No no .. when you ask for an SSL certificate, namecheap asks for the type of server you are
using to install this SSL cert.




2017-08-23 12:26 GMT-05:00 Maxim Solodovnik <solomax...@gmail.com>:

> Why do you need additional server?
> Are you going to set up proxy?
>
> On Thu, Aug 24, 2017 at 12:19 AM, Ramón Zárate Moedano <hor...@gmail.com>
> wrote:
>
>> Hello everyone.
>>
>> I am issuing an SSL certificate with namecheap. To use a "real one".
>>
>> What kind of server type do I have to choose?
>> 1.- Apache / cpanel
>> 2.- Microsoft IIS / Tomcat
>>
>>
>> Thanks.
>>
>> 2017-08-23 11:41 GMT-05:00 Maxim Solodovnik <solomax...@gmail.com>:
>>
>>> Hello Nick,
>>>
>>> please check this: https://builds.apache.org/view/M-R/view/OpenMeetings/job/Openmeetings%203.3.x/site/openmeetings-server/RTMPSAndHTTPS.html
>>> I'm not sure what is the difference between v1 and v2, too much text :(
>>>
>>> Thanks a lot for the contribution!
>>>
>>> On Wed, Aug 23, 2017 at 3:30 PM, Yakovlev N. <yakovlev...@krvostok.ru>
>>> wrote:
>>>
>>>> Maxim,
>>>>
>>>> red5.key missed
>>>>
>>>>
>>>>
>>>> The second edition. :)
>>>>
>>>>
>>>>
>>>> Using self-signed certificates.
>>>>
>>>> Prerequisites:
>>>>
>>>> - CA's root certificate: ca.crt
>>>>
>>>> - server key: red5.key (Distinguished Name while creating the key should be
>>>> assigned to the FQDN of your site, for example - vkc.company.com)
>>>>
>>>> - self-signed server certificate: red5.crt
>>>>
>>>>    Preparing of OM server.
>>>>
>>>> 1. Rename the existing keystore file red5/conf/keystore.jks to
>>>> red5/conf/keystore.jks.bak
>>>>
>>>>    Rename the existing truststore file red5/conf/truststore.jks to
>>>> red5/conf/truststore.jks.bak
>>>>
>>>> 2. Export existing keys into PKCS12 format:
>>>>
>>>>    enter to folder the ca.crt and red5.crt placed
>>>>
>>>>    openssl pkcs12 -export -in red5.crt -inkey red5.key -out red5.p12 -name red5 -certfile ca.crt
>>>>
>>>> 3. Import resulting red5.p12 into keystore:
>>>>
>>>>    keytool -importkeystore -srcstorepass changeit -srckeystore red5.p12 -srcstoretype PKCS12 -deststorepass changeit -destkeystore /opt/red5/conf/keystore.jks -alias red5
>>>>
>>>>    This command creates the keystore.jks with password changeit (may be
>>>> any password)
>>>>
>>>> 4. Import your CA's root certificate into the keystore:
>>>>
>>>>    keytool -import -alias root -keystore /opt/red5/conf/keystore.jks -trustcacerts -file ca.crt
>>>>
>>>>    (need to enter password to keystore.jks - changeit)
>>>>
>>>> 5. copy keystore to truststore
>>>>
>>>>    cd /opt/red5/conf
>>>>
>>>>    cp keystore.jks truststore.jks
>>>>
>>>> 6. Change /opt/red5/conf/red5.properties
>>>>
>>>>    rtmps.keystorepass=changeit
>>>>
>>>>    rtmps.truststorepass=changeit
>>>>
>>>>    jmx.keystorepass=changeit
>>>>
>>>> 7. Set up SSL according "SSL for the web interface" section.
>>>>
>>>> 8. Set RTMPS according "Tunneling RTMPS" or "Native RTMPS" sections.
>>>>
>>>> 9. Restart OM service or whole OM server. Now OM server is ready to
>>>> accept SSL-connections.
>>>>
>>>>
>>>>
>>>>    Preparing of clients.
>>>>
>>>> 1. Add the ca.crt certificate as trusted into the CA's list on all
>>>> windows PC at the system level (certmgr.msc applet).
>>>>
>>>> 2. Add the ca.crt certificate as trusted into Firefox if it used
>>>> (Firefox uses own store of certificates).
>>>>
>>>> 3. Add the ca.crt certificate into %JAVA%\lib\security\cacerts with
>>>> keytool utility on a PC that organizes screensharing.
>>>>
>>>>    For example, Java Version 8 Update 144 has been installed on Windows
>>>> machine by default location path.
>>>>
>>>>    Copy ca.crt to a folder :  c:\ca.crt
>>>>
>>>>    Start command line interface as administrator:
>>>>
>>>>    runas /user:AdminAccount cmd.exe
>>>>
>>>>    Enter admin password
>>>>
>>>>    Enter to bin directory of java:
>>>>
>>>>    cd "c:\Program Files\Java\jre1.8.0_144\bin"
>>>>
>>>>    Import ca.crt into keystore:
>>>>
>>>>    keytool -import -alias root -keystore ..\lib\security\cacerts -file c:\ca.crt
>>>>
>>>>    Enter the password to keystore: changeit
>>>>
>>>>    Now the clients are ready to connect to OM via SSL.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> *From:* Yakovlev N. [mailto:yakovlev...@krvostok.ru]
>>>> *Sent:* Wednesday, August 23, 2017 11:04 AM
>>>>
>>>> *To:* user@openmeetings.apache.org
>>>> *Subject:* RE: [ANNOUNCE] HTTPS is now required
>>>>
>>>>
>>>>
>>>> Hi Maxim,
>>>>
>>>> This is the first edition of "self-signed" section.
>>>>
>>>>
>>>>
>>>> Using self-signed certificates.
>>>>
>>>> Prerequisites:
>>>>
>>>> - CA's root certificate: ca.crt
>>>>
>>>> - self-signed server certificate: red5.crt (Distinguished Name while
>>>> creating the certificate should be assigned to the FQDN of your site, for example -
>>>> vkc.company.com)
>>>>
>>>>    Preparing of OM server.
>>>>
>>>> 1. Rename the existing keystore file red5/conf/keystore.jks to
>>>> red5/conf/keystore.jks.bak
>>>>
>>>>    Rename the existing truststore file red5/conf/truststore.jks to
>>>> red5/conf/truststore.jks.bak
>>>>
>>>> 2. Export existing keys into PKCS12 format:
>>>>
>>>>    enter to folder the ca.crt and red5.crt placed
>>>>
>>>>    openssl pkcs12 -export -in red5.crt -inkey red5.key -out red5.p12 -name red5 -certfile ca.crt
>>>>
>>>> 3. Import resulting red5.p12 into keystore:
>>>>
>>>>    keytool -importkeystore -srcstorepass changeit -srckeystore red5.p12 -srcstoretype PKCS12 -deststorepass changeit -destkeystore /opt/red5/conf/keystore.jks -alias red5
>>>>
>>>>    This command creates the keystore.jks with password changeit (may be
>>>> any password)
>>>>
>>>> 4. Import your CA's root certificate into the keystore:
>>>>
>>>>    keytool -import -alias root -keystore /opt/red5/conf/keystore.jks -trustcacerts -file ca.crt
>>>>
>>>>    (need to enter password to keystore.jks - changeit)
>>>>
>>>> 5. copy keystore to truststore
>>>>
>>>>    cd /opt/red5/conf
>>>>
>>>>    cp keystore.jks truststore.jks
>>>>
>>>> 6. Change passwords in  /opt/red5/conf/red5.properties:
>>>>
>>>>    rtmps.keystorepass=changeit
>>>>
>>>>    rtmps.truststorepass=changeit
>>>>
>>>>    jmx.keystorepass=changeit
>>>>
>>>> 7. Set up SSL according "SSL for the web interface" section.
>>>>
>>>> 8. Set up RTMPS according "Tunneling RTMPS" or "Native RTMPS" sections.
>>>>
>>>> 9. Restart OM service or whole OM server.   Now OM server is ready to
>>>> accept SSL-connections.
>>>>
>>>>
>>>>
>>>>    Preparing of clients.
>>>>
>>>> 1. Add the ca.crt certificate as trusted into the CA's list on all
>>>> windows PC at the system level (certmgr.msc applet).
>>>>
>>>> 2. Add the ca.crt certificate as trusted into Firefox if it used
>>>> (Firefox uses own store of certificates).
>>>>
>>>> 3. Add the ca.crt certificate into %JAVA%\lib\security\cacerts with
>>>> keytool utility on a PC that organizes screensharing.
>>>>
>>>>    For example, Java Version 8 Update 144 has been installed on Windows
>>>> machine by default location path.
>>>>
>>>>    Copy ca.crt to a folder :  c:\ca.crt
>>>>
>>>>    Start command line interface as administrator:
>>>>
>>>>    runas /user:AdminAccount cmd.exe
>>>>
>>>>    Enter admin password
>>>>
>>>>    Enter to bin directory of java:
>>>>
>>>>    cd "c:\Program Files\Java\jre1.8.0_144\bin"
>>>>
>>>>    Import ca.crt into keystore:
>>>>
>>>>    keytool -import -alias root -keystore ..\lib\security\cacerts -file c:\ca.crt
>>>>
>>>>    Enter the password to keystore: changeit
>>>>
>>>>    Now the clients are ready to connect to OM via SSL  https://vkc.company.com:5443.
>>>>
>>>>
>>>>
>>>> Nik
>>>>
>>>>
>>>>
>>>> *From:* Maxim Solodovnik [mailto:solomax...@gmail.com
>>>> <solomax...@gmail.com>]
>>>> *Sent:* Wednesday, August 23, 2017 8:58 AM
>>>> *To:* Openmeetings user-list
>>>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>>>
>>>>
>>>>
>>>> I believe this is correct.
>>>>
>>>>
>>>>
>>>> will try to add "Self-signed" section to site
>>>>
>>>>
>>>>
>>>> On Wed, Aug 23, 2017 at 12:54 PM, Yakovlev N. <yakovlev...@krvostok.ru>
>>>> wrote:
>>>>
>>>> OK.
>>>>
>>>> I would like to sum up all the work with the SSL and I think one will
>>>> be interesting for our community.
>>>>
>>>> 1. The self-signed certificates can be used but using of them requires
>>>> some manual operations:
>>>>
>>>>   1.1.  The certificates (root CA and server) must be installed into
>>>> /opt/red5/conf/keystore.jks and /opt/red5/conf/truststore.jks on OM server
>>>>
>>>>     as described at http://openmeetings.apache.org/RTMPSAndHTTPS.html
>>>> page.
>>>>
>>>>   1.2.  It's not necessary to add the root certificate into
>>>> java/cacerts on OM server because all works OK with java/cacerts installed
>>>> by default.
>>>>
>>>>   1.3.  The root certificate must be added as trusted into the CA list
>>>> on all windows PC at the system level (certmgr.msc applet).
>>>>
>>>>   1.4.  The root certificate must be added as trusted into Firefox if
>>>> it is used (FF has own store for the certificates).
>>>>
>>>>   1.5.  The root certificate must be added into
>>>> %JAVA%\lib\security\cacerts with keytool utility on a PC that organizes
>>>> screensharing.
>>>>
>>>> 2.  The use of real certificates is more preferable since it does not
>>>> require as much work as described above.
>>>>
>>>>     There are only two places where the certificates have to be
>>>> installed: see 1.1 and 1.5 above.
>>>>
>>>> 3.  The http://openmeetings.apache.org/RTMPSAndHTTPS.html page should
>>>> be changed and supplemented.
>>>>
>>>>     It will allow to exclude a lot of questions for OM users. Those
>>>> questions that I had to meet.
>>>>
>>>>
>>>>
>>>> Is all correct?
>>>>
>>>>
>>>>
>>>> Nik
>>>>
>>>>
>>>>
>>>> *From:* Maxim Solodovnik [mailto:solomax...@gmail.com]
>>>> *Sent:* Wednesday, August 23, 2017 7:41 AM
>>>> *To:* Openmeetings user-list
>>>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>>>
>>>>
>>>>
>>>> I believe this is standard behavior for Windows systems
>>>>
>>>>
>>>>
>>>> On Tue, Aug 22, 2017 at 6:37 PM, Yakovlev N. <yakovlev...@krvostok.ru>
>>>> wrote:
>>>>
>>>> After adding CA into windows system store entering into rooms  works
>>>> good.
>>>>
>>>> Does FF use not only own ca-store but ca-store in system?!  Or it’s not
>>>> FF?
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> *From:* Maxim Solodovnik [mailto:solomax...@gmail.com]
>>>> *Sent:* Tuesday, August 22, 2017 2:05 PM
>>>> *To:* Openmeetings user-list
>>>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>>>
>>>>
>>>>
>>>> ERR_UNKNOWN_ISSUER most probably caused by the fact
>>>>
>>>> 1) server cert was added to trusted
>>>>
>>>> 2) CA was not added
>>>>
>>>>
>>>>
>>>> in case of Windows it worth to add CA at system level AND to the
>>>> browser (CA tab with permission to verify sites code etc. I would check all
>>>> checkboxes)
>>>>
>>>>
>>>>
>>>> On Tue, Aug 22, 2017 at 4:41 PM, Yakovlev N. <yakovlev...@krvostok.ru>
>>>> wrote:
>>>>
>>>> Yes,  the ca certificate was added as trusted.
>>>>
>>>> I found one difference in behavior of FF when it connected to
>>>> https-sites with the self-signed certificates.
>>>>
>>>> Typically, the first connection prompts you to add the site to an
>>>> exception but OM server does not give us this option.
>>>>
>>>> See pls two screenshots.
>>>>
>>>> This occurs before the CA is added to the Trusted CAs lists.  If first
>>>> a root certificate is added to the CAs list then  we can access to an OM
>>>> cabinet with green lock icon but will have the errors in the rooms as I
>>>> wrote before.
>>>>
>>>> There is something in OM webserver…..
>>>>
>>>>
>>>>
>>>> Nik
>>>>
>>>>
>>>>
>>>> *From:* Maxim Solodovnik [mailto:solomax...@gmail.com]
>>>> *Sent:* Tuesday, August 22, 2017 11:54 AM
>>>> *To:* Openmeetings user-list
>>>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>>>
>>>>
>>>>
>>>> I guess CA was added to trusted CA's of FF?
>>>>
>>>>
>>>>
>>>> On Tue, Aug 22, 2017 at 3:40 PM, Maxim Solodovnik <solomax...@gmail.com>
>>>> wrote:
>>>>
>>>> This is the issue of "self-signed" certificate.
>>>>
>>>> "Real" certificate provides the way to ensure it wasn't revoked.
>>>>
>>>>
>>>>
>>>> I would recommend to set up one of the free real certificates to prod
>>>> system
>>>>
>>>>
>>>>
>>>> On Tue, Aug 22, 2017 at 2:45 PM, Yakovlev N. <yakovlev...@krvostok.ru>
>>>> wrote:
>>>>
>>>> Hi Maxim,
>>>>
>>>> you were right when you suggested to add a ca certificate into client
>>>> machine with screensharing. I added the root certificate not correctly via
>>>> "java control panel->security->manage certificates".  It's wrong and not
>>>> necessary. The certificate must be inserted into java/keystore with
>>>> keytool utility.
>>>>
>>>> Now screen sharing works as expected.
>>>>
>>>> But...
>>>>
>>>> I tried to connect from another machines to the machine with
>>>> screensharing  and all worked fine with remote desktop if IE used but not
>>>> Firefox.
>>>>
>>>> The error screenshots are attached and the errors take place when
>>>> entering into any rooms.
>>>>
>>>> Do you know how to resolve it?  And why only FF ?
>>>>
>>>> The latest version of FF and Adobe Flash Player for FF is used.
>>>>
>>>>
>>>>
>>>> Nik
>>>>
>>>>
>>>>
>>>> *From:* Maxim Solodovnik [mailto:solomax...@gmail.com]
>>>> *Sent:* Monday, August 21, 2017 11:46 AM
>>>> *To:* Openmeetings user-list
>>>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>>>
>>>>
>>>>
>>>> I guess first thing to do is to ensure
>>>>
>>>> jre is used by javaws
>>>>
>>>> and
>>>>
>>>> jre containing cacert
>>>>
>>>>
>>>>
>>>> is the same jre
>>>>
>>>>
>>>>
>>>> can be checked using by inspecting PATH
>>>>
>>>> and checking which binaries are actually started using system task
>>>> manager
>>>>
>>>>
>>>>
>>>> On Mon, Aug 21, 2017 at 3:00 PM, Yakovlev N. <yakovlev...@krvostok.ru>
>>>> wrote:
>>>>
>>>> First i tried to add only one CA certificate  to java on a client
>>>> machine.
>>>>
>>>> Then the site certificate was added for additional checking.
>>>>
>>>> Both cases are unsuccessful.
>>>>
>>>> What I should make the next?
>>>>
>>>>
>>>>
>>>> *From:* Maxim Solodovnik [mailto:solomax...@gmail.com]
>>>> *Sent:* Monday, August 21, 2017 9:51 AM
>>>> *To:* Openmeetings user-list
>>>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>>>
>>>>
>>>>
>>>> Works for me
>>>>
>>>>
>>>>
>>>> What were your steps?
>>>>
>>>>
>>>>
>>>> BTW no need to add site certificate to trusted certs in case you are
>>>> having Root CA. Verified Root CA will successfully validate site cert
>>>>
>>>>
>>>>
>>>> On Mon, Aug 21, 2017 at 1:44 PM, Yakovlev N. <yakovlev...@krvostok.ru>
>>>> wrote:
>>>>
>>>> No,
>>>>
>>>> It did not help.
>>>>
>>>> The client machine is Windows, the CA root certificate (crt) and the
>>>> client self-signed certificate (p12)  have been added into java  via  java
>>>> control panel->security->manage certificates.
>>>>
>>>>
>>>>
>>>> The full error log is  :
>>>>
>>>>
>>>>
>>>> ERROR 08-21 09:39:23.861 63 o.a.o.s.RTMPTSScreenShare [Thread-23] - {}
>>>> sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>     at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
>>>>     at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
>>>>     at sun.security.validator.Validator.validate(Unknown Source)
>>>>     at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
>>>>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
>>>>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
>>>>     at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
>>>>     at sun.security.ssl.Handshaker.processLoop(Unknown Source)
>>>>     at sun.security.ssl.Handshaker.process_record(Unknown Source)
>>>>     at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
>>>>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
>>>>     at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>>>>     at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>>>>     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
>>>>     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
>>>>     at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
>>>>     at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
>>>>     at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
>>>>     at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
>>>>     at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
>>>>     at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
>>>>     at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
>>>>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:118)
>>>>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
>>>>     at org.red5.client.net.rtmps.RTMPTSClientConnector.openConnection(RTMPTSClientConnector.java:139)
>>>>     at org.red5.client.net.rtmps.RTMPTSClientConnector.run(RTMPTSClientConnector.java:64)
>>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>     at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
>>>>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
>>>>     at java.security.cert.CertPathBuilder.build(Unknown Source)
>>>>     ... 27 common frames omitted
>>>> sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>
>>>> No context named default was found!!
>>>>
>>>>
>>>>
>>>> *From:* Maxim Solodovnik [mailto:solomax...@gmail.com]
>>>> *Sent:* Monday, August 21, 2017 8:45 AM
>>>> *To:* Openmeetings user-list
>>>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>>>
>>>>
>>>>
>>>> You can fix it by adding self-signed CA to the java/cacerts at the
>>>> "client" machine (The machine Screen-sharing web-app is started)
>>>>
>>>>
>>>>
>>>> On Mon, Aug 21, 2017 at 11:51 AM, Yakovlev N. <yakovlev...@krvostok.ru>
>>>> wrote:
>>>>
>>>> Tunneling RTMPS
>>>>
>>>>
>>>>
>>>> *From:* Maxim Solodovnik [mailto:solomax...@gmail.com]
>>>> *Sent:* Monday, August 21, 2017 5:56 AM
>>>>
>>>>
>>>> *To:* Openmeetings user-list
>>>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>>>
>>>>
>>>>
>>>> What type of SSL are you checking? "native" or "tunneled" ?
>>>>
>>>>
>>>>
>>>> On Sun, Aug 20, 2017 at 10:45 AM, Yakovlev N. <yakovlev...@krvostok.ru>
>>>> wrote:
>>>>
>>>> Hi Maxim,
>>>>
>>>> Screensharing with SSL does not work.
>>>>
>>>>
>>>>
>>>> Java outputs the next errors:
>>>>
>>>> ERROR 08-20 06:00:11.429 63 o.a.o.s.RTMPTSScreenShare [Thread-22] - {}
>>>>
>>>> sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>
>>>>
>>>>
>>>> Where can be place the datastore for screensharing and what its file
>>>> name?
>>>>
>>>> /opt/red5/conf/keystore.screen.jks or /opt/red5/conf/keystore.screen ?
>>>>
>>>> Where should be assigned  the password for this keystore?
>>>>
>>>>
>>>>
>>>> The /opt/red5/conf/jee-container.xml and
>>>> /opt/red5/conf/red5.properties files contain the following parameters:
>>>>
>>>>
>>>>
>>>> key="keystoreFile" value=......
>>>>
>>>> key="keystorePass" value=......
>>>>
>>>> key="truststoreFile" value=......
>>>>
>>>> key="truststorePass" value=......
>>>>
>>>>
>>>>
>>>> rtmps.keystorepass=xxxxx
>>>>
>>>> rtmps.keystorefile=conf/keystore.jks
>>>>
>>>> rtmps.truststorepass=xxxxx
>>>>
>>>> rtmps.truststorefile=conf/truststore.jks
>>>>
>>>>
>>>>
>>>> But for screensharing I could not find relevant information.
>>>>
>>>>
>>>>
>>>> Best regards,
>>>>
>>>> Nik
>>>>
>>>>
>>>>
>>>> *From:* Yakovlev N. [mailto:yakovlev...@krvostok.ru]
>>>> *Sent:* Saturday, August 19, 2017 8:23 AM
>>>> *To:* user@openmeetings.apache.org
>>>> *Subject:* RE: [ANNOUNCE] HTTPS is now required
>>>>
>>>>
>>>>
>>>> Hi Maxim,
>>>>
>>>> SSL is working fine.
>>>>
>>>> I found a mistake in  http://openmeetings.apache.org/RTMPSAndHTTPS.html
>>>> manual:
>>>>
>>>> All  keytool commands must have the filename   keystore.jks    but not
>>>> keystore without extension. :)
>>>>
>>>> This also applies to the filename truststore:  it should be
>>>> truststore.jks.
>>>>
>>>>
>>>>
>>>> Otherwise the names of keystore and truststore should be changed in
>>>> /opt/red5/conf/red5.properties.
>>>>
>>>>
>>>>
>>>> Nik
>>>>
>>>>
>>>>
>>>> *From:* Maxim Solodovnik [mailto:solomax...@gmail.com
>>>> <solomax...@gmail.com>]
>>>> *Sent:* Saturday, August 19, 2017 7:23 AM
>>>> *To:* Openmeetings user-list
>>>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>>>
>>>>
>>>>
>>>> I'll try to check steps with self-signed cert and will report back
>>>>
>>>>
>>>>
>>>> On Sat, Aug 19, 2017 at 11:21 AM, Yakovlev N. <yakovlev...@krvostok.ru>
>>>> wrote:
>>>>
>>>> Hello Ramon,
>>>>
>>>> All the hope of Maxim….:)
>>>>
>>>>
>>>>
>>>> Nik
>>>>
>>>>
>>>>
>>>> *From:* Ramón Zárate Moedano [mailto:hor...@gmail.com]
>>>> *Sent:* Saturday, August 19, 2017 2:22 AM
>>>>
>>>>
>>>> *To:* user@openmeetings.apache.org
>>>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>>>
>>>>
>>>>
>>>> Hello everyone ...
>>>>
>>>>
>>>>
>>>> i just cannot install SSL (from namecheap) ... this is beyond my skills.
>>>>
>>>>
>>>>
>>>> Is there someone who can help me with the installation in exchange for
>>>> some money????
>>>>
>>>>
>>>>
>>>> Thanks in advance.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> 2017-08-18 1:23 GMT-05:00 Yakovlev N. <yakovlev...@krvostok.ru>:
>>>>
>>>> Hi Maxim,
>>>>
>>>> Thanks for reply.
>>>>
>>>> I've reinstalled two times certificates but ssl does not work.
>>>>
>>>> 1. Both certificates root-CA and client one were added into
>>>> /etc/pki/ca-trust/extracted/java/cacerts (this place is for Centos)
>>>> with commands:
>>>>
>>>> keytool -import -keystore cacerts -file red5.crt -alias red5
>>>>
>>>> keytool -import -keystore cacerts -trustcacerts -file ca.crt -alias root
>>>>
>>>> 2. As you recommend OM was started with red5-debug + option
>>>> "-Djavax.net.debug=all"
>>>>
>>>> Logs have nothing while a ssl session was established.
>>>>
>>>> To exclude the impact of browsers, I tried to start up a session using
>>>> telnet.
>>>>
>>>> Sessions to port 5080 (none ssl) were fixed in logs but sessions to
>>>> 5443 did not.
>>>>
>>>> In this case, the netstat command shows ESTABLISHED status to port 5443.
>>>>
>>>> Firewall is off.
>>>>
>>>> According to http://openmeetings.apache.org/RTMPSAndHTTPS.html two
>>>> config files have to be changed:
>>>>
>>>> 1. Edit red5/conf/jee-container.xml file:
>>>>
>>>>    Comment Tomcat without SSL enabled section
>>>>
>>>>    UNComment Tomcat with SSL enabled section
>>>>
>>>> 2. Edit red5/webapps/openmeetings/public/config.xml and set
>>>>
>>>>    <protocol>https</protocol>
>>>>
>>>>    <red5httpport>5443</red5httpport>
>>>>
>>>> Are these changes enough or need more?
>>>>
>>>>
>>>>
>>>> Best regards,
>>>>
>>>> Nik
>>>>
>>>>
>>>>
>>>> *From:* Maxim Solodovnik [mailto:solomax...@gmail.com]
>>>> *Sent:* Thursday, August 17, 2017 10:28 AM
>>>> *To:* Openmeetings user-list
>>>>
>>>>
>>>> *Subject:* Re: [ANNOUNCE] HTTPS is now required
>>>>
>>>>
>>>>
>>>> Here is useful link
>>>>
>>>> I'm using these scripts (with some modifications) Chrome shows green
>>>> icon :)
>>>>
>>>> https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate/43666288#43666288
>>>>
>>>>
>>>>
>>>> On Thu, Aug 17, 2017 at 2:25 PM, Maxim Solodovnik <solomax...@gmail.com>
>>>> wrote:
>>>>
>>>> The steps on the site are for the "real" certificates ...
>>>>
>>>> 1) add certificate to trusted certs of Java
>>>>
>>>>
>>>>
>>>> means Java need to know about your certificate I'm using self-signed CA
>>>> for testing and I'm adding it to
>>>>
>>>> /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts
>>>>
>>>>
>>>>
>>>> Additionally I would recommend to run red5 using red5-debug and modify
>>>> it by adding "*-Djavax.net.debug=all*"  to see all SSL messages
>>>>
>>>>
>>>>
>>>> On Thu, Aug 17, 2017 at 1:23 PM, Yakovlev N. <yakovlev...@krvostok.ru>
>>>> wrote:
>>>>
>>>> Hello Maxim,
>>>> Don't worry that my question was missed because we all understand how
>>>> much work you do.
>>>> Your message made me return to the question of HTTPS for OM.
>>>>
>>>> So...
>>>>
>>>> 1) add certificate to trusted certs of Java
>>>>
>>>> Lets see an output of command keytool:
>>>>
>>>> cd /opt/red5/conf
>>>> keytool -list -keystore keystore
>>>> Enter keystore password:
>>>> xxxxx
>>>> Keystore type: JKS
>>>> Keystore provider: SUN
>>>>
>>>> Your keystore contains 2 entries
>>>>
>>>> vkc.krvostok.ru, Aug 16, 2017, PrivateKeyEntry,
>>>> Certificate fingerprint (SHA1): 7D:39:11:AA:76:5F:BF:D1:E5:57:99:67:D5:1C:B8:25:1A:D9:88:0F
>>>> root, Aug 16, 2017, trustedCertEntry,
>>>> Certificate fingerprint (SHA1): FF:2B:E0:44:3C:0F:83:36:6F:F0:6E:2F:1F:9A:83:F9:B0:1F:E1:45
>>>>
>>>> Is it OK?
>>>>
>>>> 2) add certificate to trusted certs of browser (icon should be green)
>>>> Done
>>>>
>>>> 3) correctly create red5 keystore/truststore
>>>> Done according to the reference http://openmeetings.apache.org/RTMPSAndHTTPS.html
>>>> truststore is a copy of keystore
>>>> OK?
>>>>
>>>> Maxim, I would like to draw on one detail.
>>>> A simple way to test of a SSL-connection is to use the next command:
>>>> openssl s_client -connect FQDN:port
>>>> For example,
>>>> openssl s_client -connect www.mail.ru:443,
>>>> openssl s_client -connect www.ya.ru:443
>>>> and so on.
>>>> This way does not use browsers and allows to test ssl-connections at a
>>>> lower level than using browsers.
>>>> This command does not work and hangs for my OM as I wrote before and I
>>>> think that the question is not in the types of certificates (trusted or
>>>> selfsigned ones).
>>>> But where is the problem? I don't know yet...
>>>>
>>>> Nik
>>>>
>>>> -----Original Message-----
>>>> From: Maxim Solodovnik [mailto:solomax...@gmail.com]
>>>>
>>>> Sent: Wednesday, August 16, 2017 5:51 PM
>>>> To: Openmeetings user-list
>>>> Subject: Re: [ANNOUNCE] HTTPS is now required
>>>>
>>>> Hello Nik,
>>>>
>>>> I'm trying to answer all emails, sorry if I missed yours :(
>>>> To make self-signed certificate work with red5 you MUST
>>>> 1) add certificate to trusted certs of Java
>>>> 2) add certificate to trusted certs of browser (icon should be green)
>>>> 3) correctly create red5 keystore/truststore
>>>>
>>>> to provide further help I need your detailed steps
>>>>
>>>> On Wed, Aug 16, 2017 at 8:30 PM, Yakovlev N. <yakovlev...@krvostok.ru>
>>>> wrote:
>>>> > Hi Andreas,
>>>> > OK, your opinion is your opinion and I respect it.
>>>> > We speak about an internal OM service but not about the world one...
>>>> > I understand the trusted certificates are more preferable but in my case unnecessary I think.
>>>> > I'm not sure blacklists are my cases...
>>>> >
>>>> > Nik
>>>> >
>>>> > -----Original Message-----
>>>> > From: df...@gmx.de [mailto:df...@gmx.de]
>>>> > Sent: Wednesday, August 16, 2017 4:18 PM
>>>> > To: user@openmeetings.apache.org
>>>> > Subject: Re: [ANNOUNCE] HTTPS is now required
>>>> >
>>>> > Hi Nik,
>>>> >
>>>> > sorry - I cannot agree to your "I cannot agree". Most email client programs do check certificates and deny connections if certificate is not trusted. May be 5% will work - but 95% will not (and tomorrow percentage is higher than today). I can not recommend to use any self-signed certificate (except for internal tasks). Additionally maybe you are added to blacklists if you are "on the air" using a self-signed certificate.
>>>> >
>>>> > Best regards
>>>> > Andreas
>>>> >
>>>> > On Wednesday, 16 August 2017, 16:01:52 CEST, Yakovlev N. wrote:
>>>> >> I don't agree.
>>>> >> I use selfsigned certificates on other corporate services successfully (mail, cloud and so on).
>>>> >> Yes, browsers ask questions but this is no problem. In this case such certificates must be added as trusted ones.
>>>> >>
>>>> >> Nik
>>>> >>
>>>> >> -----Original Message-----
>>>> >> From: df...@gmx.de [mailto:df...@gmx.de]
>>>> >> Sent: Wednesday, August 16, 2017 3:44 PM
>>>> >> To: user@openmeetings.apache.org
>>>> >> Subject: Re: [ANNOUNCE] HTTPS is now required
>>>> >>
>>>> >> Self-signed will not be accepted by most browsers and will not work. The goal of SSL *IS THE POSSIBILITY OF VERIFICATION OF THE PAGE OWNER*...
>>>> >>
>>>> >> Try certificates from lets encrypt - they are free ;)
>>>> >>
>>>> >> Best regards
>>>> >> Andreas
>>>> >>
>>>> >> On Wednesday, 16 August 2017, 15:25:17 CEST, Yakovlev N. wrote:
>>>> >> > Hi, Maxim!
>>>> >> > I have some problems with SSL and no ideas to solve them.
>>>> >> > Five months ago  I asked community how to install SSL on OM but nobody answered.
>>>> >> > (http://mail-archives.apache.org/mod_mbox/openmeetings-user/201703.mbox/browser    Subject: SSL with OM   Date Mon, 20 Mar 2017 08:30:40 GMT  )
>>>> >> > The manual listed on page http://openmeetings.apache.org/RTMPSAndHTTPS.html did not help me.
>>>> >> > No any errors in logs, browser hangs and shows an empty page.
>>>> >> > Firefox outputs "Executing TLS-handshaking with vkc.krvostok.ru" on the left bottom side.
>>>> >> > The "openssl   s_client   -connect   vkc.krvostok.ru:5443" command hangs also and outputs only one line: CONNECTED(00000003).
>>>> >> > Firewall is off, tcp-5443 port is listening on the OM host.
>>>> >> >
>>>> >> > Is there any roadmap of using selfsigned certificates for OM?
>>>> >> >
>>>> >> > Best regards
>>>> >> > Nik
>>>> >> >
>>>> >> > -----Original Message-----
>>>> >> > From: Maxim Solodovnik [mailto:solomax...@gmail.com]
>>>> >> > Sent: Wednesday, August 16, 2017 7:23 AM
>>>> >> > To: Openmeetings user-list
>>>> >> > Subject: [ANNOUNCE] HTTPS is now required
>>>> >> >
>>>> >> > Hello All,
>>>> >> >
>>>> >> > Google developers are trying to move WWW to HTTPS
>>>> >> > To force this transition they restrict features available to HTTP sites in Chrome/Chromium
>>>> >> > Latest restriction is: Camera and microphone will not be available to JS/Flash code for HTTP sites: proof:
>>>> >> >
>>>> >> > "Microphone and Camera access no longer works on insecure origins. To use this feature, you should consider switching your application to a secure origin, such as HTTPS. See https://goo.gl/rStTGz for more details."
>>>> >> >
>>>> >> > So please set up HTTPS for your OM site to prevent camera/microphone issues.
>>>> >> >
>>>> >> > --
>>>> >> > WBR
>>>> >> > Maxim aka solomax
>>>> >> >
>>>> >> >
>>>> >>
>>>> >>
>>>> >>
>>>> >
>>>> >
>>>>
>>>>
>>>>
>>>> --
>>>> WBR
>>>> Maxim aka solomax
>>>>
>>>
>>>
>>>
>>> --
>>> WBR
>>> Maxim aka solomax
>>>
>>
>>
>
>
> --
> WBR
> Maxim aka solomax
>
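
An added example, not part of the original thread: pre-flight checks for the three files the quoted procedure starts from (ca.crt, red5.crt, red5.key), run with openssl before anything is imported into keystore.jks. The function names and the throwaway CA built by make_demo_pki are constructed for illustration; the file names and vkc.company.com follow the thread.

```shell
#!/bin/sh
# Pre-flight checks before "openssl pkcs12 -export" / "keytool -importkeystore".

# Constructed test data: a throwaway root CA and a server certificate it signs.
# $1 = output directory, $2 = FQDN placed in the server certificate's CN.
make_demo_pki() {
    cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/openssl.cnf" \
        -extensions v3_ca -subj "/CN=Demo Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
        -subj "/CN=$2" -keyout "$1/red5.key" -out "$1/red5.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/red5.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -set_serial 1 -days 2 -out "$1/red5.crt" 2>/dev/null || return 1
}

# 0 if server certificate $2 chains to CA certificate $1. A failure here is the
# openssl-side view of Java's "unable to find valid certification path".
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# 0 if private key $2 carries the same public key as certificate $1.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if certificate $1 is valid for host name $2 (SAN, or CN when no SAN exists).
host_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 | grep -q 'does match certificate'
}

# Runs all three checks on the files in directory $1 for FQDN $2.
# Prints "ok", or one word per failed check.
preflight() {
    problems=""
    key_matches_cert "$1/red5.crt" "$1/red5.key" || problems="key-mismatch"
    chain_ok "$1/ca.crt" "$1/red5.crt" || problems="${problems:+$problems }untrusted-issuer"
    host_matches "$1/red5.crt" "$2" || problems="${problems:+$problems }name-mismatch"
    echo "${problems:-ok}"
}

demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" vkc.company.com || { rm -rf "$d"; return 1; }
    echo "correct files:  $(preflight "$d" vkc.company.com)"
    echo "wrong hostname: $(preflight "$d" other.company.com)"
    rm -rf "$d"
}
demo
```

Against real files, call `preflight /path/to/dir your.fqdn` from the folder holding ca.crt, red5.crt and red5.key; anything other than `ok` should be resolved before the keystore is rebuilt.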
