hellbeach Absent Member.

SSL problem with officially signed cert

Hello
I have a large FILR 1.0.1 install in place and we ordered an officially signed certificate for our server from Verisign, but I'm having problems installing the cert.
I followed the instructions in the manual:
https://www.novell.com/documentation/novell-filr1/filr1_inst/data/certificates.html#b14y7pwq

And after rebooting I used a service from Symantec (https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp) to check if the installation was good, but it reports 2 errors.
You can go to the SSL checker on the link above and type in our hostname filr.tirma.se to see the errors.

I have talked to Symantec about this and they were quite helpful, but after looking around in the Filr box through the console (as root) they determined that our system is not configured to run SSL and that it has to be set up to do this before we can get things working...

Linux is not my main expertise so I'm a bit lost on where to go from here, maybe some of you guys can help?

John_Gill
New Member.

Hi,

Below is how I configured my certificate for my Novell Datasync server. Maybe it is the same with Filr. First you need your private CSR file from your server which you send to Verisign or similar. They then create a new certificate for you. You might need 1 or 2 intermediate certificates as well. You then combine these 4 certificates into a "new" certificate which you then use on your system.

As for the SSL question, try this: log in to Filr as "vaadmin" via https://Filr.mycompany.com:9443, then go to "Novell Filr Appliance Configuration". In "Configuration Summary" ---> "Network" you should see "Secure HTTP Port 8443". Report back on your setting and I will see if I can help further.

Regards
John


I hope this helps.
John

sveld1 Absent Member.

For the cert you can use from the command line of the Filr box:

openssl genrsa -des3 -out server.key 2048   # remember the password used!!
openssl req -new -key server.key -out server.csr   # common name is the DNS name of the Filr server
openssl pkcs12 -export -inkey server.key -in mycertificate.crt -certfile intermediateCA.crt -certfile rootCA.crt -out mycert.pfx

From the vaadmin interface:
go to certificates, web application certificates
choose file -> import key pair
point to the generated mycert.pfx, enter the password used in the private key and click 'ok'
now the certificates are imported in the appliance, as a last step we need to activate it and restart filr.

To file Filr from port 443 instead of 8443 enable port redirecting in the appliance management console at port 9443. Go to Novell Filr Appliance Configuration > Network > Enable 'Port redirection'. This sets the appliance up to redirect 443 internally to 8443. Also configure 'Reverse Proxy' and set the field 'host' to 'filr.tirma.se', this way all email messages will contain the right URL information. Then also at this same page set 'Reverse proxy secure http port' to 443.

Best regards, Sebastiaan Veld

hellbeach Absent Member.

Thanks John and Sveld for trying to help.

Ok, if I'm going to try making this the manual way:
openssl pkcs12 -export -inkey server.key -in mycertificate.crt -certfile intermediateCA.crt -certfile rootCA.crt -out mycert.pfx

Where/how do I get rootCA.crt from?

hellbeach Absent Member.

oh, and by the way,
port redirecting and reverse proxy is turned on..

John_Gill
New Member.

I don't think you require the rootCA.crt. Essentially you "cat" or combine the following files:
#cat server.key verisign.crt intermediate1.crt (intermediate2.crt) > mycert.pfx
Then install the mycert.pfx into Filr. I then use a site called SSL Digital Certificate Authority - Encryption & Authentication to test your certificate installation. If there are issues, the site will help pinpoint the faulty certificate in the chain.

John

hellbeach Absent Member.

The site you recommended for checking the SSL basically gives me the same error message; that there is something wrong with my intermediate certs.
Just to clarify, if I use Filr web management, where should I install the intermediate certs:
1. Digital certificates -> JVM certificates
or
2. Digital certificates -> Web application certificates

John_Gill
New Member.

Perhaps try switching the intermediate certificates or using only one intermediate certificate. I spent many hours trying to work out certificate installations, but I am still mostly confused.

hellbeach Absent Member.

I tried your tips: "Essentially you "cat" or combine the following files: #cat server.key verisign.crt intermediate1.crt (intermediate2.crt) > mycert.pfx Then install the mycert.pfx into Filr."

I still get the same error, I attached a screenshot of my cert management.

John_Gill
New Member.

Hi,

I tested your site filr.timra.se on port 443 and 80 and this is the error I received. The certificate is not signed by a trusted authority (checking against Mozilla's root store). If you bought the certificate from a trusted authority, you probably just need to install one or more Intermediate certificates. Contact your certificate provider for assistance doing this for your server platform.

So my suggestion is to "cat" the certificate again with a different combination of intermediate certificate(s). Check on the Verisign site, perhaps there are different intermediate certificates for "apache". Sometimes you can find a "bundle certificate" which is a collection of intermediate certificates.

Hope this helps 🙂

hellbeach Absent Member.

I got it sorted using Sveld's tip:
openssl genrsa -out server.key 2048   # I didn't use des3 and I didn't put a password
openssl req -new -key server.key -out server.csr   # common name is dns name filr server
openssl pkcs12 -export -inkey server.key -in mycertificate.crt -certfile intermediateCA.crt -out mycert.pfx   # I used an intermediate bundle with intermediate and root cert

Works like a charm, thank you !!

And to Novell: Your web interface sucks hairy balls ! You have cost me many hours ! Get your **** together !
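
The checks behind the fix in the post above, as an added example that is not part of the original thread: it builds a constructed root, intermediate and server certificate with openssl, then confirms that the key matches the certificate, that the chain verifies only when the intermediate is supplied, and that the PKCS#12 file carries all three certificates. The CA names, filr.example.com, the demo-only password and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example. Every name, subject and password below is constructed for the demo.
set -eu

build_demo_pki() {  # $1 = empty working directory
  cd "$1"
  # Constructed two-tier CA standing in for the commercial CA's root and intermediate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
    -keyout root.key -out rootCA.crt 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout int.key -out int.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  openssl x509 -req -in int.csr -CA rootCA.crt -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 30 -out intermediateCA.crt 2>/dev/null
  # Server key and CSR as in the thread; the demo intermediate signs the CSR.
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -key server.key -subj "/CN=filr.example.com" -out server.csr
  openssl x509 -req -in server.csr -CA intermediateCA.crt -CAkey int.key \
    -CAcreateserial -days 30 -out mycertificate.crt 2>/dev/null
  # pkcs12 keeps only the last -certfile, so chain certificates go into one file.
  cat intermediateCA.crt rootCA.crt > bundle.crt
}

key_matches_cert() {  # $1 = private key, $2 = certificate
  [ "$(openssl pkey -in "$1" -pubout | openssl sha256)" = \
    "$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)" ]
}

chain_is_complete() {  # $1 = trusted root, $2 = certs the server sends, $3 = leaf
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

make_pfx() {  # $1 = chain file, $2 = output PKCS#12
  openssl pkcs12 -export -inkey server.key -in mycertificate.crt \
    -certfile "$1" -passout pass:demo-only -out "$2"
}

pfx_cert_count() {  # $1 = PKCS#12 file
  openssl pkcs12 -in "$1" -passin pass:demo-only -nokeys 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

work=$(mktemp -d)
build_demo_pki "$work"
key_matches_cert server.key mycertificate.crt && echo "key matches certificate"
chain_is_complete rootCA.crt bundle.crt mycertificate.crt && echo "bundle: chain verifies"
chain_is_complete rootCA.crt rootCA.crt mycertificate.crt || echo "no intermediate: chain fails"
make_pfx bundle.crt mycert.pfx
echo "certificates in mycert.pfx: $(pfx_cert_count mycert.pfx)"
```

With real files, the same three checks can be run against the issued certificate and the CA's intermediate bundle before importing the .pfx into the appliance.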

sveld1 Absent Member.

Good to hear, thx for letting us know it works for you.
Have a nice weekend:)

Best regards, Sebastiaan Veld