Maybe to make a quick check (every command in one line): 

sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/domain.eu/chain.pem

sudo keytool -importkeystore -srcstorepass password -srckeystore /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5

sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem

sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks

sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore
(<- only if you have version 5.*)

Please remember: if you leave it like this, you need to repeat these lines
after every renewal of your certificate. Be aware of the folders ->
domain.eu: your domain, and OM_Folder: your OM installation folder.

Greetz 

Stefan 
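
The steps above have to be repeated after every renewal; a certbot deploy hook can do that. The following is an added example, not code from the thread: the hook path, `PASS_FILE`, `OM_IS_V5` and the function name are assumptions, while the file names and aliases are the ones used in the commands above.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumed location:
#   /etc/letsencrypt/renewal-hooks/deploy/om-keystore.sh
# certbot runs deploy hooks after a successful renewal and sets
# RENEWED_LINEAGE to the live directory (/etc/letsencrypt/live/domain.eu).
OM_CONF="${OM_CONF:-/opt/OM_Folder/conf}"         # your OM installation folder
PASS_FILE="${PASS_FILE:-/root/om_keystore.pass}"  # hypothetical file holding the password
OM_IS_V5="${OM_IS_V5:-no}"                        # "yes": also write conf/keystore (5.*)

# The body is a subshell, so umask, trap and exit stay local to one call.
rebuild_keystore() (
    live="$1"; conf="$2"; pass="$3"; names="keystore.jks trustscore.jks"
    [ "${4:-no}" = yes ] && names="$names keystore"
    for f in "$live/cert.pem" "$live/privkey.pem" "$live/chain.pem" "$pass"; do
        [ -r "$f" ] || { echo "unreadable: $f" >&2; exit 1; }
    done
    umask 077                                  # key material is owner-only
    tmp=$(mktemp -d "$conf/.ks.XXXXXX") || exit 1
    trap 'rm -rf "$tmp"' EXIT                  # red5.p12 never stays on disk

    # 1) PEM -> PKCS12; the password is read from a file, not from argv
    openssl pkcs12 -export -in "$live/cert.pem" -inkey "$live/privkey.pem" \
        -certfile "$live/chain.pem" -name red5 \
        -out "$tmp/red5.p12" -passout "file:$pass" || exit 1
    # 2) PKCS12 -> new keystore.jks (new file, so no overwrite prompt)
    keytool -importkeystore -noprompt -alias red5 \
        -srckeystore "$tmp/red5.p12" -srcstoretype PKCS12 \
        -srcstorepass:file "$pass" \
        -destkeystore "$tmp/keystore.jks" -deststorepass:file "$pass" || exit 1
    # 3) add the chain as trusted entry "root"
    keytool -import -noprompt -trustcacerts -alias root \
        -keystore "$tmp/keystore.jks" -storepass:file "$pass" \
        -file "$live/chain.pem" || exit 1
    # 4) publish by rename, so OM never reads a half-written file
    for n in $names; do
        cp "$tmp/keystore.jks" "$tmp/$n.new" || exit 1
        mv -f "$tmp/$n.new" "$conf/$n" || exit 1
    done
)

# Outside certbot RENEWED_LINEAGE is unset and nothing happens.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    rebuild_keystore "$RENEWED_LINEAGE" "$OM_CONF" "$PASS_FILE" "$OM_IS_V5" || exit 1
    # restart OpenMeetings here so it loads the new keystore (site-specific)
fi
```

The published files are readable by their owner only; if OpenMeetings runs under a different account than the hook, chown them to that account.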

On 04.07.2019 18:00, Xavier M wrote:

> Then let's go with Proxy through Apache. 
> 
> I'm not running as root, but my account has the whole rights so that I 
> thought I could do exactly the same things. "sudo" is my friend... even sudo 
> chmod. 
> 
> The server works with Ubuntu - my account was created at the installation. 
> When I refer to a "LAMP-server", I executed the command 
> 
> sudo apt install apache2 php libapache2-mod-php mariadb-server php-mysql
> 
> ... among others, prior to installing OM.
> 
> Xavier 
> 
> -------------------------
> 
> FROM: Aaron Hepp <aaron.h...@gmail.com>
> SENT: Thursday, 4 July 2019 17:53
> TO: user@openmeetings.apache.org
> SUBJECT: Re: Log-in and security
> 
> Proxy through Apache would be the easier solution for upgrading
> 
> when you say Admin of the server you are running as root or that you can log 
> into it?  As well what "type" of server is it (RHEL, CentOS, Ubuntu, etc.)
> 
> On 7/4/19 11:48 AM, Xavier M wrote: 
> Thank you Aaron. 
> 
> Even if I have admin rights, I can access only to /etc/letsencrypt/. The 
> permission is denied when I want to open the subdirectory "live". 
> 
> How do both solutions work? I know neither how to "Proxy through Apache", nor 
> how to "configure my OM instance to be able to read where the keys are". 
> Sorry for all that... 
> 
> Xavier 
> 
> -------------------------
> 
> FROM: Aaron Hepp <aaron.h...@gmail.com>
> SENT: Thursday, 4 July 2019 17:40
> TO: user@openmeetings.apache.org
> SUBJECT: Re: Log-in and security
> 
> That is your issue.  Apache has the cert installed via Let's Encrypt.  Tomcat 
> which is running on 5443 needs to have the configuration set to know where 
> the cert is located as well as the keystore created.
> 
> You can do two things.  Proxy through Apache, or configure your OM instance 
> to be able to read where the keys are.
> 
> Let's Encrypt places the cert at:
> /etc/letsencrypt/live/<domain>
> 
> On 7/4/19 11:34 AM, Xavier M wrote: 
> Hem... No... Do you mean I have to copy and paste the certificate in each 
> folder? Actually, I even don't know where the certificate is to be found on 
> the server... But I guess I find it somewhere if needed. 
> 
> Xavier 
> 
> -------------------------
> 
> FROM: Stefan Kühl <ste...@quatrekuehl.eu>
> SENT: Thursday, 4 July 2019 17:06
> TO: user@openmeetings.apache.org
> CC: R. Scholz
> SUBJECT: Re: Log-in and security
> 
> Hi @all, 
> 
> port should be irrelevant. I'm using Apache on Ubuntu with port 5443 too. 
> https works as expected.
> Did you export the certificate keys (like keystore and trustscore) to your 
> %OM%/conf folder?
> 
> Greetz 
> 
> Stefan 
> 
> On 04.07.2019 16:57, R. Scholz wrote:
> 
> Hello Xavier,
> 
> Hm, you using on Port 80 Tomcat or Apache? 
> 
> Best regards,
> 
> René
> 
> On 04.07.2019 at 16:24, Xavier M wrote:
> Thank you for answering... I'm sorry, but I don't know enough about 
> certificates to give you a relevant answer. I think that : 
> * The common name is "rusa.fr" 
> * There is no subject alternative name (even www.rusa.fr [1]) 
> * It is not a wildcard 
> 
> ... But I'm not 100% sure, it is the first time I administrate a server, I'm 
> discovering many things at the same time! 
> 
> Xavier 
> 
> -------------------------
> 
> FROM: Clayton, Robin <robin.clay...@cumberland.co.uk>
> SENT: Thursday, 4 July 2019 15:43
> TO: user@openmeetings.apache.org
> SUBJECT: RE: Log-in and security
> 
> What is the CN of the certificate, is there any SAN entries on the 
> certificate? Or is it a wildcard? 
> 
> The TCP port should be irrelevant. 
> 
> Rob 
> 
> FROM: Stefan Kühl [mailto:ste...@quatrekuehl.eu] 
> SENT: 04 July 2019 14:16
> TO: user@openmeetings.apache.org
> CC: Xavier M
> SUBJECT: Re: Log-in and security 
> 
> Hi, 
> 
> are you sure that you request your certificate also for domain.eu [2] or only 
> for www.domain.eu [3]. You should check this. Sometimes webhoster only use 
> the www addresses for certificates. 
> 
> Greetz 
> 
> Stefan
> 
> On 04.07.2019 14:18, Xavier M wrote:
> 
> Hi everybody, 
> 
> I'm quite sure that the answer is already somewhere, but I couldn't find 
> it... 
> 
> After having installed OM on a web-server, the "written" way to access to the 
> log-in is following, according to Alvaro's tuto: 
> 
> https://localhost:5443/openmeetings 
> 
> If OM is installed on a web server, let's say "domain.eu [2]", it works 
> correctly with: 
> 
> https://domain.eu:5443/openmeetings 
> 
> But the user will get a warning for security reason, even if domain.eu [2] 
> works with https, since the common certificates will not work with this port. 
> 
> I stated that following URL worked for the "demo version": 
> 
> https://om.alteametasoft.com/openmeetings 
> 
> Does anyone know how this was done? I would like to avoid the use of the port 
> 5443 with the warning. 
> 
> Have a good day! 
> 
> Xavier 
> 

Links:
------
[1] http://www.rusa.fr
[2] http://domain.eu
[3] http://www.domain.eu
[4] http://www.cumberland.co.uk/
