Saumitra Rathi

Everything posted by Saumitra Rathi

  1. Hi, you are right: appending the CA certificate PEM to the fullchain.pem file before converting it into .pfx using the above command worked. I used the PEM at https://censys.io/certificates/0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739/pem
  2. Hi, I am using ESET ERA on a VPS with Ubuntu 16.04 x64, and I used a Let's Encrypt certificate for HTTPS. While on version 6 of ESET, I used the following command to generate the required .pfx file for MDC:

     ```
     sudo openssl pkcs12 -inkey /etc/letsencrypt/live/my.domain/privkey.pem -in /etc/letsencrypt/live/my.domain/fullchain.pem -export -out /etc/letsencrypt/live/my.domain/certificate.pfx -password pass:pass123
     ```

     However, now that I am on version 7, ESET gives an alert that 'HTTPS certificate chain is incomplete. Enrollment is not allowed'. Can anyone please give a step-by-step guide on how to include the root CA certificate of Let's Encrypt in the .pfx file so that it is accepted by ESET 7? Thanks
  3. Disclaimers:

     - Some information has been copied from other forums.
     - I have not tested that renewal of the Let's Encrypt certificate using the bash file is accepted by ERA and MDC.
     - Suggested configuration for solely running ESET ERA and MDC is 4 cores and 2 GB RAM; anything lower runs abysmally slow. I am currently using this configuration on woothosting (cheapest that I could find).
     - All commands assume a clean VPS instance as root user with no other applications running or to be run in future.
     - Some components installed may be of no use. I don't know enough to remove them.
     - Please substitute domain names and passwords with your own.
     - Please feel free to post corrections or better methods of doing what I have already done.
     - Text in code boxes is to be added/edited in the file opened.
     - Text in red ((double parentheses below)) consists of comments to be read carefully.

     Start

     ```
     sudo apt-get update && apt-get upgrade && apt-get install software-properties-common python-software-properties unixodbc xvfb cifs-utils libqtwebkit4 krb5-user winbind ldap-utils libsasl2-modules-gssapi-mit snmp samba mysql-server nano aptitude default-jdk tomcat7 tomcat7-docs tomcat7-admin
     ```

     To let Tomcat be the ONLY app on the server and use ports 80 and 443
     -------------------------------------------------------

     ```
     apt-get remove apache2    # ((or any other web server like nginx))
     nano /etc/default/tomcat7
     ```

     ```
     AUTHBIND=yes
     ```

     ```
     sudo touch /etc/authbind/byport/80
     sudo chmod 500 /etc/authbind/byport/80
     sudo chown tomcat7 /etc/authbind/byport/80
     sudo touch /etc/authbind/byport/443
     sudo chmod 500 /etc/authbind/byport/443
     sudo chown tomcat7 /etc/authbind/byport/443
     ```

     Let's Encrypt
     -------------------------------------------------------

     ```
     sudo add-apt-repository ppa:certbot/certbot
     sudo apt-get update
     sudo apt-get install certbot
     sudo service apache2 stop
     sudo certbot certonly --text --agree-tos --email email@gmail.com --standalone --expand --renew-by-default --manual-public-ip-logging-ok --preferred-challenges http-01 -d domain.com
     sudo service apache2 start
     sudo mkdir /etc/tomcatcertificate
     cd /etc/tomcatcertificate
     ```

     ((Bash script for automatic renewal of the HTTPS certificate from Let's Encrypt -- untested))

     ```
     nano letsencrypt.sh
     ```

     ```bash
     #!/bin/bash
     cd /etc/tomcatcertificate
     echo " -- Cleaning -- "
     sudo rm request.csr
     sudo rm *.pem
     echo " -- Stop Services -- "
     sudo iptables-save > /etc/iptables.backup
     sudo iptables -F -t nat
     sudo service tomcat7 stop
     sudo service apache2 stop
     echo " -- Delete Keystore -- "
     sudo rm /usr/share/tomcat7/.keystore
     echo " -- Recreate Keystore -- "
     sudo keytool -genkey -noprompt -alias tomcat -dname "CN=domain.com" -keystore /usr/share/tomcat7/.keystore -storepass "password" -keysize 2048 -keypass "password" -keyalg RSA
     sudo keytool -list -keystore /usr/share/tomcat7/.keystore -v -storepass "password" > key.check
     echo " -- Build CSR -- "
     sudo keytool -certreq -alias tomcat -file request.csr -keystore /usr/share/tomcat7/.keystore -storepass "password"
     echo " -- Request Certificate -- "
     sudo certbot certonly --csr ./request.csr --text --agree-tos --email name@gmail.com --standalone --expand --renew-by-default --manual-public-ip-logging-ok --preferred-challenges http-01 -d domain.com
     certbot certonly --standalone -d domain.com -n
     echo " -- Import Certificate -- "
     sudo keytool -import -trustcacerts -alias tomcat -file 0001_chain.pem -keystore /usr/share/tomcat7/.keystore -storepass "password"
     sudo openssl pkcs12 -inkey /etc/letsencrypt/live/domain.com/privkey.pem -in /etc/letsencrypt/live/domain.com/fullchain.pem -export -out /etc/letsencrypt/live/domain.com/certificate.pfx -password pass:password
     echo " -- Restart services -- "
     sudo service tomcat7 start
     sudo service apache2 start
     sudo iptables-restore < /etc/iptables.backup
     sudo rm /etc/iptables.backup
     echo " -- Cleaning -- "
     sudo rm request.csr
     sudo rm *.pem
     echo " -- Script Finish -- "
     ```

     ```
     sudo chmod +x letsencrypt.sh
     ```

     ((as "root" run:))

     ```
     crontab -e
     ```

     ```
     0 2 */15 * * /etc/tomcatcertificate/letsencrypt.sh
     ```

     ```
     sudo /etc/tomcatcertificate/letsencrypt.sh
     sudo nano /etc/tomcat7/server.xml
     ```

     ```xml
     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                maxThreads="150" scheme="https" secure="true"
                clientAuth="false" sslProtocol="TLS"
                keystoreFile="/usr/share/tomcat7/.keystore" keystorePass="password" />
     ```

     ((Change port 8080 to 80 at `<Connector port="80" protocol="HTTP/1.1"`, change port 8443 to 443 at `redirectPort="8443" />`, and change port 8443 to 443 at `<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"` if required -- if the server is to be dedicated entirely to ERA and you don't want to deal with port numbers in the URL.))

     Add admin user to Tomcat GUI (optional)
     -------------------------------------------------------

     ```
     nano /etc/tomcat7/tomcat-users.xml
     ```

     ```xml
     <user username="admin" password="password" roles="manager-gui,admin-gui"/>
     ```

     ```
     sudo service tomcat7 restart
     ```

     ODBC
     -------------------------------------------------------

     ```
     cd /opt
     wget https://dev.mysql.com/get/Downloads/Connector-ODBC/5.3/mysql-connector-odbc-5.3.9-linux-ubuntu16.04-x86-64bit.tar.gz    # ((get latest link from https://dev.mysql.com/downloads/connector/odbc/))
     tar xvzf mysql-connector-odbc-5.3.9-linux-ubuntu16.04-x86-64bit.tar.gz
     cd mysql-connector-odbc-5.3.9-linux-ubuntu16.04-x86-64bit/lib
     cp * /usr/lib/x86_64-linux-gnu/odbc/
     nano /etc/odbcinst.ini
     ```

     ```ini
     [MySQL]
     Description = ODBC for MySQL
     Driver = /usr/lib/x86_64-linux-gnu/odbc/libmyodbc5a.so
     Setup = /usr/lib/x86_64-linux-gnu/odbc/libodbcmyS.so
     FileUsage = 1
     ```

     ```
     sudo odbcinst -i -d -f /etc/odbcinst.ini
     ```

     Configuration of MySQL
     -------------------------------------------------------

     ```
     sudo nano /etc/mysql/my.cnf
     ```

     ((If the file is not present, try /etc/my.cnf.))

     ((Find the following configuration in the [mysqld] section of the my.cnf file and modify the values. If the parameters are not present in the file, add them to the [mysqld] section after the last existing lines in the file:))

     ```ini
     [mysqld]
     max_allowed_packet=33M
     innodb_log_file_size=100M
     innodb_log_files_in_group=2
     ```

     ((Save and close the file and enter the following command to restart the MySQL server and apply the configuration (in some cases, the service name is mysqld):))

     ```
     sudo service mysql restart
     ```

     ((Run the following command to set up MySQL including privileges and password (this is optional and may not work for some Linux distributions):))

     ```
     /usr/bin/mysql_secure_installation
     ```

     ((Enter the following command to check whether the MySQL server is running:))

     ```
     sudo netstat -tap | grep mysql
     ```

     ((If the MySQL server is running, the following line will be displayed. Note that the process identifier (PID, 7668 in the example below) will be different:))

     ```
     tcp 0 0 localhost:mysql *:* LISTEN 7668/mysqld
     ```

     Install ESET
     -------------------------------------------------------

     ```
     cd /opt
     wget https://download.eset.com/com/eset/apps/business/era/server/linux/latest/server-linux-x86_64.sh
     wget https://download.eset.com/com/eset/apps/business/era/agent/latest/agent-linux-x86_64.sh
     wget https://download.eset.com/com/eset/apps/business/era/webconsole/latest/era.war
     wget https://download.eset.com/com/eset/apps/business/era/mdm/v6/6.5.510.0/mdmcore-linux-x86_64.sh
     chmod +x *.sh
     sudo cp era.war /var/lib/tomcat7/webapps/
     service tomcat7 restart
     ```

     -----------------------------------------------------------

     ```
     sudo ./server-linux-x86_64.sh \
       --skip-license \
       --db-driver=MySQL \
       --db-hostname=127.0.0.1 \
       --db-port=3306 \
       --db-admin-username=root \
       --db-admin-password=password \
       --server-root-password=password \
       --db-user-username=root \
       --db-user-password=password \
       --cert-hostname="domain.com"
     ```

     ((Wait 2 minutes to let the server start. Repeat the commands if you cannot connect to the DB or get other errors after a 2-minute break, or reboot the VPS and check whether the ERA server is running by entering: `service era* status`))

     ```
     sudo ./agent-linux-x86_64.sh \
       --skip-license \
       --webconsole-port=2223 \
       --webconsole-user=Administrator \
       --webconsole-password=password \
       --hostname=domain.com \
       --port=2222
     ```

     -----------------------------------------------------------

     ```
     sudo ./mdmcore-linux-x86_64.sh \
       --https-cert-path="/etc/letsencrypt/live/domain.com/certificate.pfx" \
       --https-cert-password="password" \
       --port=2222 \
       --db-type="MySQL" \
       --db-driver="MySQL" \
       --db-admin-username="root" \
       --db-admin-password=password \
       --db-user-username="root" \
       --db-user-password=password \
       --db-hostname="127.0.0.1" \
       --webconsole-password=password \
       --hostname=domain.com \
       --mdm-hostname=domain.com
     ```

     To make ERA the default app in Tomcat, so that directly typing the domain will launch ERA and you will not have to enter /era at the end of the domain to access ERA
     -----------------------------------------------------------

     ```
     cd /var/lib/tomcat7/webapps/
     rm -r ROOT
     rm -r era
     mv era.war ROOT.war
     service tomcat7 restart
     ```

     To redirect all HTTP traffic from Tomcat to HTTPS
     -----------------------------------------------------------

     ```
     nano /etc/tomcat7/web.xml
     ```

     ((Add the configuration below, but make sure to add it after all the servlet-mapping tags.))

     ```xml
     <security-constraint>
       <web-resource-collection>
         <web-resource-name>Entire Application</web-resource-name>
         <url-pattern>/*</url-pattern>
       </web-resource-collection>
       <user-data-constraint>
         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
     </security-constraint>
     ```

     ```
     service tomcat7 restart
     ```

     Enter https://domain.com:9980 in your web browser to check that the MDM server is up. Enter domain.com in your web browser and log in using the web console password that you set earlier.
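The fix from the first two posts (append the root CA PEM to fullchain.pem, then export the .pfx) as an added bash example that is not the poster's code: it counts the certificates in the chain, appends the root only when it is not already present (so it is safe to re-run on every renewal, e.g. in place of the single openssl line in the renewal script above), and counts the certificates inside the resulting .pfx so an incomplete chain is caught before MDC rejects it. The live directory, the root PEM path and the password argument are placeholders.

```shell
#!/bin/bash
# Added example, not from the original posts. Builds a .pfx for ESET MDC whose
# chain ends with the root CA, and checks the chain before and after export.
# Placeholders: the live directory, root PEM path and password are assumptions.

# Number of PEM certificate blocks in a file (prints 0 if there are none).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Copy fullchain.pem ($1) to $3 and append the root CA PEM ($2) unless that
# exact certificate is already there, so re-running never duplicates it.
build_chain_with_root() {
    local fullchain="$1" root_ca="$2" out="$3" root_body
    root_body=$(tr -d '\n\r ' < "$root_ca")            # whitespace-free compare
    cp "$fullchain" "$out"
    if ! tr -d '\n\r ' < "$out" | grep -qF -- "$root_body"; then
        [ -n "$(tail -c1 "$out")" ] && echo >> "$out"   # keep PEM blocks on own lines
        cat "$root_ca" >> "$out"
    fi
    printf '%s\n' "$out"
}

# The same export the posts use, fed the chain that now includes the root.
export_pfx() {
    local key="$1" chain="$2" out="$3" pass="$4"
    openssl pkcs12 -export -inkey "$key" -in "$chain" -out "$out" -password "pass:$pass"
}

# Certificates actually stored in the .pfx; must match the chain count.
count_pfx_certs() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" \
        | grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Usage: main /etc/letsencrypt/live/domain.com /path/to/root-ca.pem "$PFX_PASS"
main() {
    local live="$1" root_ca="$2" pass="$3" chain n
    chain=$(build_chain_with_root "$live/fullchain.pem" "$root_ca" "$live/fullchain-with-root.pem")
    n=$(count_certs "$chain")
    # leaf + intermediate + root: anything shorter is the chain MDC complains about
    [ "$n" -ge 3 ] || { echo "chain has only $n certificate(s); root missing?" >&2; return 1; }
    export_pfx "$live/privkey.pem" "$chain" "$live/certificate.pfx" "$pass"
    [ "$(count_pfx_certs "$live/certificate.pfx" "$pass")" -eq "$n" ] \
        || { echo "certificate.pfx chain is incomplete" >&2; return 1; }
    echo "certificate.pfx contains $n certificates"
}
```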