Issues with making a TLS connection


Savinder Singh

Aug 25, 2016, 11:36:49 AM
to Union Platform
Hi,

I had installed Union Server and created a whiteboard app, and it was running fine until I had to make it run on an HTTPS page. I've tried everything listed in the documents; however, it just does not establish any connections. I find the information in the documents very insufficient.

Can anyone help me out with running Union Server over TLS (with the orbiter.secureConnect method)?

Thanks in advance

saul diaz

Jul 20, 2017, 6:33:23 PM
to Union Platform
I got it working pretty much following the documentation.

I added to my union.xml

    <gateway id="SecureGateway" type="SecureTCP">
        <ip>put your ip</ip>
        <port>9443</port>
        <policy_file>policy.xml</policy_file>
        <keystore_file>/root/union.jks</keystore_file>
        <keystore_password>change it</keystore_password>
        <access_control_allow_origin>*</access_control_allow_origin>
    </gateway>

I created the union.jks using these commands:

keytool -genkeypair -keyalg rsa -keystore union.jks -storepass changeit -alias unionkeys
keytool -certreq -alias unionkeys -keystore union.jks -storepass changeit -file cert.csr

I imported the CSR into my SSL certificate provider and got a .p7b file back, then used this command to import it into the keyring:

keytool -import -trustcacerts -alias unionkeys -file server.p7b -keystore union.jks -storepass changeit

In my JavaScript:

    // Connect to Union Server
    if (sProtocol == "http:") {
        orbiter.connect(hostName, 9100);
    } else {
        orbiter.secureConnect(hostName, 9443);
    }

It works perfectly.

Toby

Feb 8, 2019, 6:34:10 PM
to Union Platform
The above reply from Saul Diaz is very helpful, but I need some advice on one additional point:


>> Imported the csr in my ssl certificate provider and got a p7b file back, using this cmd to import the same in the keyring.

What does that mean, and how do you do it?

I have the following setup for using Union:
[ Front end - normal website hosted by hosting company ] (they provide SSL certificates from Let's Encrypt)
(The Orbiter code to connect to Union comes from there.)

[ Back end - a VPS provided by a different company ] (this is where Union runs.)

When logging on, a connection is made from the Front (or actually the user's computer) to the Back using Orbiter.

Using normal HTTP to load the html/javascript pages works fine.
Using HTTPS to do that doesn't work when you try to connect.
First it tries the websocket connection, which fails because it's not secure.
Then it tries (many times) an HTTP connection, which also fails but it's not clear the exact reason.

Presumably following the previously given instructions would work,
but where do I get a certificate, and how do I import it?

saul diaz

Feb 18, 2019, 8:59:57 PM
to Union Platform
We use a different method right now, but you need to create a Java keyring.

This should help you.

Toby

Mar 26, 2019, 3:44:38 PM
to Union Platform
I read the various documentation and to call it confusing would be a great understatement.
Congratulations to those who have got this to work.

So here is what I have tried:
Using "certbot" ( https://certbot.eff.org/ ) I generated a certificate from Let's Encrypt.

Then with an empty keystore, I imported it:
keytool -importcert -alias unionkeys -file [path-to-file]/fullchain.pem [ passwords ]

keytool -list produces this output:

Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
unionkeys, Mar 26, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 14: [ more hex digits ]

I added this to union.xml:

    <gateway id="SecureGateway" type="SecureTCP">
        <ip>[IP ADDRESS OF THE SERVER]</ip>
        <port>9125</port>
        <policy_file>policy.xml</policy_file>
        <keystore_file>/home/USERID/.keystore</keystore_file>
        <keystore_password>PASSWORD</keystore_password>
        <access_control_allow_origin>*</access_control_allow_origin>
    </gateway>

Then I started Union Server, and tried to make a connection.

In the client console, there are these messages:
3/26/19 12:33:02.642 UTC-7 INFO:  [CONNECTION_MANAGER] New connection added. [SECURE_WEBSOCKET, requested host: backend.acrozilla.com, host: , port: 9125].  orbiter.js:8:11135
3/26/19 12:33:02.648 UTC-7 INFO:  [CONNECTION_MANAGER] New connection added. [SecureHTTPDirectConnection, requested host: backend.acrozilla.com, host: , port: 9125, send-delay: 300].  orbiter.js:8:11135
3/26/19 12:33:02.652 UTC-7 INFO:  [ORBITER] Connecting to Union...  orbiter.js:8:11135
3/26/19 12:33:02.654 UTC-7 DEBUG: [CONNECTION_MANAGER] Searching for most recent valid connection.  orbiter.js:8:11135
3/26/19 12:33:02.656 UTC-7 DEBUG: [SECURE_WEBSOCKET, requested host: NAME-OF_HOST, host: , port: 9125] Connection is valid because it has either never attempted to connect, or has not attempted to connect since its last successful connection.  orbiter.js:8:11135
3/26/19 12:33:02.660 UTC-7 INFO:  [CONNECTION_MANAGER] Attempting connection via [SECURE_WEBSOCKET, requested host: NAME-OF-HOST, host: , port: 9125]. (Connection 1 of 2. Attempt 1 since last successful connection).  orbiter.js:8:11135
3/26/19 12:33:02.668 UTC-7 INFO:  [SECURE_WEBSOCKET, requested host: NAME-OF_HOST, host: , port: 9125] No affinity address found for requested host [NAME-OF-HOST]. Using requested host for next connection attempt.  orbiter.js:8:11135
3/26/19 12:33:02.670 UTC-7 INFO:  [SECURE_WEBSOCKET, requested host: NAME-OF-HOST, host: NAME-OF-HOST, port: 9125] Attempting connection...  orbiter.js:8:11135
Firefox can’t establish a connection to the server at wss://NAME-OF-HOST:9125/.  orbiter.js:8:279730
3/26/19 12:33:03.108 UTC-7 DEBUG: [CONNECTION] [SECURE_WEBSOCKET, requested host: NAME-OF-HOST, host: NAME-OF-HOST, port: 9125] Deactivating...  orbiter.js:8:11135
3/26/19 12:33:03.110 UTC-7 INFO:  [MESSAGE_MANAGER] Removing registered message listeners.  orbiter.js:8:11135
3/26/19 12:33:03.114 UTC-7 WARN:  [CONNECTION_MANAGER] Connection failed for [SECURE_WEBSOCKET, requested host: NAME-OF-HOST, host: NAME-OF-HOST, port: 9125]. Status: [WebSocket onerror: Server closed connection before READY state was achieved.]

And in the server log there is this:

2019-03-26 14:33:01,317 INFO  - Gateway [SecureGateway] accepted a connection from [/MY IP ADDRESS:63410]
2019-03-26 14:33:01,320 DEBUG - Session Server[1](ssl...): Message received : HeapBuffer[pos=0 lim=199 cap=2048: 16 03 01 00 C2 01 00 00 BE 03 03 C3 4C AF CE 85...]
2019-03-26 14:33:01,320 DEBUG - Session Server[1](ssl...) Processing the received message
2019-03-26 14:33:01,320 DEBUG - Session Server[1](ssl...) processing the NEED_UNWRAP state
2019-03-26 14:33:01,321 DEBUG - Session Server[1](ssl...) processing the NEED_TASK state
2019-03-26 14:33:01,343 DEBUG - Session Server[1](ssl...) processing the NEED_WRAP state
2019-03-26 14:33:01,344 INFO  - Exception occurred in NIOHandler for gateway [SecureGateway] session [1]. This is almost always caused by the client resetting or forcibly closing the connection and does not indicate a fault condition on the server.
javax.net.ssl.SSLHandshakeException: SSL handshake failed.

Can anyone lead me through this thicket of terminology, error messages, and utter frustration, or refer me to someone who can?

Toby

Mar 27, 2019, 3:35:41 AM
to Union Platform
VICTORY !!!

I finally managed to track down a process that worked.

It was here:
https://maximilian-boehm.com/en-gb/blog/create-a-java-keystore-jks-from-lets-encrypt-certificates-1884000/

Bless you, maximilian-boehm, bless you!


Chris Christou

Feb 24, 2020, 5:10:21 AM
to Union Platform

I've also been having issues migrating our website and Union Server over to HTTPS (the SSL/TLS protocol). But I keep getting the following message in the browser's JavaScript console. Everything worked fine before over HTTP.


Url:

https://www.youmeusdesign.com


Console Error message:

“WebSocket connection to 'wss://youmeusdesign.com:9443/' failed: WebSocket is closed before the connection is established.”


Here is our configuration:


1. Server

CentOS Linux, running Plesk 18.0.23, Apache



2. Keystore file


We've created a keystore file from Let's Encrypt certificates (fullchain.pem and privkey.pem files). Here are the commands:


openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out fullchain.p12 -name youmeusdesign


keytool -v -importkeystore -srckeystore fullchain.p12 -destkeystore keystore.jks -srcstoretype PKCS12 -srcstorepass password -deststorepass password


The keystore was created without errors and seems to be valid. The keystore.jks file was then saved into the same directory as union server.



3. Union.xml configuration


    <gateways>
        <gateway id="PrimaryGateway" type="TCP">
            <ip>SERVER IP address</ip>
            <port>8080</port>
            <policy_file>policy.xml</policy_file>
            <access_control_allow_origin>*</access_control_allow_origin>
        </gateway>

        <gateway id="SecureGateway" type="SecureTCP">
            <ip>SERVER IP address</ip>
            <port>9443</port>
            <policy_file>policy.xml</policy_file>
            <keystore_file>keystore.jks</keystore_file>
            <keystore_password>password</keystore_password>
            <access_control_allow_origin>*</access_control_allow_origin>
        </gateway>
    </gateways>


4. policy.xml configuration


    <cross-domain-policy>
        <allow-access-from domain="*" to-ports="80,443,9100,9110,8080,9443" />
    </cross-domain-policy>


I've tried everything but am unsure what to try next. Could this have something to do with the certificate being a Let's Encrypt certificate?




Toby

Mar 3, 2020, 3:29:06 PM
to Union Platform


On Monday, February 24, 2020 at 2:10:21 AM UTC-8, Chris Christou wrote:

> I've also been having issues migrating our website and Union Server over to HTTPS (the SSL/TLS protocol). But I keep getting the following message in the browser's JavaScript console. Everything worked fine before over HTTP.
>
> 2. Keystore file
>
> We've created a keystore file from Let's Encrypt certificates (fullchain.pem and privkey.pem files). Here are the commands:
>
> openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out fullchain.p12 -name youmeusdesign
>
> keytool -v -importkeystore -srckeystore fullchain.p12 -destkeystore keystore.jks -srcstoretype PKCS12 -srcstorepass password -deststorepass password
>
> The keystore was created without errors and seems to be valid. The keystore.jks file was then saved into the same directory as Union Server.


Try making this change:
- get rid of the keytool command and
- replace it with (no quotes, of course) "cp fullchain.p12 keystore.jks"

That's what I do, and it works fine using a Let's Encrypt certificate.

(Also, I have -passout pass:YourChosenPassword
on the end of the openssl command, but I don't know if that's essential.)

Note also, you have to restart Union in order for it to use a new keystore file,
as I found out the hard way when I tried running continuously across a certificate expiration
(which had already been updated in the file).
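As an added example (not code from the thread or from Union Server), this Python pre-flight check covers both the Mar 26 keystore listing above, which shows only a trustedCertEntry, and the note in the last reply that Union keeps serving an old certificate until it is restarted: it parses `keytool -list -v` output and reports whether the keystore can actually complete a TLS handshake. The sample listing is constructed, and `parse_listing`, `check_keystore` and the host names are assumptions, not anything the project defines.

```python
# Added example, not code from the thread or from Union Server: a pre-flight check on the
# keystore named in a SecureTCP gateway's <keystore_file>. It parses the text output of
# `keytool -list -v -keystore <file> -storepass <pw>` and reports why a handshake would fail.
import re
from datetime import datetime

# keytool -v prints "Valid from: Tue Mar 26 00:00:00 UTC 2019 until: Mon Jun 24 00:00:00 UTC 2019"
VALID_RE = re.compile(r"^Valid from: .+? until: (\w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ (\d{4})$", re.M)

def parse_listing(text):
    entries = []
    for block in re.split(r"(?m)^Alias name: ", text)[1:]:
        alias, _, rest = block.partition("\n")
        kind = re.search(r"^Entry type: (\S+)", rest, re.M)
        chain = re.search(r"^Certificate chain length: (\d+)", rest, re.M)
        until = VALID_RE.search(rest)  # first match is the leaf certificate
        entries.append({"alias": alias.strip(),
                        "type": kind.group(1) if kind else "unknown",
                        "chain_len": int(chain.group(1)) if chain else 1,
                        # time zone name dropped: hours of skew do not matter for an expiry check
                        "not_after": datetime.strptime(" ".join(until.groups()), "%a %b %d %H:%M:%S %Y") if until else None})
    return entries

def check_keystore(listing, alias, now):
    """Return (ok, findings) for the alias the gateway will present to browsers."""
    entry = next((e for e in parse_listing(listing) if e["alias"] == alias), None)
    if entry is None:
        return False, ["alias %r not found in keystore" % alias]
    findings = []
    if entry["type"] != "PrivateKeyEntry":  # the Mar 26 post: only the certificate was imported
        findings.append("%s is a %s: no private key, TLS handshake will fail" % (alias, entry["type"]))
    elif entry["chain_len"] < 2:
        findings.append("chain length 1: intermediate missing, export from fullchain.pem not cert.pem")
    if entry["not_after"] is None:
        findings.append("no validity period found for the leaf certificate")
    elif entry["not_after"] <= now:  # Union keeps serving the old file until restarted
        findings.append("leaf certificate expired %s: renew, then restart Union" % entry["not_after"].date())
    return not findings, findings

# Constructed sample (not real keytool output), with the Creation/Owner lines omitted.
SAMPLE = """Alias name: unionkeys
Entry type: trustedCertEntry
Valid from: Tue Mar 26 00:00:00 UTC 2019 until: Mon Jun 24 00:00:00 UTC 2019

Alias name: youmeusdesign
Entry type: PrivateKeyEntry
Certificate chain length: 2
Valid from: Mon Feb 24 00:00:00 UTC 2020 until: Sun May 24 00:00:00 UTC 2020
"""
```

Run it against your real listing with `check_keystore(open("listing.txt").read(), "unionkeys", datetime.utcnow())` before starting the server; an empty findings list means the entry can serve TLS.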

