Configure HTTPS in SCM 2.8


mrs...@gmail.com

Nov 3, 2020, 5:02:33 AM
to scmmanager
We have been running SCM since 1.2 or something and are now migrating to 2.8. But I am having trouble configuring HTTPS.

I followed the guide and looked at our 1.6 setup. But the scm-server cannot start with the defined changes according to the guide.
- The Keystore.jks file is reused from the old server and can be read with keytool.
- Permissions on files are changed to scm:scm

Any help is appreciated.

Our server-config.xml looks like this

<Call name="addConnector">
  <Arg>
    <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
       <Arg>
       <!--
       Exclude SSLv3 to avoid POODLE vulnerability.
        -->
         <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
           <Set name="excludeProtocols">
             <Array type="java.lang.String">
               <Item>SSLv2Hello</Item>
               <Item>SSLv3</Item>
             </Array>
           </Set>
         </New>
      </Arg>
      <Set name="Port">443</Set>
      <Set name="maxIdleTime">30000</Set>
      <Set name="keystore"><SystemProperty name="basedir" default="." />/conf/keystore.jks</Set>
      <Set name="password"> WouldYouLikeToKnow  </Set>
      <Set name="keyPassword"> WouldYouLikeToKnow  </Set>
      <Set name="truststore"><SystemProperty name="basedir" default="." />/conf/keystore.jks</Set>
      <Set name="trustPassword">WouldYouLikeToKnow</Set>
    </New>
  </Arg>
</Call>

The syslog reports the following:

Nov  3 09:51:47 Server-Name scm-server[1452]: Exception in thread "main" java.lang.ExceptionInInitializerError
Nov  3 09:51:47 Server-Name scm-server[1452]: Caused by: sonia.scm.server.ScmServerException: error during server configuration
Nov  3 09:51:47 Server-Name scm-server[1452]: #011at sonia.scm.server.ScmServer.<init>(ScmServer.java:74)
Nov  3 09:51:47 Server-Name scm-server[1452]: #011at sonia.scm.server.ScmServerDaemon.<clinit>(ScmServerDaemon.java:41)
Nov  3 09:51:47 Server-Name scm-server[1452]: Caused by: java.lang.ClassNotFoundException: org.eclipse.jetty.server.ssl.SslSelectChannelConnector
Nov  3 09:51:47 Server-Name scm-server[1452]: #011at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:581)
Nov  3 09:51:47 Server-Name scm-server[1452]: #011at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
Nov  3 09:51:47 Server-Name scm-server[1452]: #011at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
Nov  3 09:51:47 Server-Name scm-server[1452]: #011at org.eclipse.jetty.util.Loader.loadClass(Loader.java:64)
Nov  3 09:51:47 Server-Name scm-server[1452]: #011at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.newObj(XmlConfiguration.java:1006)
Nov  3 09:51:47 Server-Name scm-server[1452]: #011at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.itemValue(XmlConfiguration.java:1540)
Nov  3 09:51:47 Server-Name scm-server[1452]: #011at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.value(XmlConfiguration.java:1441)
Nov  3 09:51:47 Server-Name scm-server[1452]: #011at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.access$700(XmlConfiguration.java:395)
Nov  3 09:51:47 Server-Name scm-server[1452]: #011at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration$Args.<init>(XmlConfiguration.java:1699)
Nov  3 09:51:47 Server-Name scm-server[1452]: #011at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration$Args.<init>(XmlConfiguration.java:1686)
Nov  3 09:51:47 Server-Name scm-server[1452]: #011at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.call(XmlConfiguration.java:942)
Nov  3 09:51:47 Server-Name scm-server[1452]: #011at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.configure(XmlConfiguration.java:515)
Nov  3 09:51:47 Server-Name scm-server[1452]: #011at org.eclipse.jetty.xml.XmlConfiguration$JettyXmlConfiguration.configure(XmlConfiguration.java:431)
Nov  3 09:51:47 Server-Name scm-server[1452]: #011at org.eclipse.jetty.xml.XmlConfiguration.configure(XmlConfiguration.java:364)
Nov  3 09:51:47 Server-Name scm-server[1452]: #011at sonia.scm.server.ScmServer.<init>(ScmServer.java:70)
Nov  3 09:51:47 Server-Name scm-server[1452]: #011... 1 more
Nov  3 09:51:47 Server-Name systemd[1]: scm-server.service: Main process exited, code=exited, status=1/FAILURE
Nov  3 09:51:47 Server-Name systemd[1]: scm-server.service: Failed with result 'exit-code'.
Nov  3 09:51:47 Server-Name systemd[1]: scm-server.service: Scheduled restart job, restart counter is at 5.
Nov  3 09:51:47 Server-Name systemd[1]: Stopped SCM-Manager Server.
Nov  3 09:51:47 Server-Name systemd[1]: scm-server.service: Start request repeated too quickly.
Nov  3 09:51:47 Server-Name systemd[1]: scm-server.service: Failed with result 'exit-code'.
Nov  3 09:51:47 Server-Name systemd[1]: Failed to start SCM-Manager Server.

Rene Pfeuffer

Nov 3, 2020, 5:28:09 AM
to scmmanager
Hi,

Sorry, our comments in the server-config are outdated. Please follow the guide on our website (https://www.scm-manager.org/docs/2.8.x/en/administration/scm-server/). This should be up to date.

Regards
René

mrs...@gmail.com

Nov 3, 2020, 8:27:25 AM
to scmmanager
Hi.

Unfortunately this was not enough. I still get the error in Google: this site can't be reached. HOSTNAME refused to connect.

Syslog now has a little more...

Nov  3 13:23:30 Server-Name systemd[1]: scm-server.service: Main process exited, code=exited, status=1/FAILURE
Nov  3 13:23:30 Server-Name systemd[1]: scm-server.service: Failed with result 'exit-code'.
Nov  3 13:23:30 Server-Name systemd[1]: scm-server.service: Scheduled restart job, restart counter is at 5.
Nov  3 13:23:30 Server-Name systemd[1]: Stopped SCM-Manager Server.
Nov  3 13:23:30 Server-Name systemd[1]: scm-server.service: Start request repeated too quickly.
Nov  3 13:23:30 Server-Name systemd[1]: scm-server.service: Failed with result 'exit-code'.
Nov  3 13:23:30 Server-Name systemd[1]: Failed to start SCM-Manager Server.
Nov  3 14:17:01 Server-Name CRON[3293]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Nov  3 14:20:12 Server-Name systemd[1]: Started SCM-Manager Server.
Nov  3 14:20:12 Server-Name scm-server[3327]: 2020-11-03 14:20:12.782:INFO::main: Logging initialized @136ms to org.eclipse.jetty.util.log.StdErrLog
Nov  3 14:20:13 Server-Name scm-server[3327]: 2020-11-03 14:20:13.220:INFO:oejs.Server:main: jetty-9.4.33.v20201020; built: 2020-10-20T23:39:24.803Z; git: 1be68755656cef678b79a2ef1c2ebbca99e25420; jvm 11.0.9+11-Ubuntu-0ubuntu1.20.04
Nov  3 14:20:14 Server-Name scm-server[3327]: 2020-11-03 14:20:14.479:INFO:oejw.StandardDescriptorProcessor:main: NO JSP Support for /scm, did not find org.eclipse.jetty.jsp.JettyJspServlet
Nov  3 14:20:14 Server-Name scm-server[3327]: 2020-11-03 14:20:14.494:INFO:oejs.session:main: DefaultSessionIdManager workerName=node0
Nov  3 14:20:14 Server-Name scm-server[3327]: 2020-11-03 14:20:14.495:INFO:oejs.session:main: No SessionScavenger set, using defaults
Nov  3 14:20:14 Server-Name scm-server[3327]: 2020-11-03 14:20:14.506:INFO:oejs.session:main: node0 Scavenging every 600000ms
Nov  3 14:20:16 Server-Name scm-server[3327]: WARNING: An illegal reflective access operation has occurred
Nov  3 14:20:16 Server-Name scm-server[3327]: WARNING: Illegal reflective access by com.google.inject.internal.cglib.core.$ReflectUtils$1 (file:/var/cache/scm/work/webapp/webapp/WEB-INF/lib/guice-4.2.3.jar) to method java.lang.ClassLoader.defineClass>
Nov  3 14:20:16 Server-Name scm-server[3327]: WARNING: Please consider reporting this to the maintainers of com.google.inject.internal.cglib.core.$ReflectUtils$1
Nov  3 14:20:16 Server-Name scm-server[3327]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
Nov  3 14:20:16 Server-Name scm-server[3327]: WARNING: All illegal access operations will be denied in a future release
Nov  3 14:20:18 Server-Name scm-server[3327]: Nov 03, 2020 2:20:18 PM com.google.inject.servlet.GuiceFilter setPipeline
Nov  3 14:20:18 Server-Name scm-server[3327]: WARNING: Multiple Servlet injectors detected. This is a warning indicating that you have more than one GuiceFilter running in your web application. If this is deliberate, you may safely ignore this messag>
Nov  3 14:20:19 Server-Name scm-server[3327]: 2020-11-03 14:20:19.867:INFO:oejsh.ContextHandler:main: Started o.e.j.w.WebAppContext@ee96866{SCM-Manager 2.8.0,/scm,file:///var/cache/scm/work/webapp/webapp/,AVAILABLE}{/opt/scm-server/var/webapp/scm-web>
Nov  3 14:20:19 Server-Name scm-server[3327]: 2020-11-03 14:20:19.875:INFO:oejw.StandardDescriptorProcessor:main: NO JSP Support for /, did not find org.eclipse.jetty.jsp.JettyJspServlet
Nov  3 14:20:19 Server-Name scm-server[3327]: 2020-11-03 14:20:19.881:INFO:oejsh.ContextHandler:main: Started o.e.j.w.WebAppContext@3719360c{/,[file:///opt/scm-server/var/webapp/docroot/],AVAILABLE}
Nov  3 14:20:19 Server-Name scm-server[3327]: Exception in thread "main" sonia.scm.server.ScmServerException: could not initialize server
Nov  3 14:20:19 Server-Name scm-server[3327]: #011at sonia.scm.server.ScmServer.init(ScmServer.java:135)
Nov  3 14:20:19 Server-Name scm-server[3327]: #011at sonia.scm.server.ScmServer.run(ScmServer.java:91)
Nov  3 14:20:19 Server-Name scm-server[3327]: #011at sonia.scm.server.ScmServerDaemon.main(ScmServerDaemon.java:53)
Nov  3 14:20:19 Server-Name scm-server[3327]: Caused by: java.net.SocketException: Permission denied
Nov  3 14:20:19 Server-Name scm-server[3327]: #011at java.base/sun.nio.ch.Net.bind0(Native Method)
Nov  3 14:20:19 Server-Name scm-server[3327]: #011at java.base/sun.nio.ch.Net.bind(Net.java:455)
Nov  3 14:20:19 Server-Name scm-server[3327]: #011at java.base/sun.nio.ch.Net.bind(Net.java:447)
Nov  3 14:20:19 Server-Name scm-server[3327]: #011at java.base/sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:227)
Nov  3 14:20:19 Server-Name scm-server[3327]: #011at java.base/sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:80)
Nov  3 14:20:19 Server-Name scm-server[3327]: #011at org.eclipse.jetty.server.ServerConnector.openAcceptChannel(ServerConnector.java:345)
Nov  3 14:20:19 Server-Name scm-server[3327]: #011at org.eclipse.jetty.server.ServerConnector.open(ServerConnector.java:310)
Nov  3 14:20:19 Server-Name scm-server[3327]: #011at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:80)
Nov  3 14:20:19 Server-Name scm-server[3327]: #011at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:234)
Nov  3 14:20:19 Server-Name scm-server[3327]: #011at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
Nov  3 14:20:19 Server-Name scm-server[3327]: #011at org.eclipse.jetty.server.Server.doStart(Server.java:401)
Nov  3 14:20:19 Server-Name scm-server[3327]: #011at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
Nov  3 14:20:19 Server-Name scm-server[3327]: #011at sonia.scm.server.ScmServer.init(ScmServer.java:130)



mrs...@gmail.com

Nov 3, 2020, 8:49:46 AM
to scmmanager
Ahh, wait, it does work if I use port 8443. For some reason I cannot use port 443, even though I specified this port in the server-config.xml file.

Rene Pfeuffer

Nov 3, 2020, 11:46:02 AM
to scmma...@googlegroups.com
Do you have the correct permissions to bind to port 443? Is another server already running on this port?

--

Best Regards 

René Pfeuffer



mrs...@gmail.com

Nov 4, 2020, 5:11:52 AM
to scmmanager
Does not look like it.

systemd-r  648 systemd-resolve   13u  IPv4  40588      0t0  TCP 127.0.0.53:53 (LISTEN)
sshd       982            root    3u  IPv4  45845      0t0  TCP *:22 (LISTEN)
sshd       982            root    4u  IPv6  45856      0t0  TCP *:22 (LISTEN)
smbd      1958            root   33u  IPv6  95434      0t0  TCP *:445 (LISTEN)
smbd      1958            root   34u  IPv6  95435      0t0  TCP *:139 (LISTEN)
smbd      1958            root   35u  IPv4  95436      0t0  TCP *:445 (LISTEN)
smbd      1958            root   36u  IPv4  95437      0t0  TCP *:139 (LISTEN)
java      3692             scm  128u  IPv6 102875      0t0  TCP *:8443 (LISTEN)

By permission to bind to port 443, I am not sure what you mean.

Rene Pfeuffer

Nov 4, 2020, 5:38:47 AM
to scmma...@googlegroups.com
Ports below 1024 can be opened only by root (so all other processes in your list are run by root). So the user scm cannot bind to port 80 nor port 443.

In most cases one uses a reverse proxy if the process itself should not be run by root.
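The two questions raised in this thread (is something else already listening on the port, and may this account bind to it at all) can be answered from a listener listing; the following is an added example, not code from the thread or from SCM-Manager. The sample listing is constructed in `lsof -nP -iTCP -sTCP:LISTEN` layout, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: triage for "SocketException: Permission denied" on bind.

# Constructed sample listing (illustrative values, lsof column layout).
SAMPLE_LISTING='COMMAND  PID USER FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     982 root 3u   IPv4 45845  0t0      TCP  *:22 (LISTEN)
smbd    1958 root 35u  IPv4 95436  0t0      TCP  *:445 (LISTEN)
java    3692 scm  128u IPv6 102875 0t0      TCP  *:8443 (LISTEN)'

# First port an unprivileged process may bind. Linux exposes it as a sysctl
# (kernel 4.11+); fall back to the traditional 1024 when the file is absent.
unprivileged_port_start() {
    f=/proc/sys/net/ipv4/ip_unprivileged_port_start
    if [ -r "$f" ]; then cat "$f"; else echo 1024; fi
}

# port_owner LISTING PORT -> "command/user" of the first listener on PORT, or empty.
port_owner() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $NF == "(LISTEN)" {
            n = split($(NF-1), a, ":")   # NAME column is addr:port
            if (a[n] == p) { print $1 "/" $3; exit }
        }'
}

# bind_verdict LISTING PORT USER [START] -> in-use:<owner> | needs-privilege | ok
# Simplification: only root is treated as privileged; a non-root process that
# holds CAP_NET_BIND_SERVICE may bind low ports as well.
bind_verdict() {
    owner=$(port_owner "$1" "$2")
    start=${4:-$(unprivileged_port_start)}
    if [ -n "$owner" ]; then
        echo "in-use:$owner"
    elif [ "$3" != root ] && [ "$2" -lt "$start" ]; then
        echo "needs-privilege"
    else
        echo "ok"
    fi
}

# Stand-alone run on the constructed listing; feed live lsof output on a host.
for port in 443 8443 9443; do
    echo "port $port as scm: $(bind_verdict "$SAMPLE_LISTING" "$port" scm 1024)"
done
```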

mrs...@gmail.com

Nov 4, 2020, 6:03:28 AM
to scmmanager
OK thanks, I guess I will have to leave it at 8443 and make our users understand they need to change all their links etc., as the old server uses 443 without problems, also with scm running the process.

Rene Pfeuffer

Nov 4, 2020, 9:20:47 AM
to scmmanager
That doesn't sound good. Can you tell us how you start SCM-Manager? Do you use our DEB or RPM package or do you start it manually?

mrs...@gmail.com

Nov 5, 2020, 5:13:41 AM
to scmmanager
SCM-server was installed with DEB.

Anyway, I found another solution with iptables and redirect 443 to 8443. It seems to work in a web browser. Will have our engineers test it later from Mercurial/HG.

Rene Pfeuffer

Nov 6, 2020, 3:20:15 PM
to scmmanager
Glad you made it work. My colleague gave me a hint how to configure it correctly: You have to add an additional service for systemd. See this short introduction: https://stbuehler.de/blog/article/2017/06/23/systemd__allow_normal_process_to_bind_to_privileged_port.html
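Another common way to let a non-root service bind port 443 under systemd is a drop-in that grants only `CAP_NET_BIND_SERVICE`; this is an added example, not taken from the thread or from the linked article. It assumes the packaged unit is `scm-server.service` (the name in the syslog lines above) and that the unit itself sets the service user with `User=`, which the thread does not confirm; the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example: grant the service user the one capability needed for ports < 1024.
UNIT=scm-server.service   # unit name as it appears in the syslog lines above

# write_bind_dropin [BASE_DIR] -> creates the drop-in and prints its path.
# BASE_DIR defaults to /etc/systemd/system (writing there needs root).
write_bind_dropin() {
    dir="${1:-/etc/systemd/system}/$UNIT.d"
    mkdir -p "$dir" || return 1
    cat > "$dir/10-bind-privileged-port.conf" <<'EOF'
[Service]
# Only the capability required to bind low ports; the JVM stays non-root.
# Assumes the unit already sets User= for the service account.
AmbientCapabilities=CAP_NET_BIND_SERVICE
EOF
    echo "$dir/10-bind-privileged-port.conf"
}

# mask_has_net_bind HEXMASK -> success if bit 10 (CAP_NET_BIND_SERVICE) is set.
# HEXMASK is a capability mask as printed in /proc/<pid>/status, without "0x".
mask_has_net_bind() {
    [ $(( (0x$1 >> 10) & 1 )) -eq 1 ]
}

# pid_can_bind_low_ports PID -> checks the effective capability set of a live process.
pid_can_bind_low_ports() {
    mask=$(awk '$1 == "CapEff:" { print $2 }' "/proc/$1/status") || return 1
    mask_has_net_bind "$mask"
}

# On the server, as root:
#   write_bind_dropin && systemctl daemon-reload && systemctl restart "$UNIT"
#   pid_can_bind_low_ports "$(systemctl show -p MainPID --value "$UNIT")"
```

Unlike an iptables redirect, the server then listens on 443 itself, so the port in server-config.xml and the port clients connect to are the same.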