Unable to renew SSL Certificate of ESMC 7.2


Nono

Solved by Nono.

I'll soon reach the end of validity of my Web Console certificate.

But I'm always getting a cipher mismatch "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" in the browser (while I don't get any error in Tomcat).
My SSL certificate provider gave me, for my wildcard:
- Server Certificate (PEM) in .crt format
- Server Certificate (PKCS7) in .p7b
- CA Intermediate Certificate (PEM) in .crt

(I currently have a keystore.jks certificate file.)

I'm generating the .pfx by doing:
openssl pkcs12 -export -nokeys -in intermediate_certificate.crt -in server_certificate.crt -out keystore.pfx

I'm generating the .jks by doing:

keytool -import -trustcacerts -alias server -file server_certificate.p7b -keystore keystore.jks

In both cases, I've adjusted the rights/SELinux types by doing:

chown root:tomcat /etc/tomcat/CERTFILE
chmod 644 /etc/tomcat/CERTFILE
/usr/sbin/semanage fcontext -a -t etc_t /etc/tomcat/CERTFILE
/sbin/restorecon -v /etc/tomcat/CERTFILE

 

 
 
Here are the different configs I tried in /etc/tomcat/server.xml, making sure that SELinux was correctly configured.

Current (working) config, with the old certificate:
    <Connector port="64991"
               protocol="HTTP/1.1"
               SSLEnabled="true"
               maxThreads="150"
               scheme="https"
               secure="true"
               clientAuth="false"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                        TLS_RSA_WITH_AES_128_CBC_SHA256,
                        TLS_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_RSA_WITH_AES_128_CBC_SHA,
                        TLS_RSA_WITH_AES_256_CBC_SHA256,
                        TLS_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_RSA_WITH_AES_256_CBC_SHA"
               keystoreFile="/etc/tomcat/keystore.jks"
               keyAlias="tomcat"
               keystorePass="xxxx"
               />

Using the same with the new .jks file, as well as this config (using a .pfx), gives me the mismatch:

    <Connector port="64991"
               protocol="HTTP/1.1"
               SSLEnabled="true"
               maxThreads="150"
               scheme="https"
               secure="true"
               clientAuth="false"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                        TLS_RSA_WITH_AES_128_CBC_SHA256,
                        TLS_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_RSA_WITH_AES_128_CBC_SHA,
                        TLS_RSA_WITH_AES_256_CBC_SHA256,
                        TLS_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_RSA_WITH_AES_256_CBC_SHA"
               keystoreFile="/etc/tomcat/keystore.pfx"
               keystoreType="PKCS12"
               keystorePass="xxxx"
               />

 

I also tried to update the certificate using the GUI, but ended up with this error as soon as I entered the password (WITHOUT validating!):

[screenshot of the error]

 

Here are my server versions:

ESET Security Management Center (Server), Version 7.2 (7.2.2236.0)
ESET Security Management Center (Web Console), Version 7.2 (7.2.230.0)
Copyright (c) 1992-2020 ESET, spol. s r.o. All Rights Reserved.
CentOS (64-bit), Version 7.8.2003

ESET Staff

Could you please clarify which certificate you are actually trying to renew or replace? Asking because the certificate used by the console (and set in the Apache Tomcat configuration) is different from ESMC's peer certificate, which is used for Agent-to-ESMC communication and set in the configuration via the console; also, both certificates have different requirements and preferred formats.


Hi @MartinK

Indeed, I'm trying to replace the one from Tomcat (to access the web console over https). This is our wildcard "real" SSL Certificate.

Indeed, for the peer certificate, we use a self-signed one generated from the console itself (which will not expire anytime soon).

 

To summarize, I would say that I need to:

1) "Transform" my .crt certificate into either a .pfx or a .jks / .keystore file

2) Get the correct protocol & cipher match in the server.xml configuration in order to "accept" the new certificate.


ESET Staff
10 hours ago, Nono said:

To summarize, I would say that I need to:

1) "Transform" my .crt certificate into either a .pfx or a .jks / .keystore file

2) Get the correct protocol & cipher match in the server.xml configuration in order to "accept" the new certificate.

As I have no experience with using Tomcat with PKCS12-type certificates, I would recommend converting the PFX to JKS. For this, I would use the free utility "KeyStore Explorer", which you can use to edit or create a new JKS keystore.

Once done, just be sure permissions are properly set on the new file. I do not think you have to modify the list of cipher suites.


Hi @MartinK,

I tried to generate 2 keystores with KeyStore Explorer:

1) Including only my Server Certificate

2) Including my Server Certificate + the Intermediate one.

In both cases, I'm still having the CIPHER mismatch error...

Note, I had to remove this entry from server.xml:

keyAlias="tomcat"

(Do you know anyone who has) any idea how I can check my keystore cipher list in order to "correct" the following server.xml entries?:

               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                        TLS_RSA_WITH_AES_128_CBC_SHA256,
                        TLS_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_RSA_WITH_AES_128_CBC_SHA,
                        TLS_RSA_WITH_AES_256_CBC_SHA256,
                        TLS_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_RSA_WITH_AES_256_CBC_SHA"

 


ESET Staff

Unfortunately I have run out of ideas, as there is probably some misunderstanding or some step is not working as expected.

In this case, it might be helpful to use the ESMC 7.2 all-in-one installer to generate a proper configuration, i.e. this:

[screenshot of the all-in-one installer screen for using a custom certificate]

which would require you either to uninstall the console, or even better to install the console just on some testing machine, without any other components, and just migrate the certstore and possibly the server.xml configuration to your production server.


EDIT:

Ok, I finally found the correct "all in one installer" but ended up with:

[screenshot of the error]

 

Hi @MartinK,

I set up a "test server" in order to do that, but when I use the all-in-one installer generated from my production server, there is no screen like the one you showed me to use a custom certificate.

Did I miss something?

Edited by Nono (One step ahead)

I ran into an issue with importing a new cert into the ESET Mobile Device Manager policy where ESMC was not accepting the certificate, stating it was invalid. After working with ESET support we ended up recreating the cert with a different passphrase and the cert was validated. I believe the specific character was a '/'.


11 hours ago, nhesetnod32 said:

I ran into an issue with importing a new cert into the ESET Mobile Device Manager policy where ESMC was not accepting the certificate, stating it was invalid. After working with ESET support we ended up recreating the cert with a different passphrase and the cert was validated. I believe the specific character was a '/'.

Thanks @nhesetnod32; in my case, the passphrase contains only letters & digits, no special chars.

@MartinK, could you point me to (or ping) someone who may help me?


ESET Staff
On 12/4/2020 at 11:02 AM, Nono said:

I set up a "test server" in order to do that, but when I use the all-in-one installer generated from my production server, there is no screen like the one you showed me to use a custom certificate.

Did I miss something?

I am just guessing, but the error indicates that the content of the PFX is not as expected. As this certificate is used to host a service, it has to contain both the public and the private part (the private key). Could you verify this criterion is met? I am looking at the openssl command you used to create the PFX file and I am not sure it actually contains the private key for the certificate, which would be the reason for the failure. It might also explain the original issues, as Tomcat will definitely require the key.

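The check MartinK's reply asks for, and an answer to the earlier question about the keystore's "cipher list", as an added shell example that is not part of the thread and not ESET's or Tomcat's own tooling. It builds the PFX with the private key (the -inkey that the -nokeys commands omitted), verifies that a key entry is present and matches the leaf certificate, and reports the key algorithm, which is what decides which of the server.xml cipher suites Tomcat can offer. File names, the "tomcat" alias and the password are placeholders, and openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a PKCS#12 keystore that
# actually carries the private key and checks it before Tomcat sees it.
# Assumptions (mine): openssl is on PATH; all file names and the
# password are placeholders chosen by the caller.
set -eu

# Build a PKCS#12 keystore from a PEM private key, the server certificate
# and the intermediate chain. "-inkey" is what the thread's "-nokeys"
# commands left out; "-name" sets the alias Tomcat's keyAlias refers to.
build_pfx() {
    key="$1"; cert="$2"; chain="$3"; out="$4"; pass="$5"
    openssl pkcs12 -export \
        -inkey "$key" \
        -in "$cert" \
        -certfile "$chain" \
        -name tomcat \
        -out "$out" \
        -passout "pass:$pass"
}

# Succeed (exit 0) only if the keystore contains a private key entry.
pfx_has_private_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY-----'
}

# Succeed only if the stored private key belongs to the leaf certificate:
# the public key derived from the key must equal the one in the cert.
pfx_key_matches_cert() {
    k=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout 2>/dev/null)
    c=$(openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
        | openssl x509 -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the leaf certificate's key algorithm (e.g. rsaEncryption). The
# suites Tomcat can negotiate follow from this, not from a list stored in
# the keystore: an RSA key serves the TLS_ECDHE_RSA_* and TLS_RSA_* suites
# in the thread's server.xml; an EC key would need *_ECDSA_* suites instead.
pfx_cert_key_algorithm() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null \
        | sed -n 's/.*Public Key Algorithm: //p' | head -n 1
}

# Usage (placeholder paths and password):
#   build_pfx server.key server_certificate.crt intermediate_certificate.crt keystore.pfx 'xxxx'
#   pfx_has_private_key keystore.pfx 'xxxx' && pfx_key_matches_cert keystore.pfx 'xxxx' \
#       && echo "keystore OK, key algorithm: $(pfx_cert_key_algorithm keystore.pfx 'xxxx')"
```

Why the browser error looks like a cipher problem: every suite in the thread's server.xml is an RSA-authenticated suite, so Tomcat's JSSE needs an RSA private key entry to offer any of them. A keystore that holds only certificates leaves it with nothing to offer, the handshake fails on suite selection, and Chrome reports that as ERR_SSL_VERSION_OR_CIPHER_MISMATCH even though the real defect is the missing key. Two practical notes: if the PFX is written with OpenSSL 3 and an older JVM refuses to open it, the `-legacy` export option writes the older PKCS#12 encryption that older Java releases understand; and once the keystore is fixed, the `sslEnabledProtocols` list above still enables TLSv1 and TLSv1.1, which are deprecated (RFC 8996) and rejected by current browsers, so trimming it to TLSv1.2 (plus TLSv1.3 where the JVM supports it) is worth doing.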

Hi @MartinK,

As stated initially, I have only 3 types of certificate from my provider:

- Server Certificate (PEM) in .crt format
- Server Certificate (PKCS7) in .p7b
- CA Intermediate Certificate (PEM) in .crt

So, no private key per se... That's why I used the following openssl commands with "-nokeys".

openssl pkcs12 -export -nokeys -in server_certificate.crt -out keystore.pfx
openssl pkcs12 -export -nokeys -in intermediate_certificate.crt -in server_certificate.crt -out keystore.pfx
openssl pkcs12 -export -nokeys -certfile server_certificate.crt -out keystore.pfx

Please note that the creation of the .pfx file asks me for a password; it's this one I use when I want to import it (and used in the Tomcat config).

Note: I tried without "-nokeys", but ended up with the following error:

unable to load private key
139852820779456:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY

 


Solution

Okay, the problem was on my side.

Indeed, I was missing the private key somehow (it was already generated by a colleague).
