /etc/init.d/tomcat3 start


Now I'm waiting... But I can't connect at all to OpenMeetings with the URL that previously worked ("https://domain.eu:5443/openmeetings"): Firefox cannot establish a connection to this address...


Thank you all and have a good night,

Xavier


On 04/07/2019 at 22:05, Stefan Kühl wrote:

Ok, please restart the server and it should work.
If you use open500 as folder open500/conf is correct.

Just restart it.

Greetz

Stefan

PS: if you want to access "permission denied" folders you need to switch to root, sudo won't work in this case. But be careful, keep in mind that you change the ownership if you change files as root.



Good evening

On 04.07.2019 21:57, Xavier M wrote:

Thank you!


Each command line worked... But it did not change anything when I want to log in. Maybe I should restart "a service"?

NB: as OM_Folder, I wrote "open500", where I found a "conf" subdirectory with a "keystore" file. But I have an "openmeetings" subdirectory too... which I cannot access (Permission denied).


Greetings,

Xavier


On 04/07/2019 at 21:35, Stefan Kühl wrote:

Yes, I'm sorry. Did this so many times and forgot an important point. First: the password is: password

;-)



Let's go through the lines:

"sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/domain.eu/chain.pem"

Here you use the openssl library to export the key from the Let's Encrypt certificate into the red5.p12 file and store it in your OM folder (red5 is just a name - you could also use any other name)

"sudo keytool -importkeystore -srcstorepass password -srckeystore /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5

sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem"

by using keytool you import the certificate key by setting the password (-srcstorepass password -> deststorepass password) into the file keystore.jks and confirming the trust by the chain.pem

"sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks"

now creating the trustscore.jks by copying the keystore.jks

last, and only if you have OM 5.* installed:

"sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore"
this is necessary because OM5 looks only for keystore and not for keystore.jks. You can do "mv keystore.jks keystore" also. Otherwise you could update the config file to look for keystore.jks

So if you will be asked for

Enter Export Password:
Verifying - Enter Export Password:

and again

Enter Import Password:
Verifying - Enter Import Password:

you need to enter password

Just to keep it simple, you can choose your own password, but keep in mind to change it within the command too ;-)

Greetz

Stefan

On 04.07.2019 21:18, Xavier M wrote:

So...

After having changed the folder names, I entered the first command line to get:

Enter Export Password:
Verifying - Enter Export Password:

I wrote down a password - I guess I defined it at this step?


Then the second command line delivered:

Importing keystore /opt/open500/conf/red5.p12 to /opt/open500/conf/keystore.jks...
keytool error: java.io.IOException: keystore password was incorrect

Any idea of what happens and what I should do? I did not try the third command line.

By the way, can you explain to me in a few words what I'm doing with these command lines?


Have a good evening,

Xavier


On 04/07/2019 at 19:15, Stefan Kühl wrote:

Maybe to make a quick check (every command in one line):

sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/domain.eu/chain.pem

sudo keytool -importkeystore -srcstorepass password -srckeystore /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5

sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem

sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks

sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore (<- only if you have version 5.*)


Please remember: If you leave it like this, you need to repeat these lines after every renewal of your certificate. Be aware of the folders -> domain.eu: your domain, and OM_Folder: your OM installation folder.

Greetz

Stefan

On 04.07.2019 18:00, Xavier M wrote:

Then let's go with Proxy through Apache.

I'm not running as root, but my account has full rights, so I thought I could do exactly the same things. "sudo" is my friend... even sudo chmod.

The server runs Ubuntu - my account was created at installation. When I refer to a "LAMP server", I mean that I executed the command

sudo apt install apache2 php libapache2-mod-php mariadb-server php-mysql


... among others, prior to installing OM.


Xavier

________________________________
From: Aaron Hepp <aa...@gmail.com>
Sent: Thursday, 4 July 2019 17:53
To: user@openmeetings.apache.org
Subject: Re: Log-in and security

Proxy through Apache would be the easier solution for upgrading

When you say admin of the server, do you mean you are running as root, or that you can log into it?  As well, what "type" of server is it (RHEL, CentOS, Ubuntu, etc.)?

On 7/4/19 11:48 AM, Xavier M wrote:
Thank you Aaron.

Even if I have admin rights, I can only access /etc/letsencrypt/. Permission is denied when I want to open the subdirectory "live".

How do both solutions work? I know neither how to "Proxy through Apache", nor how to "configure my OM instance to be able to read where the keys are". Sorry for all that...

Xavier

________________________________
From: Aaron Hepp <aa...@gmail.com>
Sent: Thursday, 4 July 2019 17:40
To: user@openmeetings.apache.org
Subject: Re: Log-in and security

That is your issue.  Apache has the cert installed via Let's Encrypt.  Tomcat, which is running on 5443, needs to have the configuration set to know where the cert is located, as well as the keystore created.

You can do two things.  Proxy through Apache, or configure your OM instance to be able to read where the keys are.

Let's Encrypt places the cert at:
/etc/letsencrypt/live/<domain>



On 7/4/19 11:34 AM, Xavier M wrote:
Hem... No... Do you mean I have to copy and paste the certificate into each folder? Actually, I don't even know where the certificate is to be found on the server... But I guess I'll find it somewhere if needed.

Xavier

________________________________
From: Stefan Kühl <st...@quatrekuehl.eu>
Sent: Thursday, 4 July 2019 17:06
To: user@openmeetings.apache.org
Cc: R. Scholz
Subject: Re: Log-in and security


Hi @all,

port should be irrelevant. I'm using Apache on Ubuntu with port 5443 too. https works as expected.
Did you export the certificate keys (like keystore and trustscore) to your %OM%/conf folder?



Greetz

Stefan

On 04.07.2019 16:57, R. Scholz wrote:

Hello Xavier,

Hm, are you using Tomcat or Apache on port 80?

Best regards,

René


On 04.07.2019 at 16:24, Xavier M wrote:
Thank you for answering... I'm sorry, but I don't know enough about certificates to give you a relevant answer. I think that:
 * The common name is "rusa.fr"
 * There is no subject alternative name (not even www.rusa.fr)
 * It is not a wildcard

... But I'm not 100% sure, it is the first time I administer a server, I'm discovering many things at the same time!

Xavier

________________________________
From: Clayton, Robin <Ro...@cumberland.co.uk>
Sent: Thursday, 4 July 2019 15:43
To: user@openmeetings.apache.org
Subject: RE: Log-in and security


What is the CN of the certificate, are there any SAN entries on the certificate? Or is it a wildcard?

The TCP port should be irrelevant.

Rob

From: Stefan Kühl [mailto:stefan@quatrekuehl.eu]
Sent: 04 July 2019 14:16
To: user@openmeetings.apache.org
Cc: Xavier M
Subject: Re: Log-in and security

Hi,

are you sure that you requested your certificate for domain.eu too, or only for www.domain.eu? You should check this. Sometimes web hosters only use the www addresses for certificates.

Greetz

Stefan

On 04.07.2019 14:18, Xavier M wrote:

Hi everybody,

I'm quite sure that the answer is already somewhere, but I couldn't find it...

After having installed OM on a web server, the "written" way to access the log-in is the following, according to Alvaro's tutorial:

https://localhost:5443/openmeetings

If OM is installed on a web server, let's say "domain.eu", it works correctly with:

https://domain.eu:5443/openmeetings

But the user will get a warning for security reasons, even if domain.eu works with https, since the common certificates will not work with this port.

I noticed that the following URL worked for the "demo version":

https://om.alteametasoft.com/openmeetings

Does anyone know how this was done? I would like to avoid the use of port 5443 with the warning.

Have a good day!

Xavier



--
WBR
Maxim aka solomax
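Xavier's SSL_ERROR_RX_RECORD_TOO_LONG after adding "Listen 5443" to ports.conf is the classic sign of a browser starting a TLS handshake against a port that answers plain HTTP: a bare Listen directive opens a plaintext listener, there is no <VirtualHost *:5443> with "SSLEngine on" behind it, and after the reboot Apache (which comes up on its own) has most likely taken 5443 before Tomcat (which Xavier starts by hand). The shell script below is an added example, not something from this thread or from the OpenMeetings project: it lints an Apache configuration for ports opened with Listen that no TLS-enabled vhost serves, run over two constructed configs, the "before" state this message describes and an "after" state in which Apache listens only on 80 and 443 and the 443 vhost reverse-proxies to OpenMeetings, which is the layout Maxim mentions for the demo server. The domain "domain.eu", the certificate paths and port 5080 as OpenMeetings' plain-HTTP connector are assumptions for the example; OpenMeetings also needs WebSocket proxying (mod_proxy_wstunnel) behind a real reverse proxy, which this lint does not check.

```sh
#!/bin/sh
# Added example, not part of the thread: lint an Apache configuration for
# ports opened with "Listen" that no TLS-enabled <VirtualHost> serves.
# Such a port answers plain HTTP; a browser that starts a TLS handshake on
# it gets an HTTP response back and Firefox reports SSL_ERROR_RX_RECORD_TOO_LONG.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Print every "Listen" port that has no <VirtualHost> containing "SSLEngine on",
# one per line, ascending. Understands "Listen 5443", "Listen 0.0.0.0:5443",
# "Listen [::]:443 https" and one port per <VirtualHost ...> opener.
plain_listen_ports() {   # $1 = path to an Apache config file
    awk '
        tolower($1) == "listen" {
            p = $2; sub(/.*:/, "", p); sub(/[^0-9].*/, "", p); listen[p] = 1
        }
        tolower($1) ~ /^<virtualhost/ {
            v = $0; sub(/.*:/, "", v); sub(/[^0-9].*/, "", v); cur = v
        }
        tolower($1) == "sslengine" && tolower($2) == "on" && cur != "" { tls[cur] = 1 }
        tolower($1) == "</virtualhost>" { cur = "" }
        END { for (p in listen) if (!(p in tls)) print p }
    ' "$1" | sort -n
}

# Constructed "before" config (assumption, mirrors what the message describes):
# Listen 5443 / Listen 8888 added to ports.conf with no SSL vhost for either,
# so Apache serves plain HTTP there and competes with Tomcat for 5443.
BEFORE_CONF="$WORK/before.conf"
cat > "$BEFORE_CONF" <<'EOF'
Listen 80
Listen 443
Listen 5443
Listen 8888
<VirtualHost *:80>
    ServerName domain.eu
</VirtualHost>
<VirtualHost *:443>
    ServerName domain.eu
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/domain.eu/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.eu/privkey.pem
</VirtualHost>
EOF

# Constructed "after" config (assumption): Apache keeps only 80 and 443, the
# TLS vhost on 443 reverse-proxies to OpenMeetings on loopback, and Tomcat keeps
# 5443 to itself. Port 5080 as OM's plain-HTTP connector is an assumption;
# mod_ssl, mod_proxy, mod_proxy_http and mod_headers must be enabled.
AFTER_CONF="$WORK/after.conf"
cat > "$AFTER_CONF" <<'EOF'
Listen 80
Listen 443
<VirtualHost *:80>
    ServerName domain.eu
    Redirect permanent / https://domain.eu/
</VirtualHost>
<VirtualHost *:443>
    ServerName domain.eu
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/domain.eu/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.eu/privkey.pem
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        /openmeetings http://127.0.0.1:5080/openmeetings
    ProxyPassReverse /openmeetings http://127.0.0.1:5080/openmeetings
</VirtualHost>
EOF

echo "before: plaintext listeners on ports: $(plain_listen_ports "$BEFORE_CONF" | tr '\n' ' ')"
echo "after:  plaintext listeners on ports: $(plain_listen_ports "$AFTER_CONF" | tr '\n' ' ')"
```

On the live server the same question can be answered without parsing files: "apache2ctl -S" lists which vhost claims which port, "ss -ltnp" shows which process actually holds 5443 after the reboot, and "openssl s_client -connect domain.eu:5443" shows whether the listener completes a TLS handshake and presents a certificate or just drops the connection.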

RE: Log-in and security

Posted by Xavier M <xa...@hotmail.com>.
Hello Maxim,

That's a good idea... I had already heard of it, but I still have to look at how to do it. But it seems that I forgot something, because I cannot access OpenMeetings since I ran "shutdown -r now" on the server. Any idea which command it is?

Xavier

________________________________
From: Maxim Solodovnik <so...@gmail.com>
Sent: Friday, 5 July 2019 09:38
To: Openmeetings user-list
Subject: Re: Log-in and security

You need to set-up autostart for these services

On Fri, Jul 5, 2019, 14:04 Xavier M <xa...@hotmail.com> wrote:
Hmm... It sounds a bit complicated for me, I have to go "slowly". But I'm pretty sure I'll do it.

For the moment, I do not understand why I cannot connect anymore to "https://domain.eu:5443/openmeetings" (while I can connect to "https://domain.eu") after I ran "shutdown -r now" on the web server. It has been a full night since I typed, after the "reboot":
sudo /etc/init.d/mysql start
sudo /etc/init.d/kurento-media-server start
sudo /etc/init.d/tomcat3 start

Did I forget something? Is there anywhere a log which could help?

Have a good day!
Xavier

________________________________
From: Maxim Solodovnik <so...@gmail.com>
Sent: Friday, 5 July 2019 04:18
To: Openmeetings user-list
Subject: Re: Log-in and security

Demo server uses Apache as frontend proxy
The config is here: https://stackoverflow.com/questions/51721771/apache-openmeetings-4-0-4-csrf-attack-when-using-apache2-as-proxypass

On Fri, 5 Jul 2019 at 03:51, Xavier M <xa...@hotmail.com> wrote:

Ok, for the time being, I won't switch to root...

I ran "sudo shutdown -r now" and waited. The server came back up (website "https://domain.eu" reachable). I connected through SSH and typed:

sudo /etc/init.d/mysql start
sudo /etc/init.d/tomcat3 start


Now I'm waiting... But I can't connect at all to OpenMeetings with the URL that previously worked ("https://domain.eu:5443/openmeetings"): Firefox cannot establish a connection to this address...


Thank you all and have a good night,

Xavier


On 04/07/2019 at 22:05, Stefan Kühl wrote:

Ok, please restart the server and it should work.
If you use open500 as folder open500/conf is correct.

Just restart it.

Greetz

Stefan

PS: if you want to access "permission denied" folders you need to switch to root, sudo won't work in this case. But be careful, keep in mind that you change the ownership if you change files as root.



Good evening

On 04.07.2019 21:57, Xavier M wrote:

Thank you!


Each command line worked... But it did not change anything when I want to log in. Maybe I should restart "a service"?

NB: as OM_Folder, I wrote "open500", where I found a "conf" subdirectory with a "keystore" file. But I have an "openmeetings" subdirectory too... which I cannot access (Permission denied).


Greetings,

Xavier


On 04/07/2019 at 21:35, Stefan Kühl wrote:

Yes, I'm sorry. Did this so many times and forgot an important point. First: the password is: password

;-)



Let's go through the lines:

"sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/domain.eu/chain.pem"

Here you use the openssl library to export the key from the Let's Encrypt certificate into the red5.p12 file and store it in your OM folder (red5 is just a name - you could also use any other name)

"sudo keytool -importkeystore -srcstorepass password -srckeystore /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5

sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem"

by using keytool you import the certificate key by setting the password (-srcstorepass password -> deststorepass password) into the file keystore.jks and confirming the trust by the chain.pem

"sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks"

now creating the trustscore.jks by copying the keystore.jks

last, and only if you have OM 5.* installed:

"sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore"
this is necessary because OM5 looks only for keystore and not for keystore.jks. You can do "mv keystore.jks keystore" also. Otherwise you could update the config file to look for keystore.jks

So if you will be asked for

Enter Export Password:
Verifying - Enter Export Password:

and again

Enter Import Password:
Verifying - Enter Import Password:

you need to enter password

Just to keep it simple, you can choose your own password, but keep in mind to change it within the command too ;-)

Greetz

Stefan

On 04.07.2019 21:18, Xavier M wrote:

So...

After having changed the folder names, I entered the first command line to get:

Enter Export Password:
Verifying - Enter Export Password:

I wrote down a password - I guess I defined it at this step?


Then the second command line delivered:

Importing keystore /opt/open500/conf/red5.p12 to /opt/open500/conf/keystore.jks...
keytool error: java.io.IOException: keystore password was incorrect

Any idea of what happens and what I should do? I did not try the third command line.

By the way, can you explain to me in a few words what I'm doing with these command lines?


Have a good evening,

Xavier


On 04/07/2019 at 19:15, Stefan Kühl wrote:

Maybe to make a quick check (every command in one line):

sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/domain.eu/chain.pem

sudo keytool -importkeystore -srcstorepass password -srckeystore /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5

sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem

sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks

sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore (<- only if you have version 5.*)


Please remember: If you leave it like this, you need to repeat these lines after every renewal of your certificate. Be aware of the folders -> domain.eu: your domain, and OM_Folder: your OM installation folder.

Greetz

Stefan

On 04.07.2019 18:00, Xavier M wrote:

Then let's go with Proxy through Apache.

I'm not running as root, but my account has full rights, so I thought I could do exactly the same things. "sudo" is my friend... even sudo chmod.

The server runs Ubuntu - my account was created at installation. When I refer to a "LAMP server", I mean that I executed the command

sudo apt install apache2 php libapache2-mod-php mariadb-server php-mysql


... among others, prior to installing OM.


Xavier

________________________________
From: Aaron Hepp <aa...@gmail.com>
Sent: Thursday, 4 July 2019 17:53
To: user@openmeetings.apache.org
Subject: Re: Log-in and security

Proxy through Apache would be the easier solution for upgrading

When you say admin of the server, do you mean you are running as root, or that you can log into it?  As well, what "type" of server is it (RHEL, CentOS, Ubuntu, etc.)?

On 7/4/19 11:48 AM, Xavier M wrote:
Thank you Aaron.

Even if I have admin rights, I can only access /etc/letsencrypt/. Permission is denied when I want to open the subdirectory "live".

How do both solutions work? I know neither how to "Proxy through Apache", nor how to "configure my OM instance to be able to read where the keys are". Sorry for all that...

Xavier

________________________________
From: Aaron Hepp <aa...@gmail.com>
Sent: Thursday, 4 July 2019 17:40
To: user@openmeetings.apache.org
Subject: Re: Log-in and security

That is your issue.  Apache has the cert installed via Let's Encrypt.  Tomcat, which is running on 5443, needs to have the configuration set to know where the cert is located, as well as the keystore created.

You can do two things.  Proxy through Apache, or configure your OM instance to be able to read where the keys are.

Let's Encrypt places the cert at:
/etc/letsencrypt/live/<domain>



On 7/4/19 11:34 AM, Xavier M wrote:
Hem... No... Do you mean I have to copy and paste the certificate into each folder? Actually, I don't even know where the certificate is to be found on the server... But I guess I'll find it somewhere if needed.

Xavier

________________________________
From: Stefan Kühl <st...@quatrekuehl.eu>
Sent: Thursday, 4 July 2019 17:06
To: user@openmeetings.apache.org
Cc: R. Scholz
Subject: Re: Log-in and security


Hi @all,

port should be irrelevant. I'm using Apache on Ubuntu with port 5443 too. https works as expected.
Did you export the certificate keys (like keystore and trustscore) to your %OM%/conf folder?



Greetz

Stefan

On 04.07.2019 16:57, R. Scholz wrote:

Hello Xavier,

Hm, are you using Tomcat or Apache on port 80?

Best regards,

René


On 04.07.2019 at 16:24, Xavier M wrote:
Thank you for answering... I'm sorry, but I don't know enough about certificates to give you a relevant answer. I think that:
 * The common name is "rusa.fr"
 * There is no subject alternative name (not even www.rusa.fr)
 * It is not a wildcard

... But I'm not 100% sure, it is the first time I administer a server, I'm discovering many things at the same time!

Xavier

________________________________
From: Clayton, Robin <Ro...@cumberland.co.uk>
Sent: Thursday, 4 July 2019 15:43
To: user@openmeetings.apache.org
Subject: RE: Log-in and security


What is the CN of the certificate, are there any SAN entries on the certificate? Or is it a wildcard?

The TCP port should be irrelevant.

Rob

From: Stefan Kühl [mailto:stefan@quatrekuehl.eu]
Sent: 04 July 2019 14:16
To: user@openmeetings.apache.org
Cc: Xavier M
Subject: Re: Log-in and security

Hi,

are you sure that you requested your certificate for domain.eu too, or only for www.domain.eu? You should check this. Sometimes web hosters only use the www addresses for certificates.

Greetz

Stefan

On 04.07.2019 14:18, Xavier M wrote:

Hi everybody,

I'm quite sure that the answer is already somewhere, but I couldn't find it...

After having installed OM on a web server, the "written" way to access the log-in is the following, according to Alvaro's tutorial:

https://localhost:5443/openmeetings

If OM is installed on a web server, let's say "domain.eu", it works correctly with:

https://domain.eu:5443/openmeetings

But the user will get a warning for security reasons, even if domain.eu works with https, since the common certificates will not work with this port.

I noticed that the following URL worked for the "demo version":

https://om.alteametasoft.com/openmeetings

Does anyone know how this was done? I would like to avoid the use of port 5443 with the warning.

Have a good day!

Xavier



--
WBR
Maxim aka solomax
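Stefan's walkthrough quoted in this message and Xavier's "keystore password was incorrect" error both turn on one detail: whatever is typed at "Enter Export Password:" becomes the PKCS#12 store password, and "keytool -importkeystore -srcstorepass" has to receive exactly that value, while "-name" fixes the alias the later keytool steps refer to. The shell script below is an added example, not code from this thread or from the OpenMeetings project. It repeats the "openssl pkcs12 -export" step against a throwaway CA and leaf certificate built inline (standing in for the Let's Encrypt files, with the thread's placeholder "domain.eu" as the name), makes the password explicit with -passout, checks that the bundle opens only with that password, reads back the alias set by -name, and performs the JKS conversion with keytool only where a JDK is installed. The alias "red5" and the password "password" are taken from the thread's commands.

```sh
#!/bin/sh
# Added example, not the thread's own commands: replay the PKCS#12 step from
# Stefan's instructions against a constructed throwaway certificate chain so
# it runs offline, then check the two details behind the
# "keystore password was incorrect" error: the password given to
# "openssl pkcs12 -export" is the one keytool must receive as -srcstorepass,
# and "-name" becomes the alias the keytool import refers to.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-ins for /etc/letsencrypt/live/domain.eu/{privkey,cert,chain}.pem:
# a throwaway CA (chain.pem) issuing a one-day leaf for "domain.eu" (assumed name).
make_test_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Throwaway Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/chain.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=domain.eu" \
        -keyout "$WORK/privkey.pem" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/chain.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/cert.pem" 2>/dev/null
}

# Bundle key, leaf and chain into a PKCS#12 under an alias and a password.
# This is the thread's first command with the interactive "Enter Export
# Password:" prompt replaced by -passout, so the password is explicit.
make_p12() {   # $1 = output .p12, $2 = alias (-name), $3 = password
    openssl pkcs12 -export \
        -in "$WORK/cert.pem" -inkey "$WORK/privkey.pem" -certfile "$WORK/chain.pem" \
        -name "$2" -passout "pass:$3" -out "$1"
}

# Succeed only if the bundle's integrity MAC verifies under this password,
# which is the first thing keytool checks when it opens the source store.
p12_opens_with() {   # $1 = .p12, $2 = password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout 2>/dev/null
}

# Print the friendlyName stored in the bundle: the alias keytool will import.
p12_alias() {   # $1 = .p12, $2 = password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | sed -n 's/^[[:space:]]*friendlyName:[[:space:]]*//p' | head -n 1
}

# The thread's keytool step, made non-interactive. Only run where a JDK exists.
p12_to_jks() {   # $1 = .p12, $2 = output .jks, $3 = alias, $4 = password
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$4" \
        -destkeystore "$2" -deststoretype JKS -deststorepass "$4" \
        -srcalias "$3" -destalias "$3"
}

P12="$WORK/red5.p12"
make_test_chain
make_p12 "$P12" red5 password           # alias and password as in the thread
if p12_opens_with "$P12" wrongpass; then
    echo "bundle accepted a wrong password?!" >&2; exit 1
fi
echo "bundle opens with the export password; alias: $(p12_alias "$P12" password)"
if command -v keytool >/dev/null 2>&1; then
    p12_to_jks "$P12" "$WORK/keystore.jks" red5 password \
        || echo "keytool rejected the bundle (older JDK? with OpenSSL 3 add -legacy to make_p12)" >&2
fi
```

Two things Stefan's steps leave implicit: the resulting keystore contains the private key, so it should be owned by the account Tomcat runs as and not be world-readable ("chmod 600"), and since Let's Encrypt certificates are short-lived the conversion must be repeated after every renewal, which certbot's --deploy-hook option can do by running a script like this one. OpenSSL 3 writes PKCS#12 files with PBES2/AES by default, which older JDKs cannot read; "openssl pkcs12 -export -legacy" produces the older encoding when keytool complains about the file.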

Re: Log-in and security

Posted by Maxim Solodovnik <so...@gmail.com>.
You need to set-up autostart for these services

On Fri, Jul 5, 2019, 14:04 Xavier M <xa...@hotmail.com> wrote:

> Hmm... It sounds a bit complicated for me, I have to go "slowly". But
> I'm pretty sure I'll do it.
>
> For the moment, I do not understand why I cannot connect anymore to
> "https://domain.eu:5443/openmeetings" (while I can connect to
> "https://domain.eu") after I ran "shutdown -r now" on the web server. It
> has been a full night since I typed, after the "reboot":
> sudo /etc/init.d/mysql start
> sudo /etc/init.d/kurento-media-server start
> sudo /etc/init.d/tomcat3 start
>
> Did I forget something? Is there anywhere a log which could help?
>
> Have a good day!
> Xavier
>
> ------------------------------
> *From:* Maxim Solodovnik <so...@gmail.com>
> *Sent:* Friday, 5 July 2019 04:18
> *To:* Openmeetings user-list
> *Subject:* Re: Log-in and security
>
> Demo server uses Apache as frontend proxy
> The config is here:
> https://stackoverflow.com/questions/51721771/apache-openmeetings-4-0-4-csrf-attack-when-using-apache2-as-proxypass
>
> On Fri, 5 Jul 2019 at 03:51, Xavier M <xa...@hotmail.com> wrote:
>
> Ok, at the time being, I won't switch to root...
>
> I "sudo shutdown -r now" and waited. The server has gone on again (website
> "https://domain.eu" reachable). I connected through SSH and typed:
>
> sudo /etc/init.d/mysql start
> sudo /etc/init.d/tomcat3 start
>
>
> Now I'm waiting... But I can't connect at all to OpenMeetings with the URL
> that previously worked ("https://domain.eu:5443/openmeetings"): Firefox
> cannot establish a connection to this address...
>
>
> Thank you all and have a good night,
>
> Xavier
>
>
> On 04/07/2019 at 22:05, Stefan Kühl wrote:
>
> Ok, please restart the server and it should work.
> If you use open500 as folder open500/conf is correct.
>
> Just restart it.
>
> Greetz
>
> Stefan
>
> PS: if you want to access "permission denied" folders you need to switch
> to root; sudo won't work in this case. But be careful, keep in mind that
> you change the ownership if you change files as root.
>
>
> Good evening
>
> On 04.07.2019 21:57, Xavier M wrote:
>
> Thank you!
>
>
> Each command line worked... But it did not change anything when I want to
> log in. Maybe I should restart "a service"?
>
> NB: as OM_Folder, I wrote "open500", where I found a "conf" subdirectory
> with a "keystore" file. But I have an "openmeetings" subdirectory too...
> which I cannot access (Permission denied).
>
>
> Greetings,
>
> Xavier
>
>
> On 04/07/2019 at 21:35, Stefan Kühl wrote:
>
> Yes, I'm sorry. Did this so many times and forgot an important point.
> First: the password is: password
>
> ;-)
>
>
> Let's go through the lines:
>
> "sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem
> -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out
> /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/
> domain.eu/chain.pem"
>
> Here you use the openssl library to export the key from the letsencrypt
> certificate into the red5.p12 file and store it in your OM folder (red5 is
> just a name - you could also use any other name).
>
> "sudo keytool -importkeystore -srcstorepass password -srckeystore
> /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password
> -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5
>
> sudo keytool -import -alias root -keystore
> /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/
> domain.eu/chain.pem"
>
> By using keytool you import the certificate key, setting the password
> (-srcstorepass password -> -deststorepass password), into the file
> keystore.jks and confirm the trust with the chain.pem.
>
> "sudo cp -f /opt/OM_Folder/conf/keystore.jks
> /opt/OM_Folder/conf/trustscore.jks"
>
> Now create the trustscore.jks by copying the keystore.jks.
>
> Lastly, and only if you have OM 5.* installed:
>
> "sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore"
> This is necessary because OM5 looks only for keystore and not for
> keystore.jks. You can do "mv keystore.jks keystore" as well. Otherwise you
> could update the config file to look for keystore.jks.
>
> So if you will be asked for
>
> Enter Export Password:
> Verifying - Enter Export Password:
>
> and again
>
> Enter Import Password:
> Verifying - Enter Import Password:
>
> you need to enter password
>
> Just to keep it simple, you can choose your own password, but keep in
> mind to change it within the command too ;-)
>
> Greetz
>
> Stefan
>
> On 04.07.2019 21:18, Xavier M wrote:
>
> So...
>
> After having changed the folder names, I entered the first command line to
> get:
>
> *Enter Export Password:*
> *Verifying - Enter Export Password:*
>
> I wrote down a password - I guess I defined it at this step?
>
>
> Then the second command line delivered:
>
> Importing keystore /opt/open500/conf/red5.p12 to
> /opt/open500/conf/keystore.jks...
> keytool error: java.io.IOException: keystore password was incorrect
>
> Any idea what is happening and what I should do? I did not try the third
> command line.
>
> By the way, can you explain to me in a few words what I'm doing with these
> command lines?
>
>
> Have a good evening,
>
> Xavier
>
>
> On 04/07/2019 at 19:15, Stefan Kühl wrote:
>
> Maybe to make a quick check (every command in one line):
>
> sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem
> -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out
> /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/
> domain.eu/chain.pem
>
>
> sudo keytool -importkeystore -srcstorepass password -srckeystore
> /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password
> -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5
>
> sudo keytool -import -alias root -keystore
> /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/
> domain.eu/chain.pem
>
>
> sudo cp -f /opt/OM_Folder/conf/keystore.jks
> /opt/OM_Folder/conf/trustscore.jks
>
>
> sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore
> (<- only if you have version 5.*)
>
>
>
> Please remember: if you leave it like this, you need to repeat these lines
> after every renewal of your certificate. Be aware of the folders ->
> domain.eu: your domain, and OM_Folder: your OM installation folder.
>
> Greetz
>
> Stefan
>
> On 04.07.2019 18:00, Xavier M wrote:
>
> Then let's go with Proxy through Apache.
>
> I'm not running as root, but my account has full rights, so I thought I
> could do exactly the same things. "sudo" is my friend... even sudo chmod.
>
> The server works with Ubuntu - my account was created at the installation.
> When I refer to a "LAMP-server", I executed the command
>
> sudo apt install apache2 php libapache2-mod-php mariadb-server php-mysql
>
>
> ... among others, prior to installing OM.
>
>
> Xavier
>
> ------------------------------
> *From:* Aaron Hepp <aa...@gmail.com>
> *Sent:* Thursday 4 July 2019 17:53
> *To:* user@openmeetings.apache.org
> *Subject:* Re: Log-in and security
>
> Proxy through Apache would be the easier solution for upgrading.
>
> When you say admin of the server, do you mean you are running as root, or
> that you can log into it? As well, what "type" of server is it (RHEL,
> CentOS, Ubuntu, etc.)?
>
> On 7/4/19 11:48 AM, Xavier M wrote:
>
> Thank you Aaron.
>
> Even if I have admin rights, I can only access /etc/letsencrypt/. The
> permission is denied when I want to open the subdirectory "live".
>
> How do both solutions work? I know neither how to "Proxy through Apache",
> nor how to "configure my OM instance to be able to read where the keys
> are". Sorry for all that...
>
> Xavier
>
> ------------------------------
> *From:* Aaron Hepp <aa...@gmail.com>
> *Sent:* Thursday 4 July 2019 17:40
> *To:* user@openmeetings.apache.org
> *Subject:* Re: Log-in and security
>
> That is your issue.  Apache has the cert installed via Let's Encrypt.
> Tomcat, which is running on 5443, needs to have the configuration set to
> know where the cert is located, as well as the keystore created.
>
> You can do two things.  Proxy through Apache, or configure your OM
> instance to be able to read where the keys are.
>
> Let's Encrypt places the cert at:
> /etc/letsencrypt/live/<domain>
>
>
>
> On 7/4/19 11:34 AM, Xavier M wrote:
>
> Hem... No... Do you mean I have to copy and paste the certificate in each
> folder? Actually, I don't even know where the certificate is to be found on
> the server... But I guess I'll find it somewhere if needed.
>
> Xavier
>
> ------------------------------
> *From:* Stefan Kühl <st...@quatrekuehl.eu>
> *Sent:* Thursday 4 July 2019 17:06
> *To:* user@openmeetings.apache.org
> *Cc:* R. Scholz
> *Subject:* Re: Log-in and security
>
>
> Hi @all,
>
> Port should be irrelevant. I'm using Apache on Ubuntu with port 5443 too.
> https works as expected.
> Did you export the certificate keys (like keystore and trustscore) to
> your %OM%/conf folder?
>
>
> Greetz
>
> Stefan
>
> On 04.07.2019 16:57, R. Scholz wrote:
>
> Hello Xavier,
>
> Hm, are you using Tomcat or Apache on port 80?
>
> Best regards,
>
> René
>
>
> On 04.07.2019 at 16:24, Xavier M wrote:
>
> Thank you for answering... I'm sorry, but I don't know enough about
> certificates to give you a relevant answer. I think that:
>  * The common name is "rusa.fr"
>  * There is no subject alternative name (not even www.rusa.fr)
>  * It is not a wildcard
>
> ... But I'm not 100% sure; it is the first time I administer a server,
> I'm discovering many things at the same time!
>
> Xavier
>
> ------------------------------
> *From:* Clayton, Robin <Ro...@cumberland.co.uk>
> *Sent:* Thursday 4 July 2019 15:43
> *To:* user@openmeetings.apache.org
> *Subject:* RE: Log-in and security
>
>
> What is the CN of the certificate? Are there any SAN entries on the
> certificate? Or is it a wildcard?
>
>
>
> The TCP port should be irrelevant.
>
>
>
> Rob
>
>
>
>
>
>
>
>
>
> *From:* Stefan Kühl [mailto:stefan@quatrekuehl.eu]
>
> *Sent:* 04 July 2019 14:16
> *To:* user@openmeetings.apache.org
> *Cc:* Xavier M
> *Subject:* Re: Log-in and security
>
>
>
> Hi,
>
> Are you sure that you requested your certificate also for domain.eu, or
> only for www.domain.eu? You should check this. Sometimes web hosters only
> use the www addresses for certificates.
>
> Greetz
>
> Stefan
>
>
>
>
>
> On 04.07.2019 14:18, Xavier M wrote:
>
> Hi everybody,
>
>
>
> I'm quite sure that the answer is already somewhere, but I couldn't find
> it...
>
>
>
> After having installed OM on a web server, the "written" way to access the
> log-in is the following, according to Alvaro's tutorial:
>
> https://localhost:5443/openmeetings
>
>
>
> If OM is installed on a web server, let's say "domain.eu", it works
> correctly with:
>
> https://domain.eu:5443/openmeetings
>
>
>
> But the user will get a warning for security reasons, even if domain.eu
> works with https, since the common certificates will not work with this
> port.
>
>
>
> I noticed that the following URL worked for the "demo version":
>
> https://om.alteametasoft.com/openmeetings
>
>
>
> Does anyone know how this was done? I would like to avoid the use of the
> port 5443 with the warning.
>
>
>
> Have a good day!
>
> Xavier
>
>
>
>
>
>
>
>
> --
> WBR
> Maxim aka solomax
>
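
Stefan's command sequence quoted above (openssl pkcs12 export, keytool import of the PKCS#12 and of chain.pem, copy to the truststore) is the reusable part of this thread, together with his warning that it must be repeated after every renewal and Robin's question about the CN and SAN entries. The script below is an added example, not code from this thread or from the OpenMeetings project: it wraps the same steps so they can run as a certbot deploy hook with a generated store password instead of the literal "password", verifies that the PKCS#12 opens before anything is imported, and checks that the certificate actually covers the hostname being served. OM_CONF, OM_HOST, the keystore.pass file, the truststore.jks name and the use of RENEWED_LINEAGE are assumptions stated in the comments (RENEWED_LINEAGE is the variable certbot sets for deploy hooks); the "lineage" it builds for the demo is constructed test data, not a real Let's Encrypt directory.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenMeetings project): the
# openssl/keytool sequence from the thread, wrapped so it can run as a certbot
# --deploy-hook with a generated store password and a verification step.
# Assumptions: openssl on PATH; keytool optional; OM_CONF/OM_HOST set by you.
set -eu

# Does the leaf certificate cover the hostname OM is served under? Checks the
# CN and every DNS SAN entry, exact or single-label wildcard. 0 = covered.
cert_covers_host() {
    cert="$1"; host="$2"
    sans=$(openssl x509 -in "$cert" -noout -text \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p')
    cn=$(openssl x509 -in "$cert" -noout -subject \
        | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p')
    for n in $sans $cn; do
        case "$n" in
            "$host") return 0 ;;
            \*.*) [ "${host#*.}" = "${n#\*.}" ] && return 0 ;;
        esac
    done
    return 1
}

# Export key + leaf + chain to PKCS#12 (the thread's first command), then
# reopen it with the same password so a mismatch fails here, not in Tomcat.
export_p12() {
    lineage="$1"; out="$2"; alias="$3"; pass="$4"
    openssl pkcs12 -export -in "$lineage/cert.pem" \
        -inkey "$lineage/privkey.pem" -certfile "$lineage/chain.pem" \
        -name "$alias" -out "$out" -passout "pass:$pass"
    chmod 600 "$out"
    openssl pkcs12 -in "$out" -noout -passin "pass:$pass"
}

# The thread's keytool steps, made non-interactive with -noprompt. The copy is
# named truststore.jks here (assumption: match whatever your conf references;
# the thread's commands call it trustscore.jks).
import_jks() {
    p12="$1"; conf="$2"; alias="$3"; pass="$4"; chain="$5"
    rm -f "$conf/keystore.jks"
    keytool -importkeystore -noprompt -srckeystore "$p12" \
        -srcstoretype PKCS12 -srcstorepass "$pass" -alias "$alias" \
        -destkeystore "$conf/keystore.jks" -deststorepass "$pass"
    keytool -import -noprompt -alias root -trustcacerts -file "$chain" \
        -keystore "$conf/keystore.jks" -storepass "$pass"
    cp -f "$conf/keystore.jks" "$conf/truststore.jks"
    chmod 600 "$conf/keystore.jks" "$conf/truststore.jks"
}

# Deploy-hook entry point: certbot exports RENEWED_LINEAGE (the live dir) to
# deploy hooks. The generated password goes to a mode-600 file for you to put
# into the connector's keystorePass setting (how Tomcat reads it is your setup).
deploy() {
    lineage="${RENEWED_LINEAGE:?set by certbot}"
    conf="${OM_CONF:?OM conf dir}"; host="${OM_HOST:?served hostname}"
    cert_covers_host "$lineage/cert.pem" "$host" \
        || { echo "certificate does not cover $host" >&2; return 1; }
    pass=$(openssl rand -base64 24)
    umask 077
    printf '%s\n' "$pass" > "$conf/keystore.pass"
    export_p12 "$lineage" "$conf/red5.p12" red5 "$pass"
    if command -v keytool >/dev/null 2>&1; then
        import_jks "$conf/red5.p12" "$conf" red5 "$pass" "$lineage/chain.pem"
    else
        echo "keytool not found; PKCS#12 left at $conf/red5.p12" >&2
    fi
}

# Constructed test data standing in for /etc/letsencrypt/live/<domain>: a
# throwaway CA (as chain.pem) and a leaf for domain.eu with SAN www.domain.eu.
make_test_lineage() {
    dir="$1"; mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$dir/ca.key" -out "$dir/chain.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=domain.eu" \
        -keyout "$dir/privkey.pem" -out "$dir/req.csr" 2>/dev/null
    printf 'subjectAltName=DNS:domain.eu,DNS:www.domain.eu\n' > "$dir/ext.cnf"
    openssl x509 -req -days 1 -in "$dir/req.csr" -CA "$dir/chain.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/ext.cnf" \
        -out "$dir/cert.pem" 2>/dev/null
}

# Stand-alone run (`sh om-cert-hook.sh demo`) exercises the functions on the
# constructed lineage in a temporary directory; a real hook would call deploy.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_test_lineage "$tmp/live"
    cert_covers_host "$tmp/live/cert.pem" www.domain.eu && echo "SAN check ok"
    export_p12 "$tmp/live" "$tmp/red5.p12" red5 "$(openssl rand -base64 24)" \
        && echo "PKCS#12 exported and verified under $tmp"
fi
```

Run `sh om-cert-hook.sh demo` to see it work on the constructed data. As a hook you would set OM_CONF and OM_HOST at the top of the file, call deploy instead of the demo block, and pass the file to certbot with --deploy-hook, which answers the "repeat after every renewal" point. The password file and the stores are created mode 600; chown them to the account Tomcat runs as. The hostname check answers Robin's CN/SAN question before anything is imported: a certificate issued only for www.domain.eu fails for domain.eu here rather than as a browser warning.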

RE: Log-in and security

Posted by Xavier M <xa...@hotmail.com>.
Hmm... It sounds a bit complicated for me, I have to make it "slowly". But I'm pretty sure I'll do it.

For the moment, I do not understand why I cannot connect anymore to "https://domain.eu:5443/openmeetings" (while I can connect to "https://domain.eu") after I "shutdown -r now" the web server. It has been a full night since I typed after the "reboot":
sudo /etc/init.d/mysql start
sudo /etc/init.d/kurento-media-server start
sudo /etc/init.d/tomcat3 start

Did I forget something? Is there a log anywhere which could help?

Have a good day!
Xavier

________________________________
From: Maxim Solodovnik <so...@gmail.com>
Sent: Friday 5 July 2019 04:18
To: Openmeetings user-list
Subject: Re: Log-in and security

Demo server uses Apache as frontend proxy
The config is here: https://stackoverflow.com/questions/51721771/apache-openmeetings-4-0-4-csrf-attack-when-using-apache2-as-proxypass

On Fri, 5 Jul 2019 at 03:51, Xavier M <xa...@hotmail.com> wrote:

Ok, at the time being, I won't switch to root...

I "sudo shutdown -r now" and waited. The server has gone on again (website "https://domain.eu" reachable). I connected through SSH and typed:

sudo /etc/init.d/mysql start
sudo /etc/init.d/tomcat3 start


Now I'm waiting... But I can't connect at all to OpenMeetings with the URL that previously worked ("https://domain.eu:5443/openmeetings"): Firefox cannot establish a connection to this address...


Thank you all and have a good night,

Xavier


On 04/07/2019 at 22:05, Stefan Kühl wrote:

Ok, please restart the server and it should work.
If you use open500 as folder open500/conf is correct.

Just restart it.

Greetz

Stefan

PS: if you want to access "permission denied" folders you need to switch to root; sudo won't work in this case. But be careful, keep in mind that you change the ownership if you change files as root.



Good evening

On 04.07.2019 21:57, Xavier M wrote:

Thank you!


Each command line worked... But it did not change anything when I want to log in. Maybe I should restart "a service"?

NB: as OM_Folder, I wrote "open500", where I found a "conf" subdirectory with a "keystore" file. But I have an "openmeetings" subdirectory too... which I cannot access (Permission denied).


Greetings,

Xavier


On 04/07/2019 at 21:35, Stefan Kühl wrote:

Yes, I'm sorry. Did this so many times and forgot an important point. First: the password is: password

;-)



Let's go through the lines:

"sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/domain.eu/chain.pem"

Here you use the openssl library to export the key from the letsencrypt certificate into the red5.p12 file and store it in your OM folder (red5 is just a name - you could also use any other name).

"sudo keytool -importkeystore -srcstorepass password -srckeystore /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5

sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem"

By using keytool you import the certificate key, setting the password (-srcstorepass password -> -deststorepass password), into the file keystore.jks and confirm the trust with the chain.pem.

"sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks"

Now create the trustscore.jks by copying the keystore.jks.

Lastly, and only if you have OM 5.* installed:

"sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore"
This is necessary because OM5 looks only for keystore and not for keystore.jks. You can do "mv keystore.jks keystore" as well. Otherwise you could update the config file to look for keystore.jks.

So if you will be asked for

Enter Export Password:
Verifying - Enter Export Password:

and again

Enter Import Password:
Verifying - Enter Import Password:

you need to enter password

Just to keep it simple, you can choose your own password, but keep in mind to change it within the command too ;-)

Greetz

Stefan

On 04.07.2019 21:18, Xavier M wrote:

So...

After having changed the folder names, I entered the first command line to get:

Enter Export Password:
Verifying - Enter Export Password:

I wrote down a password - I guess I defined it at this step?


Then the second command line delivered:

Importing keystore /opt/open500/conf/red5.p12 to /opt/open500/conf/keystore.jks...
keytool error: java.io.IOException: keystore password was incorrect

Any idea what is happening and what I should do? I did not try the third command line.

By the way, can you explain to me in a few words what I'm doing with these command lines?


Have a good evening,

Xavier


On 04/07/2019 at 19:15, Stefan Kühl wrote:

Maybe to make a quick check (every command in one line):

sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/domain.eu/chain.pem

sudo keytool -importkeystore -srcstorepass password -srckeystore /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5

sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem

sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks

sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore (<- only if you have version 5.*)




Please remember: if you leave it like this, you need to repeat these lines after every renewal of your certificate. Be aware of the folders -> domain.eu: your domain, and OM_Folder: your OM installation folder.

Greetz

Stefan

On 04.07.2019 18:00, Xavier M wrote:

Then let's go with Proxy through Apache.

I'm not running as root, but my account has full rights, so I thought I could do exactly the same things. "sudo" is my friend... even sudo chmod.

The server works with Ubuntu - my account was created at the installation. When I refer to a "LAMP-server", I executed the command

sudo apt install apache2 php libapache2-mod-php mariadb-server php-mysql


... among others, prior to installing OM.


Xavier

________________________________
From: Aaron Hepp <aa...@gmail.com>
Sent: Thursday 4 July 2019 17:53
To: user@openmeetings.apache.org
Subject: Re: Log-in and security

Proxy through Apache would be the easier solution for upgrading

When you say admin of the server, do you mean you are running as root, or that you can log into it? As well, what "type" of server is it (RHEL, CentOS, Ubuntu, etc.)?

On 7/4/19 11:48 AM, Xavier M wrote:
Thank you Aaron.

Even if I have admin rights, I can only access /etc/letsencrypt/. The permission is denied when I want to open the subdirectory "live".

How do both solutions work? I know neither how to "Proxy through Apache", nor how to "configure my OM instance to be able to read where the keys are". Sorry for all that...

Xavier

________________________________
From: Aaron Hepp <aa...@gmail.com>
Sent: Thursday 4 July 2019 17:40
To: user@openmeetings.apache.org
Subject: Re: Log-in and security

That is your issue.  Apache has the cert installed via Let's Encrypt.  Tomcat, which is running on 5443, needs to have the configuration set to know where the cert is located, as well as the keystore created.

You can do two things.  Proxy through Apache, or configure your OM instance to be able to read where the keys are.

Let's Encrypt places the cert at:
/etc/letsencrypt/live/<domain>



On 7/4/19 11:34 AM, Xavier M wrote:
Hem... No... Do you mean I have to copy and paste the certificate in each folder? Actually, I don't even know where the certificate is to be found on the server... But I guess I'll find it somewhere if needed.

Xavier

________________________________
From: Stefan Kühl <st...@quatrekuehl.eu>
Sent: Thursday 4 July 2019 17:06
To: user@openmeetings.apache.org
Cc: R. Scholz
Subject: Re: Log-in and security


Hi @all,

Port should be irrelevant. I'm using Apache on Ubuntu with port 5443 too. https works as expected.
Did you export the certificate keys (like keystore and trustscore) to your %OM%/conf folder?



Greetz

Stefan

On 04.07.2019 16:57, R. Scholz wrote:

Hello Xavier,

Hm, are you using Tomcat or Apache on port 80?

Best regards,

René


On 04.07.2019 at 16:24, Xavier M wrote:
Thank you for answering... I'm sorry, but I don't know enough about certificates to give you a relevant answer. I think that:
 * The common name is "rusa.fr"
 * There is no subject alternative name (not even www.rusa.fr)
 * It is not a wildcard

... But I'm not 100% sure; it is the first time I administer a server, I'm discovering many things at the same time!

Xavier

________________________________
From: Clayton, Robin <Ro...@cumberland.co.uk>
Sent: Thursday 4 July 2019 15:43
To: user@openmeetings.apache.org
Subject: RE: Log-in and security


What is the CN of the certificate? Are there any SAN entries on the certificate? Or is it a wildcard?



The TCP port should be irrelevant.



Rob









From: Stefan Kühl [mailto:stefan@quatrekuehl.eu]
Sent: 04 July 2019 14:16
To: user@openmeetings.apache.org
Cc: Xavier M
Subject: Re: Log-in and security



Hi,

Are you sure that you requested your certificate also for domain.eu, or only for www.domain.eu? You should check this. Sometimes web hosters only use the www addresses for certificates.

Greetz

Stefan





On 04.07.2019 14:18, Xavier M wrote:

Hi everybody,



I'm quite sure that the answer is already somewhere, but I couldn't find it...



After having installed OM on a web server, the "written" way to access the log-in is the following, according to Alvaro's tutorial:

https://localhost:5443/openmeetings



If OM is installed on a web server, let's say "domain.eu", it works correctly with:

https://domain.eu:5443/openmeetings



But the user will get a warning for security reasons, even if domain.eu works with https, since the common certificates will not work with this port.



I noticed that the following URL worked for the "demo version":

https://om.alteametasoft.com/openmeetings



Does anyone know how this was done? I would like to avoid the use of the port 5443 with the warning.



Have a good day!

Xavier







--
WBR
Maxim aka solomax

Re: Log-in and security

Posted by Maxim Solodovnik <so...@gmail.com>.
Demo server uses Apache as frontend proxy
The config is here:
https://stackoverflow.com/questions/51721771/apache-openmeetings-4-0-4-csrf-attack-when-using-apache2-as-proxypass

On Fri, 5 Jul 2019 at 03:51, Xavier M <xa...@hotmail.com> wrote:

> Ok, at the time being, I won't switch to root...
>
> I "sudo shutdown -r now" and waited. The server has gone on again (website
> "https://domain.eu" reachable). I connected through SSH and typed:
>
> sudo /etc/init.d/mysql start
> sudo /etc/init.d/tomcat3 start
>
>
> Now I'm waiting... But I can't connect at all to OpenMeetings with the URL
> that previously worked ("https://domain.eu:5443/openmeetings"): Firefox
> cannot establish a connection to this address...
>
>
> Thank you all and have a good night,
>
> Xavier
>
>
> On 04/07/2019 at 22:05, Stefan Kühl wrote:
>
> Ok, please restart the server and it should work.
> If you use open500 as folder open500/conf is correct.
>
> Just restart it.
>
> Greetz
>
> Stefan
>
> PS: if you want to access "permission denied" folders you need to switch
> to root; sudo won't work in this case. But be careful, keep in mind that
> you change the ownership if you change files as root.
>
>
> Good evening
>
> On 04.07.2019 21:57, Xavier M wrote:
>
> Thank you!
>
>
> Each command line worked... But it did not change anything when I want to
> log in. Maybe I should restart "a service"?
>
> NB: as OM_Folder, I wrote "open500", where I found a "conf" subdirectory
> with a "keystore" file. But I have an "openmeetings" subdirectory too...
> which I cannot access (Permission denied).
>
>
> Greetings,
>
> Xavier
>
>
> On 04/07/2019 at 21:35, Stefan Kühl wrote:
>
> Yes, I'm sorry. Did this so many times and forgot an important point.
> First: the password is: password
>
> ;-)
>
>
> Let's go through the lines:
>
> "sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem
> -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out
> /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/
> domain.eu/chain.pem"
>
> Here you use the openssl library to export the key from the letsencrypt
> certificate into the red5.p12 file and store it in your OM folder (red5 is
> just a name - you could also use any other name).
>
> "sudo keytool -importkeystore -srcstorepass password -srckeystore
> /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password
> -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5
>
> sudo keytool -import -alias root -keystore
> /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/
> domain.eu/chain.pem"
>
> By using keytool you import the certificate key, setting the password
> (-srcstorepass password -> -deststorepass password), into the file
> keystore.jks and confirm the trust with the chain.pem.
>
> "sudo cp -f /opt/OM_Folder/conf/keystore.jks
> /opt/OM_Folder/conf/trustscore.jks"
>
> Now create the trustscore.jks by copying the keystore.jks.
>
> Lastly, and only if you have OM 5.* installed:
>
> "sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore"
> This is necessary because OM5 looks only for keystore and not for
> keystore.jks. You can do "mv keystore.jks keystore" as well. Otherwise you
> could update the config file to look for keystore.jks.
>
> So if you will be asked for
>
> Enter Export Password:
> Verifying - Enter Export Password:
>
> and again
>
> Enter Import Password:
> Verifying - Enter Import Password:
>
> you need to enter password
>
> Just to keep it simple, you can choose your own password, but keep in
> mind to change it within the command too ;-)
>
> Greetz
>
> Stefan
>
> On 04.07.2019 21:18, Xavier M wrote:
>
> So...
>
> After having changed the folder names, I entered the first command line to
> get:
>
> *Enter Export Password:*
> *Verifying - Enter Export Password:*
>
> I wrote down a password - I guess I defined it at this step?
>
>
> Then the second command line delivered:
>
> Importing keystore /opt/open500/conf/red5.p12 to
> /opt/open500/conf/keystore.jks...
> keytool error: java.io.IOException: keystore password was incorrect
>
> Any idea what is happening and what I should do? I did not try the third
> command line.
>
> By the way, can you explain to me in a few words what I'm doing with these
> command lines?
>
>
> Have a good evening,
>
> Xavier
>
>
> On 04/07/2019 at 19:15, Stefan Kühl wrote:
>
> Maybe to make a quick check (every command in one line):
>
> sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem
> -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out
> /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/
> domain.eu/chain.pem
>
>
> sudo keytool -importkeystore -srcstorepass password -srckeystore
> /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password
> -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5
>
> sudo keytool -import -alias root -keystore
> /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/
> domain.eu/chain.pem
>
>
> sudo cp -f /opt/OM_Folder/conf/keystore.jks
> /opt/OM_Folder/conf/trustscore.jks
>
>
> sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore
> (<- only if you have version 5.*)
>
>
>
> Please remember: if you leave it like this, you need to repeat these lines
> after every renewal of your certificate. Be aware of the folders ->
> domain.eu: your domain, and OM_Folder: your OM installation folder.
>
> Greetz
>
> Stefan
>
> On 04.07.2019 18:00, Xavier M wrote:
>
> Then let's go with Proxy through Apache.
>
> I'm not running as root, but my account has full rights, so I thought I
> could do exactly the same things. "sudo" is my friend... even sudo chmod.
>
> The server works with Ubuntu - my account was created at the installation.
> When I refer to a "LAMP-server", I executed the command
>
> sudo apt install apache2 php libapache2-mod-php mariadb-server php-mysql
>
>
> ... among others, prior to installing OM.
>
>
> Xavier
>
> ------------------------------
> *From:* Aaron Hepp <aa...@gmail.com>
> *Sent:* Thursday 4 July 2019 17:53
> *To:* user@openmeetings.apache.org
> *Subject:* Re: Log-in and security
>
> Proxy through Apache would be the easier solution for upgrading
>
> When you say admin of the server, do you mean you are running as root, or
> that you can log into it? As well, what "type" of server is it (RHEL,
> CentOS, Ubuntu, etc.)?
>
> On 7/4/19 11:48 AM, Xavier M wrote:
>
> Thank you Aaron.
>
> Even if I have admin rights, I can only access /etc/letsencrypt/. The
> permission is denied when I want to open the subdirectory "live".
>
> How do both solutions work? I know neither how to "Proxy through Apache",
> nor how to "configure my OM instance to be able to read where the keys
> are". Sorry for all that...
>
> Xavier
>
> ------------------------------
> *De :* Aaron Hepp <aa...@gmail.com> <aa...@gmail.com>
> *Envoyé :* jeudi 4 juillet 2019 17:40
> *À :* user@openmeetings.apache.org
> *Objet :* Re: Log-in and security
>
> That is your issue.  Apache has the cert installed via LetEncrypt.  Tomcat
> which is running on 5443 needs to have the configuration set to know where
> the cert is located as well as the keystore created.
>
> You can do two things.  Proxy through Apache, or configure your OM
> instance to be able to read where the keys are.
>
> LetEncrypt places the cert at:
> /etc/letsencrypt/live/<domain>
>
>
>
> On 7/4/19 11:34 AM, Xavier M wrote:
>
> Hem... No... Do you mean I have to copy and paste the certificate in each
> folder? Actually, I even don't know where the certificate is to be found on
> the server... But I guess I find it somewhere if needed.
>
> Xavier
>
> ------------------------------
> *De :* Stefan Kühl <st...@quatrekuehl.eu> <st...@quatrekuehl.eu>
> *Envoyé :* jeudi 4 juillet 2019 17:06
> *À :* user@openmeetings.apache.org
> *Cc :* R. Scholz
> *Objet :* Re: Log-in and security
>
>
> Hi @all,
>
> port should be irrelevant. I'm using Apache on Ubuntu with port 5443 too.
> https works as expected.
> Did you export they certificate keys (like keystore and trustscore) to
> your %OM%/conf folder?
>
>
> Greetz
>
> Stefan
>
> Am 04.07.2019 16:57, schrieb R. Scholz:
>
> Hello Xavier,
>
> Hm, you using on Port 80 Tomcat or Apache?
>
> Best regards,
>
> René
>
>
> Am 04.07.2019 um 16:24 schrieb Xavier M:
>
> Thank you for answering... I'm sorry, but I don't know enough about
> certificates to give you a relevant answer. I think that :
>  * The common name is "rusa.fr"
>  * There is no subject alternative name (even www.rusa.fr)
>  * It is not a wildcard
>
> ... But I'm not 100% sure, it is the first time I administrate a server,
> I'm discovering many things at the same time!
>
> Xavier
>
> ------------------------------
> *De :* Clayton, Robin <Ro...@cumberland.co.uk>
> <Ro...@cumberland.co.uk>
> *Envoyé :* jeudi 4 juillet 2019 15:43
> *À :* user@openmeetings.apache.org
> *Objet :* RE: Log-in and security
>
>
> What is the CN of the certificate, is there any SAN entries on the
> certificate? Or is it a wildcard?
>
>
>
> The TCP port should be irrelevant.
>
>
>
> Rob
>
>
>
>
>
>
>
>
>
> *From:* Stefan Kühl [mailto:stefan@quatrekuehl.eu <st...@quatrekuehl.eu>]
>
> *Sent:* 04 July 2019 14:16
> *To:* user@openmeetings.apache.org
> *Cc:* Xavier M
> *Subject:* Re: Log-in and security
>
>
>
> Hi,
>
> are you sure that you request your certificate also for domain.eu or only
> for www.domain.eu. You should check this. Sometimes webhoster only use
> the www adresses for certificates.
>
> Greetz
>
> Stefan
>
>
>
>
>
> Am 04.07.2019 14:18, schrieb Xavier M:
>
> Hi everybody,
>
>
>
> I'm quite sure that the answer is already somewhere, but I couldn't find
> it...
>
>
>
> After having installed OM on a web-server, the "written" way to access to
> the log-in is following, according to Alvaro's tuto:
>
> https://localhost:5443/openmeetings
>
>
>
> If OM is installed on a web server, let's say "domain.eu", it works
> correctly with:
>
> https://domain.eu:5443/openmeetings
>
>
>
> But the user will get a warning for security reason, even if domain.eu
> works with https, since the common certificates will not work with this
> port.
>
>
>
> I stated that following URL worked for the "demo version":
>
> https://om.alteametasoft.com/openmeetings
>
>
>
> Does anyone know how this was done? I would like to avoid the use of the
> port 5443 with the warning.
>
>
>
> Have a good day!
>
> Xavier
>
>
>
> *Disclaimer*
>
> This email has been scanned by the Mimecast security service.
>
>
> *Disclaimer*
>
>
>
> Please, consider your environmental responsibility. Before printing this
> e-mail ask yourself: Do I need a hard copy?
>
> Cumberland Building Society
> Cumberland House
> Cooper Way
> Parkhouse
> CARLISLE CA3 0JF
> To help us monitor and improve customer service telephone calls may be
> recorded.
> Cumberland Building Society is authorised by the Prudential Regulation
> Authority and regulated by the Financial Conduct Authority and Prudential
> Regulation Authority. We arrange life assurance and critical illness cover
> only with Legal & General Assurance Society Limited and general insurance
> only with Aviva Insurance Limited.
> To find out more about us, visit *www.cumberland.co.uk*
> <http://www.cumberland.co.uk/>
>
> CONFIDENTIALITY: This e-mail and any files transmitted with it are
> confidential, may be legally privileged and are intended for the
> addressee(s) only. If you are not the intended recipient you may not
> disclose, copy, distribute, or retain all or part of this e-mail without
> our authority. Please notify the sender immediately by replying to this
> e-mail and then permanently delete it.
>
> Any views or opinions expressed are solely those of the author and do not
> necessarily represent those of Cumberland Building Society or any of its
> subsidiaries.
>
> Although we have taken steps to ensure that this e-mail and any
> attachments are free from virus contamination, please rely on your own
> virus checking procedures as no guarantee is implied or given. We will not
> be liable for any loss or damage arising from alteration of the contents of
> this e-mail by a third party or as a result of any virus.
>
>
> This email has been scanned by the Mimecast security service.
>
>
>
>

-- 
WBR
Maxim aka solomax

Re: Log-in and security

Posted by Xavier M <xa...@hotmail.com>.
OK, for the time being, I won't switch to root...

I ran "sudo shutdown -r now" and waited. The server has come up again (website "https://domain.eu" reachable). I connected through SSH and typed:

sudo /etc/init.d/mysql start
sudo /etc/init.d/tomcat3 start


Now I'm waiting... But I can't connect at all to OpenMeetings with the URL that previously worked ("https://domain.eu:5443/openmeetings"): Firefox cannot establish a connection with this address...


Thank you all and have a good night,

Xavier


On 04/07/2019 at 22:05, Stefan Kühl wrote:

Ok, please restart the server and it should work.
If you use open500 as folder open500/conf is correct.

Just restart it.

Greetz

Stefan

PS: if you want to access "permission denied" folders you need to switch to root; sudo won't work in this case. But be careful, and keep in mind that you change the ownership if you change files as root.



Good evening

On 04.07.2019 21:57, Xavier M wrote:

Thank you!


Each command line worked... But it did not change anything when I try to log in. Maybe I should restart "a service"?

NB: as OM_Folder, I wrote "open500", where I found a "conf" subdirectory with a "keystore" file. But I have an "openmeetings" subdirectory too... which I cannot access (Permission denied).


Greetings,

Xavier


On 04/07/2019 at 21:35, Stefan Kühl wrote:

Yes, I'm sorry. Did this so many times and forgot an important point. First: the password is: password

;-)



Let's go through the lines:

"sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/domain.eu/chain.pem"

Here you use the openssl library to export the key from the letsencrypt certificate into the red5.p12 file and store it in your OM folder (red5 is just a name - you could also use any other name)

"sudo keytool -importkeystore -srcstorepass password -srckeystore /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5

sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem"

By using keytool you import the certificate key, setting the password (-srcstorepass password -> -deststorepass password), into the file keystore.jks and confirm the trust via chain.pem

"sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks"

Now you create the trustscore.jks by copying the keystore.jks

Lastly, and only if you have OM 5.* installed:

"sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore"
This is necessary because OM5 looks only for keystore and not for keystore.jks. You can do "mv keystore.jks keystore" as well. Otherwise you could update the config file to look for keystore.jks"

So if you will be asked for

Enter Export Password:
Verifying - Enter Export Password:

and again

Enter Import Password:
Verifying - Enter Import Password:

you need to enter password

Just to keep it simple; you can choose your own password, but keep in mind to change it within the command too ;-)

Greetz

Stefan

On 04.07.2019 21:18, Xavier M wrote:

So...

After having changed the folder names, I entered the first command line to get:

Enter Export Password:
Verifying - Enter Export Password:

I wrote down a password - I guess I defined it at this step?


Then the second command line delivered:

Importing keystore /opt/open500/conf/red5.p12 to /opt/open500/conf/keystore.jks...
keytool error: java.io.IOException: keystore password was incorrect

Any idea what is happening and what I should do? I did not try the third command line.

By the way, can you explain to me in a few words what I'm doing with these command lines?


Have a good evening,

Xavier


On 04/07/2019 at 19:15, Stefan Kühl wrote:

Maybe to make a quick check (every command in one line):

sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/domain.eu/chain.pem

sudo keytool -importkeystore -srcstorepass password -srckeystore /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5

sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem

sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks

sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore (<- only if you have version 5.*)




Please remember: if you leave it like this, you need to repeat these lines after every renewal of your certificate. Be aware of the folders -> domain.eu: your domain and OM_Folder: your OM installation folder.

Greetz

Stefan

On 04.07.2019 18:00, Xavier M wrote:

Then let's go with Proxy through Apache.

I'm not running as root, but my account has the whole rights so that I thought I could do exactly the same things. "sudo" is my friend... even sudo chmod.

The server works with Ubuntu - my account was created at the installation. When I refer to a "LAMP-server", I executed the command

sudo apt install apache2 php libapache2-mod-php mariadb-server php-mysql


... among other prior to install OM.


Xavier

________________________________
From: Aaron Hepp <aa...@gmail.com>
Sent: Thursday 4 July 2019 17:53
To: user@openmeetings.apache.org
Subject: Re: Log-in and security

Proxy through Apache would be the easier solution for upgrading

when you say Admin of the server, do you mean you are running as root, or that you can log into it?  As well, what "type" of server is it (RHEL, CentOS, Ubuntu, etc.)

On 7/4/19 11:48 AM, Xavier M wrote:
Thank you Aaron.

Even if I have admin rights, I can access only /etc/letsencrypt/. The permission is denied when I want to open the subdirectory "live".

How do both solutions work? I know neither how to "Proxy through Apache" nor how to "configure my OM instance to be able to read where the keys are". Sorry for all that...

Xavier

________________________________
From: Aaron Hepp <aa...@gmail.com>
Sent: Thursday 4 July 2019 17:40
To: user@openmeetings.apache.org
Subject: Re: Log-in and security

That is your issue.  Apache has the cert installed via Let's Encrypt.  Tomcat, which is running on 5443, needs to have the configuration set to know where the cert is located, as well as the keystore created.

You can do two things.  Proxy through Apache, or configure your OM instance to be able to read where the keys are.

Let's Encrypt places the cert at:
/etc/letsencrypt/live/<domain>



On 7/4/19 11:34 AM, Xavier M wrote:
Hem... No... Do you mean I have to copy and paste the certificate in each folder? Actually, I don't even know where the certificate is to be found on the server... But I guess I'll find it somewhere if needed.

Xavier

________________________________
From: Stefan Kühl <st...@quatrekuehl.eu>
Sent: Thursday 4 July 2019 17:06
To: user@openmeetings.apache.org
Cc: R. Scholz
Subject: Re: Log-in and security


Hi @all,

port should be irrelevant. I'm using Apache on Ubuntu with port 5443 too. https works as expected.
Did you export the certificate keys (like keystore and trustscore) to your %OM%/conf folder?



Greetz

Stefan

On 04.07.2019 16:57, R. Scholz wrote:

Hello Xavier,

Hm, are you using Tomcat or Apache on port 80?

Best regards,

René


On 04.07.2019 at 16:24, Xavier M wrote:
Thank you for answering... I'm sorry, but I don't know enough about certificates to give you a relevant answer. I think that:
 * The common name is "rusa.fr"
 * There is no subject alternative name (even www.rusa.fr)
 * It is not a wildcard

... But I'm not 100% sure; it is the first time I administer a server, I'm discovering many things at the same time!

Xavier

________________________________
From: Clayton, Robin <Ro...@cumberland.co.uk>
Sent: Thursday 4 July 2019 15:43
To: user@openmeetings.apache.org
Subject: RE: Log-in and security


What is the CN of the certificate, are there any SAN entries on the certificate? Or is it a wildcard?



The TCP port should be irrelevant.



Rob









From: Stefan Kühl [mailto:stefan@quatrekuehl.eu]
Sent: 04 July 2019 14:16
To: user@openmeetings.apache.org
Cc: Xavier M
Subject: Re: Log-in and security



Hi,

Are you sure that you requested your certificate for domain.eu as well, or only for www.domain.eu? You should check this. Sometimes web hosters only use the www addresses for certificates.

Greetz

Stefan





On 04.07.2019 14:18, Xavier M wrote:

Hi everybody,



I'm quite sure that the answer is already somewhere, but I couldn't find it...



After having installed OM on a web server, the "written" way to access the login is the following, according to Alvaro's tutorial:

https://localhost:5443/openmeetings



If OM is installed on a web server, let's say "domain.eu", it works correctly with:

https://domain.eu:5443/openmeetings



But the user will get a warning for security reasons, even if domain.eu works with https, since the common certificates will not work with this port.



I noticed that the following URL worked for the "demo version":

https://om.alteametasoft.com/openmeetings



Does anyone know how this was done? I would like to avoid the use of the port 5443 with the warning.



Have a good day!

Xavier



Disclaimer

This email has been scanned by the Mimecast security service.



Disclaimer



Please, consider your environmental responsibility. Before printing this e-mail ask yourself: Do I need a hard copy?

Cumberland Building Society
Cumberland House
Cooper Way
Parkhouse
CARLISLE CA3 0JF
To help us monitor and improve customer service telephone calls may be recorded.
Cumberland Building Society is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority. We arrange life assurance and critical illness cover only with Legal & General Assurance Society Limited and general insurance only with Aviva Insurance Limited.
To find out more about us, visit www.cumberland.co.uk<http://www.cumberland.co.uk/>

CONFIDENTIALITY: This e-mail and any files transmitted with it are confidential, may be legally privileged and are intended for the addressee(s) only. If you are not the intended recipient you may not disclose, copy, distribute, or retain all or part of this e-mail without our authority. Please notify the sender immediately by replying to this e-mail and then permanently delete it.

Any views or opinions expressed are solely those of the author and do not necessarily represent those of Cumberland Building Society or any of its subsidiaries.

Although we have taken steps to ensure that this e-mail and any attachments are free from virus contamination, please rely on your own virus checking procedures as no guarantee is implied or given. We will not be liable for any loss or damage arising from alteration of the contents of this e-mail by a third party or as a result of any virus.


This email has been scanned by the Mimecast security service.
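
The openssl/keytool lines Stefan posted above, scripted as a certbot deploy hook so the keystore is rebuilt after every renewal (his "repeat these lines after every renewal" caveat). This is an added example for this thread, not OpenMeetings or certbot code. Two things differ from the posted lines: the store password is generated once and kept in a root-owned pass file instead of the literal "password" on the command line, and the resulting stores are made readable only by the account Tomcat runs as. The install folder /opt/open500, the Tomcat user "openmeetings", the pass-file name conf/keystore.pass and the systemd restart command are assumptions, not taken from the thread.

```python
#!/usr/bin/env python3
"""certbot deploy hook: rebuild the OpenMeetings/Tomcat keystore after renewal.

Added example for this thread, not OpenMeetings or certbot code. It scripts
the openssl/keytool lines posted above so they run on every renewal, with two
changes: the store password is generated once and kept in a root-owned pass
file instead of the literal "password" on the command line, and the stores
end up readable only by the account Tomcat runs as.
Assumptions not taken from the thread: OM lives in /opt/open500, Tomcat runs
as user "openmeetings", and the service is restarted via systemd.
"""
import os
import secrets
import shutil
import subprocess
import sys
from pathlib import Path

OM_HOME = Path(os.environ.get("OM_HOME", "/opt/open500"))   # assumption
OM_USER = os.environ.get("OM_USER", "openmeetings")         # assumption
RESTART_CMD = ["systemctl", "restart", "openmeetings"]      # assumption
PASS_FILE = OM_HOME / "conf" / "keystore.pass"
ALIAS = "red5"   # alias used in the thread; any name works


def gen_password(nbytes: int = 24) -> str:
    """Random store password (keytool refuses anything shorter than 6 characters)."""
    return secrets.token_urlsafe(nbytes)


def pkcs12_export_cmd(live_dir, p12, passfile) -> list:
    """openssl argv: bundle privkey + leaf + chain into one PKCS#12 file.
    '-passout file:' reads the password from the pass file, so it never shows
    up in `ps` output or shell history the way an inline password does."""
    live_dir = Path(live_dir)
    return ["openssl", "pkcs12", "-export",
            "-in", str(live_dir / "cert.pem"),
            "-inkey", str(live_dir / "privkey.pem"),
            "-certfile", str(live_dir / "chain.pem"),
            "-name", ALIAS, "-out", str(p12),
            "-passout", f"file:{passfile}"]


def jks_import_cmd(p12, jks, passfile) -> list:
    """keytool argv: convert the PKCS#12 bundle into the JKS the Connector expects.
    The ':file' modifier makes keytool read the passwords from the pass file. The
    key entry keeps the source (= store) password, which Tomcat assumes when
    keyPass is not set on the Connector."""
    return ["keytool", "-importkeystore", "-noprompt",
            "-srckeystore", str(p12), "-srcstoretype", "PKCS12",
            "-srcstorepass:file", str(passfile),
            "-destkeystore", str(jks), "-deststoretype", "JKS",
            "-deststorepass:file", str(passfile),
            "-srcalias", ALIAS, "-destalias", ALIAS]


def ensure_pass_file(path: Path) -> None:
    """Create the pass file once with mode 0600; later renewals reuse the same password."""
    if path.exists():
        return
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(gen_password() + "\n")


def rebuild(live_dir) -> Path:
    conf = OM_HOME / "conf"
    ensure_pass_file(PASS_FILE)
    p12, jks = conf / f"{ALIAS}.p12", conf / "keystore.jks"
    jks.unlink(missing_ok=True)          # importkeystore will not replace an existing alias
    subprocess.run(pkcs12_export_cmd(live_dir, p12, PASS_FILE), check=True)
    subprocess.run(jks_import_cmd(p12, jks, PASS_FILE), check=True)
    p12.unlink()                         # the intermediate bundle also holds the private key
    # OM 5 reads conf/keystore; the thread's procedure also keeps keystore.jks and trustscore.jks.
    for name in ("keystore", "trustscore.jks"):
        shutil.copyfile(jks, conf / name)
    for f in (jks, conf / "keystore", conf / "trustscore.jks", PASS_FILE):
        shutil.chown(f, user=OM_USER)
        os.chmod(f, 0o600)
    # Prove the store opens with the pass file before Tomcat is restarted.
    subprocess.run(["keytool", "-list", "-keystore", str(jks),
                    "-storepass:file", str(PASS_FILE)], check=True, stdout=subprocess.DEVNULL)
    return jks


if __name__ == "__main__":
    # certbot exports RENEWED_LINEAGE (/etc/letsencrypt/live/<domain>) to deploy hooks;
    # a path argument allows a manual first run.
    lineage = os.environ.get("RENEWED_LINEAGE") or (sys.argv[1] if len(sys.argv) > 1 else "")
    if not lineage:
        sys.exit("usage: om-keystore-hook.py /etc/letsencrypt/live/domain.eu")
    rebuild(lineage)
    subprocess.run(RESTART_CMD, check=True)
```

Run it once by hand as root (`sudo ./om-keystore-hook.py /etc/letsencrypt/live/domain.eu`), then drop it into /etc/letsencrypt/renewal-hooks/deploy/ so certbot runs it after each successful renewal. Running as root also settles the "Permission denied" on /etc/letsencrypt/live: that directory is root-only by design, and here only the hook reads it, never Tomcat. The keystorePass in server.xml must be the string stored in conf/keystore.pass; the hook does not edit server.xml. If you would rather skip keytool altogether, Tomcat can load the PKCS#12 file directly with keystoreType="PKCS12" on the Connector.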



Re: Log-in and security

Posted by Stefan Kühl <st...@quatrekuehl.eu>.
you're welcome ;-)


Re: Log-in and security

Posted by Xavier M <xa...@hotmail.com>.
... and restart!

It works, I do not have an error message anymore, even for "lack of security". Exactly what I was looking for!


Thank you all, and especially Stefan and Maxim!

Xavier



Re: Log-in and security

Posted by Stefan Kühl <st...@quatrekuehl.eu>.
So, please change the given password to the password you used in the
command lines and the error should be gone. ;-)


Re: Log-in and security

Posted by Xavier M <xa...@hotmail.com>.
Oops, sorry... No, it is not the password you gave me.

But I notice that my file looks *very much* like https://github.com/apache/openmeetings/blob/master/openmeetings-server/src/main/assembly/conf/server.xml#L75 (at least for this "SSL section").


Xavier


On 07/07/2019 at 15:29, Stefan Kühl wrote:

Hey Xavier,

but you don't mention the very important answer: Is the keystorePass the same as we use in the command lines?

Greetz

Stefan




On 07.07.2019 15:08, Xavier M wrote:

Hi Stefan,


Here is the result for the SSL part... One can find the keystorePass inside; I just replaced the password with "xxx" (bold) since we have a "public" discussion... Even if I'm not sure this is very useful. As you mentioned earlier, the keystoreFile for OM 5.0.0 appears to be "keystore" and not "keystore.jks". Do you conclude anything? If I have to reinstall the old files, I would be glad if you could provide them.

Nota Bene: the second Connector port="5443" lies between <!-- and -->. It is probably normal, I just wonder why.


Thank you!

Xavier


<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
         This connector uses the NIO implementation. The default
         SSLImplementation will depend on the presence of the APR/native
         library and the useOpenSSL attribute of the
         AprLifecycleListener.
         Either JSSE or OpenSSL style configuration may be used regardless of
         the SSLImplementation selected. JSSE style configuration is used below.
    -->
    <Connector port="5443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true"
               keystoreFile="conf/keystore" keystorePass="xxx"
               clientAuth="false" sslProtocol="TLS"/>
    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
         This connector uses the APR/native implementation which always uses
         OpenSSL for TLS.
         Either JSSE or OpenSSL style configuration may be used. OpenSSL style
         configuration is used below.
    -->
    <!--
    <Connector port="5443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                         certificateFile="conf/localhost-rsa-cert.pem"
                         certificateChainFile="conf/localhost-rsa-chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->

On 07/07/2019 at 12:32, Stefan Kühl wrote:
sudo cat OM_Folder/conf/server.xml
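
A small audit of the SSL Connector shown above against the keystore on disk, as an added example for this thread (not OpenMeetings or Tomcat code). It checks the three things the discussion circled around: whether keystoreFile, resolved against the OM install folder the way Tomcat resolves relative paths against catalina.base, exists under that exact name (OM 5 reads conf/keystore while the keytool lines produced keystore.jks); whether keystorePass actually opens that file; and whether the password is a well-known default such as the thread's "password" or Tomcat's implicit "changeit". SAMPLE_SERVER_XML is a constructed fragment modelled on the posted snippet, not a real file, and the WEAK_PASSWORDS list is an assumed local policy.

```python
#!/usr/bin/env python3
"""Audit the SSL Connector in an OpenMeetings server.xml against its keystore.

Added example for this thread, not OpenMeetings or Tomcat code. Findings:
keystoreFile missing under that exact name (with a hint when keystore.jks or
keystore exists instead), keystorePass that does not open the store, and a
keystorePass that is a well-known default. SAMPLE_SERVER_XML is constructed.
"""
import os
import shutil
import subprocess
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

WEAK_PASSWORDS = {"password", "changeit", "openmeetings", "secret"}  # assumption: local policy

# Constructed sample modelled on the snippet posted in this thread (not a real file).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="5080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="5443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true"
               keystoreFile="conf/keystore" keystorePass="password"
               clientAuth="false" sslProtocol="TLS"/>
    <!-- commented out APR connector, as in the posted file; the parser drops it
    <Connector port="5443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true"/>
    -->
    <Engine name="Catalina" defaultHost="localhost"><Host name="localhost"/></Engine>
  </Service>
</Server>
"""


def ssl_connectors(server_xml: str) -> list:
    """One dict per Connector with SSLEnabled="true"; XML comments are ignored."""
    out = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue
        out.append({
            "port": c.get("port"),
            "keystoreFile": c.get("keystoreFile"),
            "keystorePass": c.get("keystorePass", "changeit"),  # Tomcat's default when absent
            "keystoreType": c.get("keystoreType", "JKS"),       # Tomcat's default when absent
        })
    return out


def keystore_opens(ks: Path, password: str, store_type: str) -> bool:
    """True if keytool can list the store; the password is passed via the environment, not argv."""
    env = dict(os.environ, OM_KS_PASS=password)
    r = subprocess.run(["keytool", "-list", "-keystore", str(ks), "-storetype", store_type,
                        "-storepass:env", "OM_KS_PASS"],
                       env=env, capture_output=True, text=True)
    return r.returncode == 0


def audit(server_xml: str, om_home, run_keytool: bool = True) -> list:
    """Return (port, finding) pairs; an empty list means the connector and keystore agree."""
    om_home = Path(om_home)
    findings = []
    for c in ssl_connectors(server_xml):
        port = c["port"]
        if not c["keystoreFile"]:
            findings.append((port, "SSL connector has no keystoreFile"))
            continue
        ks = Path(c["keystoreFile"])
        if not ks.is_absolute():
            ks = om_home / ks            # Tomcat resolves relative paths against catalina.base
        if not ks.is_file():
            msg = f"keystoreFile {ks} does not exist"
            # The mismatch from this thread: file written as keystore.jks, config says keystore.
            for alt in (ks.with_name(ks.name + ".jks"), ks.with_suffix("")):
                if alt != ks and alt.is_file():
                    msg += f"; found {alt.name} instead, rename it or fix keystoreFile"
            findings.append((port, msg))
        if c["keystorePass"].lower() in WEAK_PASSWORDS:
            findings.append((port, "keystorePass is a well-known default; change it in "
                                   "server.xml and in the store (keytool -storepasswd / -keypasswd)"))
        if run_keytool and ks.is_file() and shutil.which("keytool"):
            if not keystore_opens(ks, c["keystorePass"], c["keystoreType"]):
                findings.append((port, f"keystorePass does not open {ks}; the store and "
                                       "server.xml were built with different passwords"))
    return findings


if __name__ == "__main__":
    home = Path(sys.argv[1] if len(sys.argv) > 1 else "/opt/open500")   # assumption
    problems = audit((home / "conf" / "server.xml").read_text(), home)
    for port, msg in problems:
        print(f"port {port}: {msg}")
    sys.exit(1 if problems else 0)
```

Run it as `sudo python3 om-audit-keystore.py /opt/open500` on the box; exit status 1 with the findings printed means server.xml and the keystore disagree, which is exactly the state Xavier was in before the password was aligned. The keytool check is skipped when keytool is not on PATH, so the parsing and file checks still run on a machine without a JDK.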

Re: Log-in and security

Posted by Stefan Kühl <st...@quatrekuehl.eu>.
Hey Xavier, 

but you don't mention the very important answer: Is the keystorePass the
same as we use in the command lines? 

Greetz 

Stefan

Am 07.07.2019 15:08, schrieb Xavier M:

> Hi Stefan, 
> 
> Here the result for the SSL part... One can find the _keystorePass_ inside, I just changed the password by "xxx" (bold) since we have a "public" discussion... Even if I'm not sure this is very useful. As you mentioned earlier, the keystoreFile for OM 5.0.0 appears to be "keystore" and not "keystore.jks". Do you conlude anything? If I have to reinstall the old files, I would be glad if you could provide them. 
> 
> Nota Bene: the second  _Connector port="5443"_ lies between _<!--_ and _-->_. It is probably normal, I just wonder why. 
> 
> Thank you! 
> 
> Xavier 
> 
> <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
>          This connector uses the NIO implementation. The default
>          SSLImplementation will depend on the presence of the APR/native
>          library and the useOpenSSL attribute of the
>          AprLifecycleListener.
>          Either JSSE or OpenSSL style configuration may be used regardless of
>          the SSLImplementation selected. JSSE style configuration is used below.
>     -->
>     <Connector port="5443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>                maxThreads="150" SSLEnabled="true"
>                keystoreFile="conf/keystore" keystorePass="xxx"
>                clientAuth="false" sslProtocol="TLS"/>
>     <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
>          This connector uses the APR/native implementation which always uses
>          OpenSSL for TLS.
>          Either JSSE or OpenSSL style configuration may be used. OpenSSL style
>          configuration is used below.
>     -->
>     <!--
>     <Connector port="5443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>                maxThreads="150" SSLEnabled="true" >
>         <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>         <SSLHostConfig>
>             <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
>                          certificateFile="conf/localhost-rsa-cert.pem"
>                          certificateChainFile="conf/localhost-rsa-chain.pem"
>                          type="RSA" />
>         </SSLHostConfig>
>     </Connector>
>     -->
> On 07/07/2019 at 12:32, Stefan Kühl wrote: 
> 
>> sudo cat OM_Folder/conf/server.xml

Re: Log-in and security

Posted by Xavier M <xa...@hotmail.com>.
Hi Stefan,


Here is the result for the SSL part... One can find the keystorePass inside; I just replaced the password with "xxx" since we are having a "public" discussion... even if I'm not sure this is very useful. As you mentioned earlier, the keystoreFile for OM 5.0.0 appears to be "keystore" and not "keystore.jks". Do you conclude anything? If I have to reinstall the old files, I would be glad if you could provide them.

Nota Bene: the second Connector port="5443" lies between <!-- and -->. It is probably normal, I just wonder why.


Thank you!

Xavier


<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
         This connector uses the NIO implementation. The default
         SSLImplementation will depend on the presence of the APR/native
         library and the useOpenSSL attribute of the
         AprLifecycleListener.
         Either JSSE or OpenSSL style configuration may be used regardless of
         the SSLImplementation selected. JSSE style configuration is used below.
    -->
    <Connector port="5443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true"
               keystoreFile="conf/keystore" keystorePass="xxx"
               clientAuth="false" sslProtocol="TLS"/>
    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
         This connector uses the APR/native implementation which always uses
         OpenSSL for TLS.
         Either JSSE or OpenSSL style configuration may be used. OpenSSL style
         configuration is used below.
    -->
    <!--
    <Connector port="5443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                         certificateFile="conf/localhost-rsa-cert.pem"
                         certificateChainFile="conf/localhost-rsa-chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->


On 07/07/2019 at 12:32, Stefan Kühl wrote:
sudo cat OM_Folder/conf/server.xml
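
A check for the server.xml Xavier posted, added here as an example and not part of the thread or of OpenMeetings: it lists only the SSL connectors that are not commented out (so the second port 5443 block between <!-- and --> is ignored, which answers the Nota Bene), resolves keystoreFile against the installation folder, verifies that the account Tomcat runs as can read the keystore, tries the keystorePass with keytool when that tool is present, and warns when server.xml itself is world-readable, since the password sits in it in clear text. OM_HOME and OM_USER are assumptions and not names from the post.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenMeetings: audit the TLS
# <Connector> entries of a Tomcat server.xml the way the thread does by eye.
# Assumed names (not from the post): OM_HOME is the installation folder
# (e.g. /opt/open500) and OM_USER the account Tomcat runs as (e.g. nobody).

# active_connectors FILE -> every SSLEnabled <Connector ...> that is NOT inside
# an XML comment, one element per line. A well-formed comment body never
# contains "--", so the sed pattern stops at the first "-->"; this is why the
# second 5443 Connector in the post is left out.
active_connectors() {
    tr '\n' ' ' < "$1" \
      | sed -E 's/<!--([^-]|-[^-])*-->//g' \
      | grep -o '<Connector[^>]*SSLEnabled="true"[^>]*>'
}

# attr NAME ELEMENT -> value of attribute NAME in one element line.
attr() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# other_readable FILE -> true when the "other" read bit is set (ls column 8).
other_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = r ]
}

# readable_by FILE USER -> true when USER owns FILE with u+r, or o+r is set.
# Group membership is not checked; a root-owned 0644 keystore read by an
# unprivileged Tomcat, as in the ls -al output in the thread, is the usual case.
readable_by() {
    line=$(ls -ld "$1" 2>/dev/null) || return 1
    if [ "$(printf '%s\n' "$line" | awk '{print $3}')" = "$2" ]; then
        [ "$(printf '%s\n' "$line" | cut -c2)" = r ]
    else
        other_readable "$1"
    fi
}

# audit OM_HOME OM_USER -> report; returns 1 on any finding.
audit() {
    om_home=$1 om_user=$2 xml="$1/conf/server.xml" rc=0
    if other_readable "$xml"; then
        echo "WARN: $xml is world-readable and carries keystorePass in clear text"
        echo "      fix: chmod 640 $xml, owner or group = the Tomcat account"
        rc=1
    fi
    tmp=$(mktemp); active_connectors "$xml" > "$tmp" || true
    while IFS= read -r c; do
        port=$(attr port "$c") ks=$(attr keystoreFile "$c") pass=$(attr keystorePass "$c")
        case "$ks" in /*) ;; *) ks="$om_home/$ks" ;; esac   # relative to CATALINA_BASE
        echo "active TLS connector :$port -> $ks"
        if ! readable_by "$ks" "$om_user"; then
            echo "FAIL: $ks is missing or not readable by $om_user"; rc=1
        elif command -v keytool >/dev/null 2>&1; then
            # Same test Tomcat performs at start-up; a mismatch shows up here
            # rather than as "keystore password was incorrect" in the Catalina log.
            if keytool -list -keystore "$ks" -storepass "$pass" >/dev/null 2>&1; then
                echo "OK:   keystorePass in server.xml opens $ks"
            else
                echo "FAIL: keystorePass in server.xml does not open $ks"; rc=1
            fi
        fi
    done < "$tmp"
    rm -f "$tmp"
    return $rc
}

# Runs only when OM_HOME is set, so the file can also be sourced for its functions.
if [ -n "${OM_HOME:-}" ]; then audit "$OM_HOME" "${OM_USER:-nobody}"; fi
```

Run it as `OM_HOME=/opt/open500 OM_USER=nobody sh om-tls-audit.sh` before restarting Tomcat; a non-zero exit means at least one finding was printed.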

Re: Log-in and security

Posted by Stefan Kühl <st...@quatrekuehl.eu>.
Hey Xavier, 

that's fine. Normally the keystore.jks file should have the same data as
the keystore file, but that is old stuff I think and no longer
necessary.
Now let us go to the server.xml file in the conf directory. Just type
"sudo cat OM_Folder/conf/server.xml" and have a look at the SSL part. It
should start with "<Connector port="5443"...". There you will find the
used keystore password and the path for the keystore file. 

If the configuration is the same as we did it days before with the
commands I suggested, there must be "keystorePass="password"".
Otherwise check for typos etc.
We should check this before reinstalling the old files (I can provide them
if necessary). 

And yes, this is a folder listing with -a (all, even hidden directories
and files) and -l (long). 

Greetz 

Stefan 

On 07.07.2019 10:58, Xavier M wrote:

> Hi Stefan, 
> 
> No matter, we all have another life (or even some other lives?)... That's the advantage of e-mails, that we can come back to them later! 
> 
> First of all: you're right for the usergroup, I didn't take care that I answered to the sender only when I was using Thunderbird (it is not the case when I'm using the webmail). 
> 
> Then, 2 points: 
> 
> 1/ Can you please tell me which is the keystore from the original file from the install source - that is in which folder I should find it? I guess I modified the keystore files with the -import option of the command lines? 
> 
> 1bis/ There is no problem if I have to uninstall / install again OpenMeetings to have it again. Is there any way to uninstall it properly, or do I have to delete /opt/open500/ folder from a shell? 
> 
> 2/ Here the result you asked me (is it a list of files in the folder, with the right for the access, owner and owner-group, and the date of last modification?): 
> 
> xavier@sd-118950:/opt/open500/conf$ ls -al
> total 264
> drwxr-xr-x 3 nobody nogroup   4096 juil.  5 14:45 .
> drwxr-xr-x 9 nobody nogroup   4096 juil.  3 10:27 ..
> drwxr-x--- 3 root   root      4096 juil.  3 10:34 Catalina
> -rw-r--r-- 1 nobody nogroup  12873 mars  13 22:58 catalina.policy
> -rw-r--r-- 1 nobody nogroup   7243 mars  13 22:58 catalina.properties
> -rw-r--r-- 1 nobody nogroup   1400 mars  13 22:58 context.xml
> -rw-r--r-- 1 nobody nogroup   1149 mars  13 22:58 jaspic-providers.xml
> -rw-r--r-- 1 nobody nogroup   2313 mars  13 22:58 jaspic-providers.xsd
> -rw-r--r-- 1 root   root      5651 juil.  5 14:45 keystore
> -rw-r--r-- 1 root   root      5651 juil.  4 21:43 keystore.jks
> -rw-r--r-- 1 nobody nogroup   4144 mars  13 22:58 logging.properties
> -rw------- 1 root   root      4222 juil.  4 21:42 red5.p12
> -rw-r--r-- 1 nobody nogroup   6433 mars  28 21:01 server.xml
> -rw-r--r-- 1 root   root      5651 juil.  5 14:45 trustscore.jks
> -rw-r--r-- 1 nobody nogroup 170202 mars  13 22:58 web.xml
> xavier@sd-118950:/opt/open500/conf$ 
> 
> See you soon, 
> 
> Xavier 
> 
> On 06/07/2019 at 22:36, Stefan Kühl wrote: 
> 
> Hi Xavier, 
> 
> sorry for being late, I'm a bit busy these days  ;-)
> 
> First: we should keep the user group in the loop, that's why I'm putting user@openmeetings.apache.org in. ;-) 
> 
> Second: I totally agree with Maxim. Setting the ports in listening state for the Apache keeps them busy and unusable for OpenMeetings. Of course the address is reachable then, but only via the Apache web server. The error message means that you want to deliver secure content via an insecure Apache port. 
> 
> Can you please post the result from ls -al of the OM-Folder/conf? It's weird that you get a password error message for the keystore, because we set it to password at the import I think. Any typos in the code lines? 
> 
> To cancel these lines, just copy the keystore from the original file from the install source into the OM-Folder/conf. 
> 
> Greetz 
> 
> Stefan 
> 
> On 06.07.2019 21:21, Xavier M wrote: 
> 
> Hi Stefan, 
> 
> I wonder if there is a way to cancel what I did with these command lines? Indeed, I can not connect anymore to OpenMeetings... and I want to check where it comes from. In Catalina log, I can read things like: 
> 
> * Caused by: java.lang.IllegalArgumentException: keystore password was incorrect 
> 
> * Caused by: java.io.IOException: keystore password was incorrect 
> 
> ... so I suppose that something went wrong. 
> 
> Thanks in advance, have a good week-end! 
> 
> Xavier 
> 
> On 04/07/2019 at 22:05, Stefan Kühl wrote: 
> 
> Ok, please restart the server and it should work.
> If you use open500 as folder open500/conf is correct. 
> 
> Just restart it. 
> 
> Greetz 
> 
> Stefan 
> 
> PS: if you want to access "permission denied" folders you need to switch to root; sudo won't work in this case. But be careful, keep in mind that you change the ownership if you change files as root.
> 
> Good evening 
> 
> On 04.07.2019 21:57, Xavier M wrote: 
> 
> Thank you! 
> 
> Each command line worked... But it did not change anything when I want to log in. Maybe shall I restart "a service"? 
> 
> NB : as OM_Folder, I wrote "open500", where I found a "conf" subdirectory with a "keystore" file. But I have an "openmeetings" subdirectory too... to which I can not access (Permission denied). 
> 
> Greetings, 
> 
> Xavier 
> 
> On 04/07/2019 at 21:35, Stefan Kühl wrote: 
> 
> Yes, I'm sorry. Did this so many times and forgot an important point. First: the password is: password  
> 
> ;-)
> 
> Let's go through the lines: 
> 
> "sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/domain.eu/chain.pem" 
> 
> Here you use the openssl library to export the key from the Let's Encrypt certificate into the red5.p12 file and store it in your OM folder (red5 is just a name - you could also use any other name) 
> 
> "sudo keytool -importkeystore -srcstorepass password -srckeystore /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5 
> 
> sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem" 
> 
> by using keytool you import the certificate key by setting the password (-srcstorepass password -> deststorepass password) into the file keystore.jks and confirming the trust by the chain.pem 
> 
> "sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks"
> 
> now creating the trustscore.jks by copying the keystore.jks 
> 
> at last, and only if you have OM 5.* installed: 
> 
> "sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore"
> this is necessary because OM5 looks only for keystore and not for keystore.jks. You can do "mv keystore.jks keystore" as well. Otherwise you could update the config file to look for keystore.jks 
> 
> So if you will be asked for 
> 
> Enter Export Password:
> Verifying - Enter Export Password: 
> 
> and again 
> 
> Enter Import Password:
> Verifying - Enter Import Password: 
> 
> you need to enter password 
> 
> Just to keep it simple, you can choose your own password, but keep in mind to change it within the command too ;-) 
> 
> Greetz 
> 
> Stefan 
> 
> On 04.07.2019 21:18, Xavier M wrote: 
> 
> So... 
> 
> After having changed the folder names, I entered the first command line to get: 
> 
> _Enter Export Password:_
> _Verifying - Enter Export Password:_ 
> 
> I wrote down a password - I guess I defined it at this step? 
> 
> Then the second command line delivered: 
> 
> _Importing keystore /opt/open500/conf/red5.p12 to /opt/open500/conf/keystore.jks..._
> _keytool error: java.io.IOException: keystore password was incorrect_ 
> 
> Any idea of what happens and what I should do? I did not try the third command line. 
> 
> By the way, can you explain me in a few words what I'm doing with these command lines ? 
> 
> Have a good evening, 
> 
> Xavier 
> 
> On 04/07/2019 at 19:15, Stefan Kühl wrote: 
> 
> Maybe to make a quick check (every command in one line): 
> 
> sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/domain.eu/chain.pem 
> 
> sudo keytool -importkeystore -srcstorepass password -srckeystore /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5 
> 
> sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem 
> 
> sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks 
> 
> sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore (<- only if you have version 5.*)
> 
> Please remember: if you leave it like this, you need to repeat these lines after every renewal of your certificate. Be aware of the folders -> domain.eu: your domain and OM_Folder: your OM installation folder. 
> 
> Greetz 
> 
> Stefan 
> 
> On 04.07.2019 18:00, Xavier M wrote: 
> Then let's go with Proxy through Apache. 
> 
> I'm not running as root, but my account has the whole rights so that I thought I could do exactly the same things. "sudo" is my friend... even sudo chmod. 
> 
> The server works with Ubuntu - my account was created at the installation. When I refer to a "LAMP-server", I executed the command 
> 
> sudo apt install apache2 php libapache2-mod-php mariadb-server php-mysql
> 
> ... among other prior to install OM. 
> 
> Xavier 
> 
> -------------------------
> 
> From: Aaron Hepp <aa...@gmail.com>
> Sent: Thursday, 4 July 2019 17:53
> To: user@openmeetings.apache.org
> Subject: Re: Log-in and security 
> 
> Proxy through Apache would be the easier solution for upgrading
> 
> when you say admin of the server, do you mean you are running as root or just that you can log into it?  As well, what "type" of server is it (RHEL, CentOS, Ubuntu, etc.)
> 
> On 7/4/19 11:48 AM, Xavier M wrote: 
> Thank you Aaron. 
> 
> Even if I have admin rights, I can access only to /etc/letsencrypt/. The permission is denied when I want to open the subdirectory "live". 
> 
> How do both solution work? I know neither how to "Proxy through Apache", nor how to "configure my OM instance to be able to read where the keys are". Sorry for all that... 
> 
> Xavier 
> 
> -------------------------
> 
> From: Aaron Hepp <aa...@gmail.com>
> Sent: Thursday, 4 July 2019 17:40
> To: user@openmeetings.apache.org
> Subject: Re: Log-in and security 
> 
> That is your issue.  Apache has the cert installed via Let's Encrypt.  Tomcat, which is running on 5443, needs to have the configuration set to know where the cert is located as well as the keystore created.
> 
> You can do two things.  Proxy through Apache, or configure your OM instance to be able to read where the keys are.
> 
> Let's Encrypt places the cert at:
> /etc/letsencrypt/live/<domain>
> 
> On 7/4/19 11:34 AM, Xavier M wrote: 
> Hem... No... Do you mean I have to copy and paste the certificate in each folder? Actually, I even don't know where the certificate is to be found on the server... But I guess I find it somewhere if needed. 
> 
> Xavier 
> 
> -------------------------
> 
> From: Stefan Kühl <st...@quatrekuehl.eu>
> Sent: Thursday, 4 July 2019 17:06
> To: user@openmeetings.apache.org
> Cc: R. Scholz
> Subject: Re: Log-in and security 
> 
> Hi @all, 
> 
> port should be irrelevant. I'm using Apache on Ubuntu with port 5443 too. https works as expected.
> Did you export the certificate keys (like keystore and trustscore) to your %OM%/conf folder?
> 
> Greetz 
> 
> Stefan 
> 
> On 04.07.2019 16:57, R. Scholz wrote: Hello Xavier,
> 
> Hm, are you using Tomcat or Apache on port 80? 
> 
> Best regards,
> 
> René
> 
> On 04.07.2019 at 16:24, Xavier M wrote: 
> Thank you for answering... I'm sorry, but I don't know enough about certificates to give you a relevant answer. I think that : 
> * The common name is "rusa.fr" 
> * There is no subject alternative name (even www.rusa.fr [1]) 
> * It is not a wildcard 
> 
> ... But I'm not 100% sure, it is the first time I administrate a server, I'm discovering many things at the same time! 
> 
> Xavier 
> 
> -------------------------
> 
> From: Clayton, Robin <Ro...@cumberland.co.uk>
> Sent: Thursday, 4 July 2019 15:43
> To: user@openmeetings.apache.org
> Subject: RE: Log-in and security 
> 
> What is the CN of the certificate, is there any SAN entries on the certificate? Or is it a wildcard? 
> 
> The TCP port should be irrelevant. 
> 
> Rob 
> 
> FROM: Stefan Kühl [mailto:stefan@quatrekuehl.eu] 
> SENT: 04 July 2019 14:16
> TO: user@openmeetings.apache.org
> CC: Xavier M
> SUBJECT: Re: Log-in and security 
> 
> Hi, 
> 
> are you sure that you requested your certificate also for domain.eu [2] and not only for www.domain.eu [3]? You should check this. Sometimes web hosters only use the www addresses for certificates. 
> 
> Greetz 
> 
> Stefan
> 
> On 04.07.2019 14:18, Xavier M wrote: 
> 
> Hi everybody, 
> 
> I'm quite sure that the answer is already somewhere, but I couldn't find it... 
> 
> After having installed OM on a web-server, the "written" way to access to the log-in is following, according to Alvaro's tuto: 
> 
> https://localhost:5443/openmeetings 
> 
> If OM is installed on a web server, let's say "domain.eu [2]", it works correctly with: 
> 
> https://domain.eu:5443/openmeetings 
> 
> But the user will get a warning for security reason, even if domain.eu [2] works with https, since the common certificates will not work with this port. 
> 
> I stated that following URL worked for the "demo version": 
> 
> https://om.alteametasoft.com/openmeetings 
> 
> Does anyone know how this was done? I would like to avoid the use of the port 5443 with the warning. 
> 
> Have a good day! 
> 
> Xavier 
> 
> DISCLAIMER 
> 
> This email has been scanned by the Mimecast security service. 
> 
> DISCLAIMER 
> 
> Please, consider your environmental responsibility. Before printing this e-mail ask yourself: Do I need a hard copy?
> 
> Cumberland Building Society 
> Cumberland House
> Cooper Way
> Parkhouse
> CARLISLE CA3 0JF
> To help us monitor and improve customer service telephone calls may be recorded.
> Cumberland Building Society is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority. We arrange life assurance and critical illness cover only with Legal & General Assurance Society Limited and general insurance only with Aviva Insurance Limited.
> To find out more about us, visit www.cumberland.co.uk [4] 
> 
> CONFIDENTIALITY: This e-mail and any files transmitted with it are confidential, may be legally privileged and are intended for the addressee(s) only. If you are not the intended recipient you may not disclose, copy, distribute, or retain all or part of this e-mail without our authority. Please notify the sender immediately by replying to this e-mail and then permanently delete it. 
> 
> Any views or opinions expressed are solely those of the author and do not necessarily represent those of Cumberland Building Society or any of its subsidiaries. 
> 
> Although we have taken steps to ensure that this e-mail and any attachments are free from virus contamination, please rely on your own virus checking procedures as no guarantee is implied or given. We will not be liable for any loss or damage arising from alteration of the contents of this e-mail by a third party or as a result of any virus.
> 
> This email has been scanned by the Mimecast security service.
 

Links:
------
[1] http://www.rusa.fr
[2] http://domain.eu
[3] http://www.domain.eu
[4] http://www.cumberland.co.uk/
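
Stefan's procedure above (openssl pkcs12 export, keytool import, copies to keystore, keystore.jks and trustscore.jks) together with his reminder that it has to be repeated after every renewal, as an added example that is not part of the thread and not OpenMeetings' or certbot's own code: a certbot deploy hook in POSIX sh. It uses one variable for both the PKCS12 export password and keytool's -srcstorepass, which is the mismatch behind the "keystore password was incorrect" error in the thread, checks that the new store opens before installing it, and installs the files with a mode the Tomcat account can read without them being world-readable. The chain goes into the PKCS12 via -certfile, so the separate "keytool -import ... chain.pem" from the post is not needed for a server keystore. /etc/openmeetings/keystore.pass, OM_HOME, nobody:nogroup and RESTART_CMD are assumptions, not names from the post; RENEWED_LINEAGE is the variable certbot exports to deploy hooks.

```shell
#!/bin/sh
# Added example; not code from the thread, from OpenMeetings or from certbot.
# Packages the conversion from the post as a certbot --deploy-hook so it
# re-runs on every renewal. Assumed names (not from the post): OM_HOME=/opt/open500,
# service account nobody:nogroup (as in the ls -al output), store password kept
# in /etc/openmeetings/keystore.pass (root, mode 600) and written once into the
# keystorePass attribute of the 5443 Connector in server.xml.
set -eu

OM_HOME=${OM_HOME:-/opt/open500}
OM_GROUP=${OM_GROUP:-nogroup}
PASS_FILE=${PASS_FILE:-/etc/openmeetings/keystore.pass}
LINEAGE=${RENEWED_LINEAGE:-/etc/letsencrypt/live/domain.eu}
ALIAS=red5   # any name works; the post used red5

# pem_to_pkcs12 CERT KEY CHAIN OUT PASSWORD
# -certfile puts the intermediate(s) into the bundle, so the key entry keeps
# its chain after import and Tomcat sends the full chain from that one entry.
pem_to_pkcs12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
        -name "$ALIAS" -out "$4" -passout "pass:$5"
}

# pkcs12_to_jks P12 OUT PASSWORD
# -srcstorepass must equal the export password above. In the thread the
# interactively typed export password differed from the "password" given to
# keytool, hence "keytool error: java.io.IOException: keystore password was incorrect".
# JDK 9+ writes PKCS12 even for a .jks file name; Tomcat reads both formats.
pkcs12_to_jks() {
    rm -f "$2"
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$3" \
        -destkeystore "$2" -deststorepass "$3" -alias "$ALIAS"
}

# keystore_opens STORE PASSWORD -> true iff PASSWORD unlocks STORE; the same
# check Tomcat performs at start-up, done here before anything is restarted.
keystore_opens() {
    keytool -list -keystore "$1" -storepass "$2" >/dev/null 2>&1
}

# install_keystore SRC
# OM 5 reads conf/keystore (not keystore.jks); the post kept keystore,
# keystore.jks and trustscore.jks as copies of one file, so install all three,
# owned by root and readable by the Tomcat group only (0640, not 0644).
install_keystore() {
    for f in keystore keystore.jks trustscore.jks; do
        install -o root -g "$OM_GROUP" -m 0640 "$1" "$OM_HOME/conf/$f"
    done
}

main() {
    pass=$(cat "$PASS_FILE")
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    pem_to_pkcs12 "$LINEAGE/cert.pem" "$LINEAGE/privkey.pem" \
                  "$LINEAGE/chain.pem" "$tmp/om.p12" "$pass"
    pkcs12_to_jks "$tmp/om.p12" "$tmp/keystore.jks" "$pass"
    keystore_opens "$tmp/keystore.jks" "$pass" || {
        echo "new keystore does not open with the password in $PASS_FILE; not installing" >&2
        exit 1
    }
    install_keystore "$tmp/keystore.jks"
    # Tomcat only reloads the keystore on restart; the command is an assumption,
    # e.g. RESTART_CMD="systemctl restart openmeetings".
    if [ -n "${RESTART_CMD:-}" ]; then $RESTART_CMD; fi
}

# certbot sets RENEWED_LINEAGE for deploy hooks; "run" lets you invoke it by hand.
if [ -n "${RENEWED_LINEAGE:-}" ] || [ "${1:-}" = run ]; then
    main
fi
```

Register it once with `certbot renew --deploy-hook /usr/local/sbin/om-keystore-hook.sh` (or drop it into /etc/letsencrypt/renewal-hooks/deploy/), and run `sudo ./om-keystore-hook.sh run` by hand the first time. The server.xml Xavier posted carries Tomcat's own comment that JSSE accepts the OpenSSL-style configuration too; pointing a `<Certificate certificateKeyFile=... certificateFile=... certificateChainFile=.../>` element at readable copies of privkey.pem, cert.pem and chain.pem removes the keystore conversion altogether, and the hook then only has to copy three files with restricted permissions and restart.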

Re: Log-in and security

Posted by Xavier M <xa...@hotmail.com>.
Hi Stefan,


No matter, we all have another life (or even some other lives?)... That's the advantage of e-mails, that we can come back to them later!

First of all: you're right for the usergroup, I didn't take care that I answered to the sender only when I was using Thunderbird (it is not the case when I'm using the webmail).


Then, 2 points:

 1/ Can you please tell me which is the keystore from the original file from the install source - that is in which folder I should find it? I guess I modified the keystore files with the -import option of the command lines?

 1bis/ There is no problem if I have to uninstall / install again OpenMeetings to have it again. Is there any way to uninstall it properly, or do I have to delete /opt/open500/ folder from a shell?

 2/ Here the result you asked me (is it a list of files in the folder, with the right for the access, owner and owner-group, and the date of last modification?):

xavier@sd-118950:/opt/open500/conf$ ls -al
total 264
drwxr-xr-x 3 nobody nogroup   4096 juil.  5 14:45 .
drwxr-xr-x 9 nobody nogroup   4096 juil.  3 10:27 ..
drwxr-x--- 3 root   root      4096 juil.  3 10:34 Catalina
-rw-r--r-- 1 nobody nogroup  12873 mars  13 22:58 catalina.policy
-rw-r--r-- 1 nobody nogroup   7243 mars  13 22:58 catalina.properties
-rw-r--r-- 1 nobody nogroup   1400 mars  13 22:58 context.xml
-rw-r--r-- 1 nobody nogroup   1149 mars  13 22:58 jaspic-providers.xml
-rw-r--r-- 1 nobody nogroup   2313 mars  13 22:58 jaspic-providers.xsd
-rw-r--r-- 1 root   root      5651 juil.  5 14:45 keystore
-rw-r--r-- 1 root   root      5651 juil.  4 21:43 keystore.jks
-rw-r--r-- 1 nobody nogroup   4144 mars  13 22:58 logging.properties
-rw------- 1 root   root      4222 juil.  4 21:42 red5.p12
-rw-r--r-- 1 nobody nogroup   6433 mars  28 21:01 server.xml
-rw-r--r-- 1 root   root      5651 juil.  5 14:45 trustscore.jks
-rw-r--r-- 1 nobody nogroup 170202 mars  13 22:58 web.xml
xavier@sd-118950:/opt/open500/conf$


Bis bald,

Xavier


On 06/07/2019 at 22:36, Stefan Kühl wrote:

Hi Xavier,

sorry for being late, I'm a bit busy these days  ;-)



First: we should keep the user group in the loop, that's why I'm putting user@openmeetings.apache.org in. ;-)

Second: I totally agree with Maxim. Setting the ports in listening state for the Apache keeps them busy and unusable for OpenMeetings. Of course the address is reachable then, but only via the Apache web server. The error message means that you want to deliver secure content via an insecure Apache port.

Can you please post the result from ls -al of the OM-Folder/conf? It's weird that you get a password error message for the keystore, because we set it to password at the import I think. Any typos in the code lines?

To cancel these lines, just copy the keystore from the original file from the install source into the OM-Folder/conf.

Greetz

Stefan

On 06.07.2019 21:21, Xavier M wrote:

Hi Stefan,


I wonder if there is a way to cancel what I did with these command lines? Indeed, I can not connect anymore to OpenMeetings... and I want to check where it comes from. In Catalina log, I can read things like:

 * Caused by: java.lang.IllegalArgumentException: keystore password was incorrect

 * Caused by: java.io.IOException: keystore password was incorrect

... so I suppose that something went wrong.


Thanks in advance, have a good week-end!

Xavier


On 04/07/2019 at 22:05, Stefan Kühl wrote:

Ok, please restart the server and it should work.
If you use open500 as folder open500/conf is correct.

Just restart it.

Greetz

Stefan

PS: if you want to access "permission denied" folders you need to switch to root; sudo won't work in this case. But be careful, keep in mind that you change the ownership if you change files as root.



Good evening

On 04.07.2019 21:57, Xavier M wrote:

Thank you!


Each command line worked... But it did not change anything when I want to log in. Maybe shall I restart "a service"?

NB : as OM_Folder, I wrote "open500", where I found a "conf" subdirectory with a "keystore" file. But I have an "openmeetings" subdirectory too... to which I can not access (Permission denied).


Greetings,

Xavier


On 04/07/2019 at 21:35, Stefan Kühl wrote:

Yes, I'm sorry. Did this so many times and forgot an important point. First: the password is: password

;-)



Let's go through the lines:

"sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/domain.eu/chain.pem"

Here you use the openssl library to export the key from the Let's Encrypt certificate into the red5.p12 file and store it in your OM folder (red5 is just a name - you could also use any other name)

"sudo keytool -importkeystore -srcstorepass password -srckeystore /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5

sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem"

by using keytool you import the certificate key by setting the password (-srcstorepass password -> deststorepass password) into the file keystore.jks and confirming the trust by the chain.pem

"sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks"

now creating the trustscore.jks by copying the keystore.jks

at last, and only if you have OM 5.* installed:

"sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore"
this is necessary because OM5 looks only for keystore and not for keystore.jks. You can do "mv keystore.jks keystore" as well. Otherwise you could update the config file to look for keystore.jks

So if you will be asked for

Enter Export Password:
Verifying - Enter Export Password:

and again

Enter Import Password:
Verifying - Enter Import Password:

you need to enter password

Just to keep it simple, you can choose your own password, but keep in mind to change it within the command too ;-)

Greetz

Stefan

On 04.07.2019 21:18, Xavier M wrote:

So...

After having changed the folder names, I entered the first command line to get:

Enter Export Password:
Verifying - Enter Export Password:

I wrote down a password - I guess I defined it at this step?


Then the second command line delivered:

Importing keystore /opt/open500/conf/red5.p12 to /opt/open500/conf/keystore.jks...
keytool error: java.io.IOException: keystore password was incorrect

Any idea of what happens and what I should do? I did not try the third command line.

By the way, can you explain me in a few words what I'm doing with these command lines ?


Have a good evening,

Xavier


On 04/07/2019 at 19:15, Stefan Kühl wrote:

Maybe to make a quick check (every command in one line):

sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/domain.eu/chain.pem

sudo keytool -importkeystore -srcstorepass password -srckeystore /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5

sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem

sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks

sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore (<- only if you have version 5.*)




Please remember: if you leave it like this, you need to repeat these lines after every renewal of your certificate. Be aware of the folders -> domain.eu: your domain and OM_Folder: your OM installation folder.

Greetz

Stefan

On 04.07.2019 18:00, Xavier M wrote:

Then let's go with Proxy through Apache.

I'm not running as root, but my account has the whole rights so that I thought I could do exactly the same things. "sudo" is my friend... even sudo chmod.

The server works with Ubuntu - my account was created at the installation. When I refer to a "LAMP-server", I executed the command

sudo apt install apache2 php libapache2-mod-php mariadb-server php-mysql


... among other prior to install OM.


Xavier

________________________________
From: Aaron Hepp <aa...@gmail.com>
Sent: Thursday, 4 July 2019 17:53
To: user@openmeetings.apache.org
Subject: Re: Log-in and security

Proxy through Apache would be the easier solution for upgrading

when you say admin of the server, do you mean you are running as root or just that you can log into it?  As well, what "type" of server is it (RHEL, CentOS, Ubuntu, etc.)

On 7/4/19 11:48 AM, Xavier M wrote:
Thank you Aaron.

Even if I have admin rights, I can access only to /etc/letsencrypt/. The permission is denied when I want to open the subdirectory "live".

How do both solution work? I know neither how to "Proxy through Apache", nor how to "configure my OM instance to be able to read where the keys are". Sorry for all that...

Xavier

________________________________
From: Aaron Hepp <aa...@gmail.com>
Sent: Thursday, 4 July 2019 17:40
To: user@openmeetings.apache.org
Subject: Re: Log-in and security

That is your issue.  Apache has the cert installed via Let's Encrypt.  Tomcat, which is running on 5443, needs to have the configuration set to know where the cert is located as well as the keystore created.

You can do two things.  Proxy through Apache, or configure your OM instance to be able to read where the keys are.

Let's Encrypt places the cert at:
/etc/letsencrypt/live/<domain>



On 7/4/19 11:34 AM, Xavier M wrote:
Hem... No... Do you mean I have to copy and paste the certificate in each folder? Actually, I even don't know where the certificate is to be found on the server... But I guess I find it somewhere if needed.

Xavier

________________________________
From: Stefan Kühl <st...@quatrekuehl.eu>
Sent: Thursday, 4 July 2019 17:06
To: user@openmeetings.apache.org
Cc: R. Scholz
Subject: Re: Log-in and security


Hi @all,

port should be irrelevant. I'm using Apache on Ubuntu with port 5443 too. https works as expected.
Did you export the certificate keys (like keystore and trustscore) to your %OM%/conf folder?



Greetz

Stefan

On 04.07.2019 16:57, R. Scholz wrote:

Hello Xavier,

Hm, are you using Tomcat or Apache on port 80?

Best regards,

René


On 04.07.2019 at 16:24, Xavier M wrote:
Thank you for answering... I'm sorry, but I don't know enough about certificates to give you a relevant answer. I think that :
 * The common name is "rusa.fr"
 * There is no subject alternative name (even www.rusa.fr)
 * It is not a wildcard

... But I'm not 100% sure, it is the first time I administrate a server, I'm discovering many things at the same time!

Xavier

________________________________
From: Clayton, Robin <Ro...@cumberland.co.uk>
Sent: Thursday, 4 July 2019 15:43
To: user@openmeetings.apache.org
Subject: RE: Log-in and security


What is the CN of the certificate, is there any SAN entries on the certificate? Or is it a wildcard?



The TCP port should be irrelevant.



Rob









From: Stefan Kühl [mailto:stefan@quatrekuehl.eu]
Sent: 04 July 2019 14:16
To: user@openmeetings.apache.org
Cc: Xavier M
Subject: Re: Log-in and security



Hi,

are you sure that you requested your certificate also for domain.eu and not only for www.domain.eu? You should check this. Sometimes web hosters only use the www addresses for certificates.

Greetz

Stefan





On 04.07.2019 14:18, Xavier M wrote:

Hi everybody,



I'm quite sure that the answer is already somewhere, but I couldn't find it...



After having installed OM on a web-server, the "written" way to access to the log-in is following, according to Alvaro's tuto:

https://localhost:5443/openmeetings



If OM is installed on a web server, let's say "domain.eu", it works correctly with:

https://domain.eu:5443/openmeetings



But the user will get a warning for security reasons, even if domain.eu works with https, since the common certificates will not work with this port.



I stated that following URL worked for the "demo version":

https://om.alteametasoft.com/openmeetings



Does anyone know how this was done? I would like to avoid the use of the port 5443 with the warning.



Have a good day!

Xavier






Re: Log-in and security

Posted by Stefan Kühl <st...@quatrekuehl.eu>.
Hi Xavier, 

sorry for being late, I'm a bit busy these days ;-)

First: we should keep the user group in the loop, that's why I'm putting
user@openmeetings.apache.org back in place. ;-) 

Second: I totally agree with Maxim. Setting the ports in listening state
for the Apache keeps them busy and unusable for OpenMeetings. Of course
the address is reachable then, but only via the Apache web server. The
error message means that you want to deliver secure content via an
insecure Apache port. 

Can you please post the result of ls -al of the OM-Folder/conf? It's
weird that you get a password error message for the keystore, because we
set it to "password" at the import, I think. Any typos in the code lines? 

To undo these lines, just copy the keystore from the original file
from the install source into the OM-Folder/conf. 

Greetz 

Stefan 

On 06.07.2019 21:21, Xavier M wrote:

> Hi Stefan, 
> 
> I wonder if there is a way to cancel what I did with these command lines? Indeed, I cannot connect to OpenMeetings anymore... and I want to check where it comes from. In the Catalina log, I can read things like: 
> 
> * Caused by: java.lang.IllegalArgumentException: keystore password was incorrect 
> 
> * Caused by: java.io.IOException: keystore password was incorrect 
> 
> ... so I suppose that something went wrong. 
> 
> Thanks in advance, have a good week-end! 
> 
> Xavier 
> 
> On 04/07/2019 at 22:05, Stefan Kühl wrote: 
> 
> Ok, please restart the server and it should work.
> If you use open500 as folder open500/conf is correct. 
> 
> Just restart it. 
> 
> Greetz 
> 
> Stefan 
> 
> PS: if you want to access "permission denied" folders you need to switch to root, sudo won't work in this case. But be careful, keep in mind that you change the ownership if you change files as root.
> 
> Good evening 
> 
> On 04.07.2019 21:57, Xavier M wrote: 
> 
> Thank you! 
> 
> Each command line worked... But it did not change anything when I want to log in. Maybe shall I restart "a service"? 
> 
> NB : as OM_Folder, I wrote "open500", where I found a "conf" subdirectory with a "keystore" file. But I have an "openmeetings" subdirectory too... to which I can not access (Permission denied). 
> 
> Greetings, 
> 
> Xavier 
> 
> On 04/07/2019 at 21:35, Stefan Kühl wrote: 
> 
> Yes, I'm sorry. Did this so many times and forgot an important point. First: the password is: password  
> 
> ;-)
> 
> Let's go through the lines: 
> 
> "sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/domain.eu/chain.pem" 
> 
> Here you use the openssl library to export the key from the Let's Encrypt certificate into the red5.p12 file and store it in your OM folder (red5 is just a name - you could also use any other name) 
> 
> "sudo keytool -importkeystore -srcstorepass password -srckeystore /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5 
> 
> sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem" 
> 
> by using keytool you import the certificate key by setting the password (-srcstorepass password -> deststorepass password) into the file keystore.jks and confirming the trust by the chain.pem 
> 
> "sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks"
> 
> now creating the trustscore.jks by copying the keystore.jks 
> 
> Lastly, and only if you have OM 5.* installed: 
> 
> "sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore"
> This is necessary because OM 5 looks only for "keystore" and not for "keystore.jks". You can do "mv keystore.jks keystore" as well. Otherwise you could update the config file to look for keystore.jks. 
> 
> So if you will be asked for 
> 
> Enter Export Password:
> Verifying - Enter Export Password: 
> 
> and again 
> 
> Enter Import Password:
> Verifying - Enter Import Password: 
> 
> you need to enter "password" 
> 
> Just to keep it simple, you can choose your own password, but keep in mind to change it within the command too ;-) 
> 
> Greetz 
> 
> Stefan 
> 
> On 04.07.2019 21:18, Xavier M wrote: 
> 
> So... 
> 
> After having changed the folder names, I entered the first command line to get: 
> 
> Enter Export Password:
> Verifying - Enter Export Password: 
> 
> I wrote down a password - I guess I defined it at this step? 
> 
> Then the second command line delivered: 
> 
> Importing keystore /opt/open500/conf/red5.p12 to /opt/open500/conf/keystore.jks...
> keytool error: java.io.IOException: keystore password was incorrect 
> 
> Any idea of what happens and what I should do? I did not try the third command line. 
> 
> By the way, can you explain to me in a few words what I'm doing with these command lines? 
> 
> Have a good evening, 
> 
> Xavier 
> 
> On 04/07/2019 at 19:15, Stefan Kühl wrote: 
> 
> Maybe to make a quick check (every command in one line): 
> 
> sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/domain.eu/chain.pem 
> 
> sudo keytool -importkeystore -srcstorepass password -srckeystore /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5 
> 
> sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem 
> 
> sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks 
> 
> sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore (<- only if you have version 5.*)
> 
> Please remember: if you leave it like this, you need to repeat these lines after every renewal of your certificate. Be aware of the folders -> domain.eu: your domain, and OM_Folder: your OM installation folder. 
> 
> Greetz 
> 
> Stefan 
> 
> On 04.07.2019 18:00, Xavier M wrote: 
> Then let's go with Proxy through Apache. 
> 
> I'm not running as root, but my account has the whole rights so that I thought I could do exactly the same things. "sudo" is my friend... even sudo chmod. 
> 
> The server works with Ubuntu - my account was created at the installation. When I refer to a "LAMP-server", I executed the command 
> 
> sudo apt install apache2 php libapache2-mod-php mariadb-server php-mysql
> 
> ... among other prior to install OM. 
> 
> Xavier 
> 
> -------------------------
> 
> From: Aaron Hepp <aa...@gmail.com>
> Sent: Thursday, 4 July 2019 17:53
> To: user@openmeetings.apache.org
> Subject: Re: Log-in and security 
> 
> Proxy through Apache would be the easier solution for upgrading
> 
> when you say admin of the server, are you running as root, or is it that you can log into it?  As well, what "type" of server is it (RHEL, CentOS, Ubuntu, etc.)
> 
> On 7/4/19 11:48 AM, Xavier M wrote: 
> Thank you Aaron. 
> 
> Even if I have admin rights, I can access only to /etc/letsencrypt/. The permission is denied when I want to open the subdirectory "live". 
> 
> How do both solutions work? I know neither how to "Proxy through Apache", nor how to "configure my OM instance to be able to read where the keys are". Sorry for all that... 
> 
> Xavier 
> 
> -------------------------
> 
> From: Aaron Hepp <aa...@gmail.com>
> Sent: Thursday, 4 July 2019 17:40
> To: user@openmeetings.apache.org
> Subject: Re: Log-in and security 
> 
> That is your issue.  Apache has the cert installed via Let's Encrypt.  Tomcat, which is running on 5443, needs to have the configuration set to know where the cert is located, as well as the keystore created.
> 
> You can do two things.  Proxy through Apache, or configure your OM instance to be able to read where the keys are.
> 
> Let's Encrypt places the cert at:
> /etc/letsencrypt/live/<domain>
> 
> On 7/4/19 11:34 AM, Xavier M wrote: 
> Hem... No... Do you mean I have to copy and paste the certificate in each folder? Actually, I even don't know where the certificate is to be found on the server... But I guess I find it somewhere if needed. 
> 
> Xavier 
> 
> -------------------------
> 
> From: Stefan Kühl <st...@quatrekuehl.eu>
> Sent: Thursday, 4 July 2019 17:06
> To: user@openmeetings.apache.org
> Cc: R. Scholz
> Subject: Re: Log-in and security 
> 
> Hi @all, 
> 
> port should be irrelevant. I'm using Apache on Ubuntu with port 5443 too. https works as expected.
> Did you export the certificate keys (like keystore and trustscore) to your %OM%/conf folder?
> 
> Greetz 
> 
> Stefan 
> 
> On 04.07.2019 16:57, R. Scholz wrote:
> 
> Hello Xavier,
> 
> Hm, are you using Tomcat or Apache on port 80? 
> 
> Best regards,
> 
> René
> 
> On 04.07.2019 at 16:24, Xavier M wrote: 
> Thank you for answering... I'm sorry, but I don't know enough about certificates to give you a relevant answer. I think that : 
> * The common name is "rusa.fr" 
> * There is no subject alternative name (even www.rusa.fr [1]) 
> * It is not a wildcard 
> 
> ... But I'm not 100% sure, it is the first time I administer a server, I'm discovering many things at the same time! 
> 
> Xavier 
> 
> -------------------------
> 
> From: Clayton, Robin <Ro...@cumberland.co.uk>
> Sent: Thursday, 4 July 2019 15:43
> To: user@openmeetings.apache.org
> Subject: RE: Log-in and security 
> 
> What is the CN of the certificate, is there any SAN entries on the certificate? Or is it a wildcard? 
> 
> The TCP port should be irrelevant. 
> 
> Rob 
> 
> From: Stefan Kühl [mailto:stefan@quatrekuehl.eu] 
> Sent: 04 July 2019 14:16
> To: user@openmeetings.apache.org
> Cc: Xavier M
> Subject: Re: Log-in and security 
> 
> Hi, 
> 
> are you sure that you requested your certificate also for domain.eu [2] or only for www.domain.eu [3]? You should check this. Sometimes web hosters only use the www addresses for certificates. 
> 
> Greetz 
> 
> Stefan
> 
> On 04.07.2019 14:18, Xavier M wrote: 
> 
> Hi everybody, 
> 
> I'm quite sure that the answer is already somewhere, but I couldn't find it... 
> 
> After having installed OM on a web-server, the "written" way to access the log-in is the following, according to Alvaro's tuto: 
> 
> https://localhost:5443/openmeetings 
> 
> If OM is installed on a web server, let's say "domain.eu [2]", it works correctly with: 
> 
> https://domain.eu:5443/openmeetings 
> 
> But the user will get a warning for security reason, even if domain.eu [2] works with https, since the common certificates will not work with this port. 
> 
> I stated that the following URL worked for the "demo version": 
> 
> https://om.alteametasoft.com/openmeetings 
> 
> Does anyone know how this was done? I would like to avoid the use of the port 5443 with the warning. 
> 
> Have a good day! 
> 
> Xavier 
> 
 

Links:
------
[1] http://www.rusa.fr
[2] http://domain.eu
[3] http://www.domain.eu
[4] http://www.cumberland.co.uk/
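
The openssl/keytool sequence Stefan posts in the thread above, reworked as one script. This is an added example, not code from the thread or from the OpenMeetings project. It assumes things the thread does not confirm: that Tomcat reads conf/keystore (OM 5), conf/keystore.jks and conf/trustscore.jks as the posted commands imply, that the OM install directory is passed as the second argument (or as OM_HOME), and that the keystore password Tomcat is configured with is supplied in the environment variable OM_STOREPASS rather than being the literal "password". The alias "openmeetings", the variable names and the deploy-hook branch are this example's own choices. It addresses the two things the thread ran into: the export password typed at the openssl prompt has to equal keytool's -srcstorepass (Xavier's "keystore password was incorrect"), so here the password is passed once from the environment and never prompted for; and the whole procedure has to be repeated after every renewal, so the script also runs as a certbot deploy hook, which certbot invokes with RENEWED_LINEAGE set to the renewed live directory. Before building anything it checks that the certificate's CN or SAN actually names the host, the www-only question raised earlier in the thread.

```shell
#!/bin/sh
# Added example (not code from the thread or from the OpenMeetings project):
# rebuild the JKS keystore OpenMeetings' bundled Tomcat reads from a
# Let's Encrypt certificate, with no interactive password prompts, and
# refuse to install a certificate that does not name the host.
#
# Assumed, not confirmed by the thread: conf/keystore (OM 5), conf/keystore.jks
# and conf/trustscore.jks are the files Tomcat is configured to read, the OM
# install directory is passed as the 2nd argument (or as OM_HOME), and the
# keystore password Tomcat expects is supplied in OM_STOREPASS.
# Must run as root: /etc/letsencrypt/live is root-only.

set -eu
umask 077          # every file written below contains the private key

name_in_cert_text() {
    # $1: output of `openssl x509 -noout -text`, $2: host name.
    # Succeeds if the host is the Subject CN or a DNS: SAN entry. This is the
    # CN/SAN question from the thread: a certificate issued only for
    # www.domain.eu does not cover domain.eu, whatever port Tomcat listens on.
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" | grep -q -E "(CN ?= ?|DNS:)${esc}(,|$)"
}

le_files_present() {
    # $1: a certbot live directory. Succeeds only if all three files are readable.
    for f in cert.pem privkey.pem chain.pem; do
        [ -r "$1/$f" ] || return 1
    done
}

refresh_keystore() {
    domain="$1"; om_home="$2"
    live="/etc/letsencrypt/live/$domain"
    conf="$om_home/conf"
    keyalias="openmeetings"                 # any name works; the thread used "red5"
    STOREPASS="${OM_STOREPASS:?set OM_STOREPASS to the keystore password configured in Tomcat}"
    export STOREPASS

    le_files_present "$live" || { echo "missing cert files in $live (run as root?)" >&2; return 1; }
    if ! name_in_cert_text "$(openssl x509 -in "$live/cert.pem" -noout -text)" "$domain"; then
        echo "cert.pem does not name $domain in CN or SAN; browsers would still warn" >&2
        return 1
    fi

    p12=$(mktemp "$conf/om-p12.XXXXXX")
    trap 'rm -f "$p12"' EXIT

    # 1. Bundle key + leaf + chain into PKCS#12. Taking the password from the
    #    environment removes the openssl prompt whose answer had to equal the
    #    keytool -srcstorepass below; that mismatch is the
    #    "keystore password was incorrect" error in the thread.
    openssl pkcs12 -export -in "$live/cert.pem" -inkey "$live/privkey.pem" \
        -certfile "$live/chain.pem" -name "$keyalias" -out "$p12" -passout env:STOREPASS

    # 2. Build the JKS from scratch so a renewed certificate replaces the old
    #    entry instead of failing on an alias that already exists.
    rm -f "$conf/keystore.jks"
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass:env STOREPASS \
        -srcalias "$keyalias" -destalias "$keyalias" \
        -destkeystore "$conf/keystore.jks" -deststoretype JKS -deststorepass:env STOREPASS
    keytool -import -noprompt -trustcacerts -alias root -file "$live/chain.pem" \
        -keystore "$conf/keystore.jks" -storepass:env STOREPASS

    # 3. The same three files the thread's commands end up with.
    cp -f "$conf/keystore.jks" "$conf/trustscore.jks"
    cp -f "$conf/keystore.jks" "$conf/keystore"

    # 4. Confirm the private-key entry landed before anything is restarted.
    keytool -list -keystore "$conf/keystore.jks" -storepass:env STOREPASS \
        | grep -q "^$keyalias,.*PrivateKeyEntry"
    echo "keystore refreshed for $domain; restart OpenMeetings so Tomcat reloads it"
}

# Direct use: <domain> <om_home>. As a certbot deploy hook
# (/etc/letsencrypt/renewal-hooks/deploy/) certbot sets RENEWED_LINEAGE to the
# renewed live directory, whose last path component is the domain.
if [ $# -eq 2 ]; then
    refresh_keystore "$1" "$2"
elif [ -n "${RENEWED_LINEAGE:-}" ] && [ -n "${OM_HOME:-}" ]; then
    refresh_keystore "$(basename "$RENEWED_LINEAGE")" "$OM_HOME"
fi
```

Run it as root, for example `OM_STOREPASS='...' sh om-refresh-keystore.sh domain.eu /opt/open500`, then restart OpenMeetings. Copied into /etc/letsencrypt/renewal-hooks/deploy/ it runs after every renewal, but certbot's timer does not carry your shell environment, so a hook has to set OM_HOME and OM_STOREPASS itself (reading the password from a root-only file is the usual approach). The password must match the one in Tomcat's connector configuration; changing it means changing it in both places, and the 0700 umask keeps the .p12 and the keystores readable by root only.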

Re: Log-in and security

Posted by Stefan Kühl <st...@quatrekuehl.eu>.
Ok, please restart the server and it should work.
If you use open500 as folder open500/conf is correct. 

Just restart it. 

Greetz 

Stefan 

PS: if you want to access "permission denied" folders you need to
switch to root, sudo won't work in this case. But be careful, keep in
mind that you change the ownership if you change files as root.

Good evening 


Re: Log-in and security

Posted by Xavier M <xa...@hotmail.com>.
Thank you!


Each command line worked... But it did not change anything when I want to log in. Should I perhaps restart "a service"?

NB : as OM_Folder, I wrote "open500", where I found a "conf" subdirectory with a "keystore" file. But I have an "openmeetings" subdirectory too... which I cannot access (Permission denied).


Greetings,

Xavier


Le 04/07/2019 à 21:35, Stefan Kühl a écrit :

Yes, I'm sorry. Did this so many times and forgot an important point. First: the password is: password

;-)



Let's go through the lines:

"sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/domain.eu/chain.pem"

Here you use the openssl library to export the the key from the letsencrypt certificate into the red5.p12 file and store it in youtr OM Folder (red5 is just an name - you could also use any other name)

"sudo keytool -importkeystore -srcstorepass password -srckeystore /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5

sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem"

by using keytool you import the certificate key by setting the password (-srcstorepass password -> deststorepass password) into the file keystore.jks and confirming the trust by the chain.pem

"sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks"

now creating the trustscore.jks by copying the keystore.jks

at least and only if you have OM 5.* installed:

"sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore"
this is neccesary because OM5-'looks only for keystore and not for keystore.jks. You can do "mv keystore.jks keystore" also. Otherwise you could update the config file to look for keystore.jks"

So if you will be asked for

Enter Export Password:
Verifying - Enter Export Password:

and again

Enter Import Password:
Verifying - Enter Import Password:

you need to enter password

Just to keep it simple, you can choose your own password, but keep in mind top change it within the command too;-)

Greetz

Stefan

Am 04.07.2019 21:18, schrieb Xavier M:

So...

After having changed the folder names, I entered the first command line to get:

Enter Export Password:
Verifying - Enter Export Password:

I wrote down a password - I guess I defined it at this step?


Then the second command line delivered:

Importing keystore /opt/open500/conf/red5.p12 to /opt/open500/conf/keystore.jks...
keytool error: java.io.IOException: keystore password was incorrect

Any idea of what happens and what I should do? I did not try the third command line.

By the way, can you explain me in a few words what I'm doing with these command lines ?


Have a good evening,

Xavier


Le 04/07/2019 à 19:15, Stefan Kühl a écrit :

Maybe to make a quick check (every command in one line):

sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/domain.eu/chain.pem

sudo keytool -importkeystore -srcstorepass password -srckeystore /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5

sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem

sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks

sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore (<- only if you have version 5.*)




Please remeber: If you leave it like this, you need to repaet this lines after every renew of your certificate. Be aware of the folders -> domain.eu: your domain an OM_Folder: your OM installation folder.

Greetz

Stefan

Am 04.07.2019 18:00, schrieb Xavier M:

Then let's go with Proxy through Apache.

I'm not running as root, but my account has the whole rights so that I thought I could do exactly the same things. "sudo" is my friend... even sudo chmod.

The server works with Ubuntu - my account was created at the installation. When I refer to a "LAMP-server", I executed the command

sudo apt install apache2 php libapache2-mod-php mariadb-server php-mysql


... among other prior to install OM.


Xavier

________________________________
De : Aaron Hepp <aa...@gmail.com>
Envoyé : jeudi 4 juillet 2019 17:53
À : user@openmeetings.apache.org<ma...@openmeetings.apache.org>
Objet : Re: Log-in and security

Proxy through Apache would be the easier solution for upgrading

when you say Admin of the sever you are running as root or that you can log into it?  As well what "type" of server is it (REHL, CentOS, Ubuntu, etc.)

On 7/4/19 11:48 AM, Xavier M wrote:
Thank you Aaron.

Even if I have admin rights, I can access only to /etc/letsencrypt/. The permission is denied when I want to open the subdirectory "live".

How do both solution work? I know neither how to "Proxy through Apache", nor how to "configure my OM instance to be able to read where the keys are". Sorry for all that...

Xavier

________________________________
De : Aaron Hepp <aa...@gmail.com>
Envoyé : jeudi 4 juillet 2019 17:40
À : user@openmeetings.apache.org<ma...@openmeetings.apache.org>
Objet : Re: Log-in and security

That is your issue.  Apache has the cert installed via LetEncrypt.  Tomcat which is running on 5443 needs to have the configuration set to know where the cert is located as well as the keystore created.

You can do two things.  Proxy through Apache, or configure your OM instance to be able to read where the keys are.

LetEncrypt places the cert at:
/etc/letsencrypt/live/<domain>



On 7/4/19 11:34 AM, Xavier M wrote:
Hem... No... Do you mean I have to copy and paste the certificate in each folder? Actually, I even don't know where the certificate is to be found on the server... But I guess I find it somewhere if needed.

Xavier

________________________________
De : Stefan Kühl <st...@quatrekuehl.eu>
Envoyé : jeudi 4 juillet 2019 17:06
À : user@openmeetings.apache.org<ma...@openmeetings.apache.org>
Cc : R. Scholz
Objet : Re: Log-in and security


Hi @all,

port should be irrelevant. I'm using Apache on Ubuntu with port 5443 too. https works as expected.
Did you export they certificate keys (like keystore and trustscore) to your %OM%/conf folder?



Greetz

Stefan

Am 04.07.2019 16:57, schrieb R. Scholz:

Hello Xavier,

Hm, you using on Port 80 Tomcat or Apache?

Best regards,

René


Am 04.07.2019 um 16:24 schrieb Xavier M:
Thank you for answering... I'm sorry, but I don't know enough about certificates to give you a relevant answer. I think that :
 * The common name is "rusa.fr"
 * There is no subject alternative name (even www.rusa.fr<http://www.rusa.fr>)
 * It is not a wildcard

... But I'm not 100% sure, it is the first time I administrate a server, I'm discovering many things at the same time!

Xavier

________________________________
From: Clayton, Robin <Ro...@cumberland.co.uk>
Sent: Thursday, 4 July 2019 15:43
To: user@openmeetings.apache.org
Subject: RE: Log-in and security


What is the CN of the certificate? Are there any SAN entries on the certificate, or is it a wildcard?

The TCP port should be irrelevant.

Rob

From: Stefan Kühl [mailto:stefan@quatrekuehl.eu]
Sent: 04 July 2019 14:16
To: user@openmeetings.apache.org
Cc: Xavier M
Subject: Re: Log-in and security



Hi,

Are you sure that you requested your certificate also for domain.eu and not only for www.domain.eu? You should check this. Sometimes web hosters only use the www addresses for certificates.

Greetz

Stefan

On 04.07.2019 14:18, Xavier M wrote:

Hi everybody,

I'm quite sure that the answer is already somewhere, but I couldn't find it...

After having installed OM on a web server, the "written" way to access the log-in is the following, according to Alvaro's tuto:

https://localhost:5443/openmeetings

If OM is installed on a web server, let's say "domain.eu", it works correctly with:

https://domain.eu:5443/openmeetings

But the user will get a warning for security reasons, even if domain.eu works with https, since the common certificates will not work with this port.

I noticed that the following URL worked for the "demo version":

https://om.alteametasoft.com/openmeetings

Does anyone know how this was done? I would like to avoid the use of port 5443 with the warning.

Have a good day!

Xavier

Disclaimer

This email has been scanned by the Mimecast security service.



Disclaimer



Please, consider your environmental responsibility. Before printing this e-mail ask yourself: Do I need a hard copy?

Cumberland Building Society
Cumberland House
Cooper Way
Parkhouse
CARLISLE CA3 0JF
To help us monitor and improve customer service telephone calls may be recorded.
Cumberland Building Society is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority. We arrange life assurance and critical illness cover only with Legal & General Assurance Society Limited and general insurance only with Aviva Insurance Limited.
To find out more about us, visit www.cumberland.co.uk<http://www.cumberland.co.uk/>

CONFIDENTIALITY: This e-mail and any files transmitted with it are confidential, may be legally privileged and are intended for the addressee(s) only. If you are not the intended recipient you may not disclose, copy, distribute, or retain all or part of this e-mail without our authority. Please notify the sender immediately by replying to this e-mail and then permanently delete it.

Any views or opinions expressed are solely those of the author and do not necessarily represent those of Cumberland Building Society or any of its subsidiaries.

Although we have taken steps to ensure that this e-mail and any attachments are free from virus contamination, please rely on your own virus checking procedures as no guarantee is implied or given. We will not be liable for any loss or damage arising from alteration of the contents of this e-mail by a third party or as a result of any virus.


This email has been scanned by the Mimecast security service.



Re: Log-in and security

Posted by Stefan Kühl <st...@quatrekuehl.eu>.
Yes, I'm sorry. Did this so many times and forgot an important point.
First: the password is: password  

;-)

Let's go through the lines:

sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/domain.eu/chain.pem

Here you use the openssl library to export the key from the letsencrypt certificate into the red5.p12 file and store it in your OM folder (red5 is just a name; you could also use any other name).

sudo keytool -importkeystore -srcstorepass password -srckeystore /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5

sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem

By using keytool you import the certificate key, setting the password (-srcstorepass password -> -deststorepass password), into the file keystore.jks and confirm the trust with the chain.pem.

sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks

Now create the trustscore.jks by copying the keystore.jks.

Finally, and only if you have OM 5.* installed:

sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore

This is necessary because OM 5 looks only for "keystore" and not for "keystore.jks". You can do "mv keystore.jks keystore" as well. Otherwise you could update the config file to look for keystore.jks.

So if you are asked for

Enter Export Password:
Verifying - Enter Export Password:

and again

Enter Import Password:
Verifying - Enter Import Password:

you need to enter "password".

Just to keep it simple; you can choose your own password, but keep in mind to change it within the commands too ;-)

Greetz

Stefan

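The conversion Stefan walks through above (Let's Encrypt PEM files -> PKCS#12 -> Tomcat keystore), together with his remark in the earlier message that the commands must be repeated after every certificate renewal, as an added example that is not code from the thread or from the OpenMeetings project: a POSIX shell function shaped like a certbot deploy hook. It checks that privkey.pem belongs to cert.pem and that chain.pem actually verifies it before exporting anything, reads the store password from a root-only file instead of typing "password" on the command line, and hands that same file to both openssl and keytool so the export and import passwords cannot drift apart, which is what produced the "keystore password was incorrect" error in this thread. The function names, the password file path and the "openmeetings" service account in the usage comment are assumptions; keytool is only invoked when it is installed, since the PKCS#12 alone is what the thread's first command produces.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenMeetings.
# Rebuilds the Tomcat keystore for OpenMeetings from a Let's Encrypt "live"
# directory the way a certbot deploy hook would, so it runs after every
# renewal instead of being retyped by hand.
# Assumptions (not from the thread): the store password lives in a root-only
# file, keytool is optional, and the OM service account name is passed in.
set -eu

# pubkey_digest <openssl args...>: SHA-256 of a PEM public key, used to
# compare key and certificate without printing either of them.
pubkey_digest() {
    openssl "$@" 2>/dev/null | openssl sha256 | awk '{print $NF}'
}

# build_tomcat_keystore <le_live_dir> <conf_dir> <password_file> [om_user]
# Writes <conf_dir>/red5.p12 and, when keytool is available, keystore.jks,
# keystore (the OM 5 name) and trustscore.jks. Returns 1 if the PEM input is
# inconsistent, so a bad renewal never overwrites a working store.
build_tomcat_keystore() {
    live="$1"; conf="$2"; passfile="$3"; om_user="${4:-}"

    # 1. privkey.pem must belong to cert.pem: compare public-key digests.
    key_d=$(pubkey_digest pkey -in "$live/privkey.pem" -pubout)
    crt_d=$(pubkey_digest x509 -in "$live/cert.pem" -pubkey -noout)
    if [ "$key_d" != "$crt_d" ]; then
        echo "privkey.pem does not match cert.pem" >&2
        return 1
    fi

    # 2. chain.pem must verify cert.pem. -partial_chain lets the Let's Encrypt
    #    intermediate in chain.pem act as the trust anchor for this check.
    if ! openssl verify -partial_chain -CAfile "$live/chain.pem" \
            "$live/cert.pem" >/dev/null 2>&1; then
        echo "chain.pem does not verify cert.pem" >&2
        return 1
    fi

    # 3. Export to PKCS#12. The password is read from a file (never placed on
    #    the command line, so it is absent from ps output and shell history);
    #    the store is written under a temporary name and moved into place.
    mkdir -p "$conf"
    (
        umask 077
        openssl pkcs12 -export -in "$live/cert.pem" -inkey "$live/privkey.pem" \
            -certfile "$live/chain.pem" -name red5 \
            -passout "file:$passfile" -out "$conf/red5.p12.tmp"
    )
    mv -f "$conf/red5.p12.tmp" "$conf/red5.p12"

    # 4. Import into a JKS for Tomcat, reusing the same password file on both
    #    sides so the export and import passwords cannot differ.
    if command -v keytool >/dev/null 2>&1; then
        rm -f "$conf/keystore.jks"
        keytool -importkeystore -noprompt \
            -srckeystore "$conf/red5.p12" -srcstoretype PKCS12 \
            -srcstorepass:file "$passfile" \
            -destkeystore "$conf/keystore.jks" -deststoretype JKS \
            -deststorepass:file "$passfile" -alias red5
        keytool -importcert -noprompt -alias root -trustcacerts \
            -keystore "$conf/keystore.jks" -storepass:file "$passfile" \
            -file "$live/chain.pem"
        cp -f "$conf/keystore.jks" "$conf/keystore"        # OM 5.x file name
        cp -f "$conf/keystore.jks" "$conf/trustscore.jks"
    fi

    # 5. Only the service account needs to read the stores.
    for f in "$conf"/red5.p12 "$conf"/keystore.jks "$conf"/keystore "$conf"/trustscore.jks; do
        [ -f "$f" ] || continue
        chmod 640 "$f"
        if [ -n "$om_user" ]; then chown "$om_user" "$f"; fi
    done
    return 0
}

# p12_opens_with <p12_file> <password_file>: 0 iff the store's MAC verifies
# with that password, the same check keytool performs before importing.
p12_opens_with() {
    openssl pkcs12 -in "$1" -passin "file:$2" -noout >/dev/null 2>&1
}

# Usage as a certbot deploy hook (paths and account name are assumed):
#   build_tomcat_keystore /etc/letsencrypt/live/domain.eu /opt/OM_Folder/conf \
#       /etc/openmeetings/keystore.pass openmeetings
```

Two practical notes. Tomcat has to be restarted (or its connector reloaded) after the hook runs, since it reads the keystore at startup. And on hosts with OpenSSL 3, `openssl pkcs12 -export` defaults to newer PBES2/AES encryption that older keytool releases may refuse with the very same "keystore password was incorrect" message even when the password is right; if that happens, adding openssl's `-legacy` option to the export produces a PKCS#12 those keytool versions can read.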

Re: Log-in and security

Posted by Xavier M <xa...@hotmail.com>.
So...

After having changed the folder names, I entered the first command line to get:

Enter Export Password:
Verifying - Enter Export Password:

I wrote down a password - I guess I defined it at this step?

Then the second command line delivered:

Importing keystore /opt/open500/conf/red5.p12 to /opt/open500/conf/keystore.jks...
keytool error: java.io.IOException: keystore password was incorrect

Any idea of what happens and what I should do? I did not try the third command line.

By the way, can you explain to me in a few words what I'm doing with these command lines?

Have a good evening,

Xavier





Re: Log-in and security

Posted by Stefan Kühl <st...@quatrekuehl.eu>.
Maybe to make a quick check (every command in one line):

sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/domain.eu/chain.pem

sudo keytool -importkeystore -srcstorepass password -srckeystore /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5

sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem

sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks

sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore (<- only if you have version 5.*)

Please remember: if you leave it like this, you need to repeat these lines after every renewal of your certificate. Be aware of the folders -> domain.eu: your domain, and OM_Folder: your OM installation folder.

Greetz 

Stefan 


RE: Log-in and security

Posted by Xavier M <xa...@hotmail.com>.
Then let's go with Proxy through Apache.

I'm not running as root, but my account has full rights, so I thought I could do exactly the same things. "sudo" is my friend... even sudo chmod.

The server runs Ubuntu - my account was created at the installation. When I refer to a "LAMP-server", I mean that I executed the command

sudo apt install apache2 php libapache2-mod-php mariadb-server php-mysql

... among others, prior to installing OM.


Xavier

________________________________
De : Aaron Hepp <aa...@gmail.com>
Envoyé : jeudi 4 juillet 2019 17:53
À : user@openmeetings.apache.org
Objet : Re: Log-in and security

Proxy through Apache would be the easier solution for upgrading

when you say Admin of the sever you are running as root or that you can log into it?  As well what "type" of server is it (REHL, CentOS, Ubuntu, etc.)

On 7/4/19 11:48 AM, Xavier M wrote:
Thank you Aaron.

Even if I have admin rights, I can access only to /etc/letsencrypt/. The permission is denied when I want to open the subdirectory "live".

How do both solution work? I know neither how to "Proxy through Apache", nor how to "configure my OM instance to be able to read where the keys are". Sorry for all that...

Xavier

________________________________
De : Aaron Hepp <aa...@gmail.com>
Envoyé : jeudi 4 juillet 2019 17:40
À : user@openmeetings.apache.org<ma...@openmeetings.apache.org>
Objet : Re: Log-in and security

That is your issue.  Apache has the cert installed via LetEncrypt.  Tomcat which is running on 5443 needs to have the configuration set to know where the cert is located as well as the keystore created.

You can do two things.  Proxy through Apache, or configure your OM instance to be able to read where the keys are.

LetEncrypt places the cert at:
/etc/letsencrypt/live/<domain>



On 7/4/19 11:34 AM, Xavier M wrote:
Hem... No... Do you mean I have to copy and paste the certificate in each folder? Actually, I even don't know where the certificate is to be found on the server... But I guess I find it somewhere if needed.

Xavier

________________________________
From : Stefan Kühl <st...@quatrekuehl.eu>
Sent : Thursday 4 July 2019 17:06
To : user@openmeetings.apache.org
Cc : R. Scholz
Subject : Re: Log-in and security


Hi @all,

Port should be irrelevant. I'm using Apache on Ubuntu with port 5443 too. https works as expected.
Did you export the certificate keys (like keystore and truststore) to your %OM%/conf folder?



Greetz

Stefan

On 04.07.2019 16:57, R. Scholz wrote:

Hello Xavier,

Hm, are you using Tomcat or Apache on port 80?

Best regards,

René


On 04.07.2019 at 16:24, Xavier M wrote:
Thank you for answering... I'm sorry, but I don't know enough about certificates to give you a relevant answer. I think that:
 * The common name is "rusa.fr"
 * There is no subject alternative name (even www.rusa.fr)
 * It is not a wildcard

... But I'm not 100% sure, it is the first time I have administered a server, I'm discovering many things at the same time!

Xavier

________________________________
From : Clayton, Robin <Ro...@cumberland.co.uk>
Sent : Thursday 4 July 2019 15:43
To : user@openmeetings.apache.org
Subject : RE: Log-in and security


What is the CN of the certificate, are there any SAN entries on the certificate? Or is it a wildcard?



The TCP port should be irrelevant.



Rob









From: Stefan Kühl [mailto:stefan@quatrekuehl.eu]
Sent: 04 July 2019 14:16
To: user@openmeetings.apache.org
Cc: Xavier M
Subject: Re: Log-in and security



Hi,

Are you sure that you requested your certificate for domain.eu as well, or only for www.domain.eu? You should check this. Sometimes web hosters only use the www addresses for certificates.

Greetz

Stefan





On 04.07.2019 14:18, Xavier M wrote:

Hi everybody,



I'm quite sure that the answer is already somewhere, but I couldn't find it...



After having installed OM on a web server, the "written" way to access the log-in is the following, according to Alvaro's tutorial:

https://localhost:5443/openmeetings



If OM is installed on a web server, let's say "domain.eu", it works correctly with:

https://domain.eu:5443/openmeetings



But the user will get a warning for security reasons, even if domain.eu works with https, since the common certificates will not work with this port.



I noticed that the following URL worked for the "demo version":

https://om.alteametasoft.com/openmeetings



Does anyone know how this was done? I would like to avoid the use of the port 5443 with the warning.



Have a good day!

Xavier



Disclaimer

This email has been scanned by the Mimecast security service.



Disclaimer



Please, consider your environmental responsibility. Before printing this e-mail ask yourself: Do I need a hard copy?

Cumberland Building Society
Cumberland House
Cooper Way
Parkhouse
CARLISLE CA3 0JF
To help us monitor and improve customer service telephone calls may be recorded.
Cumberland Building Society is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority. We arrange life assurance and critical illness cover only with Legal & General Assurance Society Limited and general insurance only with Aviva Insurance Limited.
To find out more about us, visit www.cumberland.co.uk<http://www.cumberland.co.uk/>

CONFIDENTIALITY: This e-mail and any files transmitted with it are confidential, may be legally privileged and are intended for the addressee(s) only. If you are not the intended recipient you may not disclose, copy, distribute, or retain all or part of this e-mail without our authority. Please notify the sender immediately by replying to this e-mail and then permanently delete it.

Any views or opinions expressed are solely those of the author and do not necessarily represent those of Cumberland Building Society or any of its subsidiaries.

Although we have taken steps to ensure that this e-mail and any attachments are free from virus contamination, please rely on your own virus checking procedures as no guarantee is implied or given. We will not be liable for any loss or damage arising from alteration of the contents of this e-mail by a third party or as a result of any virus.


This email has been scanned by the Mimecast security service.





Re: Log-in and security

Posted by Aaron Hepp <aa...@gmail.com>.
Proxy through Apache would be the easier solution for upgrading.

When you say admin of the server, do you mean you are running as root or 
that you can log into it?  Also, what "type" of server is it (RHEL, 
CentOS, Ubuntu, etc.)?

On 7/4/19 11:48 AM, Xavier M wrote:
> Thank you Aaron.
>
> Even if I have admin rights, I can only access /etc/letsencrypt/. The 
> permission is denied when I want to open the subdirectory "live".
>
> How do both solutions work? I know neither how to "Proxy through 
> Apache", nor how to "configure my OM instance to be able to read where 
> the keys are". Sorry for all that...
>
> Xavier
>


RE: Log-in and security

Posted by Xavier M <xa...@hotmail.com>.
Thank you Aaron.

Even if I have admin rights, I can only access /etc/letsencrypt/. The permission is denied when I want to open the subdirectory "live".

How do both solutions work? I know neither how to "Proxy through Apache", nor how to "configure my OM instance to be able to read where the keys are". Sorry for all that...

Xavier

________________________________
From : Aaron Hepp <aa...@gmail.com>
Sent : Thursday 4 July 2019 17:40
To : user@openmeetings.apache.org
Subject : Re: Log-in and security

That is your issue.  Apache has the cert installed via Let's Encrypt.  Tomcat, which is running on 5443, needs to have the configuration set to know where the cert is located, as well as the keystore created.

You can do two things.  Proxy through Apache, or configure your OM instance to be able to read where the keys are.

Let's Encrypt places the cert at:
/etc/letsencrypt/live/<domain>







Re: Log-in and security

Posted by Aaron Hepp <aa...@gmail.com>.
That is your issue.  Apache has the cert installed via Let's Encrypt.  
Tomcat, which is running on 5443, needs to have the configuration set to 
know where the cert is located, as well as the keystore created.

You can do two things.  Proxy through Apache, or configure your OM 
instance to be able to read where the keys are.

Let's Encrypt places the cert at:
/etc/letsencrypt/live/<domain>



On 7/4/19 11:34 AM, Xavier M wrote:
> Hem... No... Do you mean I have to copy and paste the certificate in 
> each folder? Actually, I don't even know where the certificate is to 
> be found on the server... But I guess I'll find it somewhere if needed.
>
> Xavier
>


RE: Log-in and security

Posted by Xavier M <xa...@hotmail.com>.
Hem... No... Do you mean I have to copy and paste the certificate in each folder? Actually, I don't even know where the certificate is to be found on the server... But I guess I'll find it somewhere if needed.

Xavier

________________________________
From : Stefan Kühl <st...@quatrekuehl.eu>
Sent : Thursday 4 July 2019 17:06
To : user@openmeetings.apache.org
Cc : R. Scholz
Subject : Re: Log-in and security


Hi @all,

Port should be irrelevant. I'm using Apache on Ubuntu with port 5443 too. https works as expected.
Did you export the certificate keys (like keystore and truststore) to your %OM%/conf folder?



Greetz

Stefan




Re: Log-in and security

Posted by Stefan Kühl <st...@quatrekuehl.eu>.
Hi @all, 

Port should be irrelevant. I'm using Apache on Ubuntu with port 5443
too. https works as expected.
Did you export the certificate keys (like keystore and truststore) to
your %OM%/conf folder?

Greetz 

Stefan 

On 04.07.2019 16:57, R. Scholz wrote:

> Hello Xavier,
> 
> Hm, are you using Tomcat or Apache on port 80?
> 
> Best regards,
> 
> René
> 

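An added example (not code from the thread or from OpenMeetings) of the check behind Robin's CN/SAN question and Aaron's diagnosis: a client matches the hostname against the names inside the certificate and ignores the port, so a warning on :5443 points at the certificate Tomcat presents, not at the port. The certificate dicts are constructed in Python's getpeercert() layout using the thread's placeholder names; fetch_cert() is an assumed helper for pointing the same check at a live server.

```python
"""Does this certificate cover this hostname?

A client compares the name it typed against the names inside the
certificate (subjectAltName DNS entries, with the subject Common Name as a
legacy fallback) and never consults the port.  So a warning on :5443 means
Tomcat is presenting a certificate that does not name the host, not that
the port is special.  These helpers run that comparison on the dict layout
returned by ssl.SSLSocket.getpeercert().
"""
import socket
import ssl


def dns_names(cert):
    """Return (names, source) for a getpeercert()-style dict.

    RFC 6125: if subjectAltName has any DNS entry, only those count; the
    Common Name is consulted only when there are none (current browsers
    skip the CN entirely, so a CN-only certificate is already suspect).
    """
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans, "subjectAltName"
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value], "commonName"
    return [], "none"


def name_matches(pattern, hostname):
    """Match one certificate name against a hostname.

    A wildcard is honoured only as the whole left-most label and stands for
    exactly one label: *.domain.eu covers om.domain.eu but neither
    domain.eu nor a.b.domain.eu.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def check_hostname(cert, hostname):
    """Return (ok, reason) telling whether cert is valid for hostname."""
    names, source = dns_names(cert)
    if not names:
        return False, "certificate carries no DNS name at all"
    for name in names:
        if name_matches(name, hostname):
            return True, f"{hostname} matched {name!r} ({source})"
    return False, f"{hostname} is not covered by {names} ({source})"


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the certificate a server presents on host:port (needs network).

    Hostname checking is off so a mismatching certificate is still returned
    for inspection; chain validation stays on: a CA-signed certificate comes
    back decoded, a self-signed default Tomcat certificate raises
    ssl.SSLCertVerificationError instead, which is itself the diagnosis.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() layout (not real certs;
# the names are the thread's own placeholders).
CERT_CN_ONLY = {  # what Xavier describes: CN only, no SAN
    "subject": ((("commonName", "rusa.fr"),),),
}
CERT_WITH_SAN = {  # a certificate requested for both names
    "subject": ((("commonName", "rusa.fr"),),),
    "subjectAltName": (("DNS", "rusa.fr"), ("DNS", "www.rusa.fr")),
}
CERT_WILDCARD = {  # the wildcard case Robin asks about
    "subject": ((("commonName", "*.domain.eu"),),),
    "subjectAltName": (("DNS", "*.domain.eu"), ("DNS", "domain.eu")),
}

if __name__ == "__main__":
    cases = [
        ("CN only, bare domain", CERT_CN_ONLY, "rusa.fr"),
        ("CN only, www", CERT_CN_ONLY, "www.rusa.fr"),
        ("SAN, www", CERT_WITH_SAN, "www.rusa.fr"),
        ("wildcard, one label", CERT_WILDCARD, "om.domain.eu"),
        ("wildcard, two labels", CERT_WILDCARD, "a.b.domain.eu"),
    ]
    for label, cert, host in cases:
        ok, why = check_hostname(cert, host)
        print(f"{label:22} {'OK ' if ok else 'BAD'} {why}")
```

Running the same check as check_hostname(fetch_cert("domain.eu", 5443), "domain.eu") next to the :443 result shows directly whether the two ports serve different certificates.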
Re: Log-in and security

Posted by "R. Scholz" <re...@abakus-edv-systems.de>.
Hello Xavier,

Hm, are you using Tomcat or Apache on port 80?

Best regards,

René


On 04.07.2019 at 16:24, Xavier M wrote:
> Thank you for answering... I'm sorry, but I don't know enough about 
> certificates to give you a relevant answer. I think that :
>  * The common name is "rusa.fr"
>  * There is no subject alternative name (even www.rusa.fr 
> <http://www.rusa.fr>)
>  * It is not a wildcard
>
> ... But I'm not 100% sure, it is the first time I administer a 
> server, I'm discovering many things at the same time!
>
> Xavier
>
> ------------------------------------------------------------------------
> *From:* Clayton, Robin <Ro...@cumberland.co.uk>
> *Sent:* Thursday 4 July 2019 15:43
> *To:* user@openmeetings.apache.org
> *Subject:* RE: Log-in and security
>
> What is the CN of the certificate, is there any SAN entries on the 
> certificate? Or is it a wildcard?
>
> The TCP port should be irrelevant.
>
> Rob
>
> *From:* Stefan Kühl [mailto:stefan@quatrekuehl.eu]
> *Sent:* 04 July 2019 14:16
> *To:* user@openmeetings.apache.org
> *Cc:* Xavier M
> *Subject:* Re: Log-in and security
>
> Hi,
>
> are you sure that you requested your certificate also for domain.eu 
> <http://domain.eu> or only for www.domain.eu <http://www.domain.eu>? 
> You should check this. Sometimes web hosters only use the www addresses 
> for certificates.
>
> Greetz
>
> Stefan
>
> On 04.07.2019 14:18, Xavier M wrote:
>
>     Hi everybody,
>
>     I'm quite sure that the answer is already somewhere, but I
>     couldn't find it...
>
>     After having installed OM on a web-server, the "written" way to
>     access the log-in is the following, according to Alvaro's tutorial:
>
>     https://localhost:5443/openmeetings
>
>     If OM is installed on a web server, let's say "domain.eu
>     <http://domain.eu>", it works correctly with:
>
>     https://domain.eu:5443/openmeetings
>
>     But the user will get a warning for security reasons, even if
>     domain.eu <http://domain.eu> works with https, since the common
>     certificates will not work with this port.
>
>     I stated that the following URL worked for the "demo version":
>
>     https://om.alteametasoft.com/openmeetings
>
>     Does anyone know how this was done? I would like to avoid the use
>     of the port 5443 with the warning.
>
>     Have a good day!
>
>     Xavier
>


RE: Log-in and security

Posted by Xavier M <xa...@hotmail.com>.
Thank you for answering... I'm sorry, but I don't know enough about certificates to give you a relevant answer. I think that:
 * The common name is "rusa.fr"
 * There is no subject alternative name (even www.rusa.fr<http://www.rusa.fr>)
 * It is not a wildcard

... But I'm not 100% sure, it is the first time I administer a server, I'm discovering many things at the same time!

Xavier

________________________________
From: Clayton, Robin <Ro...@cumberland.co.uk>
Sent: Thursday 4 July 2019 15:43
To: user@openmeetings.apache.org
Subject: RE: Log-in and security


What is the CN of the certificate, is there any SAN entries on the certificate? Or is it a wildcard?

The TCP port should be irrelevant.

Rob

From: Stefan Kühl [mailto:stefan@quatrekuehl.eu]
Sent: 04 July 2019 14:16
To: user@openmeetings.apache.org
Cc: Xavier M
Subject: Re: Log-in and security
Hi,

are you sure that you requested your certificate also for domain.eu or only for www.domain.eu? You should check this. Sometimes web hosters only use the www addresses for certificates.

Greetz

Stefan
On 04.07.2019 14:18, Xavier M wrote:

Hi everybody,

I'm quite sure that the answer is already somewhere, but I couldn't find it...

After having installed OM on a web-server, the "written" way to access the log-in is the following, according to Alvaro's tutorial:

https://localhost:5443/openmeetings

If OM is installed on a web server, let's say "domain.eu", it works correctly with:

https://domain.eu:5443/openmeetings

But the user will get a warning for security reasons, even if domain.eu works with https, since the common certificates will not work with this port.

I stated that the following URL worked for the "demo version":

https://om.alteametasoft.com/openmeetings

Does anyone know how this was done? I would like to avoid the use of the port 5443 with the warning.

Have a good day!

Xavier


RE: Log-in and security

Posted by "Clayton, Robin" <Ro...@cumberland.co.uk>.
What is the CN of the certificate, is there any SAN entries on the certificate? Or is it a wildcard?

The TCP port should be irrelevant.

Rob




From: Stefan Kühl [mailto:stefan@quatrekuehl.eu]
Sent: 04 July 2019 14:16
To: user@openmeetings.apache.org
Cc: Xavier M
Subject: Re: Log-in and security


Hi,

are you sure that you requested your certificate also for domain.eu or only for www.domain.eu? You should check this. Sometimes web hosters only use the www addresses for certificates.

Greetz

Stefan
On 04.07.2019 14:18, Xavier M wrote:
Hi everybody,

I'm quite sure that the answer is already somewhere, but I couldn't find it...

After having installed OM on a web-server, the "written" way to access the log-in is the following, according to Alvaro's tutorial:
https://localhost:5443/openmeetings

If OM is installed on a web server, let's say "domain.eu", it works correctly with:
https://domain.eu:5443/openmeetings

But the user will get a warning for security reasons, even if domain.eu works with https, since the common certificates will not work with this port.

I stated that the following URL worked for the "demo version":
https://om.alteametasoft.com/openmeetings

Does anyone know how this was done? I would like to avoid the use of the port 5443 with the warning.

Have a good day!
Xavier



RE: Log-in and security

Posted by Xavier M <xa...@hotmail.com>.
Hi,

Yes, I am sure. Actually, I could not get a certificate for www.domain.eu but just for domain.eu (the website is not reachable at www.domain.eu).

The certificate was delivered by SSL Labs after I installed CertBot on an Apache Server... I should say "on the LAMP server where I installed OpenMeetings". I followed those instructions:
https://certbot.eff.org/lets-encrypt/ubuntubionic-apache
... and I configured so that the whole "domain.eu" should use https instead of http.

BUT :
 1/ When I connect to https://domain.eu, the certificate is verified by "Let's Encrypt".
 2/ When I connect to https://domain.eu:5443/openmeetings, the certificate corresponds to a self-signed one.
I assume that it is due to the port, which does not correspond to the HTTP/HTTPS protocols?

Sincerely,
Xavier


________________________________
From: Stefan Kühl <st...@quatrekuehl.eu>
Sent: Thursday 4 July 2019 15:16
To: user@openmeetings.apache.org
Cc: Xavier M
Subject: Re: Log-in and security

Hi,

are you sure that you requested your certificate also for domain.eu or only for www.domain.eu? You should check this. Sometimes web hosters only use the www addresses for certificates.

Greetz

Stefan
On 04.07.2019 14:18, Xavier M wrote:

Hi everybody,

I'm quite sure that the answer is already somewhere, but I couldn't find it...

After having installed OM on a web-server, the "written" way to access the log-in is the following, according to Alvaro's tutorial:
https://localhost:5443/openmeetings

If OM is installed on a web server, let's say "domain.eu", it works correctly with:
https://domain.eu:5443/openmeetings

But the user will get a warning for security reasons, even if domain.eu works with https, since the common certificates will not work with this port.

I stated that the following URL worked for the "demo version":
https://om.alteametasoft.com/openmeetings

Does anyone know how this was done? I would like to avoid the use of the port 5443 with the warning.

Have a good day!
Xavier
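
A check for exactly what the replies above ask about (the CN, SAN entries, wildcard use, and whether the certificate on port 5443 is self-signed and covers the host name), as an added example that is not code from this thread or from OpenMeetings; the host names and sample certificates are constructed, and only `probe()` needs network access.

```python
# Added example, not from the thread: report CN, SAN entries, wildcard use,
# self-signing and host name coverage, the points the replies above ask about.
import socket
import ssl

def cert_names(cert):
    """CN and DNS SAN entries from a dict in ssl getpeercert() format."""
    cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn
               if k == "commonName"), None)
    return cn, [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_covers(pattern, hostname):
    """Exact match, or one leftmost '*' label: '*.domain.eu' covers
    'om.domain.eu' but not 'domain.eu' (and no wildcard over a bare TLD)."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def explain(cert, hostname):
    """Why a browser would or would not accept this cert for hostname."""
    cn, sans = cert_names(cert)
    names = sans or ([cn] if cn else [])  # CN is only consulted without SANs
    return {"cn": cn, "sans": sans,
            "wildcard": any(n.startswith("*.") for n in names),
            "self_signed": cert.get("subject") == cert.get("issuer"),
            "hostname_ok": any(name_covers(n, hostname) for n in names)}

def probe(host, port, timeout=5.0):
    """Live check: ('trusted', cert) when the chain verifies against the
    system store, else ('untrusted', reason), e.g. a self-signed cert on 5443."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # host name coverage is judged by explain()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "trusted", tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "untrusted", exc.verify_message

# Constructed samples in getpeercert() format (no real certificates): a CA-issued
# cert for the apex name only, and a self-signed one such as port 5443 presents.
APEX_CERT = {"subject": ((("commonName", "domain.eu"),),),
             "issuer": ((("commonName", "Example CA"),),),
             "subjectAltName": (("DNS", "domain.eu"),)}
SELF_SIGNED = {"subject": ((("commonName", "localhost"),),),
               "issuer": ((("commonName", "localhost"),),)}
```

Run `explain(probe("domain.eu", 443)[1], "domain.eu")` against a live host to compare the two ports; the constructed samples show why the apex-only certificate fails for www.domain.eu and why the self-signed one is rejected outright.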

Re: Log-in and security

Posted by Stefan Kühl <st...@quatrekuehl.eu>.
Hi, 

are you sure that you requested your certificate also for domain.eu or
only for www.domain.eu [1]? You should check this. Sometimes web hosters
only use the www addresses for certificates. 

Greetz 

Stefan

On 04.07.2019 14:18, Xavier M wrote:

> Hi everybody, 
> 
> I'm quite sure that the answer is already somewhere, but I couldn't find it... 
> 
> After having installed OM on a web-server, the "written" way to access the log-in is the following, according to Alvaro's tutorial: 
> https://localhost:5443/openmeetings 
> 
> If OM is installed on a web server, let's say "domain.eu", it works correctly with: 
> https://domain.eu:5443/openmeetings 
> 
> But the user will get a warning for security reasons, even if domain.eu works with https, since the common certificates will not work with this port. 
> 
> I stated that the following URL worked for the "demo version": 
> https://om.alteametasoft.com/openmeetings 
> 
> Does anyone know how this was done? I would like to avoid the use of the port 5443 with the warning. 
> 
> Have a good day! 
> Xavier
 

Links:
------
[1] http://www.domain.eu