ssl_connect failed


sarge

Jul 20, 2022, 6:07:09 AM
to RCDevs Security Solutions - Technical
Hello, I'm using a domain name as a link in the credential provider, and using a custom certificate.
Even if I add a custom crt file with the key when installing the credential provider, I'm getting the error "ssl_connect failed" in the log file...
Then I remove the ca_file record from the registry and everything starts to work normally.
Well, my question would be: tell me please, is there any way to force the credential provider to use a custom certificate by default? Maybe it can be done only via silent install? Or should I create a GPO rule that will remove the ca_file record?

Yoann Traut (RCDevs)

Jul 20, 2022, 10:38:09 AM
to RCDevs Security Solutions - Technical
Hello,

Custom certificates on WebADM and WAProxy are used for HTTPS 443 access (Admin and webApps accesses).
Web services like OpenOTP use a certificate issued by the WebADM internal PKI, which is webadm.crt and webadm.key located in the /opt/webadm/pki/ folder. This certificate must NEVER be replaced by a certificate issued by another CA, else you will encounter issues.
It is useless to do that because it does not increase security. If you put a publicly trusted certificate here, then all certificates issued by that public CA could be presented to the OpenOTP API and access will be allowed based on CA trust, which is finally less secure than using the WebADM internal PKI because you have no control over certificates issued by public CAs.

If you would like to use certificates generated by another/your internal PKI, for example, then you have to reconfigure WebADM as a subordinate of your internal CA and re-issue all certificates of all products already deployed where a certificate has been issued by the WebADM PKI (Radiusd, LDProxy, WAProxy, WebADM, Spankey...), else you will have issues. So I clearly discourage you from going that way as it doesn't involve any security improvement and there are a lot of impacts behind it.

Here is the documentation to configure WebADM as a subordinate CA:

The latest WebADM versions now prompt you in the setup script with the possibility to configure WebADM as a Sub-CA:

Setup WebADM as a Standalone CA (1) or Subordinate CA (2) ([1]/2)? To configure WebADM as a Subordinate CA, you need to copy your Sub-CA certificate and key as PEM format in /opt/webadm/pki/ca/ca.crt and /opt/webadm/pki/ca/ca.key 


Regards

sarge

Jul 21, 2022, 1:04:40 AM
to RCDevs Security Solutions - Technical
Hello, thank you for the information, I will try to set up WebADM as a Subordinate CA.

sarge

Jul 21, 2022, 6:22:39 AM
to RCDevs Security Solutions - Technical
Hello, I did everything by the manual, and WebADM works great. There is another problem: to make the credential provider work normally I should use a custom certificate with the private key included (I tried to use the public key and am getting the error "unable to use private key"). I checked webadm.log, but there is no error at all, it is like the connection is not even reaching the server. Tell me please, can it be something on the Cloudflare side, or maybe it is something to do with the credential provider?

Tarik Rachdani

Jul 21, 2022, 11:51:22 AM
to RCDevs Security Solutions - Technical
Hello,

If I understood your question correctly, you can publicly expose the OpenOTP API through a reverse proxy (WAProxy):
Or you can use the CP in offline mode (recommended).

Regards,

sarge

Jul 22, 2022, 1:04:00 AM
to RCDevs Security Solutions - Technical
Hello, thank you for the information. I did turn on publish from the start, I guess the problem was with Cloudflare, for some reason Cloudflare didn't want to pass through the connection from the CP with the certificate.
I did a silent install without specifying a .crt file, and everything started to work.

Yoann Traut (RCDevs)

Jul 27, 2022, 8:18:39 AM
to RCDevs Security Solutions - Technical
Hello,

This is probably because the Cloudflare reverse proxy is the endpoint of your CP communications and the certificate presented by Cloudflare is not a certificate issued by the WebADM PKI, so the SSL connection cannot be negotiated.

Regards

sarge

Jul 27, 2022, 8:24:24 AM
to RCDevs Security Solutions - Technical
Hello, thanks for the information, it was Cloudflare's fault, without the crt authorization works.

sarge

Aug 4, 2022, 4:27:13 AM
to RCDevs Security Solutions - Technical
Hi, I am still trying to get a custom certificate to work with the Cloudflare reverse proxy.
I've added a custom cert to Cloudflare, and made the config on the server so the credential provider would get the same certificate as Cloudflare, but I am still getting the same error "SSL_connect failed". Can it be something with the credential provider and the CP not using the needed certificate?

sarge

Aug 4, 2022, 8:03:03 AM
to RCDevs Security Solutions - Technical
To be precise, I just want to replace the self-signed cert with mine, so I can bypass Cloudflare and access the server from the credential provider.

Yoann Traut (RCDevs)

Aug 4, 2022, 9:12:42 AM
to RCDevs Security Solutions - Technical
Hello,

The CP client certificate cannot be a certificate not issued by WebADM.
Reverse proxies other than our WAProxy cannot be used to publish the OpenOTP SOAP APIs without specific configuration done on the reverse proxy.

Regards

sarge

Aug 4, 2022, 9:15:45 AM
to RCDevs Security Solutions - Technical
Thank you for the information, next I will try to configure the reverse proxy or start WAProxy.

sarge

Aug 5, 2022, 8:05:59 AM
to RCDevs Security Solutions - Technical
One more question: should WAProxy work not only with web services but also with the credential provider? I configured WAProxy, but the CP installer says: "The installer was not able to fetch the server configuration. Please make sure the WebADM url is correct." I did enable Publish on WAProxy in the authentication settings, as I did for self-service, and enabled publish_websrvs Yes. Self-service is OK, I can log in and do stuff, but the CP refuses to install.

Yoann Traut (RCDevs)

Aug 5, 2022, 11:47:38 AM
to RCDevs Security Solutions - Technical
Hello,

Not sure the CP setup is implemented through WAProxy, we will check.
Generally, what customers are doing is the following:

Set up a DNS entry for the MFA service (e.g. mfa.rcdevs.com) behind a load balancer which manages the failover, for example.
Then, when you are in the LAN, the request is routed internally; when you are on the WAN, the request is routed through the internet and passes through the WAProxy servers. The CP setup is generally performed in the LAN network. If it is not the case on your side, I can check with the dev team if this could be implemented as it is probably not a big change for us.

Regards

sarge

Aug 8, 2022, 1:26:09 AM
to RCDevs Security Solutions - Technical
Hi, thank you for the information.
The company has many laptops, and employees often work out of the office; in general, MFA is needed for outside protection. So the CP needs to access the MFA server from the WAN. The bosses want to protect the MFA server behind the Cloudflare reverse proxy to avoid possible DDoS attacks. Only one problem: Cloudflare is not passing the CP's SSL connection to the server. I thought that WAProxy would solve this problem, but it didn't work. Also, with the company certificate the web services are working great. I'll ask the responsible person to review the Cloudflare settings, maybe he can do something to allow CP connections.

Yoann Traut (RCDevs)

Aug 8, 2022, 5:27:31 AM
to RCDevs Security Solutions - Technical
Hello,

I checked and indeed the setup of the CP cannot be performed through WAProxy. I will check with the dev team if we could handle that scenario, but can you give me more details on how your CP setups are performed exactly? Are you deploying the CP on laptops through a script or SCCM or in another way? An OpenOTP client certificate is mandatory to communicate with the OpenOTP web service published on WAProxy, else the request will be dropped by WAProxy.

Cloudflare will not be allowed to forward requests to the OpenOTP web service without providing the WAProxy HTTP headers as if it was a WAProxy.

Using a company certificate for the web service is not advised at all as it can break other integrations already performed like the radius bridge, ldproxy...
If you want to use company certificates, WebADM should be reconfigured as a subordinate certificate authority of your enterprise CA and certificates used for all integrations must be issued by the WebADM sub-CA.

Regards
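A diagnostic check for the failure described in this reply and in the earlier one about the proxy's certificate (an added example, not RCDevs code and not anything posted in the thread): it performs the same kind of handshake the CP does, presenting the OpenOTP client certificate, and classifies the transcript by who issued the certificate the endpoint presented and whether the chain verifies against the WebADM CA. The CA subject CN "WebADM CA", the file paths, the host name and the sample transcripts are assumptions or constructed for the example.

```shell
#!/bin/sh
# Added example, not from RCDevs or this thread. Assumptions: the WebADM CA
# subject CN is "WebADM CA" (placeholder; read the real one from
# /opt/webadm/pki/ca/ca.crt with `openssl x509 -noout -subject`), and the
# certificate/key paths used below are placeholders.
EXPECTED_CA_CN="${EXPECTED_CA_CN:-WebADM CA}"

# classify_handshake: reads `openssl s_client` output on stdin and prints
#   OK          peer cert issued by the WebADM CA and the chain verified
#   FOREIGN_CA  peer cert issued by another CA (a proxy terminating TLS in front)
#   UNVERIFIED  issuer names the WebADM CA but the chain failed against ca.crt
#   NO_CERT     no peer certificate at all (failure before the handshake completed)
# Exit status is 0 only for OK, so the function can gate a deployment script.
classify_handshake() {
    out=$(cat)
    issuer=$(printf '%s\n' "$out" | sed -n 's/^issuer=//p' | head -n 1)
    code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$issuer" ]; then
        echo NO_CERT; return 1
    fi
    case "$issuer" in
        *"CN = $EXPECTED_CA_CN"*|*"CN=$EXPECTED_CA_CN"*) ;;   # OpenSSL 1.1/3.x and 1.0 name styles
        *) echo FOREIGN_CA; return 1 ;;
    esac
    if [ "$code" = "0" ]; then
        echo OK; return 0
    fi
    echo UNVERIFIED; return 1
}

# probe_endpoint HOST:PORT CP_CERT CP_KEY CA_CRT: live check (needs network and openssl).
# Presents the CP client certificate the way the CP would and feeds the transcript
# to classify_handshake.
probe_endpoint() {
    openssl s_client -connect "$1" -servername "${1%%:*}" \
        -cert "$2" -key "$3" -CAfile "$4" </dev/null 2>/dev/null | classify_handshake
}

# Constructed sample transcripts (not real captures) so the script runs offline.
SAMPLE_PROXY='issuer=C = US, O = Example Edge, CN = Example Edge CA
    Verify return code: 20 (unable to get local issuer certificate)'
SAMPLE_DIRECT='issuer=O = Example Corp, CN = WebADM CA
    Verify return code: 0 (ok)'

printf '%s\n' "$SAMPLE_PROXY"  | classify_handshake || :   # prints FOREIGN_CA
printf '%s\n' "$SAMPLE_DIRECT" | classify_handshake        # prints OK
# Live use: probe_endpoint mfa.example.com:8443 /path/to/cp.crt /path/to/cp.key /path/to/ca.crt
```

A FOREIGN_CA result against the public host name, with OK against the server's internal address, is the signature of a TLS-terminating proxy sitting where the CP expects the WebADM-issued endpoint.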

sarge

Aug 8, 2022, 5:33:55 AM
to RCDevs Security Solutions - Technical
Hello, thank you for the information.
Everything is still in the test stage, so I am installing the CP manually on one laptop, entering everything manually except the certificate, which is taken from the server automatically.