Configuring Xinet HTTPS Connections using Self-Signed Certificates

Overview

You have recently updated to 2021.5 and are struggling with handling the new Forced SSL requirements that were added in recent releases. You want to join Xinet WebNative and Portal using HTTPS, but you don't have an SSL certificate available. When using a self-signed certificate, you encounter issues with Portal not trusting it.

Within the ssl_error_log you may see the following error:

[php7:warn] [pid 34843] [client 192.168.1.114:50795] PHP Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages:\nerror:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed in /usr/etc/portal/PORTAL/libs/PORTALADMIN.obj.php on line 463, referer: https://192.168.1.42/PORTALADMIN/index.php?siteEdit=true&SITEPATH=/var/www/html/M

Solution

The information below is provided as a courtesy for system admins experiencing trouble with self-signed certificates. Support for this process is limited and Xinet Support cannot assist with deviations in the OpenSSL or Apache configurations listed, as they are provided as-is.

Prerequisites

Xinet Server 2021.5 on CentOS 7
Xinet Portal 2021.5 running on CentOS 7 with SSL enabled. (via the Portal installer)

Configuring HTTPS in the Xinet Web Native Server

Log in to the Xinet Server through SSH and elevate privileges as root by running:
```
# sudo -i 
```
As root, install the mod_ssl module:
```
# yum -y install mod_ssl
```

Generate the Self-Signed certificates

Generate private key:
```
# openssl genrsa -out ca.key 2048
```
Generate CSR:
```
# openssl req -new -key ca.key -out ca.csr
```
1. Note: The COMMON NAME (CN) should match the Xinet Server hostname

Generate Self Signed Key:

# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

Copy the files to the correct locations

# cp ca.crt /etc/pki/tls/certs  
# cp ca.key /etc/pki/tls/private/ca.key 
# cp ca.csr /etc/pki/tls/private/ca.csr

Then we need to update the Apache SSL configuration file:
1. Open the Apache SSL configuration file in your preferred editor:
```
# vi +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf
```
2. Change the paths to match where the Key file is stored.
  1. If you've used the method above it will be:
  2. SSLCertificateFile /etc/pki/tls/certs/ca.crt
3. Then set the correct path for the Certificate Key File a few lines below.
  1. If you've followed the instructions above it is:
  2. SSLCertificateKeyFile /etc/pki/tls/private/ca.key
4. Quit and Save the file.
5. Restart Apache:
```
# service httpd restart
```

Configuring Portal to Trust the Self-Signed certificate

Log in to the Xinet Portal through SSH and elevate privileges as root:
```
# sudo -i
```
Forcing the Portal to trust the certificate
1. Locate the cert.pem file (Default CA Root certificate for CentOS7 is on /etc/pki/tls/cert.pem)
```
# locate cert.pem 
# find . -name cert.pem
```
2. Open the cert.pem in your preferred editor.
3. Copy the content of the ca.crt created in the Xinet Server and add it to the end of the cert.pem in the Portal Server.
4. Save and close the cert.pem
Make sure that you are able to connect from Portal to Server using the Xinet Server hostname.
1. You can verify the connectivity by pinging the Xinet Webnative Server from the Terminal of the Xinet Portal server:
```
# ping YourWebNativeServerHostname.localdomain
```
2. Note: If the above command does not reach the correct IP, you can test adding the Portal site as a line in the /etc/hosts file manually using the following format:
```
<ServerIP> <YourWebNativeServerHostname> <YourWebNativeServerHostname.localdomain>
```
Connect the PORTAL using the hostname.
1. From the WebNative Admin navigate to Portal > Add.
2. Enter the Portal Hostname within the URL Field

Additional External Resources

Testing

With the above configuration completed, verify that you can now access the WebNative and Portal sites using the HTTPS protocol.

Choose files or drag and drop files

Tags:

Was this article helpful?

Yes

Priyanka Bhotika
Posted

Comments

Please sign in to comment