Update Opal SSL certificate / SSH tunnel


Tom Bishop

Dec 15, 2021, 8:20:50 AM
to obiba...@googlegroups.com
Hi,

Here is our problem: The SSL certificate for one of our partners has expired. His IT department have configured his laptop so that he cannot visit sites with expired certificates. Therefore he cannot log into Opal UI to update the certificate.

However, he can set up an SSH tunnel to the server. He reports that he can get to the log in page through the tunnel but his credentials don't work ("Authentication failed"). Is it possible that the tunnel causes this, or is there something else going on?

Is there a way of updating the Opal SSL certificate from the command line? I couldn't see a Python command for that. Maybe the certificate can be placed in the file system without the UI?

Thanks

Tom

Yannick Marcon

Dec 15, 2021, 9:48:52 AM
to obiba...@googlegroups.com
Hi,

It is hard to tell, but there are CSRF checks happening and cookies have their own constraints too, so maybe the SSH tunnel does not work well with the UI.

There is no ready-to-use command line, but you can try this one:

echo '{"alias":"https","keyType":"KEY_PAIR","privateImport":"<private key in PEM format>","publicImport":"<public key in PEM format>"}' | opal rest -o https://opal.example.org -u administrator -p xxxxxxx -ct application/json -m PUT /system/keystore

You should also consider using a reverse proxy; with Let's Encrypt it is quite straightforward to have a secure (and free) HTTP server setup.

Regards
Yannick
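
An added example, not part of the original reply and not OBiBa's own code: a small Python helper that builds the JSON body for the `PUT /system/keystore` call above from PEM files, so that the multi-line PEM text is escaped into valid JSON and the private and public parts cannot be swapped by accident. The script name, function names and sample PEM strings are assumptions made for illustration; the field names are the ones in the command above.

```python
import json
import re
import sys

# Constructed placeholders (not real key material) so the block runs offline.
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"

# A PEM block: matching BEGIN/END labels around base64 lines only.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n([A-Za-z0-9+/=\r\n]+?)-----END \1-----"
)


def pem_blocks(text):
    """Return (label, block) for every well-formed PEM block in text."""
    return [(m.group(1), m.group(0)) for m in PEM_RE.finditer(text)]


def build_keystore_payload(private_pem, public_pem, alias="https"):
    """Return the JSON body for PUT /system/keystore as a single line."""
    priv = pem_blocks(private_pem)
    pub = pem_blocks(public_pem)
    if len(priv) != 1 or not priv[0][0].endswith("PRIVATE KEY"):
        raise ValueError("private input must hold exactly one PRIVATE KEY block")
    # Refuse key material in the public field (swapped or combined files).
    if not pub or any(label not in ("CERTIFICATE", "PUBLIC KEY") for label, _ in pub):
        raise ValueError("public input must hold only CERTIFICATE/PUBLIC KEY blocks")
    body = {
        "alias": alias,
        "keyType": "KEY_PAIR",
        "privateImport": priv[0][1] + "\n",
        "publicImport": "\n".join(block for _, block in pub) + "\n",
    }
    # json.dumps escapes the PEM newlines as \n, which a hand-typed echo does not.
    return json.dumps(body)


if __name__ == "__main__":
    # Hypothetical usage: python3 make_payload.py key.pem cert.pem | opal rest ... -m PUT /system/keystore
    if len(sys.argv) != 3:
        sys.exit("usage: make_payload.py <private.pem> <public.pem>")
    with open(sys.argv[1]) as key_file, open(sys.argv[2]) as pub_file:
        print(build_keystore_payload(key_file.read(), pub_file.read()))
```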


Tom Bishop

Dec 15, 2021, 10:05:41 AM
to obiba...@googlegroups.com
Hi Yannick,

Great, thank you. We will give this a try and see if the reverse proxy can be set up.

Cheers,
Tom


Ramin H.A.

Dec 15, 2021, 12:00:17 PM
to obiba...@googlegroups.com
Hi Tom, 

If you are using Apache and are interested, I can send you our reverse proxy setup.

Ramin

Tom Bishop

Dec 15, 2021, 3:08:42 PM
to obiba...@googlegroups.com
Hi Ramin,

Thanks for this kind offer. I will wait and see what the server owner decides to do.

Tom
