By: Philip Dalrymple user 22 Oct 2019 at 11:58 a.m. CDT

I installed 4.0 beta (first time sandbox install) and after waiting for it to get started it looks like it worked well (still need to learn how to use GLUU, but got the interface and was able to create a new user who had admin rights). But of course it was a self-signed cert for the web site, so I logged on to the container with `sudo gluu-serverd login`, did a `yum install python-certbot-apache` and then did a `certbot --apache`. This had an error in that a port 80 virt host was not present. I have a process (ansible playbook) that I use to install Let's Encrypt on a NON chroot VM, so I copied the virt host file and tried again; this time it still failed, so I removed the /etc/letsencrypt directory and, seeing as how apache was running, did a `certbot certonly --webroot -w /var/www/html`, which worked like a charm. I checked that I could update the cert and set my standard cron on root to keep the cert up to date. When I edited https_gluu.conf to add

```
#SSLCertificateFile /etc/certs/httpd.crt
#SSLCertificateKeyFile /etc/certs/httpd.key
SSLCertificateFile /etc/letsencrypt/live/<MY FQDN>/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/<MY FQDN>/privkey.pem
```

the root page (at https://<MY FQDN>) had the right certificate BUT GLUU did an OOPS (not even login). I am VERY new to GLUU (and this is the first time I have seen this kind of container), so I am not sure what I am doing wrong. I can blow away the VM and start again without problem. Given that Let's Encrypt is such an easy setup, it might be a good idea to have that as an install option.

By Philip Dalrymple user 25 Oct 2019 at 9:15 a.m. CDT

This is a CentOS based system, not Ubuntu. I just changed the /etc/httpd/conf.d/ssl.conf and, as I expected, the GLUU site is still using the self-signed certs. Gluu uses /etc/httpd/conf.d/https_gluu.conf with a

```
<VirtualHost *:443>
    DocumentRoot "/var/www/html/"
    ServerName gluu-prs9.mdtsoft.com:443
    LogLevel warn
    SSLEngine on
    SSLProtocol -all +TLSv1.1 +TLSv1.2
    SSLHonorCipherOrder On
    SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
    SSLCertificateFile /etc/certs/httpd.crt
    SSLCertificateKeyFile /etc/certs/httpd.key
```

I am going to try again putting my certs in for the ....File lines in the above.
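An added example (not Gluu project code and not part of the original thread): a small Python audit of the TLS directives in an Apache vhost file like the https_gluu.conf above. It skips commented-out lines exactly as httpd does, so it shows which certificate pair is actually active, and it flags the two things a defender would check before restarting httpd after swapping in a Let's Encrypt certificate: a leaf `cert.pem` configured without any chain (assumption: older Apache needs `SSLCertificateChainFile`, or you point `SSLCertificateFile` at `fullchain.pem`, so clients that lack the intermediate see an untrusted chain), and TLS 1.1 still being enabled. The sample config, hostname and paths are constructed for the demonstration.

```python
"""Audit the SSL directives of an Apache <VirtualHost> block.

Constructed example; assumed conventions (not taken from the thread):
  * Let's Encrypt layout: /etc/letsencrypt/live/<fqdn>/{cert,privkey,fullchain}.pem
  * Gluu's default self-signed pair: /etc/certs/httpd.crt and httpd.key
"""
import re

SSL_DIRECTIVES = {"SSLEngine", "SSLProtocol", "SSLCertificateFile",
                  "SSLCertificateKeyFile", "SSLCertificateChainFile"}

# Constructed sample: the vhost after the edit described earlier in the thread
# (default pair commented out, Let's Encrypt leaf cert and key added).
SAMPLE_CONF = """\
<VirtualHost *:443>
    DocumentRoot "/var/www/html/"
    ServerName gluu.example.test:443
    SSLEngine on
    SSLProtocol -all +TLSv1.1 +TLSv1.2
    #SSLCertificateFile /etc/certs/httpd.crt
    #SSLCertificateKeyFile /etc/certs/httpd.key
    SSLCertificateFile /etc/letsencrypt/live/gluu.example.test/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/gluu.example.test/privkey.pem
</VirtualHost>
"""


def parse_vhosts(text):
    """Return [{"name": ..., "directives": {...}}] for every <VirtualHost>.

    Lines starting with '#' are dropped, mirroring httpd, so a commented
    directive never shows up as active. Later duplicates overwrite earlier ones,
    which is also how httpd resolves a repeated SSLCertificateFile.
    """
    vhosts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = {"name": opened.group(1), "directives": {}}
            continue
        if re.match(r"</VirtualHost>", line, re.I):
            if current is not None:
                vhosts.append(current)
            current = None
            continue
        if current is not None:
            parts = line.split(None, 1)
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
            if key in SSL_DIRECTIVES:
                current["directives"][key] = value
    return vhosts


def audit_vhost(vhost):
    """Return a list of human-readable findings for one parsed vhost."""
    d = vhost["directives"]
    findings = []
    if d.get("SSLEngine", "").lower() != "on":
        findings.append("SSLEngine is not on")
    cert, key = d.get("SSLCertificateFile", ""), d.get("SSLCertificateKeyFile", "")
    if not cert or not key:
        findings.append("missing SSLCertificateFile or SSLCertificateKeyFile")
    if cert.startswith("/etc/certs/httpd.crt"):
        findings.append("still serving the default self-signed httpd.crt")
    if cert.endswith("/cert.pem") and "SSLCertificateChainFile" not in d:
        findings.append("leaf cert.pem configured without a chain: "
                        "point SSLCertificateFile at fullchain.pem or add SSLCertificateChainFile")
    # '+TLSv1' or '+TLSv1.1' enabled (but not '+TLSv1.2' / '+TLSv1.3')
    old = re.findall(r"\+(TLSv1(?:\.[01])?)(?=\s|$)", d.get("SSLProtocol", ""))
    if old:
        findings.append("legacy protocol enabled: " + ", ".join(old))
    return findings


if __name__ == "__main__":
    for vh in parse_vhosts(SAMPLE_CONF):
        print(vh["name"], vh["directives"])
        for f in audit_vhost(vh):
            print("  -", f)
```

Run it against the real file with `parse_vhosts(open("/etc/httpd/conf.d/https_gluu.conf").read())` from inside the container; an empty findings list means the active pair is the one you intended and the chain is configured.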

By Philip Dalrymple user 25 Oct 2019 at 10 a.m. CDT

OK, this is getting to be a problem. Now, after trying my certs (known to be good) again, I can't even put an exception in in Firefox. I now get:

> Firefox detected a potential security threat and did not continue to gluu-prs9.mdtsoft.com because this website requires a secure connection. gluu-prs9.mdtsoft.com has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can't add an exception to visit this site. gluu-prs9.mdtsoft.com uses an invalid security certificate. The certificate is not trusted because it is self-signed. Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

By Aliaksandr Samuseu staff 04 Nov 2019 at 10:40 a.m. CST

Hi, Philip. I see you opened another ticket [here](https://support.gluu.org/installation/7622/how-do-i-install-cert-on-the-chroot-version-of-gluu/#at53450) which seems to be effectively on the same issue. I'm closing this one for now, let's use the other one for further discussion.