Ignition V7.9.9 crashed

Moved an Ignition V7.9.9 install from a C: drive to a D: drive yesterday and now the Gateway has crashed and won’t restart.
Tried to reinstall Ignition, but get message LIB folder is in use and can’t be deleted.

INFO | jvm 1 | 2018/08/30 16:31:25 | I [SRContext ] [20:31:25]: Ignition Gateway shutting down…

wrapper.log (450.4 KB)

Wrapper Log attached, trouble started @ 16:31 EST today.

I’m not sure what you’re describing with the install. Was it a fresh 7.9.9 or an upgrade?

It looks like there’s something wrong with the KeyStore file used for SSL (webserver/ssl.key)?

Do you have SSL configured? Did you change anything?

Kevin,

This was a new install running for about 1 month. Customer gave me a VM with a limited C drive, so yesterday they asked me to move the install to a D drive. It ran for about 24 hours then crashed this afternoon and won’t restart. Managed to reinstall Ignition, but same error occurs.
Java 1.8.0_181 running on a VM with Windows 10

According to those logs you’re not running Java 8… they indicate it’s at least 9.

Make sure Java 8 is installed and maybe get the ssl.key file and send it to us (and move it out of the webserver directory).

This was a residual Java 10 that I just blew out and now trying to get the ignition.conf to point to the Java 8 install.

Where would I find this key file?

In the webserver directory of wherever Ignition is installed.

Looks like D:\Program Files\Inductive Automation\Ignition\webserver\

Copy it out, send it to us, delete it, try starting the gateway again.

Okay,
done what you said and moved the file out of the directory and now the Gateway starts. This client will want an explanation on what happened and how to prevent in the future as they just lost over 4 hours of validation data.

file attached, remove the .txt as the uploader will not accept a .key file

ssl.key.txt (6.2 KB)

Not to mention the support you guys give, is second to none.
Thanks

This KeyStore file appears to be corrupt. There’s no definitive answer I can see in the logs, but there’s a couple of hard JVM crashes during shutdown that might have something to do with it. There were nothing but errors happening in all kinds of weird places while you ran with Java 10 for a day or so.

OK, thanks Kevin.
The install was working fine on the C: drive. The issue occurred when I made the move from C: to D: and tried to move everything, including the JRE from C: to D:. There was a residual Java 10 install on C: that hung around and I made the D: install use Java 8. So I guess somehow the Ignition install was discombobulated with 2 versions of Java running on two different drives.
That will be my angle with the customer to explain what happened.

thanks for your help

FWIW, I’ll log a bug report and we’ll make Ignition more resilient to this failure. The gateway would ideally soldier on in this case rather than crash and halt the startup process.


Kevin
I just found out the customer had their IT department working on an SSL key for this install at the exact same time Ignition crashed. Coincidence?

Ha! I think you’re narrowing in on the root cause.


I may need to get the customer to contact Tech Support. This is the email trail of them trying to install an SSL key using the instructions from Inductive Automation.

Hi Ian,

I have no other way but to handle the ssl key but to use keytool, we’ve tried with microsoft certificate store. I’ll have to generate a key again, with all the procedure below - but we’ll use our internal cert authority to register. Thus, will it be okay to place JDK on the D drive again? Would you like to work on this together today, or can I go ahead?

How to Install a Real SSL Certificate in Ignition
When you turn on SSL in Ignition, the web browser uses what is called a “self-signed” certificate. This gives you the encryption benefits of SSL, but it isn’t a ‘real’ certificate. This is why browser will display nasty warnings to users that they shouldn’t trust your website.
We are not able to ship a real certificate with Ignition because SSL certificates have to be purchased individually from a certificate authority.
This guide will show you how to purchase and install a real SSL certificate from a certificate authority and install it in Ignition.

  1. Install the JDK.
    There are some command-line tools you’ll need to use to create a certificate request and to install your certificate. These tools come with the Java Development Kit (JDK). Most likely you only have the Java Runtime Environment installed. Go to http://java.oracle.com and click on Java SE. Download the Java SE 6 JDK and install it.
  2. Open a command prompt
    Open a command prompt (Start > Run > cmd) and change directory into your JDK tools directory.
        cd C:\Program Files\Java\jdk1.6.0_24\bin
  3. Create your keystore
    SSL certificates for Ignition are stored in a file called a keystore. You’ll need to create your own keystore file with a certificate in it before you can purchase the SSL certificate.
    a. Enter the following command:
        keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore C:\ssl.key
      (you can put the file wherever you want for now but it should be called “ssl.key”)
    b. It will prompt you to enter a password. Use the password: ignition
    c. You will then be prompted for your “first and last name”. Do not actually use your first and last name. This value must be one of these for your Ignition Gateway:
      • Fully Qualified Domain Name (e.g. “secure.yourdomain.com”)
      • Public IP address (e.g. “202.144.8.10”)
      • Full Server Name of your internal server (e.g. “scadaserver”)
      • Private IP address (e.g. “192.168.0.1”)
    d. It will then prompt you for information about your company. Input all data accurately, as the certificate authority will need to verify this information.
    e. Lastly, it will ask you for the password for alias . Press RETURN to use the same password as the keystore file.
  4. Generate a Certificate Signing Request
    At this point, you have a keystore file named “ssl.key” at the root of your C:\ drive (or wherever you specified it to be in step 3a)
    In your command prompt window, enter this command:
        keytool -certreq -alias tomcat -file C:\csr.txt -keystore C:\ssl.key
    It will prompt you for the keystore password (ignition)
    You now have a certificate request file at C:\csr.txt
  5. Buy the SSL certificate
    Now you need to get your SSL certificate signed by a certificate authority. When you go to a certificate authority (Verisign, Thawte, Comodo, etc), they’ll ask for your CSR, which is the csr.txt file that you created in step 4. Typically they’ll ask you to paste your CSR into their web form. Open csr.txt in notepad, and copy-and-paste it into the certificate authority’s form.
    If prompted what software generated the CSR, choose Tomcat or Java
    After the certificate authority has processed your payment and reviewed your CSR, they will send you your certificate via email.
  6. Install the SSL certificate
    After your SSL certificate has been emailed to you, you will want to follow the instructions provided for installing the certificate into a Java keystore. Your certificate authority will provide these instructions. The following is the procedure for installing a Comodo SSL certificate, provided as an example:
    a. Extract the certificate files that were emailed to you, in this example they were extracted to C:\cert
    b. Install the root certificate with the following command:
        keytool -import -trustcacerts -alias root -file C:\cert\AddTrustExternalCARoot.crt -keystore C:\ssl.key
    c. Install the COMODO intermediate certificate:
        keytool -import -trustcacerts -alias INTER -file C:\cert\COMODOHigh-AssuranceSecureServerCA.crt -keystore C:\ssl.key
    d. Install your server’s certificate:
        keytool -import -trustcacerts -alias tomcat -file C:\cert\192_168_1_7.crt -keystore C:\ssl.key
  7. Replace Ignition’s default keystore
    You now have a keystore file at C:\ssl.key that holds your SSL certificate. The certificate alias is “tomcat” and the password is “ignition”. You can now replace the keystore file that ships with Ignition with your file. Make a backup of the file at
        C:\Program Files\Inductive Automation\Ignition\tomcat\ssl.key
    and replace it with your keystore file. You will need to restart the Ignition service after replacing this file.
    Make sure your SSL port is allowed through your server’s firewall. The default SSL port is 8043, and can be changed to the standard SSL port (443) through the Gateway Control Utility (GCU).


From: Hugo Shebbeare
Sent: Friday, August 31, 2018 8:58 AM
To: Christine Laprise; Eric Lapointe; Pascal Vallette
Subject: Re: Issue with Dcpspeview server

To Ian ( please fwd Christine):

Just fyi, because we’re crossing paths a bit here - Late yesterday, since asked the other week, I restarted work on the SSL key and used Java jdk keytool on c, so I think you should be okay to continue with using the new D drive install (jre).
We’re in a bit of a catch 22 because we have to use the keytool to replace the ignition default ssl key with ours, and the latest export csr I handed over to Éric yesterday with corrections to org unit, etc details.
I am afraid it was me who broke the server yesterday after another key attempt, but it looks okay now thanks to you. However, we are still pending ssl key replacement.
One step of the cert import did work, so far, at least, which is the root (or our *.agropur.com cert)

C:\Program Files\Java\jdk-10.0.2\bin>keytool -import -trustcacerts -alias root -file C:\Users\admhushebbe\Documents\rootexport.cer -keystore C:\temp\sslfromjdk.key
Enter keystore password:
Owner: CN=*.agropur.com, O=Agropur Cooperative, L=Granby, ST=Quebec, C=CA
Issuer: CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Serial number: 6f167293433651da6fad29147404a6a
Valid from: Mon Dec 19 19:00:00 EST 2016 until: Thu Mar 19 08:00:00 EDT 2020
Certificate fingerprints:
SHA1: 92:58:B3:8E:70:84:F6:85:4A:C7:33:A2:E4:B2:B4:90:D9:A5:4E:12
SHA256: 60:F5:BF:97:9E:3C:29:08:44:98:0C:F4:A7:24:98:AE:3C:BE:ED:F1:69:5E:60:6D:2B:C4:EE:CB:15:6B:00:99
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
… certificate imported successfully.

Look forward to resolving this together with you :)

Hugo Shebbeare
438 498 5832
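
The failure in this thread, a corrupt ssl.key stopping the gateway at startup, can be caught before the file is copied into the webserver directory. The following is an added example, not code from the thread or from Inductive Automation: it identifies the keystore format from its leading bytes and, for JKS, recomputes the SHA-1 integrity trailer the format carries. The function names and the constructed empty keystore are illustrative, the password "ignition" is the one the quoted guide uses, and that the gateway expects a JKS file is an assumption.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED      # first four bytes of a JKS keystore
JCEKS_MAGIC = 0xCECECECE    # first four bytes of a JCEKS keystore
SALT = b"Mighty Aphrodite"  # fixed string mixed into the JKS integrity hash


def jks_digest(body: bytes, password: str) -> bytes:
    """SHA-1 over UTF-16BE password + fixed salt + keystore body."""
    return hashlib.sha1(password.encode("utf-16-be") + SALT + body).digest()


def check_keystore(data: bytes, password: str = "ignition") -> str:
    """Classify keystore bytes before they replace the gateway's ssl.key.

    Returns 'jks-ok', 'jks-corrupt', 'jks-bad-version', 'jceks',
    'pkcs12-like', 'too-short' or 'unknown'.
    """
    if len(data) < 12:
        return "too-short"
    magic, version, _count = struct.unpack(">III", data[:12])
    if magic == JCEKS_MAGIC:
        return "jceks"
    if magic != JKS_MAGIC:
        # PKCS#12 is DER encoded, so it opens with an ASN.1 SEQUENCE tag (0x30).
        # keytool in JDK 9 and later writes PKCS12 unless -storetype is given.
        return "pkcs12-like" if data[0] == 0x30 else "unknown"
    if version not in (1, 2):
        return "jks-bad-version"
    if len(data) < 12 + 20:
        return "jks-corrupt"  # truncated before the 20-byte trailer
    body, trailer = data[:-20], data[-20:]
    # A mismatch means truncation, a partial write, bit damage or a wrong password.
    return "jks-ok" if jks_digest(body, password) == trailer else "jks-corrupt"


def build_empty_jks(password: str = "ignition") -> bytes:
    """Constructed sample: a valid version-2 JKS holding zero entries."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + jks_digest(body, password)


if __name__ == "__main__":
    good = build_empty_jks()
    print(check_keystore(good))        # intact sample
    print(check_keystore(good[:-5]))   # same sample cut short, as after an interrupted copy
```

To check a real file, pass its bytes, for example `check_keystore(open(path, "rb").read())`, and only swap the file in and restart the service when the result is `jks-ok`.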