Installing SSL on Linux (Ubuntu)

Hi,
I’ve got an SSL certificate in .pfx format, and I want to install it on Ubuntu. The instructions on the ignition website are for Windows, how would I go about this?

Thanks,

Andrew

Hi @Andrew.Zebic -

How did you obtain the SSL certificate that you want to install? Is it signed by a Certificate Authority? Or is this your own self-signed certificate?

Hi jspecht
It was produced from GoDaddy

Hi @Andrew.Zebic -

Ok so it seems like you have a CA-signed SSL certificate (correct me if I am wrong). Does your .pfx file contain the private key, CA-signed server certificate, any intermediary CA certificates, and the root CA certificate? You will need all of these items in order to set up the key store Ignition uses to enable SSL.

Hi @jspecht
How can I check the pfx file for whether it has these? Unlike .crt files with clear sections, opening with a text editor is unreadable.

Hi @Andrew.Zebic -

You can use openssl command line tools to inspect the contents of your .pfx file. I had luck with this (which enumerated the private key and certs in PEM format):

openssl pkcs12 -info -in certs.pfx

There are probably many other tools which aid in inspecting a .pfx file. A quick google search will help you there.

Alternatively, you could check if there is a way to download the individual certs from godaddy in PEM format.

1 Like

Hi @jspecht,
I used the command specified, and it seems like the file has all the information you have specified earlier. How would you proceed to install it from here?

Hi @Andrew.Zebic -

Assuming the .pfx has the entire certificate chain in order from server cert to intermediary ca cert(s) to root ca cert and the private key intact, you should be able to convert it to a Java key store using Java’s keytool command line tool like so:

keytool -importkeystore -srckeystore certs.pfx -srcstoretype pkcs12 -destkeystore ssl.key -deststoretype JKS

The keystore password must be set to ignition in order for the gateway to read the keystore. The gateway also expects the alias to be tomcat. You can check that the alias is correct by running the following on the new ssl.key keystore you just created:

keytool -list -v -keystore ssl.key

You should get output which starts off something like this:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat
Creation date: May 15, 2019

If the alias is something other than tomcat (let’s say it is foo), then you will need to change it like so:

keytool -changealias -keystore ssl.key -alias foo

You will then be prompted to change it (to tomcat).

Once you are sure that the alias is set to tomcat, move the ssl.key file to your $IGNITION/webserver directory and restart the gateway. Everything should be setup now.

We are aware that setting up CA-signed SSL certs is painful. We have a more user-friendly feature in the pipeline to help with this process.

1 Like

Here’s where the main issue has been for me: upon the prompt to enter the source keystore password, the response that I have been getting is that the source keystore password is incorrect. Neither the “ignition”, the default “changeit” nor the password provided by IT who supplied me with the certificate are correct. I know that the IT password has worked for a general certificate installation in my Windows machine, so they haven’t supplied me with the incorrect password. I have followed the instruction on https://docs.inductiveautomation.com/display/DOC/Requiring+SSL to create the key, so I’m at a bit of a loss here. Is there any common issues that cause this, or default passwords that I have been missing?

Hi @jspecht,
I’ve tried using a crt certificate instead and have had more success in getting all the files processed. Could I just ask where to place the keystore file within linux, since the previous link specifies a tomcat folder in windows that I can’t find in Ubuntu

Hi @Andrew.Zebic -

Once you have the java key store setup correctly, move it to $IGNITION/webserver with file name ssl.key where $IGNITION is the directory where your gateway is installed. Restart the gateway and you should be good to go.

Hi @jspecht
That’s what I’ve done and the certificate isn’t being registered. I will rename the keystore file to the ignition default just to be sure, however is there anything else that can be done to fix this? It’s as if the certificate isn’t being looked at at all.

Hi @Andrew.Zebic -

The java key store must be located at $IGNITION/webserver/ssl.key for it to work

Are you seeing any exceptions in the gateway logs?

Are you able to connect to the gateway using https?
If so, what certificate is showing in your browser when connected through https?
If not, what error are you experiencing?

The java key is named ssl.key in that section. I am referring to the key generated: tomcat.keystore, and renaming it to metro-keystore. I have just tried that also though, and updon doing this the gateway cannot restart.
I am able to connect to the gateway using https, however only when an exception is added for the site.
I am seeing many exceptions, primarily E:DefaultExceptionMapper recording “unexpected exception when handling another exception: Header was already written to response!” Repeated several times over.

In regards to the certificate, the certificate is showing with correct details, however I have just looked at the certificate information on firefox and it is saying that it “could not verify this certificate because the issuer is unknown”

In Chrome on my Windows machine, when navigating to the site the certificate details are: “The CA root certificate details are not trusted. To enable trust, install the certificate in the trust root certification authorities store.”

Hi @Andrew.Zebic -

Sounds like either your key store is not setup correctly or you have a root CA which has not yet been trusted by your browser or OS.

Which certificate authority are you using?

Have you double checked the following:

  1. There exists a java key store at $IGNITION/webserver/ssl.key
  2. The key store has password ignition
  3. There exists one entry with alias tomcat
  4. The entry with alias tomcat has a private key protected by password ignition
  5. The entry with alias tomcat has a certificate chain in order starting with the server cert, followed by any intermediary ca certs, ending with the root ca cert
  6. The private key and the public key in the server cert form a valid key pair

If you double checked the above, and it is still not working, I would call into support so they could take a closer look at what’s going on.

Hi @jspecht,

Alright, so going through each, we are using GoDaddy for our CA, and for each member:

  1. There exists two keystore files in this subfolder: one auto-generated by Ignition called metro-keystore and another that I have put in called tomcat.keystore as per instructions.
  2. The keystore has been using the password ignition during installation

I am unsure how to check 3-6 currently, and will go through and find out today about this. I have been following the instructions for GoDaddy installations using the instructions at:
https://au.godaddy.com/help/tomcat-generate-csrs-and-install-certificates-5239
I have followed instructions 1 to 3 in the section “To install your SSL in Tomcat”.

Thank you for the assistance so far.

Have you thought of just using a reverse proxy? I have used nginx in the past for purchased ssl certs, or you can use Caddy or Traefik, and use ACME certs. Using a reverse proxy would also allow you to update certs without having to restart Ignition.

@jspecht
I was looking at the certificate and I have found that the certificate is listed as being self-signed. I am trying to work out how this occurred, since I followed all the steps on the Ignition guide as they were written. I will work this out and let you know what has happened after I find out how this is occurring.