Issue renewing SSL certificate on OPAL server

Kenneth Davids

Aug 15, 2024, 5:59:21 AM
to obiba-users
Hi,

I have tried to renew the SSL certificate for OPAL using the Admin page.
After entering the required private and public key I restarted the OPAL server.

Something is wrong now - I am no longer able to use HTTPS and so cannot get to the Admin page to try again.
The message in Firefox when I try to open OPAL using HTTPS:

Secure Connection Failed

An error occurred during a connection to <our OPAL URL:port>. Peer's certificate has an invalid signature.

(<our OPAL URL:port> added by me - the URL is valid)

I also tried to reopen port 8080 in the OPAL.Config file and use HTTP to get to the UI. This allows me a connection to OPAL but logging in seems to timeout (?)

Is there a specific location on the server where I can check and/or replace the SSL certificate? If there is none - how would I go about fixing this issue?

Best regards,
Kenneth

Yannick Marcon

Aug 21, 2024, 3:07:52 AM
to obiba...@googlegroups.com
Hi,

If HTTP is not responding, it is probably because of a firewall rule on your network; otherwise, please provide the error message from the log.
Then you should access opal from the localhost and run this command:

opal rest -o http://localhost:8080 -u <admin user name> -p <admin user password> -m DELETE /system/keystore/https

and restart opal, it will recreate a default self-signed key pair.

This being said, it is recommended to not expose opal directly on the network and to use a reverse proxy instead (such as apache2 or nginx or traefik etc.): these have much more features for network things (protocols, ciphers, certificates, redirect etc.) and are more up to date with security aspects.

Regards
Yannick


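As an added example (not code from this thread or from the OBiBa project), a POSIX shell script with the pre-flight checks worth running on a renewed key pair before pasting it into the Opal admin page: the private key must match the certificate, the certificate must verify against its CA bundle, and it must not be about to expire. It needs the openssl CLI; all file names and the throwaway demo key material are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OBiBa project.
# Pre-flight checks for a renewed TLS key pair before it is uploaded to Opal.
# Requires the openssl CLI. All file names are assumptions.

# 0 when the private key ($1) and the certificate ($2) carry the same public key.
# A mismatched pair is a common cause of handshake/signature errors in the browser.
keypair_matches() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  crt_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ "$key_pub" = "$crt_pub" ]
}

# 0 when the certificate ($1) verifies against the CA bundle ($2), i.e. the issuing
# intermediate(s) and root. For a self-signed certificate pass the certificate itself.
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 when the certificate ($1) is still valid $2 seconds from now.
not_expiring_within() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Runs all three checks on key $1, certificate $2, CA bundle $3; returns 0 only if all pass.
preflight() {
  keypair_matches "$1" "$2" || { echo "FAIL: private key does not match $2"; return 1; }
  chain_verifies "$2" "$3" || { echo "FAIL: $2 does not verify against $3"; return 1; }
  not_expiring_within "$2" 2592000 || { echo "FAIL: $2 expires within 30 days"; return 1; }
  echo "OK: $1 / $2 are consistent and ready to import"
}

# --- constructed demo material: a throwaway self-signed pair plus an unrelated key ---
demo_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=opal.example.test" \
  -keyout "$demo_dir/good.key" -out "$demo_dir/good.crt" >/dev/null 2>&1
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$demo_dir/other.key" >/dev/null 2>&1

# Self-signed, so the certificate is its own CA bundle here.
preflight "$demo_dir/good.key"  "$demo_dir/good.crt" "$demo_dir/good.crt"          # OK
preflight "$demo_dir/other.key" "$demo_dir/good.crt" "$demo_dir/good.crt" || true  # FAIL: key mismatch
```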

Kenneth Davids

Aug 21, 2024, 5:39:12 AM
to obiba-users
Thanks Yannick,

Reverting back to the self-signed certificate worked out for re-enabling HTTPS -- our new certificate is now in place :)
All the real networking stuff will be handled by our infra boys...

Thanks again!

Best regards,
Kenneth

On Wednesday, 21 August 2024 at 09:07:52 UTC+2, Yannick Marcon wrote:

Kenneth Davids

Aug 22, 2024, 9:57:13 AM
to obiba-users
Hi Yannick,

This morning I noticed Agate and MICA are also not using the new SSL certificate.

I got Agate to work by importing the private and public key info, like I did in OPAL.

However MICA won't let me into the /#admin/admin/general screen when I log on as an administrator.
For a very brief moment the form/page is there and then it goes to the "Error page!" showing only: Bad Request (400)

In the mica2 log I see lines like:

2024-08-22 15:52:41,300 WARN  org.obiba.mica.micaConfig.service.MicaConfigService - Someone tried to use an invalid key [486dcf174xxxxxxxxxxx43aec84f6d]
2024-08-22 15:52:41,305 WARN  org.obiba.mica.web.rest.IllegalArgumentExceptionMapper - IllegalArgumentException caught in IllegalArgumentExceptionMapper
java.lang.IllegalArgumentException: Given key is invalid

What is the issue here and how can I get to the General settings screen?

thanks in advance,
Kenneth

On Wednesday, 21 August 2024 at 11:39:12 UTC+2, Kenneth Davids wrote: