Posts posted by JSbtg

  1. I have it all fixed, I am elated with joy. I have http > https, AND era.xxxx.com > era.xxxx.com/era automatically. I did skip the step of:

    2. Add the following to the Tomcat conf/web.xml file above "</web-app>"

        <!-- Require HTTPS for everything. -->
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>HTTPSOnly</web-resource-name>
                <url-pattern>/*</url-pattern>
            </web-resource-collection>
            <user-data-constraint>
                <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
        </security-constraint>

    I skipped this, as I think the HTTPS forcing is handled already by the other steps I have done, and I wonder if this would block / affect the ability to automatically redirect HTTP > HTTPS?

    Should I go back and add this, or is my hunch right?

  2. SO! I have news! I did not want to give up on this yesterday, I looked at it as, I know my cert is being used, and everything looks correct. My coworker mentioned this to our boss, and my boss checked our DNS server, there was either an error in the / or a missing PTR record. He showed me that https://era.xxxx.com/era works. Now the challenge is two items: 

    1. Get a hxxp://era.xxxx.com to auto-redirect to https://era.xxxx.com

    2. Not have to append the additional "era" at the end of https://era.xxxx.com/era, and have just https://era.xxxx.com either work, or auto-redirect to https://era.xxxx.com/era

     

  3. I am an idiot, but still no great progress. This whole time I have been using the internal IP of the server, to access the ERA webconsole, at https://10.0.x.x,  obviously I will get a cert error for that, and there is no entry in the cert or the firewall, to route the internal address of that server, to the public request. 

    The entries we do have show an inbound from anywhere, requesting https://era.xxxx.com, will take the default 443, and forward to the internal IP of the ERA server. We also show the DNS record for our cert, to show that era.xxx.com goes to the public IP associated with that server.

    Regardless, from either internal, or external, if I type in the era.xxxx.com OR https://era.xxxx.com, neither loads up, or connects whatsoever. I had some (but not enough) time with a coworker who understands our SonicWall vastly better than I do. He reviewed all of the settings, policies, and entries, and he believes that it all looks like it should be working. He thinks we either need to reboot the SonicWall, or rebuild the entries into it for this.

    I do not know how to test any of this. 

  4. So I checked, and sure enough my browser IS using the certificate. Under view details, I have an error red triangle next to "certificate error", a green square next to secure connection (says it is using TLS 1.2 with a strong key exchange (ECDHE_RSA), and a strong cipher (AES_128_GCM)). I also have a green square next to Secure resources.

     

    I feel like this means I am using an inappropriate cert for this function? 

    When I select "view certificate", I get a viewable chain length of three.

    Not sure what to do; in the meantime I am researching "net::ERR_CERT_COMMON_NAME_INVALID", which is the error message next to the red triangle for certificate error.
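
An added example, not part of the original posts: a small check of whether the host typed into the address bar is covered by a certificate's subjectAltName entries, which is the comparison behind `net::ERR_CERT_COMMON_NAME_INVALID` when the console is opened by internal IP instead of by name. The certificate contents, `era.example.com` (standing in for the redacted hostname) and `10.0.0.5` are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample, in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "era.example.com"),),),
    "subjectAltName": (("DNS", "era.example.com"),
                       ("DNS", "*.corp.example.com")),
}

def _dns_match(pattern, host):
    """Match one DNS SAN entry; '*' may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def host_matches_cert(host, cert):
    """True if the host from the URL is covered by the certificate's SANs.

    Only subjectAltName is consulted in this sketch; the subject CN is ignored.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal in the URL is compared only with 'IP Address' entries,
        # never with DNS names, even if DNS resolves the name to that address.
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ip
                   for kind, val in sans)
    return any(kind == "DNS" and _dns_match(val, host) for kind, val in sans)

def check(hosts, cert=SAMPLE_CERT):
    """Map each candidate host to whether the certificate covers it."""
    return {h: host_matches_cert(h, cert) for h in hosts}

if __name__ == "__main__":
    candidates = ["era.example.com", "10.0.0.5", "ERA.example.com",
                  "vm.corp.example.com", "a.b.corp.example.com"]
    for host, ok in check(candidates).items():
        print(f"{host:24} {'OK' if ok else 'name mismatch'}")
```
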

  5. I have tried again, this time with the keystore explorer tool you kindly recommended. I changed the alias and password, and edited the three respective fields in the XML. I then started the Tomcat service, and got the warning of "not secure site".

    This makes me feel I have the process working, but the certificate either is wrong, or I missed a step with that.

    I appreciate the assistance on this.

    Please let me know if there is any more helpful information I can supply.

  6. Thank you for the information. 

    A few questions: 

    Am I supposed to just be converting my certificate to the .keystore type? Or am I also supposed to combine it with a cert on the machine / Tomcat / ESET?

    I converted my cert, edited the three fields at the end of the server.XML and restarted Tomcat services as well as ESET Remote Administrator Server, without success to login via HTTPS. A theory as to why: is the alias that I enter in the XML supposed to be what is shown with the

    "keytool -v -list -storetype pkcs12 -keystore KEYSTORE_FILE"

    command?

    Or is the alias a string I entered somewhere?

    I question the cert that I am using. When I have it converted, what is an acceptable chain length? Mine says 1.

  7. I am new in the IT field, and I have built a Windows 2016 server VM. I used the all-in-one installer to get this guy going, and have 400 clients connecting properly. I have been tasked with getting our webconsole to go to HTTPS://era.******.com without the "your connection is not private" warning on Chrome. I have spent an embarrassing amount of time trying to rectify this. I am not sure which end I have is wrong, I feel it is either the certificate I am using is wrong, or I can not get the commands processed properly to get a properly configured .keystore going. I have been following:

    https://support.eset.com/kb3724/?locale=en_US

    https://support.eset.com/kb5695/#signed

    https://forum.eset.com/topic/9027-correct-procedure-to-install-a-commercial-wildcard-cert-into-era-64/

    https://forum.eset.com/topic/4986-era-v6-webconsole-ssl-certificate/

    and a translated version of https://servis.eset.cz/knowledgebase/article/View/497/60/jak-do-era-web-console-nahrat-vlastni-ssl-certifikat

    I need some assistance.

    What I have is a ***.PFX cert supplied from my company, which has the desired ERA.*****.com entry in it.

    Where I believe I download the cert file from, I have the following version options: Apache, Exchange, IIS, MAC OS X, Tomcat, other

    I am not sure where to start, but would seriously appreciate some assistance on this please. 
