Hey Xavier, 

that's fine. Normally the keystore.jks file should have the same data as
the keystore file, but that is old stuff I think and no longer
necessary.
Now let us go to the server.xml file in the conf directory. Just type
"sudo cat OM_Folder/conf/server.xml" and have a look at the SSL part. It
should start with "<Connector port="5443"...". There you will find the
keystore password in use and the path of the keystore file. 

If the configuration is the same as we did it days before with the
commands I suggested, there must be "keystorePass="password"".
Otherwise check for typos etc.
We should check this before reinstalling the old files (I can provide them
if necessary). 

And yes, this is a folder listing with -a (all, even hidden directories
and files) and -l (long). 

Greetz 

Stefan 

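The check Stefan describes above (find the port 5443 Connector in conf/server.xml, read keystorePass and the keystore path, and compare them with the keystore that the openssl/keytool commands produced) as a small Python script. This is an added example, not code from the thread or from the OpenMeetings project; it assumes Tomcat's legacy Connector attributes keystoreFile/keystorePass/keystoreType, or the newer SSLHostConfig/Certificate form, an install folder given on the command line (defaulting to the /opt/open500 used in the thread), and keytool on PATH for the optional password check (otherwise that check is skipped and reported as None). It goes a little beyond the thread: it sniffs whether the file on disk is JKS or PKCS12, since keytool reads the two with different -storetype values, and it flags a keystore that every local user can read, which is what the 644 mode in the ls -al output below means.

```python
import os
import shutil
import stat
import subprocess
import xml.etree.ElementTree as ET

JKS_MAGIC = b"\xfe\xed\xfe\xed"  # every JKS file starts with these four bytes


def find_connector(server_xml, port="5443"):
    """Return the <Connector> element listening on `port`, or None if absent."""
    root = ET.parse(server_xml).getroot()
    for conn in root.iter("Connector"):
        if conn.get("port") == port:
            return conn
    return None


def keystore_settings(connector):
    """Read keystore file, password and declared type from a Connector.

    Legacy attributes (keystoreFile/keystorePass/keystoreType) are read first;
    a nested SSLHostConfig/Certificate element, as newer Tomcat versions use,
    overrides them when present.
    """
    settings = {
        "file": connector.get("keystoreFile"),
        "password": connector.get("keystorePass"),
        "type": connector.get("keystoreType"),
    }
    cert = connector.find("./SSLHostConfig/Certificate")
    if cert is not None:
        settings["file"] = cert.get("certificateKeystoreFile", settings["file"])
        settings["password"] = cert.get("certificateKeystorePassword", settings["password"])
        settings["type"] = cert.get("certificateKeystoreType", settings["type"])
    return settings


def detect_store_format(path):
    """Sniff the on-disk format: JKS (magic 0xFEEDFEED) or DER-encoded PKCS12 (0x30)."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head == JKS_MAGIC:
        return "JKS"
    if head[:1] == b"\x30":
        return "PKCS12"
    return "unknown"


def permission_findings(path):
    """Flag a keystore that any local user can read or write; it holds the private key."""
    mode = os.stat(path).st_mode
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def check_keystore(om_folder, port="5443"):
    """Compare the HTTPS Connector in <om_folder>/conf/server.xml with the keystore on disk."""
    server_xml = os.path.join(om_folder, "conf", "server.xml")
    conn = find_connector(server_xml, port)
    if conn is None:
        return {"error": f"no Connector on port {port} in {server_xml}"}
    s = keystore_settings(conn)
    if not s["file"]:
        return {"error": "Connector has no keystore file configured", "settings": s}
    # Tomcat resolves a relative keystoreFile against the install folder (catalina.base)
    path = s["file"] if os.path.isabs(s["file"]) else os.path.join(om_folder, s["file"])
    if not os.path.exists(path):
        return {"error": f"keystore {path} does not exist", "settings": s}
    fmt = detect_store_format(path)
    findings = permission_findings(path)
    if s["type"] and fmt != "unknown" and s["type"].upper() != fmt:
        findings.append(f"declared keystoreType {s['type']} but file looks like {fmt}")
    result = {
        "path": path,
        "password_set": s["password"] is not None,
        "declared_type": s["type"],
        "on_disk_format": fmt,
        "findings": findings,
        "password_ok": None,  # None = not verified (no keytool on PATH or no password)
    }
    if s["password"] is not None and shutil.which("keytool"):
        # keytool -list exits non-zero when the store password is wrong
        proc = subprocess.run(
            ["keytool", "-list", "-keystore", path, "-storepass", s["password"],
             "-storetype", s["type"] or fmt],
            capture_output=True, text=True,
        )
        result["password_ok"] = proc.returncode == 0
    return result


if __name__ == "__main__":
    import json
    import sys

    # /opt/open500 is the install folder used in the thread
    print(json.dumps(check_keystore(sys.argv[1] if len(sys.argv) > 1 else "/opt/open500"), indent=2))
```

Run it as `sudo python3 check_keystore.py /opt/open500`; a "password_ok": false together with a keystore that exists tells you the keystorePass in server.xml and the -deststorepass used with keytool differ, which is exactly the "keystore password was incorrect" case in the Catalina log further down.
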
On 07.07.2019 10:58, Xavier M wrote:

> Hi Stefan, 
> 
> No matter, we all have another life (or even some other lives?)... That's 
> the advantage of e-mails: we can reply later! 
> 
> First of all: you're right about the usergroup, I didn't pay attention and 
> answered the sender only when I was using Thunderbird (it is not the case 
> when I'm using the webmail). 
> 
> Then, 2 points: 
> 
> 1/ Can you please tell me which is the keystore from the original file from 
> the install source - that is, in which folder I should find it? I guess I 
> modified the keystore files with the -import option of the command lines? 
> 
> 1bis/ There is no problem if I have to uninstall / install OpenMeetings again 
> to have it again. Is there any way to uninstall it properly, or do I have to 
> delete the /opt/open500/ folder from a shell? 
> 
> 2/ Here is the result you asked for (is it a list of files in the folder, with 
> the access rights, owner and owner group, and the date of last 
> modification?): 
> 
> xavier@sd-118950:/opt/open500/conf$ ls -al
> total 264
> drwxr-xr-x 3 nobody nogroup   4096 juil.  5 14:45 .
> drwxr-xr-x 9 nobody nogroup   4096 juil.  3 10:27 ..
> drwxr-x--- 3 root   root      4096 juil.  3 10:34 Catalina
> -rw-r--r-- 1 nobody nogroup  12873 mars  13 22:58 catalina.policy
> -rw-r--r-- 1 nobody nogroup   7243 mars  13 22:58 catalina.properties
> -rw-r--r-- 1 nobody nogroup   1400 mars  13 22:58 context.xml
> -rw-r--r-- 1 nobody nogroup   1149 mars  13 22:58 jaspic-providers.xml
> -rw-r--r-- 1 nobody nogroup   2313 mars  13 22:58 jaspic-providers.xsd
> -rw-r--r-- 1 root   root      5651 juil.  5 14:45 keystore
> -rw-r--r-- 1 root   root      5651 juil.  4 21:43 keystore.jks
> -rw-r--r-- 1 nobody nogroup   4144 mars  13 22:58 logging.properties
> -rw------- 1 root   root      4222 juil.  4 21:42 red5.p12
> -rw-r--r-- 1 nobody nogroup   6433 mars  28 21:01 server.xml
> -rw-r--r-- 1 root   root      5651 juil.  5 14:45 trustscore.jks
> -rw-r--r-- 1 nobody nogroup 170202 mars  13 22:58 web.xml
> xavier@sd-118950:/opt/open500/conf$ 
> 
> See you soon, 
> 
> Xavier 
> 
> On 06/07/2019 at 22:36, Stefan Kühl wrote: 
> 
> Hi Xavier, 
> 
> sorry for being late, I'm a bit busy these days  ;-)
> 
> First: we should keep the usergroup in the loop, that's why I'm putting 
> user@openmeetings.apache.org in place. ;-) 
> 
> Second: I totally agree with Maxim. Setting the ports in listening state for 
> Apache keeps them busy and unusable for OpenMeetings. Of course the 
> address is reachable then, but only via the Apache webserver. The error 
> message means that you want to deliver secure content via an insecure Apache 
> port. 
> 
> Can you please post the result of ls -al of the OM-Folder/conf? It's weird 
> that you get a password error message for the keystore, because we set it to 
> "password" at the import, I think. Any typos in the command lines? 
> 
> To cancel these lines, just copy the keystore from the original file from the 
> install source into the OM-Folder/conf. 
> 
> Greetz 
> 
> Stefan 
> 
> On 06.07.2019 21:21, Xavier M wrote: 
> 
> Hi Stefan, 
> 
> I wonder if there is a way to cancel what I did with these command lines? 
> Indeed, I cannot connect to OpenMeetings anymore... and I want to check 
> where it comes from. In the Catalina log, I can read things like: 
> 
> * Caused by: java.lang.IllegalArgumentException: keystore password was 
> incorrect 
> 
> * Caused by: java.io.IOException: keystore password was incorrect 
> 
> ... so I suppose that something went wrong. 
> 
> Thanks in advance, have a good week-end! 
> 
> Xavier 
> 
> On 04/07/2019 at 22:05, Stefan Kühl wrote: 
> 
> OK, please restart the server and it should work.
> If you use open500 as folder, open500/conf is correct. 
> 
> Just restart it. 
> 
> Greetz 
> 
> Stefan 
> 
> PS: if you want to access "permission denied" folders you need to switch 
> to root; sudo won't work in this case. But be careful, keep in mind that you 
> change the ownership if you change files as root.
> 
> Good evening 
> 
> On 04.07.2019 21:57, Xavier M wrote: 
> 
> Thank you! 
> 
> Each command line worked... But it did not change anything when I want to log 
> in. Maybe I should restart "a service"? 
> 
> NB: as OM_Folder, I wrote "open500", where I found a "conf" subdirectory 
> with a "keystore" file. But I have an "openmeetings" subdirectory too... 
> which I cannot access (Permission denied). 
> 
> Greetings, 
> 
> Xavier 
> 
> On 04/07/2019 at 21:35, Stefan Kühl wrote: 
> 
> Yes, I'm sorry. I did this so many times and forgot an important point. First: 
> the password is: password  
> 
> ;-)
> 
> Let's go through the lines: 
> 
> "sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem 
> -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out 
> /opt/OM_Folder/conf/red5.p12 -name red5 -certfile 
> /etc/letsencrypt/live/domain.eu/chain.pem" 
> 
> Here you use the openssl library to export the key from the letsencrypt 
> certificate into the red5.p12 file and store it in your OM folder (red5 is 
> just a name - you could also use any other name) 
> 
> "sudo keytool -importkeystore -srcstorepass password -srckeystore 
> /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password 
> -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5 
> 
> sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks 
> -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem" 
> 
> By using keytool you import the certificate key by setting the password 
> (-srcstorepass password -> -deststorepass password) into the file keystore.jks 
> and confirming the trust by the chain.pem 
> 
> "sudo cp -f /opt/OM_Folder/conf/keystore.jks 
> /opt/OM_Folder/conf/trustscore.jks"
> 
> Now creating the trustscore.jks by copying the keystore.jks 
> 
> At last, and only if you have OM 5.* installed: 
> 
> "sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore"
> This is necessary because OM5 looks only for keystore and not for 
> keystore.jks. You can do "mv keystore.jks keystore" also. Otherwise you could 
> update the config file to look for keystore.jks" 
> 
> So if you will be asked for 
> 
> Enter Export Password:
> Verifying - Enter Export Password: 
> 
> and again 
> 
> Enter Import Password:
> Verifying - Enter Import Password: 
> 
> you need to enter password 
> 
> Just to keep it simple, you can choose your own password, but keep in mind 
> to change it within the command too ;-) 
> 
> Greetz 
> 
> Stefan 
> 
> On 04.07.2019 21:18, Xavier M wrote: 
> 
> So... 
> 
> After having changed the folder names, I entered the first command line to 
> get: 
> 
> Enter Export Password:
> Verifying - Enter Export Password: 
> 
> I wrote down a password - I guess I defined it at this step? 
> 
> Then the second command line delivered: 
> 
> Importing keystore /opt/open500/conf/red5.p12 to 
> /opt/open500/conf/keystore.jks...
> keytool error: java.io.IOException: keystore password was incorrect 
> 
> Any idea of what happens and what I should do? I did not try the third 
> command line. 
> 
> By the way, can you explain to me in a few words what I'm doing with these 
> command lines? 
> 
> Have a good evening, 
> 
> Xavier 
> 
> On 04/07/2019 at 19:15, Stefan Kühl wrote: 
> 
> Maybe to make a quick check (every command in one line): 
> 
> sudo openssl pkcs12 -export -in /etc/letsencrypt/live/domain.eu/cert.pem 
> -inkey /etc/letsencrypt/live/domain.eu/privkey.pem -out 
> /opt/OM_Folder/conf/red5.p12 -name red5 -certfile 
> /etc/letsencrypt/live/domain.eu/chain.pem 
> 
> sudo keytool -importkeystore -srcstorepass password -srckeystore 
> /opt/OM_Folder/conf/red5.p12 -srcstoretype PKCS12 -deststorepass password 
> -destkeystore /opt/OM_Folder/conf/keystore.jks -alias red5 
> 
> sudo keytool -import -alias root -keystore /opt/OM_Folder/conf/keystore.jks 
> -trustcacerts -file /etc/letsencrypt/live/domain.eu/chain.pem 
> 
> sudo cp -f /opt/OM_Folder/conf/keystore.jks 
> /opt/OM_Folder/conf/trustscore.jks 
> 
> sudo cp -f /opt/OM_Folder/conf/keystore.jks /opt/OM_Folder/conf/keystore (<- 
> only if you have version 5.*)
> 
> Please remember: If you leave it like this, you need to repeat these lines 
> after every renewal of your certificate. Be aware of the folders -> domain.eu: 
> your domain, and OM_Folder: your OM installation folder. 
> 
> Greetz 
> 
> Stefan 
> 
> On 04.07.2019 18:00, Xavier M wrote: 
> Then let's go with Proxy through Apache. 
> 
> I'm not running as root, but my account has all the rights, so I 
> thought I could do exactly the same things. "sudo" is my friend... even sudo 
> chmod. 
> 
> The server runs Ubuntu - my account was created at the installation. 
> When I refer to a "LAMP-server", I executed the command 
> 
> sudo apt install apache2 php libapache2-mod-php mariadb-server php-mysql
> 
> ... among others prior to installing OM. 
> 
> Xavier 
> 
> -------------------------
> 
> FROM: Aaron Hepp <aaron.h...@gmail.com>
> SENT: Thursday 4 July 2019 17:53
> TO: user@openmeetings.apache.org
> SUBJECT: Re: Log-in and security 
> 
> Proxy through Apache would be the easier solution for upgrading
> 
> When you say admin of the server, are you running as root, or do you mean you can log 
> into it?  As well, what "type" of server is it (RHEL, CentOS, Ubuntu, etc.)?
> 
> On 7/4/19 11:48 AM, Xavier M wrote: 
> Thank you Aaron. 
> 
> Even if I have admin rights, I can only access /etc/letsencrypt/. 
> Permission is denied when I want to open the subdirectory "live". 
> 
> How do both solutions work? I know neither how to "Proxy through Apache", nor 
> how to "configure my OM instance to be able to read where the keys are". 
> Sorry for all that... 
> 
> Xavier 
> 
> -------------------------
> 
> FROM: Aaron Hepp <aaron.h...@gmail.com>
> SENT: Thursday 4 July 2019 17:40
> TO: user@openmeetings.apache.org
> SUBJECT: Re: Log-in and security 
> 
> That is your issue.  Apache has the cert installed via Let's Encrypt.  Tomcat, 
> which is running on 5443, needs to have the configuration set to know where 
> the cert is located as well as the keystore created.
> 
> You can do two things.  Proxy through Apache, or configure your OM instance 
> to be able to read where the keys are.
> 
> Let's Encrypt places the cert at:
> /etc/letsencrypt/live/<domain>
> 
> On 7/4/19 11:34 AM, Xavier M wrote: 
> Hmm... No... Do you mean I have to copy and paste the certificate in each 
> folder? Actually, I don't even know where the certificate is to be found on 
> the server... But I guess I'd find it somewhere if needed. 
> 
> Xavier 
> 
> -------------------------
> 
> FROM: Stefan Kühl <ste...@quatrekuehl.eu>
> SENT: Thursday 4 July 2019 17:06
> TO: user@openmeetings.apache.org
> CC: R. Scholz
> SUBJECT: Re: Log-in and security 
> 
> Hi @all, 
> 
> The port should be irrelevant. I'm using Apache on Ubuntu with port 5443 too. 
> https works as expected.
> Did you export the certificate keys (like keystore and trustscore) to your 
> %OM%/conf folder?
> 
> Greetz 
> 
> Stefan 
> 
> On 04.07.2019 16:57, R. Scholz wrote: Hello Xavier,
> 
> Hm, are you using Tomcat or Apache on port 80? 
> 
> Best regards,
> 
> René
> 
> On 04.07.2019 at 16:24, Xavier M wrote: 
> Thank you for answering... I'm sorry, but I don't know enough about 
> certificates to give you a relevant answer. I think that: 
> * The common name is "rusa.fr" 
> * There is no subject alternative name (even www.rusa.fr [1]) 
> * It is not a wildcard 
> 
> ... But I'm not 100% sure; it is the first time I administer a server, I'm 
> discovering many things at the same time! 
> 
> Xavier 
> 
> -------------------------
> 
> FROM: Clayton, Robin <robin.clay...@cumberland.co.uk>
> SENT: Thursday 4 July 2019 15:43
> TO: user@openmeetings.apache.org
> SUBJECT: RE: Log-in and security 
> 
> What is the CN of the certificate? Are there any SAN entries on the 
> certificate? Or is it a wildcard? 
> 
> The TCP port should be irrelevant. 
> 
> Rob 
> 
> FROM: Stefan Kühl [mailto:ste...@quatrekuehl.eu] 
> SENT: 04 July 2019 14:16
> TO: user@openmeetings.apache.org
> CC: Xavier M
> SUBJECT: Re: Log-in and security 
> 
> Hi, 
> 
> Are you sure that you requested your certificate also for domain.eu [2], or only 
> for www.domain.eu [3]? You should check this. Sometimes webhosters only use 
> the www addresses for certificates. 
> 
> Greetz 
> 
> Stefan
> 
> On 04.07.2019 14:18, Xavier M wrote: 
> 
> Hi everybody, 
> 
> I'm quite sure that the answer is already somewhere, but I couldn't find 
> it... 
> 
> After having installed OM on a web server, the "written" way to access the 
> log-in is the following, according to Alvaro's tutorial: 
> 
> https://localhost:5443/openmeetings 
> 
> If OM is installed on a web server, let's say "domain.eu [2]", it works 
> correctly with: 
> 
> https://domain.eu:5443/openmeetings 
> 
> But the user will get a warning for security reasons, even if domain.eu [2] 
> works with https, since the common certificates will not work with this port. 
> 
> I noticed that the following URL worked for the "demo version": 
> 
> https://om.alteametasoft.com/openmeetings 
> 
> Does anyone know how this was done? I would like to avoid the use of the port 
> 5443 with the warning. 
> 
> Have a good day! 
> 
> Xavier 
> 
 

Links:
------
[1] http://www.rusa.fr
[2] http://domain.eu
[3] http://www.domain.eu
[4] http://www.cumberland.co.uk/
