
--server-cert-path at new ERA server installation



Hello,

 

I am trying to install a new ERA Management Server on Debian Stretch.

After some problems because of the database (mysql instead of MariaDB, correct version of mysql, correct version of ODBC and so on) the DB seems to be OK. But the installation struggles at the certificate. I used the switches "--skip-cert", "--cert-hostname" and "--server-cert-path=/etc/ssl/certs/".

Our certificate is located at /etc/ssl/certs/, but the installation says: "Storing server peer certificate to configuration ... failure"

That's what I found in the installation log:

    2018-12-18 15:04:28 Error: ConfigInsertCertificate: Server peer certificate path is not correct. Provided path - '/etc/ssl/certs/'
    2018-12-18 15:04:28 Information: Installer: Failed storing peer certificate.
    2018-12-18 15:04:28 Information: Installer: Error: : Error occurred while storing peer certificate

The same happens if I provide the path and the name of the certificate.

 

What am I doing wrong here?

 

Regards

 

Daniel

 


  • ESET Staff

The mentioned parameters are used either to generate a new peer certificate for the ERA/ESMC server or to re-use an existing one. This certificate will be used for AGENT-to-SERVER connections, not as the HTTPS certificate for the console.

In this specific case, the parameter --server-cert-path is expected to contain the path to a certificate in PFX/PKCS12 format, containing the peer certificate and the private key for this certificate. I would consider this parameter to be advanced, and my recommendation is to generate a new certificate (i.e. do not use --skip-cert): at any time later it is possible to change those certificates or generate new ones. There is a simple example of such an installation in the documentation.

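As an added example (not code from the thread or from ESET), a small preflight check in Python for the value handed to --server-cert-path: it rejects a directory, which is exactly the case in the installation log above, rejects a PEM file, and confirms the file has the outer PKCS#12/PFX structure (version 3, pkcs7-data authSafe) that the reply says the installer expects. The function names and the sample bytes are my own constructions; the sample is only the PFX shell, with no key material inside.

```python
import tempfile
from pathlib import Path

PKCS7_DATA_OID = bytes.fromhex("2a864886f70d010701")  # 1.2.840.113549.1.7.1, pkcs7-data

def _tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def check_pfx_bytes(data):
    """Check the outer PFX shell (RFC 7292): SEQUENCE { INTEGER 3, authSafe ContentInfo, ... }."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "PEM file, expected PKCS#12/PFX"
    try:
        tag, start, _ = _tlv(data, 0)
        vtag, vs, ve = _tlv(data, start)
        if tag != 0x30 or vtag != 0x02 or data[vs:ve] != b"\x03":
            return "not a SEQUENCE starting with INTEGER version 3"
        seq_tag, vs, _ = _tlv(data, ve)       # authSafe ContentInfo
        oid_tag, os_, oe = _tlv(data, vs)     # its contentType OID
        if seq_tag != 0x30 or oid_tag != 0x06 or data[os_:oe] != PKCS7_DATA_OID:
            return "authSafe is not a pkcs7-data ContentInfo"
    except IndexError:
        return "truncated DER"
    return "ok"

def check_server_cert_path(path):
    """Preflight for --server-cert-path: must be a regular PKCS#12 file, not a directory or PEM."""
    p = Path(path)
    if not p.exists():
        return "path does not exist"
    if p.is_dir():
        return "path is a directory, expected a PKCS#12 file"
    return check_pfx_bytes(p.read_bytes())

def build_sample_pfx_shell():
    """Constructed sample: PFX outer structure with an empty pkcs7-data authSafe (no key material)."""
    der = lambda tag, body: bytes([tag, len(body)]) + body  # short-form lengths suffice here
    auth_safe = der(0x30, der(0x06, PKCS7_DATA_OID) + der(0xA0, der(0x04, b"")))
    return der(0x30, der(0x02, b"\x03") + auth_safe)

def demo():  # a directory (the poster's case), a PEM file, and the constructed PFX shell
    with tempfile.TemporaryDirectory() as d:
        Path(d, "server.pem").write_bytes(b"-----BEGIN CERTIFICATE-----\n")
        Path(d, "server.pfx").write_bytes(build_sample_pfx_shell())
        paths = {"dir": d, "pem": Path(d, "server.pem"), "pfx": Path(d, "server.pfx")}
        return {k: check_server_cert_path(p) for k, p in paths.items()}
```

A real PFX that passes this check still needs the private key bag inside it; the shell check only catches the path and format mistakes that the installer log reports.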

I want to use my own certificate because perhaps I will have to move the ERA server to another data center in the future, so the domain name changes. My certificate also includes an alias hostname which doesn't change when I move my machine, so I don't have to change the cert (and perhaps the certs on the clients) later.

 

Can I move the whole machine later without rolling out new keys if I don't use "skip-cert" and "server-cert-path"?

 

 


  • ESET Staff

You can use the parameter "--cert-hostname" to specify the required domain names and aliases. When moving the server / changing the hostname for AGENTs, you have to be sure that the hostname is listed in the certificate, but this is the same for certificates generated automatically as for a certificate created outside. There is still the possibility to create a new SERVER certificate before moving to the new hostname -> in case it is signed by the same CA certificate, AGENTs won't have a problem with the connection.


OK, the installation is OK now.

But how do I activate SSL? I tried it as described here, but then I get "connection failed" from the browser.

 

I found in server.xml:

    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />

and replaced it by:

    <Connector port="443"
               protocol="HTTP/1.1"
               SSLEnabled="true"
               maxThreads="150"
               scheme="https"
               secure="true"
               clientAuth="false"
               sslProtocol="TLS"
               keystoreFile="/root/tomcat.jks"
               keystorePass="my_password"
               keyAlias="av-cert"/>

I can't find an error in the Tomcat logfile.

 

Any hints?

 

Regards

 

Daniel

 
