Hello,

IMHO: no way to work behind a NAT without a TURN server.

Best regards,

René


On 17.10.2019 at 13:05, Yah's Global Kingdom wrote:
Thanks René, I got it to work; I appreciate your taking the time to help me. That brings up another question. Does your camera work from behind a NAT without a STUN or TURN server?

On Thu, Oct 17, 2019 at 2:16 AM René Scholz <rene.sch...@abakus-edv-systems.de> wrote:

    Hello,

    hm, that looks complicated. In my configuration it was not
    necessary to define a protocol like you have done.
    The error message shows that the chosen protocol requires a
    library. It's possible that this is the error, but I don't know
    if your certificate matches this protocol.

    I am afraid that without deeper knowledge of your certificates and
    (maybe very complicated and highly secured)
    network configuration I have no further idea what goes wrong.

    I have only rudimentary knowledge about certificates - in my
    configuration "behind a NAT" the https-certificate
    was the lesser evil.

    Best regards,

    René





    On 16.10.2019 at 15:25, Yah's Global Kingdom wrote:
    René, I apologize and thanks for your help!  I did use the lines
    you sent me and changed the necessary information.
    The private key is using Http11NioProtocol, the format you
    provided goes into the Http11AprProtocol section.

    I got this error:

    16-Oct-2019 05:58:47.266 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[org.apache.coyote.http11.Http11AprProtocol-5443]]
    org.apache.catalina.LifecycleException: The configured protocol [org.apache.coyote.http11.Http11AprProtocol] requires the APR/native library which is not available

    When I use the Http11NioProtocol I get this error. My keystore
    only has one key in it, the private key.

    16-Oct-2019 06:05:35.065 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-5080"]
    16-Oct-2019 06:05:35.107 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-5443"]
    16-Oct-2019 06:05:35.352 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-5443]]
    org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:983)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1059)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:621)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:344)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
    Caused by: java.lang.IllegalArgumentException: Cannot store non-PrivateKeys
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:218)
        at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1124)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1137)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:574)
        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
        ... 13 more
    Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys
        at java.base/sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:262)
        at java.base/sun.security.util.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:111)
        at java.base/java.security.KeyStore.setKeyEntry(KeyStore.java:1174)
        at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:324)
        at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
        ... 20 more
    Here is the relevant part of my server.xml, which includes the
    original configuration plus the two configurations I have tried
    (commented out) to get this to work. <fqdn> is my
    servername.domainname.org. Perhaps you can look and see what I
    have done wrong.
    <?xml version="1.0" encoding="UTF-8"?>
    <!--
      Licensed to the Apache Software Foundation (ASF) under one or more
      contributor license agreements.  See the NOTICE file distributed with
      this work for additional information regarding copyright ownership.
      The ASF licenses this file to You under the Apache License, Version 2.0
      (the "License"); you may not use this file except in compliance with
      the License.  You may obtain a copy of the License at

          http://www.apache.org/licenses/LICENSE-2.0

      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      See the License for the specific language governing permissions and
      limitations under the License.
    -->
    <!-- Note:  A "Server" is not itself a "Container", so you may not
         define subcomponents such as "Valves" at this level.
         Documentation at /docs/config/server.html
     -->
    <Server port="8005" shutdown="SHUTDOWN">
      <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
      <!-- Security listener. Documentation at /docs/config/listeners.html
      <Listener className="org.apache.catalina.security.SecurityListener" />
      -->
      <!--APR library loader. Documentation at /docs/apr.html -->
      <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
      <!-- Prevent memory leaks due to use of particular java/javax APIs-->
      <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
      <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
      <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

      <!-- A "Service" is a collection of one or more "Connectors" that share
           a single "Container" Note:  A "Service" is not itself a "Container",
           so you may not define subcomponents such as "Valves" at this level.
           Documentation at /docs/config/service.html
       -->
      <Service name="Catalina">

        <!--The connectors can use a shared executor, you can define one or more named thread pools-->
        <!--
        <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
            maxThreads="150" minSpareThreads="4"/>
        -->


        <!-- A "Connector" represents an endpoint by which requests are received
             and responses are returned. Documentation at :
             Java HTTP Connector: /docs/config/http.html
             Java AJP  Connector: /docs/config/ajp.html
             APR (HTTP/AJP) Connector: /docs/apr.html
             Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
        -->
        <Connector port="5080" protocol="HTTP/1.1"
                   connectionTimeout="20000"
                   redirectPort="5443" />
        <Connector port="5443" protocol="org.apache.coyote.http11.Http11NioProtocol"
                   maxThreads="150" SSLEnabled="true"
                   keystoreFile="conf/keystore" keystorePass="openmeetings"
                   clientAuth="false" sslProtocol="TLS"/>

        <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
             This connector uses the APR/native implementation which always uses
             OpenSSL for TLS.
             Either JSSE or OpenSSL style configuration may be used. OpenSSL style
             configuration is used below.
        -->
        -->
        <!--Connector port="5443" protocol="org.apache.coyote.http11.Http11NioProtocol"
                   SSLCertificateFile="/etc/letsencrypt/live/<fqdn>/cert.pem"
                   maxThreads="150" SSLEnabled="true" scheme="https"
                   secure="true" URIEncoding="UTF-8"
                   keystoreFile="/etc/letsencrypt/live/<fqdn>/privkey.pem"
                   clientAuth="false" sslProtocol="TLS" /-->
        <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
             This connector uses the APR/native implementation which always uses
             OpenSSL for TLS.
             Either JSSE or OpenSSL style configuration may be used. OpenSSL style
             configuration is used below.
        -->

        <!--Connector port="5443" protocol="org.apache.coyote.http11.Http11AprProtocol"
                   maxThreads="150" SSLEnabled="true">

            <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
            <SSLHostConfig>
                <Certificate certificateKeyFile="/etc/letsencrypt/live/<fqdn>/cert.pem"
                             certificateFile="/etc/letsencrypt/live/<fqdn>/privkey.pem"
                             certificateChainFile="/etc/letsencrypt/live/<fqdn>/fullchain.pem"
                             type="RSA" />
            </SSLHostConfig>
        </Connector>
        -->
    On Wed, Oct 16, 2019 at 1:50 AM René Scholz
    <rene.sch...@abakus-edv-systems.de> wrote:

        Hello,

        why don't you try out the config part I sent you?
        Make a backup of your server.xml, edit the part for your
        connector port, restart your OM, pray a little bit and open
        your browser with https and your port.

        What's the result?

        When you mean that something goes wrong, replace it with your
        backed-up server.xml.

        Best regards,

        René

        On 15.10.2019 at 22:30, Yah's Global Kingdom wrote:
        You're saying I don't have to use a keystore with these certs?

        On Mon, Oct 14, 2019 at 4:06 AM Maxim Solodovnik
        <solomax...@gmail.com> wrote:

            With this config import is redundant
            you can use your keys as-is :)

            On Sun, 13 Oct 2019 at 21:11, Yah's Global Kingdom
            <yahs...@gmail.com> wrote:

                Thanks for the information, if I might ask which of
                these keys did you import into your keystore for
                openmeetings?

                On Sat, Oct 12, 2019 at 1:36 PM R. Scholz
                <rene.sch...@abakus-edv-systems.de> wrote:

                    Hello,

                    this is the part in my server.xml in the
                    conf-dir of my openmeeting I use without problems:

                    <Connector port="5443" SSLEnabled="true">
                      <SSLHostConfig>
                        <Certificate certificateFile="/etc/letsencrypt/live/subdomain.domain.de/cert.pem"
                                     certificateKeyFile="/etc/letsencrypt/live/subdomain.domain.de/privkey.pem"
                                     certificateChainFile="/etc/letsencrypt/live/subdomain.domain.de/fullchain.pem" />
                      </SSLHostConfig>
                    </Connector>

                    With best regards,

                    René



                    On 12.10.2019 at 17:35, Yah's Global Kingdom wrote:
                    Ok, understood for the VOIP implementation.
                    Hopefully there will be time for it in the near
                    future, as it was a feature that was really
                    appreciated and used.
                    On a different note, I am using LetsEncrypt
                    for SSL certificates.  The wiki at
                    https://openmeetings.apache.org/HTTPS.html does
                    not seem to apply, as you cannot submit a .csr
                    file to LetsEncrypt and it only works on port
                    443. I have changed /conf/server.conf to 443
                    but the server still refuses to connect.  Are
                    there any instructions for how to make OM
                    5.0.0.M2 or M3 work with LetsEncrypt and
                    Certbot?  Thanks for all your help Maxim.

                    On Thu, Oct 10, 2019 at 12:45 PM Maxim
                    Solodovnik <solomax...@gmail.com> wrote:

                        Yes, sure
                        unfortunately my time is very limited
                        not sure I can provide any estimates

                        On Thu, 10 Oct 2019 at 09:16, Yah's Global
                        Kingdom <yahs...@gmail.com> wrote:

                            Is there a plan to implement VOIP for
                            this version of Openmeetings?



                        -- WBR
                        Maxim aka solomax




            -- WBR
            Maxim aka solomax




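As an added pre-flight check (my own code, not from this thread or the OpenMeetings project): parse the SSL connectors of a server.xml and verify that each certificate attribute points at a PEM file of the right block type, which catches both the swapped cert.pem/privkey.pem attributes and the privkey.pem given as keystoreFile in the configuration above. The rule that a certificateFile without certificateKeyFile makes Tomcat look for the key inside the certificate file is my reading of the SSLUtilBase.getKeyManagers frame in the trace, not something the thread confirms; the paths and PEM contents below are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
# One PEM block; group 1 is its label, e.g. "CERTIFICATE" or "EC PRIVATE KEY".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)
# <Certificate> attribute -> PEM label (suffix) it must point at. Tomcat maps the
# deprecated connector-level SSLCertificate* attributes onto these same names.
EXPECTED = {"certificateFile": "CERTIFICATE", "certificateChainFile": "CERTIFICATE",
            "certificateKeyFile": "PRIVATE KEY"}
LEGACY = {"SSLCertificateFile": "certificateFile", "SSLCertificateKeyFile": "certificateKeyFile",
          "SSLCertificateChainFile": "certificateChainFile"}

def pem_labels(text):  # ordered list of PEM block labels found in a file's text
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def check_connector(conn, read_file):
    """Problems for one SSLEnabled <Connector>; read_file(path) returns the file's text."""
    attrs = {LEGACY.get(k, k): v for k, v in conn.attrib.items()}
    for cert in conn.iter("Certificate"):  # nested <SSLHostConfig><Certificate .../>
        attrs.update(cert.attrib)
    problems = []
    for attr, want in EXPECTED.items():
        if attr in attrs:
            labels = pem_labels(read_file(attrs[attr]))
            if not labels or not all(lab.endswith(want) for lab in labels):
                problems.append(f"{attr}: found {labels or 'no PEM block'}, expected {want}")
    if "certificateFile" in attrs and "certificateKeyFile" not in attrs:  # assumed from the trace
        problems.append("certificateKeyFile missing: Tomcat will look for the key in certificateFile")
    ks = attrs.get("keystoreFile")
    if ks and any(lab.endswith("PRIVATE KEY") for lab in pem_labels(read_file(ks))):
        problems.append("keystoreFile is a PEM private key, not a keystore: use certificateKeyFile")
    leaf, chain = attrs.get("certificateFile"), attrs.get("certificateChainFile")
    if leaf and chain and not read_file(chain).startswith(read_file(leaf).strip()):
        problems.append("certificateChainFile does not start with certificateFile")
    return problems

def check_server_xml(xml_text, read_file):
    """{port: problems} for every SSLEnabled connector in a server.xml."""
    return {c.get("port"): check_connector(c, read_file)
            for c in ET.fromstring(xml_text).iter("Connector") if c.get("SSLEnabled") == "true"}

# Constructed sample: port 5443 mirrors the failing Nio connector from the thread, 5444 is correct.
SAMPLE_XML = """<Server><Service>
  <Connector port="5443" SSLEnabled="true" keystoreFile="/le/privkey.pem"
             SSLCertificateFile="/le/cert.pem"/>
  <Connector port="5444" SSLEnabled="true"><SSLHostConfig><Certificate certificateFile="/le/cert.pem"
      certificateKeyFile="/le/privkey.pem" certificateChainFile="/le/fullchain.pem"/></SSLHostConfig></Connector>
</Service></Server>"""
CERT = "-----BEGIN CERTIFICATE-----\nMIIB..placeholder..\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN PRIVATE KEY-----\nMIIE..placeholder..\n-----END PRIVATE KEY-----\n"
FILES = {"/le/cert.pem": CERT, "/le/privkey.pem": KEY, "/le/fullchain.pem": CERT + CERT}
def read_sample(path): return FILES.get(path, "")  # stand-in for open(path).read()
```

For a real server.xml, pass `lambda p: open(p, errors="replace").read()` as read_file; binary JKS/PKCS12 keystores then yield no PEM labels and are left alone.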