Set SSL Issue

Read 15411 times
Code: [Select]
[root@xxxxxxx~]# /usr/local/centovacast/sbin/setssl on /etc/apache2/ssl.key/server.key /etc/apache2/ssl.crt/server.crt
Enabling SSL ...
grep: /usr/local/centovacast/etc/web.d/cc-panel.conf: No such file or directory
Done.  Restart Centova Cast to apply changes.

After that command I'm getting new file in  /usr/local/centovacast/etc/web.d/cc-panel.conf.new (with 0 bytes)
I've changed filename to 'cc-panel.conf' and execute again 'setssl on' command but it have created another file named   cc-panel.conf.new'
Last Edit: December 05, 2012, 02:00:28 pm by Headshaker
grep: /usr/local/centovacast/etc/web.d/cc-panel.conf: No such file or directory
Hmm, that's really odd.  I checked this on a bunch of other server's we've upgraded and cc-panel.conf was created correctly on all of them.

Basically what happened is we needed to be able to overwrite etc/web.d/cc-interface.conf during upgrades, but that happens to be where the port/SSL/etc. settings are.. and obviously our clients weren't impressed that we were overwriting their settings after every upgrade. :)  So we moved those settings out into etc/cc-panel.conf in a recent build.  The upgrader should have done that for you but apparently didn't in your case.

You can try to do it yourself by hand if you like... basically the "listen" line, the "ssl_" lines, the "set $startpagedomain" line, and the "server_name" line just need to be copied from etc/web.d/cc-interface.conf into etc/cc-panel.conf, and then in etc/web.d/cc-interface.conf you remove those lines and replace them with "include cc-panel.conf;" right after the "server {" line.

Once that's done, the setssl command will work just fine.
Well, file was already there (/etc/cc-panel.conf) but new empty files where created in etc/web.d/.

I've got problem with runing CC in SSl mode. this is message after uncomenting lines in cc-panel.conf ->
Code: [Select]
# /etc/init.d/centovacast restart
Stopping Centova Cast: cc-ftpd (not running) cc-web (not running) cc-appserver (not running) cc-control (not running) cc-imaged (not running)
Starting Centova Cast: cc-control cc-appserver cc-web nginx: [emerg] invalid number of arguments in "ssl_certificate" directive in /usr/local/centovacast/etc/cc-panel.conf:43
- failed
cc-control

This is my cc-panel.conf file ->
Code: [Select]
# =============================================================================
#
# Centova Cast - Copyright 2010-2012, Centova Technologies Inc.
# Web Control Panel Configuration File
#
# =============================================================================
#
# WARNING:
# These settings normally should not need to be modified except as
# instructed by Centova Technologies.
#
# Problems caused as a result of modification of this file are not covered
# under your Centova Cast support agreement.  Should you require technical
# support as a result of modifying this file, it will be billed at Centova
# Technologies' hourly professional services rate.
#

# PORT NUMBER / INTERFACE

# if you prefer to use an alternate port for your Centova Cast web interface, change
# the port number below, but make sure you update MASTER_PORT in etc/cc-control.conf too
#
# to bind to a specific interface, use ip:port (eg: listen 10.2.3.4:2199) and
# update MASTER_ADDR in etc/cc-control.conf as well.
#listen 2199 default;


# SSL

# if you prefer to use SSL, comment out the above "listen 2199 default;" line, uncomment the
# next three (3) lines, and save your SSL certificate and private key as certificate.pem and
# private.key, respectively, under /usr/local/centovacst/etc/ssl/
listen 2199 default ssl;
ssl_certificate /usr/local/centovacast/etc/ssl/certificate.pem
ssl_certificate_key /usr/local/centovacast/etc/ssl/private.key


# HOSTNAMES

# if you wish to use start page urls in the format http://username.yourdomain.com (instead of the
# standard http://yourdomain.com/start/username) you can specify yourdomain.com here and configure
# wildcard dns for *.yourdomain.com to point to your Centova Cast web interface server's IP address
set $startpagedomain centovacast;

# you can specify the hostname for your web interface here, although it's usually not needed
server_name centovacast;

UPDATE

I've found fix for above, just add ' ; ' at the end of lines:
Code: [Select]
ssl_certificate /usr/local/centovacast/etc/ssl/certificate.pem;
ssl_certificate_key /usr/local/centovacast/etc/ssl/private.key;

but now I've got another error message :
Code: [Select]

