I have a script that converts the standard config of openmeetings to
https. It prompts the user for keystore passwords currently but that
too could be automated via expect.

I posted before if anybody wants it but nobody replied, maybe I will
stop posting about it.

Because of the frequency of this topic I figured it might be helpful
though, at least as a starting point.
-Dave

On Sat, Mar 31, 2018 at 10:14 AM, Maxim Solodovnik <solomax...@gmail.com> wrote:
> Thanks Aaron for the answers
> I'm a little bit busy with personal stuff and my day time job
>
> @Alan,
> to set up HTTPS
> you need
> 1) create keystore located at  `rtmps.keystorefile` with password
> `rtmps.keystorepass` (and truststore)
> 2) modify jee*.xml to enable Tomcat with SSL (and disable Tomcat without SSL)
>
> not sure how this 2 step instruction can be further simplified :(
>
> This topic was discussed a million times, this is why I send you the
> link to search
> Maybe previous QA might help
>
> I'll try to check if this can be further simplified (not sure how yet)
> but my time is very limited right now .....
>
>
> On Fri, Mar 30, 2018 at 11:40 PM, Aaron Hepp <aaron.h...@gmail.com> wrote:
>> Did you use a different password than in the instructions (which was
>> password) when creating your .jks files?  This was my original mistake as
>> well.
>>
>> If so then you will need to change your red5.properties file and put the
>> password in there.
>>
>> # RTMPS Key and Trust store parameters
>> rtmps.keystorepass=password
>> rtmps.keystorefile=conf/keystore.jks
>> rtmps.truststorepass=password
>> rtmps.truststorefile=conf/truststore.jks
>>
>>
>> On 3/30/2018 12:27 PM, Alan Johnson wrote:
>>
>> I changed it to this:
>>
>>    <!-- Tomcat without SSL enabled
>>         <bean id="tomcat.server" class="org.red5.server.tomcat.TomcatLoader"
>> depends-on="context.loader" lazy-init="true">
>>                 <property name="webappFolder" value="${red5.root}/webapps"
>> />
>>                 <property name="connectors">
>>                         <list>
>>                                 <bean name="httpConnector"
>> class="org.red5.server.tomcat.TomcatConnector">
>>                                         <property name="protocol"
>> value="org.apache.coyote.http11.Http11NioProtocol" />
>>                                         <property name="address"
>> value="${http.host}:${http.port}" />
>>                                         <property name="redirectPort"
>> value="${https.port}" />
>>                                         <property
>> name="connectionProperties">
>>                                                 <map>
>>                                                         <entry
>> key="maxKeepAliveRequests" value="${http.max_keep_alive_requests}"/>
>>                                                         <entry
>> key="keepAliveTimout" value="-1"/>
>>                                                 </map>
>>                                         </property>
>>                                 </bean>
>>                         </list>
>>                 </property>
>>                 <property name="baseHost">
>>                         <bean class="org.apache.catalina.core.StandardHost">
>>                                 <property name="name" value="${http.host}"
>> />
>>                         </bean>
>>                 </property>
>>                 <property name="valves">
>>                         <list>
>>                                 <bean id="valve.access"
>> class="org.apache.catalina.valves.AccessLogValve">
>>                                         <property name="directory"
>> value="log" />
>>                                         <property name="prefix"
>> value="${http.host}_access." />
>>                                         <property name="suffix" value=".log"
>> />
>>                                         <property name="pattern"
>> value="common" />
>>                                         <property name="rotatable"
>> value="true" />
>>                                 </bean>
>>                                 <bean id="valve.error"
>> class="org.apache.catalina.valves.ErrorReportValve">
>>                                         <property name="showReport"
>> value="false" />
>>                                         <property name="showServerInfo"
>> value="false" />
>>                                 </bean>
>>                         </list>
>>                 </property>
>>         </bean>
>>
>>          Tomcat with SSL enabled -->
>>
>>
>> The server is still not answering on https ports.
>>
>>
>> On 3/30/2018 12:20 PM, Aaron Hepp wrote:
>>
>> that's because when you put a space between the -- and > then that is not a
>> valid "closure" argument and at the end of your file you have a valid
>> "closure" -->  So it thinks the entire statement is a "comment"
>>
>> On 3/30/2018 12:16 PM, merch...@argentwolf.org wrote:
>>
>> I had added a space and it turned it all yellow in bash.
>>
>> Sent from my android device.
>>
>> -----Original Message-----
>> From: Aaron Hepp <aaron.h...@gmail.com>
>> To: user@openmeetings.apache.org, Alan Johnson <merch...@argentwolf.org>,
>> Maxim Solodovnik <solomax...@gmail.com>
>> Sent: Fri, 30 Mar 2018 12:12
>> Subject: Re: Let's Encrypt and OM and Ubuntu
>>
>> Looks like you did not comment out the <!-- Tomcat without SSL enabled
>> -- > section.
>>
>> That has to be commented out to force SSL.
>>
>> remove the  --> from that line and add it right above this line
>>
>> <!-- Tomcat with SSL enabled -->
>>
>> That will comment out the entire "non-SSL" portion.
>>
>>
>> On 3/30/2018 12:02 PM, Alan Johnson wrote:
>>> I have done both of those steps.
>>>
>>> I created the keystore via the email chain you sent the link to. That
>>> seemed to work with no errors.
>>>
>>> I had previously enabled/disabled tomcat.
>>>
>>> I tried an experiment and changed the comment on the file and it
>>> seemed to like it better (included below) and seems to have fixed the
>>> errors in the log file, but it isn't answering on any of the expected
>>> ports (5443/8443/443).
>>>
>>>
>>> From red5.properties:
>>>
>>> # Socket policy
>>> policy.host=0.0.0.0
>>> policy.port=843
>>>
>>> # HTTP
>>> http.host=0.0.0.0
>>> http.port=5080
>>> https.port=443
>>> http.URIEncoding=UTF-8
>>> http.max_headers_size=8192
>>> http.max_keep_alive_requests=-1
>>> http.max_threads=20
>>> http.acceptor_thread_count=10
>>> http.processor_cache=20
>>>
>>> # RTMPS
>>> rtmps.host=0.0.0.0
>>> rtmps.port=8443
>>>
>>>
>>> root@freki:/opt/red5402/log# ufw status
>>> Status: active
>>>
>>> To                         Action      From
>>> --                         ------      ----
>>> OpenSSH                    ALLOW       Anywhere
>>> 5080                       ALLOW       Anywhere
>>> 1935                       ALLOW       Anywhere
>>> 80                         ALLOW       Anywhere
>>> 5443                       ALLOW       Anywhere
>>> 8443                       ALLOW       Anywhere
>>> 443                        ALLOW       Anywhere
>>> OpenSSH (v6)               ALLOW       Anywhere (v6)
>>> 5080 (v6)                  ALLOW       Anywhere (v6)
>>> 1935 (v6)                  ALLOW       Anywhere (v6)
>>> 80 (v6)                    ALLOW       Anywhere (v6)
>>> 5443 (v6)                  ALLOW       Anywhere (v6)
>>> 8443 (v6)                  ALLOW       Anywhere (v6)
>>> 443 (v6)                   ALLOW       Anywhere (v6)
>>>
>>> This is what is in the red5.log file, if it helps:
>>>
>>> root@freki:/opt/red5402/log# cat red5.log
>>> 2018-03-30 01:20:35,450 [main] INFO  org.red5.server.Launcher - Red5
>>> Server 1.0.10 (https://github.com/Red5)
>>> 2018-03-30 01:20:35,570 [main] INFO
>>> o.s.c.s.FileSystemXmlApplicationContext - Refreshing
>>>
>>> org.springframework.context.support.FileSystemXmlApplicationContext@548b7f67:
>>> startup date [Fri Mar 30 01:20:35 UTC 2018]; root of context hierarchy
>>> 2018-03-30 01:20:35,687 [main] INFO
>>> o.s.b.f.xml.XmlBeanDefinitionReader - Loading XML bean definitions
>>> from class path resource [red5.xml]
>>> 2018-03-30 01:20:36,074 [main] INFO
>>> o.s.b.f.xml.XmlBeanDefinitionReader - Loading XML bean definitions
>>> from class path resource [jee-container.xml]
>>> 2018-03-30 01:21:36,609 [http-nio-0.0.0.0-5080-exec-4] INFO
>>> o.a.coyote.http11.Http11Processor - Error parsing HTTP request header
>>>  Note: further occurrences of HTTP request parsing errors will be
>>> logged at DEBUG level.
>>> java.lang.IllegalArgumentException: Invalid character found in method
>>> name. HTTP method names must be tokens
>>>         at
>>>
>>> org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:410)
>>>         at
>>> org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:291)
>>>         at
>>>
>>> org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
>>>         at
>>>
>>> org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:754)
>>>         at
>>>
>>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1376)
>>>         at
>>>
>>> org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
>>>         at
>>>
>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>>>         at
>>>
>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>>>         at
>>>
>>> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>         at java.lang.Thread.run(Thread.java:748)
>>>
>>> Full Jee-container.xml if it helps:
>>>
>>> <?xml version="1.0" encoding="UTF-8"?>
>>> <!--
>>>    Licensed to the Apache Software Foundation (ASF) under one or more
>>>    contributor license agreements.  See the NOTICE file distributed with
>>>    this work for additional information regarding copyright ownership.
>>>    The ASF licenses this file to You under the Apache License, Version
>>> 2.0
>>>    (the "License"); you may not use this file except in compliance with
>>>    the License.  You may obtain a copy of the License at
>>>
>>>                 http://www.apache.org/licenses/LICENSE-2.0
>>>
>>>    Unless required by applicable law or agreed to in writing, software
>>>    distributed under the License is distributed on an "AS IS" BASIS,
>>>    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
>>> implied.
>>>    See the License for the specific language governing permissions and
>>>    limitations under the License.
>>> -->
>>> <beans xmlns="http://www.springframework.org/schema/beans"
>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>> xmlns:lang="http://www.springframework.org/schema/lang"
>>>                 xsi:schemaLocation="
>>> http://www.springframework.org/schema/beans
>>> http://www.springframework.org/schema/beans/spring-beans.xsd
>>> http://www.springframework.org/schema/lang
>>> http://www.springframework.org/schema/lang/spring-lang.xsd
>>>                 ">
>>>         <!--
>>>         The tomcat connectors may be blocking or non-blocking. Select
>>> between either option via the protocol property.
>>>                 Blocking I/O:
>>>                         <property name="protocol"
>>> value="org.apache.coyote.http11.Http11Protocol" />
>>>                 Non-blocking I/O:
>>>                         <property name="protocol"
>>> value="org.apache.coyote.http11.Http11NioProtocol" />
>>>          -->
>>>         <!-- Tomcat without SSL enabled -- >
>>>         <bean id="tomcat.server"
>>> class="org.red5.server.tomcat.TomcatLoader"
>>> depends-on="context.loader" lazy-init="true">
>>>                 <property name="webappFolder"
>>> value="${red5.root}/webapps" />
>>>                 <property name="connectors">
>>>                         <list>
>>>                                 <bean name="httpConnector"
>>> class="org.red5.server.tomcat.TomcatConnector">
>>>                                         <property name="protocol"
>>> value="org.apache.coyote.http11.Http11NioProtocol" />
>>>                                         <property name="address"
>>> value="${http.host}:${http.port}" />
>>>                                         <property name="redirectPort"
>>> value="${https.port}" />
>>>                                         <property
>>> name="connectionProperties">
>>>                                                 <map>
>>>                                                         <entry
>>> key="maxKeepAliveRequests" value="${http.max_keep_alive_requests}"/>
>>>                                                         <entry
>>> key="keepAliveTimout" value="-1"/>
>>>                                                 </map>
>>>                                         </property>
>>>                                 </bean>
>>>                         </list>
>>>                 </property>
>>>                 <property name="baseHost">
>>>                         <bean
>>> class="org.apache.catalina.core.StandardHost">
>>>                                 <property name="name"
>>> value="${http.host}" />
>>>                         </bean>
>>>                 </property>
>>>                 <property name="valves">
>>>                         <list>
>>>                                 <bean id="valve.access"
>>> class="org.apache.catalina.valves.AccessLogValve">
>>>                                         <property name="directory"
>>> value="log" />
>>>                                         <property name="prefix"
>>> value="${http.host}_access." />
>>>                                         <property name="suffix"
>>> value=".log" />
>>>                                         <property name="pattern"
>>> value="common" />
>>>                                         <property name="rotatable"
>>> value="true" />
>>>                                 </bean>
>>>                                 <bean id="valve.error"
>>> class="org.apache.catalina.valves.ErrorReportValve">
>>>                                         <property name="showReport"
>>> value="false" />
>>>                                         <property
>>> name="showServerInfo" value="false" />
>>>                                 </bean>
>>>                         </list>
>>>                 </property>
>>>         </bean>
>>>
>>>         <!-- Tomcat with SSL enabled -->
>>>
>>>         <bean id="tomcat.server"
>>> class="org.red5.server.tomcat.TomcatLoader"
>>> depends-on="context.loader" lazy-init="true">
>>>                 <property name="webappFolder"
>>> value="${red5.root}/webapps" />
>>>                 <property name="connectors">
>>>                         <list>
>>>                                 <bean name="httpConnector"
>>> class="org.red5.server.tomcat.TomcatConnector">
>>>                                         <property name="protocol"
>>> value="org.apache.coyote.http11.Http11NioProtocol" />
>>>                                         <property name="address"
>>> value="${http.host}:${http.port}" />
>>>                                         <property name="redirectPort"
>>> value="${https.port}" />
>>>                                 </bean>
>>>                                 <bean name="httpsConnector"
>>> class="org.red5.server.tomcat.TomcatConnector">
>>>                                         <property name="secure"
>>> value="true" />
>>>                                         <property name="protocol"
>>> value="org.apache.coyote.http11.Http11NioProtocol" />
>>>                                         <property name="address"
>>> value="${http.host}:${https.port}" />
>>>                                         <property name="redirectPort"
>>> value="${http.port}" />
>>>                                         <property
>>> name="connectionProperties">
>>>                                                 <map>
>>>                                                         <entry
>>> key="port" value="${https.port}" />
>>>                                                         <entry
>>> key="redirectPort" value="${http.port}" />
>>>                                                         <entry
>>> key="SSLEnabled" value="true" />
>>>                                                         <entry
>>> key="sslProtocol" value="TLS" />
>>>                                                         <entry
>>> key="keystoreFile" value="${rtmps.keystorefile}" />
>>>                                                         <entry
>>> key="keystorePass" value="${rtmps.keystorepass}" />
>>>                                                         <entry
>>> key="truststoreFile" value="${rtmps.truststorefile}" />
>>>                                                         <entry
>>> key="truststorePass" value="${rtmps.truststorepass}" />
>>>                                                         <entry
>>> key="clientAuth" value="false" />
>>>                                                         <entry
>>> key="allowUnsafeLegacyRenegotiation" value="true" />
>>>                                                         <entry
>>> key="maxKeepAliveRequests" value="${http.max_keep_alive_requests}"/>
>>>                                                         <entry
>>> key="keepAliveTimout" value="-1"/>
>>>                                                         <entry
>>> key="useExecutor" value="true"/>
>>>                                                         <entry
>>> key="maxThreads" value="${http.max_threads}"/>
>>>                                                         <entry
>>> key="acceptorThreadCount" value="${http.acceptor_thread_count}"/>
>>>                                                         <entry
>>> key="processorCache" value="${http.processor_cache}"/>
>>>                                                 </map>
>>>                                         </property>
>>>                                 </bean>
>>>                         </list>
>>>                 </property>
>>>                 <property name="baseHost">
>>>                         <bean
>>> class="org.apache.catalina.core.StandardHost">
>>>                                 <property name="name"
>>> value="${http.host}" />
>>>                         </bean>
>>>                 </property>
>>>                 <property name="valves">
>>>                         <list>
>>>                                 <bean id="valve.access"
>>> class="org.apache.catalina.valves.AccessLogValve">
>>>                                         <property name="directory"
>>> value="log" />
>>>                                         <property name="prefix"
>>> value="${http.host}_access." />
>>>                                         <property name="suffix"
>>> value=".log" />
>>>                                         <property name="pattern"
>>> value="common" />
>>>                                         <property name="rotatable"
>>> value="true" />
>>>                                 </bean>
>>>                                 <bean id="valve.error"
>>> class="org.apache.catalina.valves.ErrorReportValve">
>>>                                         <property name="showReport"
>>> value="false" />
>>>                                         <property
>>> name="showServerInfo" value="false" />
>>>                                 </bean>
>>>                         </list>
>>>                 </property>
>>>         </bean>
>>> -->
>>> </beans>
>>>
>>>
>>> On 3/30/2018 2:37 AM, Maxim Solodovnik wrote:
>>>> Hello Alan,
>>>>
>>>> To enable HTTPS for OM you need to do 2 things:
>>>>
>>>> 1) create valid keystore/truststore (ensure filename/path is correctly
>>>> defined in red5.properties)
>>>> 2) Edit red5/conf/jee-container.xml file:
>>>> Comment Tomcat without SSL enabled section
>>>> UNComment Tomcat with SSL enabled section
>>>>
>>>> On Fri, Mar 30, 2018 at 5:30 AM, Alan Johnson
>>>> <merch...@argentwolf.org> wrote:
>>>>> So I tried using the steps in the email, and they successfully
>>>>> created the
>>>>> keystore.
>>>>>
>>>>> However the steps to enable HTTPS web interface appear to be
>>>>> incorrect/have
>>>>> changed.
>>>>>
>>>>> Edit red5/webapps/openmeetings/public/config.xml and set
>>>>> <protocol>https</protocol>
>>>>> Edit red5/webapps/openmeetings/public/config.xml and set
>>>>> red5httpport to
>>>>> https port
>>>>>
>>>>> These files (Config.xml) are missing from the directory.
>>>>>
>>>>> root@freki:/opt/red5402/webapps/openmeetings/public# ls -al
>>>>> total 968
>>>>> drwxr-xr-x  3 nobody root   4096 Mar 29 22:29 .
>>>>> drwxr-xr-x 15 nobody root   4096 Mar 28 21:08 ..
>>>>> -rw-rw-r--  1 nobody root   4597 Feb  1 23:17 chat_message.mp3
>>>>> drwxrwxr-x  2 nobody root   4096 Feb 24 23:00 cliparts
>>>>> -rw-rw-r--  1 nobody root  11294 Feb  1 23:17 favicon.ico
>>>>> -rw-rw-r--  1 nobody root 572587 Feb 24 23:00 main.swf
>>>>> -rw-rw-r--  1 nobody root 384036 Feb 24 23:01 networktest.swf
>>>>>
>>>>> Please advise.
>>>>>
>>>>>
>>>>>
>>>>> On 3/29/2018 2:52 AM, Maxim Solodovnik wrote:
>>>>>
>>>>> What is preventing you from using this script?
>>>>>
>>>>> On Thu, Mar 29, 2018 at 1:41 PM, Anis Aliev <aliev.a...@gmail.com>
>>>>> wrote:
>>>>>
>>>>> Guys from bigbluebutton already developed a script for installing
>>>>> with LE
>>>>>
>>>>> Thu, 29 Mar 2018, 9:32 Maxim Solodovnik <solomax...@gmail.com>:
>>>>>
>>>>> great :)
>>>>>
>>>>> ps please CC user@ list :)
>>>>>
>>>>>
>>>>> On Thu, Mar 29, 2018 at 11:18 AM, Alan Johnson
>>>>> <merch...@argentwolf.org>
>>>>> wrote:
>>>>>
>>>>> Thank you for pointing it out. I will try the steps listed in the 18
>>>>> Oct
>>>>> 2017 email tomorrow.
>>>>>
>>>>> I might suggest that given the number of other emails asking about
>>>>> it to
>>>>> update the guide and / or build in certbot functionality to simplify
>>>>> the
>>>>> configuration. If I had my preference, the installer would offer LE
>>>>> https as
>>>>> a default option for installation.
>>>>>
>>>>>
>>>>> On 3/29/2018 12:13 AM, Maxim Solodovnik wrote:
>>>>>
>>>>> This topic was discussed many times:
>>>>>
>>>>>
>>>>>
>>>>> https://openmeetings.markmail.org/search/?q=letsencrypt#query:letsencrypt+page:1+mid:ik4qdhdychl364bp+state:results
>>>>>
>>>>>
>>>>> What steps do not work for you?
>>>>>
>>>>> On Thu, Mar 29, 2018 at 10:14 AM, Anis Aliev <aliev.a...@gmail.com>
>>>>> wrote:
>>>>>
>>>>> This is why I am asking community to arrange tutorial for SSL based on
>>>>> LE.
>>>>>
>>>>> FYI
>>>>>
>>>>> 2018-03-29 7:22 GMT+05:00 Alan Johnson <merch...@argentwolf.org>:
>>>>>
>>>>> I saw a recent thread regarding windows 10 and Let's Encrypt. Has
>>>>> anyone
>>>>> had any success with Ubuntu and LE?
>>>>>
>>>>> I was using this guide
>>>>>
>>>>>
>>>>>
>>>>> (https://openmeetings.apache.org/RTMPSAndHTTPS.html#SSL_for_the_web_interface)
>>>>>
>>>>> after getting OM up and running, but I had no luck figuring out how
>>>>> to
>>>>> convert the LE certs to appropriate formats for OM?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Alan
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> IT Manager,e-learning specialist
>>>>> Skype:aliev_anis
>>>>> www.facebook.com/anis.aliev
>>>>> Tel:989010012
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> WBR
>>>>> Maxim aka solomax
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>>
>
>
>
> --
> WBR
> Maxim aka solomax
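
An added example, not part of any message in this thread: a small Python check for the comment mix-up discussed above, reporting where the comments in a jee-container.xml really end and which Tomcat connectors are left active. The names `audit` and `local`, the trimmed bean definitions and the assumed stock layout are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

COMMENT = re.compile(r"<!--(.*?)-->", re.S)  # a comment ends at the FIRST "-->"


def local(tag):
    """Element name without its namespace prefix."""
    return tag.rsplit("}", 1)[-1]


def audit(xml_text):
    """Return (findings, connectors); connectors are those outside comments."""
    findings = []
    for m in COMMENT.finditer(xml_text):
        if "--" in m.group(1):  # e.g. "-- >" typed where "-->" was meant
            line = xml_text.count("\n", 0, m.start()) + 1
            findings.append(f"line {line}: '--' inside a comment (not well-formed "
                            "XML); the comment runs on to the next '-->'")
    body = COMMENT.sub("", xml_text)
    if "-->" in body:
        findings.append("stray '-->' outside any comment")
        body = body.replace("-->", "")
    try:
        root = ET.fromstring(body.strip().encode("utf-8"))
    except ET.ParseError as exc:
        return findings + [f"XML does not parse: {exc}"], []
    loaders = [b for b in root.iter()
               if local(b.tag) == "bean" and b.get("id") == "tomcat.server"]
    if len(loaders) != 1:
        findings.append(f"{len(loaders)} active 'tomcat.server' beans, expected 1")
    connectors = []
    for loader in loaders:
        for bean in loader.iter():
            if not bean.get("class", "").endswith(".TomcatConnector"):
                continue
            entries = {e.get("key"): e.get("value")
                       for e in bean.iter() if local(e.tag) == "entry"}
            connectors.append({"name": bean.get("name"),
                               "ssl": entries.get("SSLEnabled") == "true",
                               "keystore": entries.get("keystoreFile")})
    if not any(c["ssl"] for c in connectors):
        findings.append("no active connector has SSLEnabled=true")
    return findings, connectors


# Constructed, heavily trimmed stand-ins for the two bean definitions.
LOADER = '<bean id="tomcat.server" class="org.red5.server.tomcat.TomcatLoader">'
HTTP = '<bean name="httpConnector" class="org.red5.server.tomcat.TomcatConnector"/>'
HTTPS = ('<bean name="httpsConnector" class="org.red5.server.tomcat.TomcatConnector">'
         '<property name="connectionProperties"><map>'
         '<entry key="SSLEnabled" value="true"/>'
         '<entry key="keystoreFile" value="${rtmps.keystorefile}"/>'
         '</map></property></bean>')
PLAIN = f'{LOADER}<property name="connectors"><list>{HTTP}</list></property></bean>'
SSL = f'{LOADER}<property name="connectors"><list>{HTTP}{HTTPS}</list></property></bean>'
HEAD = '<beans xmlns="http://www.springframework.org/schema/beans">\n'
# Assumed stock layout: non-SSL bean active, SSL bean commented out.
STOCK = f"{HEAD}<!-- Tomcat without SSL enabled -->\n{PLAIN}\n<!-- Tomcat with SSL enabled\n{SSL}\n-->\n</beans>"
# The "-- >" variant posted in the thread.
SPACED = f"{HEAD}<!-- Tomcat without SSL enabled -- >\n{PLAIN}\n<!-- Tomcat with SSL enabled -->\n{SSL}\n-->\n</beans>"
# One comment wrapping the non-SSL bean, as in the later edit.
FIXED = f"{HEAD}<!-- Tomcat without SSL enabled\n{PLAIN}\nTomcat with SSL enabled -->\n{SSL}\n</beans>"

if __name__ == "__main__":
    for label, text in (("stock", STOCK), ("spaced", SPACED), ("fixed", FIXED)):
        print(label, *audit(text), sep="\n  ")
```

A clean result here only says the SSL connector is defined outside any comment; the keystore path and passwords in red5.properties still have to match the files that were created.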
