The best way to make everything work is to perform atomic steps, and ensure everything still works after each step.
In your case:
0) you need to understand what your goal is
1) then achieve it :)

As I understand, you would like to have OM at port 443. You can do it either by changing the OM https port to be 443, or by setting up a frontend proxy. Each option has pros and cons. You have to choose one option before any other step :)

On Fri, Jul 5, 2019, 20:34 Xavier M <xa...@hotmail.com> wrote:

> This is possible! But:
>
> - What does Alvaro mean by "To be able to connect from the Internet or LAN with this server, remember to open the following ports: 5443 8888"?
> - I could not connect anymore to "https://domain.eu:5443/openmeetings" (while I could connect to "https://domain.eu") until I did that: and now it "works" again, with the error SSL_ERROR_RX_RECORD_TOO_LONG...
> - ... and I have no idea why!
>
> If you have any idea/explanation, I really don't know what happens, nor what to do! I will comment the lines in ports.conf and restart, to check whether it works like before or not.
>
> Thank you!
> Xavier
>
> ------------------------------
> From: Maxim Solodovnik <solomax...@gmail.com>
> Sent: Friday 5 July 2019 15:14
> To: Openmeetings user-list
> Subject: Re: Log-in and security
>
> I'm afraid this
> I just added "Listen 5443" and "Listen 8888" into /etc/apache2/ports.conf
> makes no sense :(
>
> Apache HTTPD will listen on these ports and both OM and Kurento will be unable to start since the ports are already busy ....
>
> On Fri, 5 Jul 2019 at 17:37, Xavier M <xa...@hotmail.com> wrote:
>
> Hi all,
>
> I just added "Listen 5443" and "Listen 8888" into /etc/apache2/ports.conf (and nothing into /etc/apache2/sites-enabled/000-default.conf)
>
> I can now access "https://domain.eu:5443/openmeetings", but with the error SSL_ERROR_RX_RECORD_TOO_LONG
> How can I solve it? Could it be due to the changes I made yesterday thanks to Stefan's help?
>
> sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/domain.eu/chain.pem
>
> sudo keytool -importkeystore -srcstorepass password -srckeystore /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5
>
> sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem
>
> sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks
>
> sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore (<- only if you have version 5.*)
>
> See you soon,
> Xavier
>
> ------------------------------
> From: Xavier M <xa...@hotmail.com>
> Sent: Friday 5 July 2019 10:36
> To: user@openmeetings.apache.org
> Subject: RE: Log-in and security
>
> Hello Maxim,
>
> That's a good idea... I had already heard of it, but I still have to look at how I do it. But it seems that I forgot something, since I can not access Open Meetings since I "shutdown -r now" the server. Any idea of which command it is?
>
> Xavier
>
> ------------------------------
> From: Maxim Solodovnik <solomax...@gmail.com>
> Sent: Friday 5 July 2019 09:38
> To: Openmeetings user-list
> Subject: Re: Log-in and security
>
> You need to set up autostart for these services
>
> On Fri, Jul 5, 2019, 14:04 Xavier M <xa...@hotmail.com> wrote:
>
> Hmm... It sounds a bit complicated for me, I have to make it "slowly". But I'm pretty sure I'll do it.
>
> For the moment, I do not understand why I can not connect anymore to "https://domain.eu:5443/openmeetings" (while I can connect to "https://domain.eu") after I "shutdown -r now" the web server? It has been a full night since I typed after the "reboot":
> sudo /etc/init.d/mysql start
> sudo /etc/init.d/kurento-media-server start
> sudo /etc/init.d/tomcat3 start
>
> Did I forget something? Is there anywhere a log which could help?
>
> Have a good day!
> Xavier
>
> ------------------------------
> From: Maxim Solodovnik <solomax...@gmail.com>
> Sent: Friday 5 July 2019 04:18
> To: Openmeetings user-list
> Subject: Re: Log-in and security
>
> Demo server uses Apache as frontend proxy
> The config is here:
> https://stackoverflow.com/questions/51721771/apache-openmeetings-4-0-4-csrf-attack-when-using-apache2-as-proxypass
>
> On Fri, 5 Jul 2019 at 03:51, Xavier M <xa...@hotmail.com> wrote:
>
> Ok, at the time being, I won't switch to root...
>
> I "sudo shutdown -r now" and waited. The server has gone on again (website "https://domain.eu" reachable). I connected through SSH and typed:
>
> sudo /etc/init.d/mysql start
> sudo /etc/init.d/tomcat3 start
>
> Now I'm waiting... But I can't connect at all to OpenMeetings with the URL that previously worked ("https://domain.eu:5443/openmeetings"): Firefox can not establish a connection with this address...
>
> Thank you all and have a good night,
>
> Xavier
>
> On 04/07/2019 at 22:05, Stefan Kühl wrote:
>
> Ok, please restart the server and it should work.
> If you use open500 as folder, open500/conf is correct.
>
> Just restart it.
>
> Greetz
>
> Stefan
>
> PS: if you want to access "permission denied" folders you need to switch to root, sudo won't work in this case. But be careful, keep in mind that you change the ownership if you change files as root.
>
> Good evening
>
> On 04.07.2019 21:57, Xavier M wrote:
>
> Thank you!
>
> Each command line worked... But it did not change anything when I want to log in. Maybe I shall restart "a service"?
>
> NB: as OM_Folder, I wrote "open500", where I found a "conf" subdirectory with a "keystore" file. But I have an "openmeetings" subdirectory too... to which I can not access (Permission denied).
>
> Greetings,
>
> Xavier
>
> On 04/07/2019 at 21:35, Stefan Kühl wrote:
>
> Yes, I'm sorry. Did this so many times and forgot an important point.
> First: the password is: password
>
> ;-)
>
> Let's go through the lines:
>
> "sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/domain.eu/chain.pem"
>
> Here you use the openssl library to export the key from the letsencrypt certificate into the red5.p12 file and store it in your OM Folder (red5 is just a name - you could also use any other name)
>
> "sudo keytool -importkeystore -srcstorepass password -srckeystore /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5
>
> sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem"
>
> by using keytool you import the certificate key by setting the password (-srcstorepass password -> deststorepass password) into the file keystore.jks and confirming the trust by the chain.pem
>
> "sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks"
>
> now creating the trustscore.jks by copying the keystore.jks
>
> at last, and only if you have OM 5.* installed:
>
> "sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore"
> this is necessary because OM5 looks only for keystore and not for keystore.jks.
> You can do "mv keystore.jks keystore" also. Otherwise you could update the config file to look for keystore.jks
>
> So if you will be asked for
>
> Enter Export Password:
> Verifying - Enter Export Password:
>
> and again
>
> Enter Import Password:
> Verifying - Enter Import Password:
>
> you need to enter password
>
> Just to keep it simple, you can choose your own password, but keep in mind to change it within the command too ;-)
>
> Greetz
>
> Stefan
>
> On 04.07.2019 21:18, Xavier M wrote:
>
> So...
>
> After having changed the folder names, I entered the first command line to get:
>
> Enter Export Password:
> Verifying - Enter Export Password:
>
> I wrote down a password - I guess I defined it at this step?
>
> Then the second command line delivered:
>
> Importing keystore /opt/open500/conf/red5.p12 to /opt/open500/conf/keystore.jks...
> keytool error: java.io.IOException: keystore password was incorrect
>
> Any idea of what happens and what I should do? I did not try the third command line.
>
> By the way, can you explain to me in a few words what I'm doing with these command lines?
>
> Have a good evening,
>
> Xavier
>
> On 04/07/2019 at 19:15, Stefan Kühl wrote:
>
> Maybe to make a quick check (every command in one line):
>
> sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out /opt/OM_Folder/conf/red5.p12 -name red5 -certfile /etc/letsencrypt/live/domain.eu/chain.pem
>
> sudo keytool -importkeystore -srcstorepass password -srckeystore /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5
>
> sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem
>
> sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/trustscore.jks
>
> sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore (<- only if you have version 5.*)
>
> Please remember: If you leave it like this, you need to repeat these lines after every renewal of your certificate. Be aware of the folders -> domain.eu: your domain and OM_Folder: your OM installation folder.
>
> Greetz
>
> Stefan
>
> On 04.07.2019 18:00, Xavier M wrote:
>
> Then let's go with Proxy through Apache.
>
> I'm not running as root, but my account has the whole rights, so that I thought I could do exactly the same things. "sudo" is my friend... even sudo chmod.
>
> The server works with Ubuntu - my account was created at the installation. When I refer to a "LAMP-server", I executed the command
>
> sudo apt install apache2 php libapache2-mod-php mariadb-server php-mysql
>
> ... among others, prior to installing OM.
>
> Xavier
>
> ------------------------------
> From: Aaron Hepp <aaron.h...@gmail.com>
> Sent: Thursday 4 July 2019 17:53
> To: user@openmeetings.apache.org
> Subject: Re: Log-in and security
>
> Proxy through Apache would be the easier solution for upgrading
>
> when you say Admin of the server, are you running as root or is it that you can log into it? As well, what "type" of server is it (RHEL, CentOS, Ubuntu, etc.)
>
> On 7/4/19 11:48 AM, Xavier M wrote:
>
> Thank you Aaron.
>
> Even if I have admin rights, I can access only /etc/letsencrypt/. The permission is denied when I want to open the subdirectory "live".
>
> How do both solutions work? I know neither how to "Proxy through Apache", nor how to "configure my OM instance to be able to read where the keys are". Sorry for all that...
>
> Xavier
>
> ------------------------------
> From: Aaron Hepp <aaron.h...@gmail.com>
> Sent: Thursday 4 July 2019 17:40
> To: user@openmeetings.apache.org
> Subject: Re: Log-in and security
>
> That is your issue. Apache has the cert installed via Let's Encrypt. Tomcat, which is running on 5443, needs to have the configuration set to know where the cert is located, as well as the keystore created.
>
> You can do two things. Proxy through Apache, or configure your OM instance to be able to read where the keys are.
>
> Let's Encrypt places the cert at:
> /etc/letsencrypt/live/<domain>
>
> On 7/4/19 11:34 AM, Xavier M wrote:
>
> Hem... No... Do you mean I have to copy and paste the certificate in each folder? Actually, I even don't know where the certificate is to be found on the server... But I guess I'll find it somewhere if needed.
>
> Xavier
>
> ------------------------------
> From: Stefan Kühl <ste...@quatrekuehl.eu>
> Sent: Thursday 4 July 2019 17:06
> To: user@openmeetings.apache.org
> Cc: R. Scholz
> Subject: Re: Log-in and security
>
> Hi @all,
>
> port should be irrelevant. I'm using Apache on Ubuntu with port 5443 too. https works as expected.
> Did you export the certificate keys (like keystore and trustscore) to your %OM%/conf folder?
>
> Greetz
>
> Stefan
>
> On 04.07.2019 16:57, R. Scholz wrote:
>
> Hello Xavier,
>
> Hm, are you using Tomcat or Apache on Port 80?
>
> Best regards,
>
> René
>
> On 04.07.2019 at 16:24, Xavier M wrote:
>
> Thank you for answering... I'm sorry, but I don't know enough about certificates to give you a relevant answer. I think that:
> * The common name is "rusa.fr"
> * There is no subject alternative name (even www.rusa.fr)
> * It is not a wildcard
>
> ... But I'm not 100% sure, it is the first time I administrate a server, I'm discovering many things at the same time!
>
> Xavier
>
> ------------------------------
> From: Clayton, Robin <robin.clay...@cumberland.co.uk>
> Sent: Thursday 4 July 2019 15:43
> To: user@openmeetings.apache.org
> Subject: RE: Log-in and security
>
> What is the CN of the certificate, are there any SAN entries on the certificate? Or is it a wildcard?
>
> The TCP port should be irrelevant.
>
> Rob
>
> From: Stefan Kühl [mailto:ste...@quatrekuehl.eu]
> Sent: 04 July 2019 14:16
> To: user@openmeetings.apache.org
> Cc: Xavier M
> Subject: Re: Log-in and security
>
> Hi,
>
> are you sure that you requested your certificate also for domain.eu, or only for www.domain.eu? You should check this. Sometimes webhosters only use the www addresses for certificates.
>
> Greetz
>
> Stefan
>
> On 04.07.2019 14:18, Xavier M wrote:
>
> Hi everybody,
>
> I'm quite sure that the answer is already somewhere, but I couldn't find it...
>
> After having installed OM on a web server, the "written" way to access the log-in is the following, according to Alvaro's tutorial:
>
> https://localhost:5443/openmeetings
>
> If OM is installed on a web server, let's say "domain.eu", it works correctly with:
>
> https://domain.eu:5443/openmeetings
>
> But the user will get a warning for security reasons, even if domain.eu works with https, since the common certificates will not work with this port.
>
> I stated that the following URL worked for the "demo version":
>
> https://om.alteametasoft.com/openmeetings
>
> Does anyone know how this was done? I would like to avoid the use of port 5443 with the warning.
>
> Have a good day!
>
> Xavier
>
> --
> WBR
> Maxim aka solomax
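The SSL_ERROR_RX_RECORD_TOO_LONG that appears after `Listen 5443` was added to ports.conf has a mechanical explanation the thread does not spell out: Firefox sends a TLS ClientHello, Apache (now bound to 5443 with no `SSLEngine on` VirtualHost) answers in plaintext with `HTTP/1.1 400 Bad Request`, and the first five bytes of that reply, read as a TLS record header, give content type 0x48 ('H'), version 0x5454 ('TT') and a length field of 0x502F ('P/') = 20527, above the 2^14 + 2048 byte ceiling TLS allows for a record. The probe below is an added example, not code from the thread, from OpenMeetings or from Apache: it sends a hand-built ClientHello to a host and port and classifies what comes back. The plaintext server inside it is a constructed stand-in for the misconfigured Apache port, and `domain.eu`, `127.0.0.1` and the port numbers are assumed sample values.

```python
"""Probe a host:port to see whether it answers a TLS ClientHello with TLS.

Added example: Firefox's SSL_ERROR_RX_RECORD_TOO_LONG means "the bytes after
my ClientHello were not a TLS record".  An Apache port with 'Listen 5443' but
no 'SSLEngine on' vhost replies 'HTTP/1.1 400 Bad Request'; as a 5-byte record
header that is type 0x48, version 0x5454, length 0x502F = 20527 > 18432.
"""
import os
import socket
import struct
import threading

TLS_MAX_RECORD = (1 << 14) + 2048     # RFC 5246 / RFC 8446 ceiling for TLSCiphertext.length
TLS_HANDSHAKE, TLS_ALERT = 0x16, 0x15  # record content types


def build_client_hello(server_name: str) -> bytes:
    """Hand-built minimal TLS 1.2 ClientHello record carrying an SNI extension."""
    name = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name            # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = b"\x00\x00" + struct.pack("!H", len(sni_list)) + sni_list   # extension 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                      # client_version: TLS 1.2
        + os.urandom(32)                 # client random
        + b"\x00"                        # empty session id
        + b"\x00\x04\xc0\x2f\x00\x2f"    # 2 suites: ECDHE-RSA-AES128-GCM-SHA256, AES128-SHA
        + b"\x01\x00"                    # compression methods: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body         # client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify_response(first_bytes: bytes) -> dict:
    """Explain the first bytes received after the ClientHello."""
    if not first_bytes:
        return {"kind": "closed", "detail": "peer closed the connection without sending anything"}
    if len(first_bytes) >= 5:
        content_type, version, length = struct.unpack("!BHH", first_bytes[:5])
        if content_type in (TLS_HANDSHAKE, TLS_ALERT) and version >> 8 == 3 and length <= TLS_MAX_RECORD:
            kind = "tls" if content_type == TLS_HANDSHAKE else "tls-alert"
            return {"kind": kind,
                    "detail": f"TLS record type 0x{content_type:02x}, version 0x{version:04x}, length {length}"}
        if first_bytes.startswith(b"HTTP/"):
            return {"kind": "plaintext-http",
                    "detail": (f"plaintext HTTP answer to a ClientHello; as a record header its length "
                               f"field reads {length} > {TLS_MAX_RECORD} (Firefox: SSL_ERROR_RX_RECORD_TOO_LONG)")}
    return {"kind": "not-tls", "detail": "unrecognised bytes " + first_bytes[:16].hex()}


def probe(host: str, port: int, server_name: str = "", timeout: float = 5.0) -> dict:
    """Connect, send the ClientHello and classify the reply (or the lack of one)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello(server_name or host))
            try:
                data = sock.recv(512)
            except socket.timeout:
                return {"kind": "silent", "detail": f"no reply within {timeout}s"}
    except ConnectionRefusedError:
        return {"kind": "refused", "detail": "nothing is listening on that port"}
    except OSError as exc:
        return {"kind": "error", "detail": str(exc)}
    return classify_response(data)


def start_fake_plaintext_server() -> int:
    """Constructed stand-in for an Apache port that has 'Listen' but no SSL vhost:
    serves one connection with a plaintext 400 and returns the port it picked."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_one() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.recv(1024)  # the ClientHello, garbage to an HTTP request parser
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
        srv.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return port


if __name__ == "__main__":
    fake_port = start_fake_plaintext_server()
    print("fake Apache port:", probe("127.0.0.1", fake_port, server_name="domain.eu"))
    # Against a real deployment: probe("domain.eu", 5443, server_name="domain.eu")
```

A "tls" or "tls-alert" result means the port speaks TLS (an alert usually just means the minimal hello offered nothing the server liked); "plaintext-http" is the thread's symptom and points at a `Listen` line with no matching `SSLEngine on` VirtualHost; "refused" or "silent" after a reboot points at the service not having been started, which is the autostart problem Maxim raised.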
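Maxim's objection to the two `Listen` lines, that Apache grabs 5443 and 8888 before OM and Kurento can bind them, and Xavier's browser error, which comes from a listened port that has no TLS VirtualHost, are both visible in the configuration before Apache is restarted. The following check is an added example, not a tool from the thread, from Apache or from OpenMeetings: it reads Apache configuration text, lists the `Listen` ports, and reports any port that collides with a backend or that lacks a `<VirtualHost>` with `SSLEngine on`. The port-to-service mapping (5443 for OpenMeetings/Tomcat, 8888 for Kurento) comes from the thread; the sample `ports.conf` and vhost text are constructed to mirror Xavier's situation, and treating only port 80 as legitimately plaintext is an assumption made here.

```python
"""Static check of Apache Listen directives before restarting Apache (added example).

Findings it produces, both taken from the thread:
  * a 'Listen' on a port a backend needs (5443 Tomcat/OpenMeetings, 8888 Kurento):
    Apache binds it first and the backend cannot start;
  * a 'Listen' on a port with no 'SSLEngine on' VirtualHost: Apache answers in
    plaintext and https://host:port yields SSL_ERROR_RX_RECORD_TOO_LONG.
"""
import re
from typing import Dict, FrozenSet, List, Set

# Backend ports named in the thread; the labels are ours.
BACKEND_PORTS: Dict[int, str] = {5443: "OpenMeetings (Tomcat https)", 8888: "Kurento media server"}

# Matches 'Listen 443', 'Listen 1.2.3.4:443', 'Listen [::]:443 https'
LISTEN_RE = re.compile(
    r"^[ \t]*Listen[ \t]+(?:\[?[^\s\]]+\]?:)?(\d+)(?:[ \t]+(\S+))?",
    re.IGNORECASE | re.MULTILINE,
)
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.IGNORECASE | re.DOTALL)
SSL_ON_RE = re.compile(r"^[ \t]*SSLEngine[ \t]+on\b", re.IGNORECASE | re.MULTILINE)


def listen_ports(config: str) -> Dict[int, bool]:
    """Map each listened port to whether some Listen line tagged it 'https'."""
    ports: Dict[int, bool] = {}
    for m in LISTEN_RE.finditer(config):
        port = int(m.group(1))
        ports[port] = ports.get(port, False) or (m.group(2) or "").lower() == "https"
    return ports


def ssl_vhost_ports(config: str) -> Set[int]:
    """Ports that have at least one <VirtualHost> containing 'SSLEngine on'."""
    ports: Set[int] = set()
    for m in VHOST_RE.finditer(config):
        if not SSL_ON_RE.search(m.group(2)):
            continue
        for addr in m.group(1).split():          # '*:443', '_default_:443', '[::1]:443'
            port = addr.rsplit(":", 1)[-1]
            if port.isdigit():
                ports.add(int(port))
    return ports


def lint(config: str, backend_ports: Dict[int, str] = BACKEND_PORTS,
         plain_ok: FrozenSet[int] = frozenset({80})) -> List[str]:
    """One finding per problematic listened port, in port order; [] when clean."""
    findings: List[str] = []
    tls_ports = ssl_vhost_ports(config)
    for port, https_hint in sorted(listen_ports(config).items()):
        if port in backend_ports:
            findings.append(f"port {port}: Apache would bind it first; {backend_ports[port]} cannot start")
        elif port not in tls_ports and (https_hint or port not in plain_ok):
            findings.append(f"port {port}: no VirtualHost with 'SSLEngine on'; https://host:{port} gets a "
                            f"plaintext answer (SSL_ERROR_RX_RECORD_TOO_LONG)")
    return findings


# Constructed sample: a stock ports.conf plus the two Listen lines added in the thread.
SAMPLE_PORTS_CONF = """\
Listen 80

<IfModule ssl_module>
    Listen 443
</IfModule>

Listen 5443
Listen 8888
"""

# Constructed sample vhosts; the certificate paths follow the Let's Encrypt layout in the thread.
SAMPLE_SITES = """\
<VirtualHost *:80>
    ServerName domain.eu
</VirtualHost>

<VirtualHost *:443>
    ServerName domain.eu
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/domain.eu/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.eu/privkey.pem
</VirtualHost>
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_PORTS_CONF + SAMPLE_SITES):
        print(finding)
```

Run against the concatenated contents of `ports.conf` and the enabled site files; on the sample it reports exactly the two added ports, and removing those two `Listen` lines (the frontend-proxy option Maxim describes keeps Apache on 443 and leaves 5443 and 8888 to the backends) brings the report down to nothing.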