Starting Centova Cast: cc-control cc-appserver cc-web nginx: [emerg] "listen" directive is not allowed here in /usr/local/centovacast/etc/web.d/cc-panel.conf:25
- failed
cc-control

I'm begginer in nginx :/


-------------------UPDATE 2--------------------------


For those who would like to run CC panel in SSL mode this is proper cc-panel.conf which You can copy and overwrite Yours:

Code: [Select]
# =============================================================================
#
# Centova Cast - Copyright 2010-2012, Centova Technologies Inc.
# Web Control Panel Configuration File
#
# =============================================================================
#
# WARNING:
# These settings normally should not need to be modified except as
# instructed by Centova Technologies.
#
# Problems caused as a result of modification of this file are not covered
# under your Centova Cast support agreement.  Should you require technical
# support as a result of modifying this file, it will be billed at Centova
# Technologies' hourly professional services rate.
#

# PORT NUMBER / INTERFACE

# if you prefer to use an alternate port for your Centova Cast web interface, change
# the port number below, but make sure you update MASTER_PORT in etc/cc-control.conf too
#
# to bind to a specific interface, use ip:port (eg: listen 10.2.3.4:2199) and
# update MASTER_ADDR in etc/cc-control.conf as well.
#listen 2199 default;


# SSL

# if you prefer to use SSL, comment out the above "listen 2199 default;" line, uncomment the
# next three (3) lines, and save your SSL certificate and private key as certificate.pem and
# private.key, respectively, under /usr/local/centovacst/etc/ssl/
listen 2199 ssl default;
ssl_certificate /usr/local/centovacast/etc/ssl/certificate.pem;
ssl_certificate_key /usr/local/centovacast/etc/ssl/private.key;


# HOSTNAMES

# if you wish to use start page urls in the format http://username.yourdomain.com (instead of the
# standard http://yourdomain.com/start/username) you can specify yourdomain.com here and configure
# wildcard dns for *.yourdomain.com to point to your Centova Cast web interface server's IP address
set $startpagedomain centovacast;

# you can specify the hostname for your web interface here, although it's usually not needed
server_name centovacast;
Last Edit: December 09, 2012, 05:59:15 am by Headshaker
Another thing is that very usefull will be make redirection from http to https if in SSL mode or from https to http if in normal mode.
I've found fix for above, just add ' ; ' at the end of lines:
Ahh damn -- the default example in cc-panel.conf was missing its semicolons.  Your fix was the correct one, and I've fixed it on our end too.  Also found another issue with the setssl script while looking into this as well -- thanks!

Starting Centova Cast: cc-control cc-appserver cc-web nginx: [emerg] "listen" directive is not allowed here in /usr/local/centovacast/etc/web.d/cc-panel.conf:25
I think you must have already figured this out since you posted your final configuration later on, but this means that your "include" directive in cc-interface.conf was placed in the wrong spot.  Probably my instructions weren't clear enough -- sorry -- but glad you figured it out in the end. :)

Another thing is that very usefull will be make redirection from http to https if in SSL mode or from https to http if in normal mode.
I was about to summarily inform you that this is impossible... but it turns out that nginx makes it PARTIALLY possible.  Love nginx. ;)

If you make a plain HTTP request when SSL is enabled, nginx *can* in fact be configured to tell the browser to switch to SSL mode.  Which is really quite slick.  I've added that for the next build (and incidentally, gaining the ability to make this type of change on our end is exactly why we split cc-panel.conf into its own file).

Unfortunately the reverse is NOT possible, and if you think about why, it makes sense.  Say you make an SSL connection to a plain HTTP port.  Your browser is designed to negotiate an SSL session before doing ANYTHING else... which means it's not going to accept anything but an SSL handshake from the server, so doing a plain-HTTP redirect at this point is impossible.  And completing the SSL handshake is impossible without an SSL certificate configured on the web server.  And if you don't have SSL enabled, obviously there isn't any SSL cert to use.  So in a nutshell, the browser itself makes this impossible, so we can't work around it on the server side.

That said, it's FAR more likely that people are going to be accidentally using an http:// link (thus needing to be redirected to https://)... few people are going to START by trying https:// by mistake.  So I think just implementing the former will catch the vast majority of mistakes.