Daniel26, posted December 18, 2018

Hello,

I am trying to install a new ERA Management Server on Debian Stretch. After some problems with the database (MySQL instead of MariaDB, the correct version of MySQL, the correct version of ODBC and so on) the DB seems to be OK. But the installation struggles at the certificate. I used the switches "--skip-cert", "--cert-hostname" and --server-cert-path="/etc/ssl/certs/". Our certificate is located at /etc/ssl/certs/, but the installation says: "Storing server peer certificate to configuration ... failure"

That's what I found in the installation log:

2018-12-18 15:04:28 Error: ConfigInsertCertificate: Server peer certificate path is not correct. Provided path - '/etc/ssl/certs/'
2018-12-18 15:04:28 Information: Installer: Failed storing peer certificate.
2018-12-18 15:04:28 Information: Installer: Error: : Error occurred while storing peer certificate

The same happens if I provide the path and the name of the certificate. What am I doing wrong here?

Regards
Daniel
MartinK (ESET Staff), posted December 18, 2018

The mentioned parameters are used either to generate a new peer certificate for the ERA/ESMC server or to re-use an existing one. This certificate will be used for AGENT-to-SERVER connections, not as the HTTPS certificate for the console. In this specific case, the parameter --server-cert-path is expected to contain the path to a certificate in PFX/PKCS12 format, containing the peer certificate and the private key for this certificate. I would consider this parameter to be advanced, and my recommendation is to generate a new certificate (i.e. do not use --skip-cert): it is possible to change those certificates, or generate new ones, at any time later. There is a simple example of such an installation in the documentation.
Daniel26 (Author), posted December 18, 2018

I want to use my own certificate because I may have to move the ERA server to another data center in the future, so the domain name changes. My certificate also includes an alias hostname which doesn't change when I move my machine, so I don't have to change the cert (and perhaps the certs on the clients) later. Can I move the whole machine later without rolling out new keys if I don't use "--skip-cert" and "--server-cert-path"?
MartinK (ESET Staff), posted December 18, 2018

You can use the parameter "--cert-hostname" to specify the required domain names and aliases. When moving the server / changing the hostname for AGENTs, you have to be sure that the hostname is listed in the certificate, but this is the same for certificates generated automatically as for certificates created outside. There is still the possibility to create a new SERVER certificate before moving to the new hostname -> in case it is signed by the same CA certificate, AGENTs won't have a problem with the connection.
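The two points MartinK makes above (the --server-cert-path file must be a PKCS12 bundle containing both the peer certificate and its private key, and every hostname or alias the agents will connect to must be listed in the certificate) can be checked before running the installer. The following script is an added example, not code from ESET or from this thread: it generates a throwaway self-signed certificate with openssl, packs it into a .pfx file, and then runs a check_pfx function over it. The hostnames, password and paths are made up for the demonstration; the checks themselves are plain openssl operations and do not depend on ERA.

```shell
#!/bin/sh
# Added example (not ESET's code): build a demo PKCS12 peer certificate with
# openssl and verify the properties the installer parameters rely on:
#   1. the path names a file, not a directory (the failure seen in the thread);
#   2. the file parses as PKCS12 with the given password and carries a private key;
#   3. every hostname/alias the agents will use appears as a DNS SAN.
# Hostnames (era.example.internal, era-alias.example.internal) and the password
# are constructed for the demonstration.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

# check_pfx FILE PASSWORD HOST...  -> returns 0 only if every check passes
check_pfx() {
    pfx=$1; pass=$2; shift 2
    if [ ! -f "$pfx" ]; then
        echo "FAIL: '$pfx' is not a file (a directory is not a PKCS12 path)" >&2
        return 1
    fi
    # -nocerts -nodes dumps only the private key; a cert-only bundle, a wrong
    # password or a non-PKCS12 file all end up with nothing to grep.
    if ! openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
            | grep -q 'PRIVATE KEY'; then
        echo "FAIL: '$pfx' is not readable PKCS12 or carries no private key" >&2
        return 1
    fi
    # Extract the certificate and list its SAN entries one per line,
    # e.g. "DNS:era.example.internal".
    sans=$(openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys 2>/dev/null \
            | openssl x509 -noout -ext subjectAltName \
            | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    for host in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qxF "DNS:$host"; then
            echo "FAIL: '$host' is not a DNS SAN in '$pfx'" >&2
            return 1
        fi
    done
    echo "OK: $pfx has a private key and covers: $*"
    return 0
}

# make_demo_pfx DIR PASSWORD HOST ALIAS -> writes DIR/peer.pfx with a
# self-signed certificate whose SANs are HOST and ALIAS (demo data only).
make_demo_pfx() {
    dir=$1; pass=$2; host=$3; alias=$4
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host,DNS:$alias" 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -out "$dir/peer.pfx" -passout "pass:$pass"
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_demo_pfx "$workdir" demo-password era.example.internal era-alias.example.internal

# Passes: file, key present, both the hostname and its alias are SANs.
check_pfx "$workdir/peer.pfx" demo-password era.example.internal era-alias.example.internal
# Fails like the thread: a directory was passed instead of the .pfx file.
check_pfx "$workdir" demo-password era.example.internal || true
# Fails: a hostname the agents would use after a move is not in the certificate.
check_pfx "$workdir/peer.pfx" demo-password era-new.example.internal || true
```

Run it against the real bundle as `check_pfx /path/to/server.pfx 'password' era.example.internal era-alias.example.internal` before pointing --server-cert-path at it; a bundle exported without its private key, or a certificate that lacks the alias name, fails here rather than in the installer.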
Daniel26 (Author), posted December 19, 2018

OK, the installation was fine now. But how do I activate SSL? I tried it as described here, but then I get "connection failed" from the browser. I found this in server.xml:

<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />

and replaced it with:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/root/tomcat.jks" keystorePass="my_password"
           keyAlias="av-cert"/>

I can't find an error in the Tomcat log file. Any hints?

Regards
Daniel
Daniel26 (Author), posted December 19, 2018

OK, got it fixed. It works now.

Regards
Daniel