Saumitra Rathi

Posts posted by Saumitra Rathi

  1. Hi,

    I am using ESET ERA on a VPS with Ubuntu 16.04 x64, and I used a Let's Encrypt certificate for HTTPS.

    While on version 6 of ESET, I used the following command to generate the required .pfx file for MDC:

    sudo openssl pkcs12 -inkey /etc/letsencrypt/live/my.domain/privkey.pem -in /etc/letsencrypt/live/my.domain/fullchain.pem -export -out /etc/letsencrypt/live/my.domain/certificate.pfx -password pass:pass123

     

    However, now that I am on version 7, ESET gives an alert that 'HTTPS certificate chain is incomplete. Enrollment is not allowed'. Can anyone please give a step-by-step guide on how to include the root CA certificate of Let's Encrypt in the .pfx file so that it is accepted by ESET 7?

     

    Thanks

  2. Disclaimers:

    Some information has been copied from other forums.

    I have not tested that renewal of the Let's Encrypt certificate using the bash file is accepted by ERA and MDC.

    Suggested configuration for solely running ESET ERA and MDC is 4 cores and 2 GB RAM; anything lower runs abysmally slowly.

    I am currently using this configuration on woothosting (the cheapest that I could find).

    All commands assume a clean VPS instance as the root user, with no other applications running or to be run in future.

    Some components installed may be of no use. I don't know enough to remove them.

    Please substitute domain names and passwords with your own.

    Please feel free to post corrections or better methods of doing what I have already done.

    Text in code boxes is to be added/edited in the file opened.

    Text in red is comments to be read carefully.

     

    Start

    sudo apt-get update && apt-get upgrade && apt-get install software-properties-common python-software-properties unixodbc xvfb cifs-utils libqtwebkit4 krb5-user winbind ldap-utils libsasl2-modules-gssapi-mit snmp samba mysql-server nano aptitude default-jdk tomcat7  tomcat7-docs tomcat7-admin
     
     
    To Let Tomcat be the ONLY app on the server and use port 80 and 443
    -------------------------------------------------------
     
    apt-get remove apache2  ((or any other web server like nginx))
    nano /etc/default/tomcat7
     
    AUTHBIND=yes
     
     
    sudo touch /etc/authbind/byport/80
    sudo chmod 500 /etc/authbind/byport/80
    sudo chown tomcat7 /etc/authbind/byport/80
    sudo touch /etc/authbind/byport/443
    sudo chmod 500 /etc/authbind/byport/443
    sudo chown tomcat7 /etc/authbind/byport/443
     
    -------------------------------------------------------
     
     
     
     
    Letsencrypt
    -------------------------------------------------------
     
    sudo add-apt-repository ppa:certbot/certbot
    sudo apt-get update
    sudo apt-get install certbot
    sudo service apache2 stop
    sudo certbot certonly --text --agree-tos --email email@gmail.com --standalone --expand --renew-by-default --manual-public-ip-logging-ok --preferred-challenges http-01 -d domain.com
    sudo service apache2 start
    sudo mkdir /etc/tomcatcertificate
    cd /etc/tomcatcertificate
     
    ((Bash script for automatic renewal of https certificate from letsencrypt -- untested))
    nano letsencrypt.sh
     
    #!/bin/bash
    cd /etc/tomcatcertificate
    echo " -- Cleaning -- "
    sudo rm -f request.csr
    sudo rm -f *.pem
     
    echo " -- Stop Services -- "
    sudo iptables-save > /etc/iptables.backup
    sudo iptables -F -t nat
    sudo service tomcat7 stop
    sudo service apache2 stop
     
    echo " -- Delete Keystore -- "
    sudo rm /usr/share/tomcat7/.keystore
     
    echo " -- Recreate Keystore -- "
    sudo keytool -genkey -noprompt -alias tomcat -dname "CN=domain.com" -keystore /usr/share/tomcat7/.keystore -storepass "password" -keysize 2048 -keypass "password" -keyalg RSA
     
    sudo keytool -list -keystore /usr/share/tomcat7/.keystore -v -storepass "password" > key.check
     
    echo " -- Build CSR -- "
    sudo keytool -certreq -alias tomcat -file request.csr -keystore /usr/share/tomcat7/.keystore -storepass "password"
     
    echo " -- Request Certificate -- "
    sudo certbot certonly --csr ./request.csr --text --agree-tos --email name@gmail.com --standalone --expand --renew-by-default --manual-public-ip-logging-ok --preferred-challenges http-01 -d domain.com
    certbot certonly --standalone -d domain.com -n
     
    echo " -- import Certificate -- "
    sudo keytool -import -trustcacerts -alias tomcat -file 0001_chain.pem -keystore /usr/share/tomcat7/.keystore -storepass "password"
    sudo openssl pkcs12 -inkey /etc/letsencrypt/live/domain.com/privkey.pem -in /etc/letsencrypt/live/domain.com/fullchain.pem -export -out /etc/letsencrypt/live/domain.com/certificate.pfx -password pass:password
     
    echo " -- Restart services -- "
    sudo service tomcat7 start
    sudo service apache2 start
    sudo iptables-restore < /etc/iptables.backup
    sudo rm /etc/iptables.backup
     
    echo " -- Cleaning -- "
    sudo rm -f request.csr
    sudo rm -f *.pem
     
    echo " -- Script Finish -- "
     
     
    sudo chmod +x letsencrypt.sh
     
    ((as "root" run :))
    crontab -e
     
    0 2 */15 * * /etc/tomcatcertificate/letsencrypt.sh
     
    sudo /etc/tomcatcertificate/letsencrypt.sh
     
    sudo nano /etc/tomcat7/server.xml
     
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
      maxThreads="150" scheme="https" secure="true"
      clientAuth="false" sslProtocol="TLS" keystoreFile="/usr/share/tomcat7/.keystore" keystorePass="password" />
     
    ((
    change port 8080 to 80 at <Connector port="80" protocol="HTTP/1.1"
    change port 8443 to 443 at redirectPort="8443" />
    Change port 8443 to 443 at <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    if required -- if server to be dedicated entirely to era and you don't want to deal with port nos. in URL))
    -------------------------------------------------------
     
     
     
     
    Add Admin user to tomcat GUI (optional)
    -------------------------------------------------------
    nano /etc/tomcat7/tomcat-users.xml
     
    <user username="admin" password="password" roles="manager-gui,admin-gui"/>
     
    sudo service tomcat7 restart
    -------------------------------------------------------
     
     
     
     
    ODBC
    -------------------------------------------------------
    cd /opt
    tar xvzf mysql-connector-odbc-5.3.9-linux-ubuntu16.04-x86-64bit.tar.gz
    cd mysql-connector-odbc-5.3.9-linux-ubuntu16.04-x86-64bit/lib
    cp * /usr/lib/x86_64-linux-gnu/odbc/
     
    nano /etc/odbcinst.ini
     
    [MySQL]
    Description = ODBC for MySQL
    Driver = /usr/lib/x86_64-linux-gnu/odbc/libmyodbc5a.so
    Setup = /usr/lib/x86_64-linux-gnu/odbc/libodbcmyS.so
    FileUsage = 1
     
     
    sudo odbcinst -i -d -f /etc/odbcinst.ini
    -------------------------------------------------------
     
     
     
    Configuration of MySQL
    -------------------------------------------------------
     
    sudo nano /etc/mysql/my.cnf
    ((if the file is not present, try /etc/my.cnf))
     
    ((Find the following configuration in the [mysqld] section of the my.cnf file and modify the values. If the parameters are not present in the file, add them to the [mysqld] section after the last existing lines in the file:))
     
    [mysqld]
    max_allowed_packet=33M
    innodb_log_file_size=100M
    innodb_log_files_in_group=2
     
     
    ((Save and close the file and enter the following command to restart the MySQL server and apply the configuration (in some cases, the service name is mysqld):))
     
    sudo service mysql restart
     
    ((Run the following command to set up MySQL including privileges and password (this is optional and may not work for some Linux distributions):))
     
    /usr/bin/mysql_secure_installation
     
    ((Enter the following command to check whether the MySQL server is running:))
     
    sudo netstat -tap | grep mysql
     
    ((If the MySQL server is running, the following line will be displayed. Note that the process identifier - PID (7668 in the example below) will be different:
     
    tcp 0 0 localhost:mysql *:* LISTEN 7668/mysqld))
    -------------------------------------------------------
     
     
     
    Install ESET
    -------------------------------------------------------
     
    cd /opt
    chmod +x *.sh
     
    sudo cp era.war /var/lib/tomcat7/webapps/
    service tomcat7 restart
     
    -----------------------------------------------------------
    sudo ./server-linux-x86_64.sh \
    --skip-license \
    --db-driver=MySQL \
    --db-hostname=127.0.0.1 \
    --db-port=3306 \
    --db-admin-username=root \
    --db-admin-password=password \
    --server-root-password=password \
    --db-user-username=root \
    --db-user-password=password \
    --cert-hostname="domain.com"
     

    ((Wait 2 minutes to let the server start. If you cannot connect to the DB or get other errors, repeat the commands after a 2-minute break or reboot the VPS, and check whether the ERA server is running by entering: service era* status))

     
     
    sudo ./agent-linux-x86_64.sh \
    --skip-license \
    --webconsole-port=2223 \
    --webconsole-user=Administrator \
    --webconsole-password=password \
    --hostname=domain.com \
    --port=2222
     
    -----------------------------------------------------------
     
     
    sudo ./mdmcore-linux-x86_64.sh \
    --https-cert-path="/etc/letsencrypt/live/domain.com/certificate.pfx" \
    --https-cert-password="password" \
    --port=2222 \
    --db-type="MySQL" \
    --db-driver="MySQL" \
    --db-admin-username="root" \
    --db-admin-password=password \
    --db-user-username="root" \
    --db-user-password=password \
    --db-hostname="127.0.0.1" \
    --webconsole-password=password \
    --hostname=domain.com \
    --mdm-hostname=domain.com
     
    -----------------------------------------------------------
     
     
     
    To make ERA the default app in Tomcat, so that typing the domain alone launches ERA and you do not have to append /era to the domain to access it
    -----------------------------------------------------------
     
     
    cd /var/lib/tomcat7/webapps/
    rm -r ROOT
    rm -r era
    mv era.war ROOT.war
    service tomcat7 restart
     
    -----------------------------------------------------------
     
     
     
     
     
    To redirect all http traffic from tomcat to https
    -----------------------------------------------------------
     
     
    nano  /etc/tomcat7/web.xml
    ((Add below configuration but make sure to add it after all the servlet mapping tags.))
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Entire Application</web-resource-name>
    <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    </security-constraint>
    service tomcat7 restart
     
    Enter https://domain.com:9980 in your web browser to check that the MDM server is up.
    Enter domain.com in your web browser and log in using the webconsole password that you set earlier.
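The first post's 'HTTPS certificate chain is incomplete' alert and the guide's .pfx step both come down to one question: does the bundle handed to MDC end in a self-signed root? certbot's fullchain.pem is leaf plus intermediate(s) only, so a .pfx built from it carries no root. The following POSIX shell script is an added example (not part of Saumitra Rathi's post or of ESET's or certbot's own tooling) that checks a PEM bundle for a complete, correctly ordered chain, verifies the signatures with openssl, and builds a .pfx that includes the root. It needs only the openssl CLI. The root, intermediate and leaf it uses are generated locally for the demonstration (constructed, not Let's Encrypt's real certificates); the file names, the function names and the password pass123 are my own placeholders. With real certbot output, the third argument to make_pfx_with_root would be chain.pem from /etc/letsencrypt/live/domain.com/ concatenated with the Let's Encrypt root certificate downloaded separately.

```shell
#!/bin/sh
# Added example, not from the forum post: check chain completeness of a PEM
# bundle and build a PKCS#12 that includes the root certificate.
# Needs only the openssl CLI. Everything in demo_chain_check() is constructed
# locally; a real root CA certificate would be downloaded from the CA instead.

# Split a PEM bundle into cert1.pem, cert2.pem, ... inside directory $2
# (leaf first, as certbot orders fullchain.pem). Prints the certificate count.
split_pem_bundle() {
    awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++ }
                   n { print > (d "/cert" n ".pem") }
                   END { print n + 0 }' "$1"
}

# Return 0 when every certificate's issuer is the subject of the next one and
# the last certificate is self-signed (subject == issuer); otherwise return 1.
# This checks ordering and completeness only; chain_verifies checks signatures.
chain_is_complete() {
    tmp=$(mktemp -d) || return 1
    count=$(split_pem_bundle "$1" "$tmp")
    ok=1
    i=1
    while [ "$i" -le "$count" ]; do
        issuer=$(openssl x509 -in "$tmp/cert$i.pem" -noout -issuer)
        if [ "$i" -lt "$count" ]; then next=$((i + 1)); else next=$i; fi
        subject=$(openssl x509 -in "$tmp/cert$next.pem" -noout -subject)
        # drop the "issuer=" / "subject=" labels and compare the names
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || ok=0
        i=$((i + 1))
    done
    [ "$count" -gt 0 ] || ok=0
    rm -rf "$tmp"
    [ "$ok" -eq 1 ]
}

# Cryptographic check: verify leaf $1 up to root $3 through intermediates $2.
chain_verifies() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" > /dev/null 2>&1
}

# Build a PKCS#12 holding key $1, leaf $2 and every CA cert in $3 (intermediates
# plus root), written to $4 with password $5.
make_pfx_with_root() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -out "$4" -password "pass:$5"
}

# Count the certificates stored in PKCS#12 file $1 (password $2).
pfx_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -password "pass:$2" 2> /dev/null \
        | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Demo data: a constructed root -> intermediate -> leaf chain in a temp dir.
# Prints the directory. fullchain.pem mimics certbot (leaf + intermediate, no root).
demo_chain_check() {
    d=$(mktemp -d)
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.csr" 2> /dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -days 1 -out "$d/root.pem" 2> /dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2> /dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 1 -out "$d/int.pem" 2> /dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=domain.com" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2> /dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2> /dev/null
    cat "$d/leaf.pem" "$d/int.pem" > "$d/fullchain.pem"
    cat "$d/leaf.pem" "$d/int.pem" "$d/root.pem" > "$d/withroot.pem"
    cat "$d/int.pem" "$d/root.pem" > "$d/intermediates_and_root.pem"
    echo "$d"
}

# Usage: sh chain_check.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(demo_chain_check)
    for f in fullchain.pem withroot.pem; do
        if chain_is_complete "$d/$f"; then echo "$f: complete chain"; else echo "$f: INCOMPLETE (no root)"; fi
    done
    make_pfx_with_root "$d/leaf.key" "$d/leaf.pem" "$d/intermediates_and_root.pem" "$d/certificate.pfx" pass123
    echo "certificates in pfx: $(pfx_cert_count "$d/certificate.pfx" pass123)"
    rm -rf "$d"
fi
```

The name comparison in chain_is_complete only confirms that the bundle is ordered leaf to root and actually ends in a root; it is chain_verifies, which wraps openssl verify, that proves each certificate was signed by the one above it. Running both before installing the .pfx catches the two common mistakes behind the alert: a bundle with the root missing, and a bundle assembled in the wrong order.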
     