Sean  
#1 Posted : Wednesday, June 5, 2013 10:32:23 AM(UTC)
Quote:
Do you have any tips for setting up an SSL certificate on an Ubuntu install?

Currently, we are building a tool to assist with SSL over Linux, and we hope to make this available very soon. I have created a basic outline describing the process and hopefully giving you some direction until we can automate this thing.

Basically, what you need to do is import the certificate and the private key using Mono’s httpcfg tool http://manpages.ubuntu.com/manpages/gutsy/man1/httpcfg.1.html.

The only problem is that httpcfg wants the private key in the Windows proprietary format .PVK, and we’ve had problems trying to get openssl to convert .PEMs into .PVKs. The one way we could get it to work was by downloading a PVK converter http://www.drh-consultancy.demon.co.uk/pvk.html for Windows. We had to convert the .PEM file to a .PVK on a Windows machine, and then copy it over to our Linux machine before httpcfg would work okay. So if you have a Windows machine available to you, I think this is an option.

Another tactic is to use a reverse proxy, as described by one of our customers here:
Quote:


  • I left the default port for the webUI on port 8040.
  • I then installed NGINX on my server and configured a reverse proxy set up with the SSL installed, using port 443 going to 127.0.0.1:8040. So it’s like HTTPS -> [NGINX -> 127.0.0.1:8040]
  • I also changed the relay port 80 (we only allow certain ports out)

My test set up is working perfectly, so we’re really happy so far.


ScreenConnect Team

frankg  
#2 Posted : Wednesday, July 10, 2013 1:41:57 PM(UTC)

Here's my config if it helps anyone.

Code:

server {
    # Plain-HTTP listener: redirects every request to the HTTPS site (the path is not preserved)
    listen 80;
    server_name your.domain.com;
    rewrite ^/(.*) https://your.domain.com permanent;
}

server {
    listen 443;
    # "ssl on;" is the older syntax; newer nginx releases use "listen 443 ssl;" instead
    ssl on;
    ssl_certificate /ssl_folder/your.domain.com.crt;
    ssl_certificate_key /ssl_folder/your.domain.com.key;
    server_name your.domain.com;
    location / {
        # Forward decrypted traffic to the web UI listening on the loopback interface
        proxy_pass http://127.0.0.1:8040/;
        proxy_redirect off;
        # Pass the original host name and client address to the backend
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_max_temp_file_size 0;
        client_max_body_size 50m;
        client_body_buffer_size 256k;
        proxy_connect_timeout 180;
        proxy_send_timeout 180;
        proxy_read_timeout 90;
        proxy_buffer_size 16k;
        proxy_buffers 4 64k;
        proxy_busy_buffers_size 128k;
        proxy_temp_file_write_size 128k;
    }
}





This config will automatically redirect http to https requests.

Also make sure you have 8040 blocked on your firewall as well so the server isn't accessible on that port.



npsupport  
#3 Posted : Sunday, October 13, 2013 1:53:20 PM(UTC)

Sorry to seem dim but is this a config snippet for using reverse proxy?
bradyosborne  
#4 Posted : Thursday, November 7, 2013 1:09:54 AM(UTC)

Anybody had success configuring Apache to do this? I gave it a run but was not successful with it.
hanslitester  
#5 Posted : Thursday, October 15, 2015 9:00:14 AM(UTC)

Hi,

Did anyone ever succeed with installation of an existing certificate on a Linux machine? I've been pulling my hair out for days now. It seems my certificate is not compatible with ScreenConnect. Maybe because it's a multidomain certificate.

The manuals I found are not describing my scenario: Having a certificate and no Windows machine.

I tried to extract stuff using OpenSSL... but.

Any help is highly welcome.

Cheers!

Edit1: I tried that, but website won't show up: http://us.informatiweb.n...d-a-cer-certificate.html
Edit2: "443.cer and 443.pvk belong in the directory /opt/screenconnect/App_Runtime/etc/.mono/httplistener/"... this directory does not exist!!


Scott  
#6 Posted : Thursday, October 15, 2015 1:23:16 PM(UTC)
Quote:
Edit2: "443.cer and 443.pvk belong in the directory /opt/screenconnect/App_Runtime/etc/.mono/httplistener/"... this directory does not exist!!


I don't believe this directory exists by default but you can just create it and place the two certificate files inside.
ScreenConnect Team
hanslitester  
#7 Posted : Thursday, October 15, 2015 2:26:18 PM(UTC)

Created folder, moved 443.cer and 443.pvk there. Not working. Question: I have SSL cert from SwissSign.com (server gold) for multidomain (i.e. 20 doms). Could it be possible that this can not work?
Scott  
#8 Posted : Thursday, October 15, 2015 5:03:04 PM(UTC)
I'm not sure, but I do know that we have quite a few people using a wildcard cert without any problem so I doubt that's the issue.

At this point I'd recommend reaching out to our Support team as someone would probably need to take a direct look.
ScreenConnect Team
hanslitester  
#9 Posted : Friday, October 16, 2015 8:40:58 AM(UTC)

Done that. My case is/was really strange:

1. If you got a multidomain certificate (delivered from CA as PKCS#12 container file) and you're using a Linux server running SC via Mono then:
2. Take the p12 file, extract private key (using OpenSSL 1.x)
3. Take the p12 file, extract certificate (using OpenSSL 1.x)
4. Convert private key to Microsoft PVK key file
5. Rename the .cer and .pvk to 443.cer and 443.pvk and upload it to the corresponding directory on the server
6. My chain file consists of 3 keys (the chain to the root cert). Use a text editor, split this file up into 3 files, convert them to DER (3 times), replace file-name with fingerprint (using again OpenSSL) accordingly and upload them again to the CA dir within SC
7. Tweak webconfig & restart SC

I needed a Linux machine in order to get conversions right.

Now there's still this old Mono issue about PoodleSSLv3, PoodleTLS attack, as well as the BEAST mitigation problem open. PoodleSSLv3 is possible to deactivate within Mono.

Even the port 80 to 443 redirection works on 5.3 like a charm.

Thanks a lot!
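
Step 6 of the procedure above (split the chain file, convert each certificate to DER, name each file after its fingerprint), written as an added Python example that is not part of the original post and is not ScreenConnect's code. It assumes SHA-1 fingerprints in uppercase hex and a `.cer` extension, which should be checked against what the target CA directory expects; the sample chain is built from constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re
import textwrap

# Matches only CERTIFICATE blocks, so private-key blocks and the
# "Bag Attributes" text that `openssl pkcs12` writes are skipped.
CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def split_chain(pem_text):
    """Return the DER bytes of each certificate in a concatenated PEM file."""
    ders = []
    for match in CERT_BLOCK.finditer(pem_text):
        b64 = "".join(match.group(1).split())       # drop line breaks
        der = base64.b64decode(b64, validate=True)  # PEM body is base64(DER)
        if not der.startswith(b"\x30"):             # a DER cert is an ASN.1 SEQUENCE
            raise ValueError("block does not decode to a DER SEQUENCE")
        ders.append(der)
    return ders

def fingerprint(der):
    """SHA-1 over the DER bytes, as `openssl x509 -fingerprint -sha1` computes."""
    return hashlib.sha1(der).hexdigest().upper()

def chain_to_files(pem_text, ext=".cer"):
    """Map '<fingerprint><ext>' (assumed naming) to DER bytes per certificate."""
    return {fingerprint(der) + ext: der for der in split_chain(pem_text)}

def make_pem(label, der):
    """Helper for the constructed sample: wrap bytes as a PEM block."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed placeholder bytes, NOT real certificates (only the 0x30 tag is real).
SAMPLE_DERS = [b"\x30\x82" + bytes([i]) * 90 for i in (1, 2, 3)]
SAMPLE_CHAIN = (
    "Bag Attributes\n    localKeyID: 01 02 03\n"
    + make_pem("PRIVATE KEY", b"\x30\x82" + b"\xff" * 40)
    + "".join("subject=CN = placeholder\n" + make_pem("CERTIFICATE", d)
              for d in SAMPLE_DERS)
)

if __name__ == "__main__":
    for name, der in chain_to_files(SAMPLE_CHAIN).items():
        print(name, len(der), "bytes")
```

Because the splitter ignores everything outside `CERTIFICATE` blocks, a PEM dump that still contains the private key does not leak that key into the CA directory.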