Please check OM is running: `ps -ef|grep java` and that the necessary ports are in LISTEN state: `netstat -an|grep 5443`
The result of the last command should be something like:

    tcp6 0 0 :::5443 :::* LISTEN

On Fri, 5 Jul 2019 at 22:21, Xavier M <[email protected]> wrote:

Atomic steps sound fine... Except if it is a nuclear bomb!

In my case, I'd like as a first step to understand why I can not connect anymore to "https://domain.eu:5443/openmeetings" (while I could connect to "https://domain.eu") - domain.eu was a generic name in my explanation - since I followed the steps given yesterday. Nota Bene: it works again when I modify /etc/apache2/ports.conf to add "Listen 5443" and "Listen 8888", but I get the error SSL_ERROR_RX_RECORD_TOO_LONG.

Assume that I go back to the previous problem, that is I can connect, but with a warning "self made certificate", or whatever the correct name is... Then I have to understand what Aaron means by "Proxy through Apache, or configure your OM instance to be able to read where the keys are" and what the pros and cons are. Aaron suggested me to "proxy", but actually I do not know how one does this.

Thanks all of you for your help,
Xavier

------------------------------
From: Maxim Solodovnik <[email protected]>
Sent: Friday 5 July 2019 16:28
To: Openmeetings user-list
Subject: Re: Log-in and security

The best way to make everything work is to perform atomic steps
and ensure everything still works after each step.

In your case
0) you need to understand what your goal is
1) then achieve it :)

As I understand you would like to have OM at port 443.

You can do it by either changing the OM https port to be 443
or
by setting up a frontend proxy.

Each option has pros and cons.
You have to choose one option before any other step :)

On Fri, Jul 5, 2019, 20:34 Xavier M <[email protected]> wrote:

This is possible! But:

- What does Alvaro mean by "To be able to connect from the Internet or LAN with this server, remember to open the following ports: 5443 8888"?
- I could not connect anymore to "https://domain.eu:5443/openmeetings" (while I could connect to "https://domain.eu") until I did that: and now it "works" again, with the error SSL_ERROR_RX_RECORD_TOO_LONG...
- ... and I have no idea why!

If you have any idea/explanation, I really don't know either what happens or what to do! I will comment out the lines in ports.conf and restart, to check whether it works like before or not.

Thank you!
Xavier

------------------------------
From: Maxim Solodovnik <[email protected]>
Sent: Friday 5 July 2019 15:14
To: Openmeetings user-list
Subject: Re: Log-in and security

I'm afraid this
"I just added "Listen 5443" and "Listen 8888" into /etc/apache2/ports.conf"
makes no sense :(

Apache HTTPD will listen on these ports and both OM and Kurento will be unable to start since the ports are already busy ....

On Fri, 5 Jul 2019 at 17:37, Xavier M <[email protected]> wrote:

Hi all,

I just added "Listen 5443" and "Listen 8888" into /etc/apache2/ports.conf (and nothing into /etc/apache2/sites-enabled/000-default.conf).

I can now access "https://domain.eu:5443/openmeetings", but with the error SSL_ERROR_RX_RECORD_TOO_LONG.
How can I solve it? Could it be due to the changes I made yesterday thanks to Stefan's help?

sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/domain.eu/chain.pem

sudo keytool -importkeystore -srcstorepass password -srckeystore /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5

sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem

sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks

sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore (<- only if you have version 5.*)

See you soon,
Xavier

------------------------------
From: Xavier M <[email protected]>
Sent: Friday 5 July 2019 10:36
To: [email protected]
Subject: RE: Log-in and security

Hello Maxim,

That's a good idea... I had already heard of it, but I still have to look at how I do it. But it seems that I forgot something, since I can not access Open Meetings since I "shutdown -r now" the server. Any idea of which command it is?

Xavier

------------------------------
From: Maxim Solodovnik <[email protected]>
Sent: Friday 5 July 2019 09:38
To: Openmeetings user-list
Subject: Re: Log-in and security

You need to set up autostart for these services.

On Fri, Jul 5, 2019, 14:04 Xavier M <[email protected]> wrote:

Hmm... It sounds a bit complicated for me, I have to take it "slowly". But I'm pretty sure I'll do it.

For the moment, I do not understand why I can not connect anymore to "https://domain.eu:5443/openmeetings" (while I can connect to "https://domain.eu") after I "shutdown -r now" the web server. It has been a full night since I typed after the "reboot":

sudo /etc/init.d/mysql start
sudo /etc/init.d/kurento-media-server start
sudo /etc/init.d/tomcat3 start

Did I forget something? Is there a log anywhere which could help?

Have a good day!
Xavier

------------------------------
From: Maxim Solodovnik <[email protected]>
Sent: Friday 5 July 2019 04:18
To: Openmeetings user-list
Subject: Re: Log-in and security

The demo server uses Apache as frontend proxy.
The config is here:
https://stackoverflow.com/questions/51721771/apache-openmeetings-4-0-4-csrf-attack-when-using-apache2-as-proxypass

On Fri, 5 Jul 2019 at 03:51, Xavier M <[email protected]> wrote:

Ok, for the time being, I won't switch to root...

I "sudo shutdown -r now" and waited. The server has come up again (website "https://domain.eu" reachable). I connected through SSH and typed:

sudo /etc/init.d/mysql start
sudo /etc/init.d/tomcat3 start

Now I'm waiting... But I can't connect at all to OpenMeetings with the URL that previously worked ("https://domain.eu:5443/openmeetings"): Firefox can not establish a connection with this address...

Thank you all and have a good night,

Xavier

On 04/07/2019 at 22:05, Stefan Kühl wrote:

Ok, please restart the server and it should work.
If you use open500 as folder, open500/conf is correct.

Just restart it.

Greetz

Stefan

PS: if you want to access "permission denied" folders you need to switch to root, sudo won't work in this case. But be careful, keep in mind that you change the ownership if you change files as root.

Good evening

On 04.07.2019 21:57, Xavier M wrote:

Thank you!

Each command line worked... But it did not change anything when I want to log in. Maybe I should restart "a service"?

NB: as OM_Folder, I wrote "open500", where I found a "conf" subdirectory with a "keystore" file. But I have an "openmeetings" subdirectory too... which I can not access (Permission denied).

Greetings,

Xavier

On 04/07/2019 at 21:35, Stefan Kühl wrote:

Yes, I'm sorry. Did this so many times and forgot an important point.
First: the password is: password

;-)

Let's go through the lines:

"sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/domain.eu/chain.pem"

Here you use the openssl library to export the key from the letsencrypt certificate into the red5.p12 file and store it in your OM folder (red5 is just a name - you could also use any other name).

"sudo keytool -importkeystore -srcstorepass password -srckeystore /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5

sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem"

By using keytool you import the certificate key by setting the password (-srcstorepass password -> -deststorepass password) into the file keystore.jks and confirming the trust by the chain.pem.

"sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks"

Now creating the trustscore.jks by copying the keystore.jks.

At last, and only if you have OM 5.* installed:

"sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore"

This is necessary because OM5 looks only for keystore and not for keystore.jks. You can do "mv keystore.jks keystore" also. Otherwise you could update the config file to look for keystore.jks.

So if you are asked for

    Enter Export Password:
    Verifying - Enter Export Password:

and again

    Enter Import Password:
    Verifying - Enter Import Password:

you need to enter: password

Just to keep it simple; you can choose your own password, but keep in mind to change it within the command too ;-)

Greetz

Stefan

On 04.07.2019 21:18, Xavier M wrote:

So...

After having changed the folder names, I entered the first command line to get:

    Enter Export Password:
    Verifying - Enter Export Password:

I wrote down a password - I guess I defined it at this step?

Then the second command line delivered:

    Importing keystore /opt/open500/conf/red5.p12 to /opt/open500/conf/keystore.jks...
    keytool error: java.io.IOException: keystore password was incorrect

Any idea of what happens and what I should do? I did not try the third command line.

By the way, can you explain to me in a few words what I'm doing with these command lines?

Have a good evening,

Xavier

On 04/07/2019 at 19:15, Stefan Kühl wrote:

Maybe to make a quick check (every command in one line):

sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/domain.eu/chain.pem

sudo keytool -importkeystore -srcstorepass password -srckeystore /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5

sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem

sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks

sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore (<- only if you have version 5.*)

Please remember: if you leave it like this, you need to repeat these lines after every renewal of your certificate. Be aware of the folders -> domain.eu: your domain, and OM_Folder: your OM installation folder.

Greetz

Stefan

On 04.07.2019 18:00, Xavier M wrote:

Then let's go with Proxy through Apache.

I'm not running as root, but my account has the whole rights, so that I thought I could do exactly the same things. "sudo" is my friend... even sudo chmod.

The server runs Ubuntu - my account was created at the installation. When I refer to a "LAMP-server", I executed the command

sudo apt install apache2 php libapache2-mod-php mariadb-server php-mysql

... among others prior to installing OM.

Xavier

------------------------------
From: Aaron Hepp <[email protected]>
Sent: Thursday 4 July 2019 17:53
To: [email protected]
Subject: Re: Log-in and security

Proxy through Apache would be the easier solution for upgrading.

When you say Admin of the server, are you running as root or is it that you can log into it? As well, what "type" of server is it (RHEL, CentOS, Ubuntu, etc.)?

On 7/4/19 11:48 AM, Xavier M wrote:

Thank you Aaron.

Even if I have admin rights, I can access only /etc/letsencrypt/. Permission is denied when I want to open the subdirectory "live".

How do both solutions work? I know neither how to "Proxy through Apache", nor how to "configure my OM instance to be able to read where the keys are". Sorry for all that...

Xavier

------------------------------
From: Aaron Hepp <[email protected]>
Sent: Thursday 4 July 2019 17:40
To: [email protected]
Subject: Re: Log-in and security

That is your issue. Apache has the cert installed via Let's Encrypt. Tomcat, which is running on 5443, needs to have the configuration set to know where the cert is located as well as the keystore created.

You can do two things. Proxy through Apache, or configure your OM instance to be able to read where the keys are.

Let's Encrypt places the cert at:
/etc/letsencrypt/live/<domain>

On 7/4/19 11:34 AM, Xavier M wrote:

Hem... No... Do you mean I have to copy and paste the certificate in each folder? Actually, I even don't know where the certificate is to be found on the server... But I guess I'll find it somewhere if needed.

Xavier

------------------------------
From: Stefan Kühl <[email protected]>
Sent: Thursday 4 July 2019 17:06
To: [email protected]
Cc: R. Scholz
Subject: Re: Log-in and security

Hi @all,

the port should be irrelevant. I'm using Apache on Ubuntu with port 5443 too. https works as expected.
Did you export the certificate keys (like keystore and trustscore) to your %OM%/conf folder?

Greetz

Stefan

On 04.07.2019 16:57, R. Scholz wrote:

Hello Xavier,

Hm, are you using Tomcat or Apache on port 80?

Best regards,

René

On 04.07.2019 at 16:24, Xavier M wrote:

Thank you for answering... I'm sorry, but I don't know enough about certificates to give you a relevant answer. I think that:
* The common name is "rusa.fr"
* There is no subject alternative name (not even www.rusa.fr)
* It is not a wildcard

... But I'm not 100% sure, it is the first time I administrate a server, I'm discovering many things at the same time!

Xavier

------------------------------
From: Clayton, Robin <[email protected]>
Sent: Thursday 4 July 2019 15:43
To: [email protected]
Subject: RE: Log-in and security

What is the CN of the certificate, are there any SAN entries on the certificate? Or is it a wildcard?

The TCP port should be irrelevant.

Rob

From: Stefan Kühl [mailto:[email protected]]
Sent: 04 July 2019 14:16
To: [email protected]
Cc: Xavier M
Subject: Re: Log-in and security

Hi,

are you sure that you requested your certificate also for domain.eu, or only for www.domain.eu? You should check this. Sometimes webhosters only use the www addresses for certificates.

Greetz

Stefan

On 04.07.2019 14:18, Xavier M wrote:

Hi everybody,

I'm quite sure that the answer is already somewhere, but I couldn't find it...

After having installed OM on a web server, the "written" way to access the log-in is the following, according to Alvaro's tutorial:

https://localhost:5443/openmeetings

If OM is installed on a web server, let's say "domain.eu", it works correctly with:

https://domain.eu:5443/openmeetings

But the user will get a warning for security reasons, even if domain.eu works with https, since the common certificates will not work with this port.

I stated that the following URL worked for the "demo version":

https://om.alteametasoft.com/openmeetings

Does anyone know how this was done? I would like to avoid the use of the port 5443 with the warning.

Have a good day!

Xavier

--
WBR
Maxim aka solomax
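The two symptoms in the thread, Apache grabbing 5443 and 8888 after the ports.conf edit and Firefox's SSL_ERROR_RX_RECORD_TOO_LONG when a plain-HTTP listener answers on a port the browser expects to speak TLS, can be checked offline with this added Python example (not code from the thread or from the OpenMeetings project). The ports.conf text and the byte samples are constructed, and the 5443/8888 service mapping is assumed from Alvaro's tutorial as quoted above.

```python
"""Added diagnostic for the two failure modes in the thread (example code, not OpenMeetings'):
Apache's ports.conf claiming the ports OM (5443) and Kurento (8888) need, and a browser
getting a plaintext HTTP reply on a TLS port, which Firefox reports as
SSL_ERROR_RX_RECORD_TOO_LONG."""
from __future__ import annotations
import re

# Assumption: the default ports from Alvaro's tutorial as quoted in the thread.
SERVICE_PORTS = {5443: "OpenMeetings (Tomcat HTTPS)", 8888: "Kurento Media Server"}
# Matches "Listen 443", "Listen 0.0.0.0:5443", "Listen [::]:8888"; commented lines are skipped.
LISTEN_RE = re.compile(r"^\s*Listen\s+(?:\S*:)?(\d+)", re.IGNORECASE | re.MULTILINE)
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
MAX_TLS_RECORD = 2**14 + 2048  # largest TLSCiphertext fragment a client must accept (RFC 5246)

# Constructed /etc/apache2/ports.conf: the stock Debian file plus the two lines Xavier added.
SAMPLE_PORTS_CONF = """\
Listen 80

<IfModule ssl_module>
    Listen 443
</IfModule>

Listen 5443
Listen 8888
"""

def apache_listen_ports(ports_conf: str) -> set[int]:
    """TCP ports an Apache ports.conf binds through Listen directives."""
    return {int(p) for p in LISTEN_RE.findall(ports_conf)}

def port_conflicts(ports_conf: str) -> dict[int, str]:
    """Ports Apache would occupy that another service on the host needs; whichever daemon
    starts second fails with 'address already in use', which is Maxim's objection."""
    taken = apache_listen_ports(ports_conf)
    return {p: name for p, name in SERVICE_PORTS.items() if p in taken}

def classify_server_bytes(first_bytes: bytes) -> str:
    """Classify what a TLS client received right after sending its ClientHello.
    A TLS record begins with a 5-byte header: content type, version 0x03xx, 16-bit length.
    Parsed that way, "HTTP/1.1 400 Bad Request" yields type 0x48 ('H') and length
    0x502F = 20527 > MAX_TLS_RECORD: a plain-HTTP listener answering on the TLS port is
    precisely what makes Firefox report SSL_ERROR_RX_RECORD_TOO_LONG."""
    if len(first_bytes) < 5:
        return "short"
    ctype, major, length = first_bytes[0], first_bytes[1], int.from_bytes(first_bytes[3:5], "big")
    if ctype in TLS_CONTENT_TYPES and major == 3 and length <= MAX_TLS_RECORD:
        return "tls:" + TLS_CONTENT_TYPES[ctype]
    return "plaintext-http" if first_bytes.startswith(b"HTTP/") else "not-tls"

if __name__ == "__main__":
    print("Apache would take:", port_conflicts(SAMPLE_PORTS_CONF))
    for sample in (b"\x16\x03\x03\x00\x5a\x02\x00\x00\x56\x03\x03", b"HTTP/1.1 400 Bad Request\r\n"):
        print(sample[:12], "->", classify_server_bytes(sample))
```

With the sample ports.conf, `port_conflicts` reports both 5443 and 8888 as taken by Apache; feeding the first bytes of a captured reply to `classify_server_bytes` tells you whether the listener on 5443 is speaking TLS at all.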
