Posts posted by Saumitra Rathi
Hi,
I am using ESET ERA on a VPS with Ubuntu 16.04 x64, and I used a Letsencrypt certificate for https.
While on version 6 of ESET, I used the following command to generate the required .pfx file for MDC:
sudo openssl pkcs12 -inkey /etc/letsencrypt/live/my.domain/privkey.pem -in /etc/letsencrypt/live/my.domain/fullchain.pem -export -out /etc/letsencrypt/live/my.domain/certificate.pfx -password pass:pass123
However, now that I am on version 7, ESET gives an alert that 'HTTPS certificate chain is incomplete. Enrollment is not allowed'. Can anyone please give a step by step guide on how to include the root CA certificate of Letsencrypt in the .pfx file so that it is accepted by ESET 7?
Thanks
-
Disclaimers:
Some information has been copied from other forums
I have not tested that renewal of the Letsencrypt certificate using the bash file is accepted by ERA and MDC
Suggested configuration for solely running ESET ERA and MDC is 4 cores and 2 GB RAM; anything lower runs abysmally slow.
I am currently using this configuration on woothosting (cheapest that I could find)
All commands assume a clean VPS instance, run as the root user, with no other applications running or to be run in future.
Some components installed may be of no use. I don't know enough to remove them.
Please substitute domain names and passwords with your own.
Please feel free to post corrections or better methods of doing what I have already done.
Text in code boxes is to be added/edited in the file opened.
Lines in red are comments to be read carefully
Start
sudo apt-get update && apt-get upgrade && apt-get install software-properties-common python-software-properties unixodbc xvfb cifs-utils libqtwebkit4 krb5-user winbind ldap-utils libsasl2-modules-gssapi-mit snmp samba mysql-server nano aptitude default-jdk tomcat7 tomcat7-docs tomcat7-admin

To Let Tomcat be the ONLY app on the server and use port 80 and 443
-------------------------------------------------------
apt-get remove apache2
((or any other web server like nginx))
nano /etc/default/tomcat7
    AUTHBIND=yes
sudo touch /etc/authbind/byport/80
sudo chmod 500 /etc/authbind/byport/80
sudo chown tomcat7 /etc/authbind/byport/80
sudo touch /etc/authbind/byport/443
sudo chmod 500 /etc/authbind/byport/443
sudo chown tomcat7 /etc/authbind/byport/443
-------------------------------------------------------
Letsencrypt
-------------------------------------------------------
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
sudo service apache2 stop
sudo certbot certonly --text --agree-tos --email email@gmail.com --standalone --expand --renew-by-default --manual-public-ip-logging-ok --preferred-challenges http-01 -d domain.com
sudo service apache2 start
sudo mkdir /etc/tomcatcertificate
cd /etc/tomcatcertificate
((Bash script for automatic renewal of https certificate from letsencrypt -- untested))
nano letsencrypt.sh
    #!/bin/bash
    cd /etc/tomcatcertificate
    echo " -- Cleaning -- "
    sudo rm request.csr
    sudo rm *.pem
    echo " -- Stop Services -- "
    sudo iptables-save > /etc/iptables.backup
    sudo iptables -F -t nat
    sudo service tomcat7 stop
    sudo service apache2 stop
    echo " -- Delete Keystore -- "
    sudo rm /usr/share/tomcat7/.keystore
    echo " -- Recreate Keystore -- "
    sudo keytool -genkey -noprompt -alias tomcat -dname "CN=domain.com, OU=, O=, L=, S=, C=" -keystore /usr/share/tomcat7/.keystore -storepass "password" -keysize 2048 -keypass "password" -keyalg RSA
    sudo keytool -list -keystore /usr/share/tomcat7/.keystore -v -storepass "password" > key.check
    echo " -- Build CSR -- "
    sudo keytool -certreq -alias tomcat -file request.csr -keystore /usr/share/tomcat7/.keystore -storepass "password"
    echo " -- Request Certificate -- "
    sudo certbot certonly --csr ./request.csr --text --agree-tos --email name@gmail.com --standalone --expand --renew-by-default --manual-public-ip-logging-ok --preferred-challenges http-01 -d domain.com
    certbot certonly --standalone -d domain.com -n
    echo " -- import Certificate -- "
    sudo keytool -import -trustcacerts -alias tomcat -file 0001_chain.pem -keystore /usr/share/tomcat7/.keystore -storepass "password"
    sudo openssl pkcs12 -inkey /etc/letsencrypt/live/domain.com/privkey.pem -in /etc/letsencrypt/live/domain.com/fullchain.pem -export -out /etc/letsencrypt/live/domain.com/certificate.pfx -password pass:password
    echo " -- Restart services -- "
    sudo service tomcat7 start
    sudo service apache2 start
    sudo iptables-restore < /etc/iptables.backup
    sudo rm /etc/iptables.backup
    echo " -- Cleaning -- "
    sudo rm request.csr
    sudo rm *.pem
    echo " -- Script Finish -- "
sudo chmod +x letsencrypt.sh
((as "root" run :))
crontab -e
    0 2 */15 * * /etc/tomcatcertificate/letsencrypt.sh
sudo /etc/tomcatcertificate/letsencrypt.sh
sudo nano /etc/tomcat7/server.xml
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/usr/share/tomcat7/.keystore" keystorePass="password" />
((change port 8080 to 80 at <Connector port="80" protocol="HTTP/1.1"
change port 8443 to 443 at redirectPort="8443" />
Change port 8443 to 443 at <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
if required -- if server to be dedicated entirely to era and you don't want to deal with port nos. in URL))
-------------------------------------------------------
Add Admin user to tomcat GUI (optional)
-------------------------------------------------------
nano /etc/tomcat7/tomcat-users.xml
    <user username="admin" password="password" roles="manager-gui,admin-gui"/>
sudo service tomcat7 restart
-------------------------------------------------------
ODBC
-------------------------------------------------------
cd /opt
wget https://dev.mysql.com/get/Downloads/Connector-ODBC/5.3/mysql-connector-odbc-5.3.9-linux-ubuntu16.04-x86-64bit.tar.gz
((get latest link from https://dev.mysql.com/downloads/connector/odbc/))
tar xvzf mysql-connector-odbc-5.3.9-linux-ubuntu16.04-x86-64bit.tar.gz
cd mysql-connector-odbc-5.3.9-linux-ubuntu16.04-x86-64bit/lib
cp * /usr/lib/x86_64-linux-gnu/odbc/
nano /etc/odbcinst.ini
    [MySQL]
    Description = ODBC for MySQL
    Driver = /usr/lib/x86_64-linux-gnu/odbc/libmyodbc5a.so
    Setup = /usr/lib/x86_64-linux-gnu/odbc/libodbcmyS.so
    FileUsage = 1
sudo odbcinst -i -d -f /etc/odbcinst.ini
-------------------------------------------------------
Configuration of MySQL
-------------------------------------------------------
sudo nano /etc/mysql/my.cnf
((if the file is not present, try /etc/my.cnf))
((Find the following configuration in the [mysqld] section of the my.cnf file and modify the values. (If the parameters are not present in the file, add them to the [mysqld] section) after the last existing lines in the file:))
    [mysqld]
    max_allowed_packet=33M
    innodb_log_file_size=100M
    innodb_log_files_in_group=2
((Save and close the file and enter the following command to restart the MySQL server and apply the configuration (in some cases, the service name is mysqld):))
sudo service mysql restart
((Run the following command to set up MySQL including privileges and password (this is optional and may not work for some Linux distributions):))
/usr/bin/mysql_secure_installation
((Enter the following command to check whether the MySQL server is running:))
sudo netstat -tap | grep mysql
((If the MySQL server is running, the following line will be displayed. Note that the process identifier - PID (7668 in the example below) will be different:
tcp 0 0 localhost:mysql *:* LISTEN 7668/mysqld))
-------------------------------------------------------
Install ESET
-------------------------------------------------------
cd /opt
wget https://download.eset.com/com/eset/apps/business/era/server/linux/latest/server-linux-x86_64.sh
chmod +x *.sh
sudo cp era.war /var/lib/tomcat7/webapps/
service tomcat7 restart
-------------------------------------------------------
sudo ./server-linux-x86_64.sh \
--skip-license \
--db-driver=MySQL \
--db-hostname=127.0.0.1 \
--db-port=3306 \
--db-admin-username=root \
--db-admin-password=password \
--server-root-password=password \
--db-user-username=root \
--db-user-password=password \
--cert-hostname="domain.com"
((wait 2 minutes to let the server start, repeat commands if cannot connect to db or other errors after 2 mins break or reboot the vps and check whether era server is running by entering : service era* status ))
sudo ./agent-linux-x86_64.sh \
--skip-license \
--webconsole-port=2223 \
--webconsole-user=Administrator \
--webconsole-password=password \
--hostname=domain.com \
--port=2222
-------------------------------------------------------
sudo ./mdmcore-linux-x86_64.sh \
--https-cert-path="/etc/letsencrypt/live/domain.com/certificate.pfx" \
--https-cert-password="password" \
--port=2222 \
--db-type="MySQL" \
--db-driver="MySQL" \
--db-admin-username="root" \
--db-admin-password=password \
--db-user-username="root" \
--db-user-password=password \
--db-hostname="127.0.0.1" \
--webconsole-password=password \
--hostname=domain.com \
--mdm-hostname=domain.com
-------------------------------------------------------
To Make ERA the default app in Tomcat so that directly typing the domain will launch ERA and you will not have to enter /era at the end of the domain to access era
-------------------------------------------------------
cd /var/lib/tomcat7/webapps/
rm -r ROOT
rm -r era
mv era.war ROOT.war
service tomcat7 restart
-------------------------------------------------------
To redirect all http traffic from tomcat to https
-------------------------------------------------------
nano /etc/tomcat7/web.xml
((Add below configuration but make sure to add it after all the servlet mapping tags.))
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Entire Application</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
service tomcat7 restart
enter https://domain.com:9980 in your web browser to check MDM server is up
enter domain.com in your web browser and login using the webconsole password that you have set earlier.
"HTTPS certificate chain is incomplete. Enrollment is not allowed" after update to MDM 7.0.394
in ESET Products for Mobile Devices
Hi,
You are right, appending the CA certificate PEM to the fullchain.pem file before converting it into .pfx using the above command worked.
I used the PEM at https://censys.io/certificates/0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739/pem
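A worked version of what the thread converges on, added here as an example and not taken from any of the posts above: it builds the .pfx the way the original question's command does (leaf plus intermediate only), builds it again with the root CA PEM appended to fullchain.pem, and then inspects each bundle for a self-signed certificate, which is what the appended root supplies and what an incomplete chain lacks. It assumes openssl is on PATH; the Let's Encrypt files and the root CA PEM are replaced by a throwaway three-tier test PKI generated inline (constructed data, not a real CA), and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the forum posts.  Assumes: openssl on PATH.
# The real inputs would be /etc/letsencrypt/live/<domain>/{privkey,fullchain}.pem
# plus the downloaded root CA PEM; here a constructed test PKI stands in for them.
set -e

# Build a PKCS#12 bundle with the root CA appended to fullchain.pem (the fix from the thread).
# Usage: make_pfx PRIVKEY FULLCHAIN ROOT_CA OUT_PFX PASSWORD
make_pfx() {
    chain_with_root="${4%.pfx}-withroot.pem"
    cat "$2" "$3" > "$chain_with_root"
    openssl pkcs12 -export -inkey "$1" -in "$chain_with_root" \
        -out "$4" -password "pass:$5"
}

# Write every certificate found in a .pfx to DIR/chain-N.pem (one file per cert).
# Usage: pfx_split PFX PASSWORD DIR
pfx_split() {
    rm -f "$3"/chain-*.pem
    openssl pkcs12 -in "$1" -password "pass:$2" -nokeys 2>/dev/null |
        awk -v dir="$3" '/BEGIN CERTIFICATE/ { n++; f = dir "/chain-" n ".pem" }
                          f { print > f }
                          /END CERTIFICATE/ { close(f); f = "" }'
}

# Print how many certificates the bundle carries (2 = leaf + intermediate only).
pfx_cert_count() {
    openssl pkcs12 -in "$1" -password "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Return 0 when the bundle holds a self-signed certificate (subject == issuer),
# i.e. the chain reaches a root; return 1 otherwise.
pfx_chain_complete() {
    d=$(mktemp -d)
    pfx_split "$1" "$2" "$d"
    result=1
    for c in "$d"/chain-*.pem; do
        [ -f "$c" ] || continue
        subj=$(openssl x509 -in "$c" -noout -subject)
        iss=$(openssl x509 -in "$c" -noout -issuer)
        [ "${subj#subject=}" = "${iss#issuer=}" ] && result=0
    done
    rm -rf "$d"
    return $result
}

# Constructed stand-in for the Let's Encrypt files: root -> intermediate -> leaf.
# Usage: make_test_pki DIR   (writes privkey.pem, fullchain.pem, root.pem into DIR)
make_test_pki() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.pem" \
        -subj "/CN=Test Root" -days 2 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" \
        -subj "/CN=Test Intermediate" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/ca.ext" -out "$d/int.pem" -days 2 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$d/privkey.pem" -out "$d/leaf.csr" \
        -subj "/CN=era.example.test" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -out "$d/cert.pem" -days 2 2>/dev/null
    cat "$d/cert.pem" "$d/int.pem" > "$d/fullchain.pem"   # what certbot's fullchain.pem holds
}

demo() {
    work=$(mktemp -d)
    make_test_pki "$work"
    # The original command from the question (no root CA), kept for contrast:
    openssl pkcs12 -export -inkey "$work/privkey.pem" -in "$work/fullchain.pem" \
        -out "$work/incomplete.pfx" -password pass:pass123
    make_pfx "$work/privkey.pem" "$work/fullchain.pem" "$work/root.pem" \
        "$work/complete.pfx" pass123
    for f in incomplete complete; do
        n=$(pfx_cert_count "$work/$f.pfx" pass123)
        if pfx_chain_complete "$work/$f.pfx" pass123; then s=yes; else s=no; fi
        echo "$f.pfx: $n certificates, chain reaches a self-signed root: $s"
    done
    rm -rf "$work"
}
demo
```

On a real server, point make_pfx at the privkey.pem and fullchain.pem under /etc/letsencrypt/live/ and at the root CA PEM you downloaded, and run pfx_chain_complete on the result before handing the file to the MDC installer. The check only confirms that the bundle ends in a self-signed certificate; it does not confirm that it is the right root, so compare the appended PEM's fingerprint (openssl x509 -noout -fingerprint) against the one the CA publishes rather than trusting whatever file was downloaded.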