Archive for the ‘SSL’ Category

This article describes how to use an existing SSL certificate with Stash. The process involves converting the certificate using OpenSSL, importing it into the Java keystore, and then updating the Stash configuration to use it.

1. First you will need to arrange your certificate in a .pem file. Open Notepad and copy/paste the private key, certificate, intermediate certificate, and root certificate in the following format:
-----BEGIN RSA PRIVATE KEY-----
Private key for yourdomain.com
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
SSL certificate for yourdomain.com
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate certificate from the issuing authority
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root certificate from the issuing authority
-----END CERTIFICATE-----

2. Save the file as “yourdomain.pem”.

3. Open a command prompt and navigate to where you saved the .pem file. Then run the following command:

openssl pkcs12 -export -in yourdomain.pem -out yourdomain.p12

Note: This requires OpenSSL to be installed. If necessary this can be downloaded here.

4. Copy the new .p12 file to the server if it is not already there. Then open a command prompt and run the following to import the certificate into the keystore:

keytool -importkeystore -srckeystore yourdomain.p12 -destkeystore server.jks -srcstoretype pkcs12

You will be prompted for two passwords. Make sure to enter the same password for both and make note of this for later. If keytool is not recognized as a valid command you will have to change directories to the Java JRE bin directory.

5. Edit the server.xml file located in the “conf” directory of your Stash installation directory. Anywhere before the closing tag, enter the following:

<Connector port="8443"
maxHttpHeaderSize="8192"
SSLEnabled="true"
maxThreads="150"
minSpareThreads="25"
maxSpareThreads="75"
enableLookups="false"
disableUploadTimeout="true"
useBodyEncodingForURI="true"
acceptCount="100"
scheme="https"
secure="true"
clientAuth="false"
keystoreFile="C:\server.jks"
keystorePass="MyPassword"
sslProtocol="TLS" />

You may need to update the following values depending on your setup:
keystoreFile: The full path to the .jks keystore file.
keystorePass: The import password you used in step 4.

I did not do any tweaking of the values listed above. They were simply taken from Atlassian’s guide Securing Stash with Tomcat using SSL.

6. Restart the Stash service and test by navigating to the following URL:
https://yourdomain.com:8443

I received this error when trying to complete a certificate request in IIS:
Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

This turned out to be a permissions issue with the following folder:
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

Ensure that the “Administrators” group has full control and the “Everyone” group has the following permissions on this folder only:
List folder / read data
Read attributes
Read extended attributes
Create files / write data
Create folders / append data
Write attributes
Write extended attributes
Read permissions

First you will need to create a .pem file which contains your private key, certificate, and any intermediate/root certificates.

1. Open your preferred text editor and copy/paste your key and certificates in the following order:
Private key
SSL certificate for your domain
Intermediate certificate
Root certificate

The format of your .pem file should look like this:

-----BEGIN RSA PRIVATE KEY-----
Private Key
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
SSL certificate for your domain
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root Certificate
-----END CERTIFICATE-----

Note: If your certificate is in PFX format you will need to split it into separate certificate and key files. Search for a PFX splitter if needed, as there are many tools available for this.

2. Save your file with a .pem extension.

3. Log in to the Coyote Point web interface and select the specific HTTPS cluster on the left.

4. Click the Security tab.

5. Browse to the .pem file created earlier and then click the upload button.

6. Here you should see the details for all certificates in the .pem file. Make sure you see the actual SSL certificate for your domain along with any intermediate/root certificates.

7. Scroll down to the bottom of this window and hit continue.

8. Make sure to test the HTTPS connection to confirm the certificate is working properly.

Sometimes when using a wildcard SSL certificate or Unified Communications Certificate (UCC) it is necessary to add multiple HTTPS host headers for a single IP address. Unfortunately the IIS 7 GUI does not allow you to set a host header on an HTTPS binding; however, this can be achieved using the “appcmd” command.

1. First bind the certificate to one site as normal by adding the HTTPS binding through the IIS GUI.

2. Open a command prompt and navigate to C:\Windows\System32\Inetsrv\ using the command below:

cd C:\Windows\System32\Inetsrv\

3. Enter the following command to manually set the binding, bearing in mind the notes below:

appcmd set site /site.name:"SiteNameInIIS" /+bindings.[protocol='https',bindingInformation='IP.Add.re.ss:443:www.example.com']

Make sure to change the following values in the command above accordingly:

SiteNameInIIS: The site name exactly as it appears in IIS. For instance “example.com”.

IP.Add.re.ss: The IP address used by the site.

www.example.com: The desired hostname. Note that in most cases there will be one binding for www and one for non-www.

Example command:

appcmd set site /site.name:"example.com" /+bindings.[protocol='https',bindingInformation='1.2.3.4:443:www.example.com']

Running the appcmd command from a batch file:

To make this process easier you can use the batch file below. It will prompt you for the site name, IP address, and host header value and then make the appropriate host header change.

Save the code as something like “addsslbinding.bat” and then call it from a command prompt by entering the name of the file (i.e. “addsslbinding”).

@echo off
REM Keep the prompted values local to this script
setlocal
echo Enter site name in IIS:
set /p SiteName=
echo Enter IP address:
set /p IP=
echo Enter host header value (i.e. www.domain.com):
set /p HostHeader=
REM Add an https binding with a host header on port 443 for the given site
C:\Windows\System32\Inetsrv\appcmd set site /site.name:"%SiteName%" /+bindings.[protocol='https',bindingInformation='%IP%:443:%HostHeader%']
endlocal


Sometimes when working with an untrusted third-party root certificate, Windows will automatically delete it. If Windows finds a discrepancy with an intermediate certificate on the server, it will check it against Microsoft's own list of approved certificates. If it does not match, Windows will remove it and log the following in the Application log:

Event ID: 4108
Successful auto delete of third-party root certificate

To disable this feature and keep your root certificate installed you can do the following:
1. Click Start -> Run -> “gpedit.msc” -> OK
2. Double click Administrative Templates -> System -> Internet Communication Management -> click Internet Communication settings
3. Double click “Turn off Automatic Root Certificates Update” -> click Disabled -> OK

1. Click “Install a SSL Certificate and Setup the Domain” under SSL/TLS on the left-hand side. Alternatively you can use the find feature to locate “SSL”.

SSL install in WHM

2. Paste the certificate details in the top text box and then click a blank area on the page. cPanel will auto-fill information, such as the domain and username, based on the certificate text.

Note: If the IP address is shared by multiple domains you will need to set the username to “nobody”.

3. If the key field was auto-filled, delete its contents and paste the matching key.

4. Paste the intermediate or CA file in the last text box.

5. Finally hit the Submit button located towards the top of the page.

6. Test navigating to the domain securely via a browser.

SSL failing after install?

Recently some SSL installs have been failing despite being installed correctly. If this seems to be the case, check the httpd.conf file for something similar to:

ServerName 185331-3.185331.com
DocumentRoot /usr/local/apache/htdocs

Comment out these lines, restart Apache, and test the SSL connection. If it is now working, make sure to run the distiller so this change is not overwritten the next time cPanel is updated:

/usr/local/cpanel/bin/apache_conf_distiller --update --main

You can regenerate the httpd.conf file to verify this was distilled properly:

/scripts/rebuildhttpdconf

Sometimes you will need to install an SSL certificate and the person who ordered it sends in an encrypted key. Here is an example of an encrypted key:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,F6FB1EFE755F8C56
BLAHBBLAHBLAHBLAHBBLAHBLAHBLAHBBLAHBLAH
BLAHBBLAHBLAHBLAHBBLAHBLAHBLAHBBLAHBLAH
-----END RSA PRIVATE KEY-----

In a Linux environment OpenSSL provides an easy way to decrypt this:

openssl rsa -in server.key.secure -out server.key

Make sure to replace “server.key.secure” with the filename of your encrypted key, and “server.key” with whatever you want the decrypted filename to be. If you are prompted for a passphrase, whoever made the key specified one. Unfortunately you will not be able to decrypt the key without the correct passphrase.
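As an added sanity check for the combined .pem files assembled in the Stash and Coyote Point posts above, and for the encrypted key shown here, the following Python script (written for this page, not code from any of the posts or products) parses a .pem bundle, confirms the expected private key / server certificate / intermediate / root order, and flags a passphrase-protected key before it is handed to keytool or uploaded to an appliance. It goes slightly beyond the posts by also recognising the PKCS#8 “ENCRYPTED PRIVATE KEY” label; the sample bundles at the bottom are constructed from placeholder bytes, not real key material.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----", re.DOTALL)

def parse_pem(text):
    """Split a combined .pem into (label, headers, der_bytes) tuples in file order;
    raises ValueError on base64 that does not decode, the usual sign of a mangled paste."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        lines = [ln.strip() for ln in m.group("body").splitlines() if ln.strip()]
        headers = {}
        while lines and ":" in lines[0]:  # RFC 1421 style headers, e.g. Proc-Type, DEK-Info
            key, value = lines.pop(0).split(":", 1)
            headers[key.strip()] = value.strip()
        try:
            der = base64.b64decode("".join(lines), validate=True)
        except ValueError as exc:
            raise ValueError(f"bad base64 in {m.group('label')} block") from exc
        blocks.append((m.group("label"), headers, der))
    return blocks

def check_bundle(text):
    """Return a list of problems; [] means the bundle matches the layout the posts use:
    one unencrypted private key, then the server certificate, then intermediate/root."""
    blocks = parse_pem(text)
    labels = [label for label, _, _ in blocks]
    problems = []
    if not labels or not labels[0].endswith("PRIVATE KEY"):
        problems.append("first block must be the private key")
    if sum(l.endswith("PRIVATE KEY") for l in labels) != 1:
        problems.append("bundle must contain exactly one private key")
    if labels.count("CERTIFICATE") == 0:
        problems.append("server certificate missing")
    elif labels.count("CERTIFICATE") == 1:
        problems.append("only one certificate: intermediate/root chain missing")
    for label, headers, _ in blocks:
        # Traditional OpenSSL keys mark encryption with Proc-Type/DEK-Info; PKCS#8 uses the label.
        if headers.get("Proc-Type", "").endswith("ENCRYPTED") or label.startswith("ENCRYPTED"):
            problems.append(f"{label} is passphrase-protected; decrypt it with openssl rsa first")
    return problems

def _pem(label, payload, headers=()):  # constructed PEM block from placeholder bytes
    body = "".join(h + "\n" for h in headers) + ("\n" if headers else "")
    return f"-----BEGIN {label}-----\n{body}{base64.b64encode(payload).decode()}\n-----END {label}-----\n"

# Constructed sample bundles (placeholder bytes, not real key material), in the posts' order.
CERT_CHAIN = "".join(_pem("CERTIFICATE", b"placeholder-" + n) for n in (b"server", b"intermediate", b"root"))
GOOD_BUNDLE = _pem("RSA PRIVATE KEY", b"placeholder-key") + CERT_CHAIN
ENCRYPTED_BUNDLE = _pem("RSA PRIVATE KEY", b"placeholder-key",
                        ("Proc-Type: 4,ENCRYPTED", "DEK-Info: DES-EDE3-CBC,F6FB1EFE755F8C56")) + CERT_CHAIN
```

Run check_bundle() on the contents of your .pem before step 3 of the Stash procedure or the upload step for Coyote Point; an empty list means the layout is as expected.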