candeo  
#1 Posted : Sunday, July 13, 2014 11:03:40 PM(UTC)
Hello.
Today I was playing with a free SSL certificate from startssl.com.

I set my server to listen on port 1443 .. and everything works perfectly (I mean connecting from Windows IE, Chrome, Mac Safari and the iPad app.. with Firefox, there are actually some troubles with chain certs.. but not important for me)
Unfortunately the Android client doesn't work.
It immediately closes the connection, just when I press the 'connect as guest' or 'connect as host' button.

I didn't try to set the normal 443 port (no time and the Android phone wasn't mine.. so..)

Scott  
#2 Posted : Tuesday, July 15, 2014 4:00:34 PM(UTC)
Can you connect to your site via your phone's internet browser normally? If you can log in and see your Host page via Chrome or any other Android internet browser, joining a session should prompt you to use the ScreenConnect app and approving the message will let the app take over.
ScreenConnect Team
candeo  
#3 Posted : Tuesday, July 15, 2014 4:19:32 PM(UTC)
Thanks Scott! I'm so dumb.. of course..
I checked it on my son's phone.. and using Chrome, it yells about a bad quality certificate.. or something... if I accept it and try to join a session.. everything goes fine.

My fault. I'll get a better quality (I mean 'paid') SSL certificate soon.
Paul Moore  
#4 Posted : Tuesday, July 15, 2014 5:19:06 PM(UTC)
There's nothing wrong with StartSSL certs. If you're getting errors, that's down to misconfiguration not the 'quality' of the cert.

You've either put the certs in the wrong order, or you have unnecessary roots/chains which break some browsers.

If you can post the error or the URL, it'll be easier to diagnose.

Cheers :)
ScreenConnect Reporting - Collects live & historical information including session times.
http://goo.gl/nrF3e9
candeo  
#5 Posted : Monday, July 21, 2014 5:33:56 PM(UTC)
Thank you Cresona for your reply.

First of all, here's what I did.
I didn't make any nginx or Apache redirections, nor use any of the ScreenConnect SSL scripts, I just simply:
- "bought" a free cert from StartSSL
- decrypted and converted the private key related to that cert with pvktool under Windows
- changed the filenames of the cert and key to 1443.cer and 1443.pvk
- created the httplistener directory in the appropriate place (/opt/screenconnect/App_Runtime/etc/.mono/httplistener) on my Linux server
- ... and put the 1443.cer and 1443.pvk files there
- changed WebServerListenUri in web.config (<add key="WebServerListenUri" value="https://+:1443/" />)
- restarted the SC service

Everything (except Firefox and native SC android app) works like a charm.

Of course, there is a problem with root and intermediate certs, but as long as the developers do not resolve this 'Mono does not currently support a certificate chain and will ignore any intermediate certificates' issue, there's not much we can do.

For now, I'm happy, because I can manually trust the site under the Android native browser, join a session and the ScreenConnect Client works.
Also, I can ignore the Firefox warning, and everything works.

All other browsers work fine. (well.. I didn't test the exotic ones)

Now I only keep my fingers crossed for the great ScreenConnect developers and I believe they will overcome that Mono webserver problem.

Thanks again and have a nice day.

candeo  
#6 Posted : Wednesday, July 23, 2014 1:59:33 AM(UTC)
Originally Posted by: candeo
Now I only keep my fingers crossed for the great ScreenConnect developers and I believe they will overcome that Mono webserver problem.


Well, they actually did it, so please ignore my previous post, because now everything (Mozilla, Android app, Safari and iOS apps, Chrome, IE>=7 and Opera) is working correctly.

Now - the question - How?

Below is a simple tutorial on how I enabled fully operational SSL support on Linux.


What you need
  • First of all, you need a certificate with the private key connected with it.
    Every certificate authority provides a tutorial on how to buy a cert, so just follow the instructions while ordering a cert, and everything should be OK.
  • You also need the openssl package, to get some cert fingerprints, and the PVK package to convert your private key into a form recognized by Mono
  • Last thing - the intermediate certificate. After purchasing the certificate, check your cert provider's homepage for manuals on how to get their intermediate cert file.


Cert formats
  • Make sure you have all files (certificate, private key, and the intermediate cert downloaded later) in PEM format, which looks something like this:

    your private key:
    Code:
    
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: AES-256-CBC,A479C6593FC9D38754A1822BE7402A45
    
    XjSRzEeMovVt7jtqgtw8p8vfiorb38PMW3tVo1ao2ajQVO1BSv/gXR5U1dOLuB4r
    yPQdfbwSfmcc8nkH06lU2a45SENVvUlWeesPh9rsmDuVY0fdNgC9MTDzabRiJW6x
    Zfom1cDds8QJRJ4FIFTNJhRPwXEKZFP03XCULj4PwBEXMQ7eIWwN3m268kEhe03x
    ...
    ...
    ...
    Kt5jCR35u587j6vvzQwXvR7MWCH+3NtSJ2qIHufFWB2b5jH7K7rDFHoouQtkKjsh
    XYbb74BM0PHINfeoOB9Uo++I/8Ng16JwUMniNDQiAcRNzv0jAAnrKCLzQM8J5b8X
    -----END RSA PRIVATE KEY-----

    your cert:
    Code:
    
    -----BEGIN CERTIFICATE-----
    MIIGZDCCBUygAwIBAgIDEZQtMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
    TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
    YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3Mg
    ...
    ...
    ...
    SMnj3KWYEK2bDKxUdfmXy2jPVhQyAmMqXpLWvCjZzGs0OlS20mR96L6rnhBtorKy
    bACfOrmJqx4=
    -----END CERTIFICATE-----

    intermediate certificate:
    Code:
    
    -----BEGIN CERTIFICATE-----
    MIIGNDCCBBygAwIBAgIBGDANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW
    MBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwg
    Q2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2VydGlmaWNh
    ...
    ...
    ...
    p/EiO/h94pDQehn7Skzj0n1fSoMD7SfWI55rjbRZotnvbIIp3XUZPD9MEI3vu3Un
    0q6Dp6jOW6c=
    -----END CERTIFICATE-----



Key conversion
Whether under Linux or Windows, use the PVK tool to convert your key to .pvk format
Code:
pvk.exe -topvk -nocrypt -in your_priv_key.pem -out 443.pvk


Intermediate file preparation
You have to rename the intermediate cert file into the proper form.
First check the fingerprint of the cert
Code:

openssl x509 -fingerprint -noout -in intermediate_cert_file.pem | awk -F= '{gsub(":","") ; print $2}'

That will give you something like this:
F691FC87EFB3135354225A10E127E911D1C7F8CF
Now, rename int_cer_file.pem to tbp-F691FC87EFB3135354225A10E127E911D1C7F8CF.cer
Use the proper hex string you got earlier, of course.

File structure

  • Create (if it does not exist) App_Runtime/etc/.mono/httplistener in your ScreenConnect directory
  • Rename your cert file to 443.cer and put it in httplistener
  • Also, put the 443.pvk file created earlier there
  • The thumbprint file (tbp-(40-characters-hex-string).cer) goes to App_Runtime/etc/.mono/certs/CA


Web.config
As you probably know, you must change WebServerListenUri in the web.config file to something like this:
<add key="WebServerListenUri" value="https://+:443/" />

Restart ScreenConnect service
and that will do the trick

Testing
go to http://www.sslshopper.com/ssl-checker.html and look for errors
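
A pre-restart check of the file layout from post #6, as an added example that is not part of the original thread or ScreenConnect's own tooling. The names `thumbprint`, `check_layout` and `demo` are hypothetical, the sample certificate is constructed, and the rule that the `-nocrypt` key must not be accessible to group or others is an assumption of this example.

```python
import base64, hashlib, re, stat, tempfile
from pathlib import Path

PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def thumbprint(data: bytes) -> str:
    """SHA-1 over the DER bytes, upper-case hex: the 40-character string in tbp-<hex>.cer."""
    m = PEM_CERT.search(data)
    der = base64.b64decode(m.group(1)) if m else data  # no PEM armour: treat as raw DER
    return hashlib.sha1(der).hexdigest().upper()

def check_layout(sc_dir, port=443):
    """Return a list of problems with the file layout described in the post."""
    mono = Path(sc_dir) / "App_Runtime/etc/.mono"
    listener, ca_dir = mono / "httplistener", mono / "certs/CA"
    problems = []
    for name in (f"{port}.cer", f"{port}.pvk"):
        if not (listener / name).is_file():
            problems.append(f"missing httplistener/{name}")
    key = listener / f"{port}.pvk"
    # Assumption of this example: the unencrypted key is for the service account only.
    if key.is_file() and key.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{key.name} is accessible to group/others; chmod 600")
    ca_files = sorted(ca_dir.glob("tbp-*.cer"))
    if not ca_files:
        problems.append("no tbp-<thumbprint>.cer intermediate in certs/CA")
    for f in ca_files:
        want = f"tbp-{thumbprint(f.read_bytes())}.cer"
        if f.name != want:  # file name must carry the SHA-1 of its own content
            problems.append(f"{f.name} should be named {want}")
    return problems

def demo():
    """Build a constructed tree with two deliberate mistakes and audit it."""
    # Constructed sample: arbitrary bytes in PEM armour, not a real certificate.
    pem = (b"-----BEGIN CERTIFICATE-----\n"
           + base64.encodebytes(b"constructed sample, not a real certificate")
           + b"-----END CERTIFICATE-----\n")
    with tempfile.TemporaryDirectory() as d:
        mono = Path(d) / "App_Runtime/etc/.mono"
        (mono / "httplistener").mkdir(parents=True)
        (mono / "certs/CA").mkdir(parents=True)
        (mono / "httplistener/443.cer").write_bytes(pem)
        key = mono / "httplistener/443.pvk"
        key.write_bytes(b"constructed placeholder key")
        key.chmod(0o644)                                        # mistake 1: readable by others
        (mono / "certs/CA/tbp-WRONGNAME.cer").write_bytes(pem)  # mistake 2: wrong thumbprint
        return check_layout(d)

if __name__ == "__main__":
    print("\n".join(demo()))
```

Run `check_layout("/opt/screenconnect", port=1443)` against a real install; an empty list means the files are where the tutorial puts them, not that the chain itself validates.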



