self signed certificate

Fabrica_AE
MEGA Partner

Hi Community.

We are trying to start an instance in HOPEX V5. If we start the instance without the self-signed certificate, the instance starts and continues running, but if we try to start a new instance using a self-signed certificate, with the same properties and everything, only adding the certificate, then the instance fails quickly.

The certificate was created using IIS on Windows Server; we tried with 2 different certificates and nothing works. What do you think could be the problem?

2 Replies

Hi,
I have a similar issue where it seems that I have to change the Private internal SSL Certificate:

Scenario:

  • IIS server is hosting the HOPEX static website on port 443 (https://HopexTest.hopex.com:443/Web360)
  • I am using port 444 for HAS (https://HopexTest.hopex.com:444)
  • It seems that I cannot use ARR/URL rewrite because it will always redirect to the HAS page and the static website will not be reached
  • If I don't use the ARR/URL rewrite, then the client machine (user Windows 10 machine) doesn't pick up the internal self-signed certificate and I get the below error

[image: asimhassan_0-1637585970966.png]

  • The static website has no issue (https://HopexTest.hopex.com:443/Web360)
  • Do I need to change the "Private internal SSL" Certificate to the SSL "signed certificate" issued by the certification authority?

oguimard
Retired

Hello,

I am not sure I understand the full context of the problem. I will try anyway to help you find a solution.

There are 2 SSL certificates for V5:

  1. The public certificate: for HTTPS on the public address, for instance https://myserver.demomega.com . This SSL certificate ensures secure communication between the web browser and IIS.
  2. The private internal certificate: for HTTPS communication between IIS and the HAS servers, and between the HAS servers of the farm.

[image: SSL Architecture.png]

Not sure which case you are talking about.

1. Public SSL Certificate

You must add this certificate to Windows on the IIS server.

  • Generate a signed certificate, for instance with a solution like Let's Encrypt: https://letsencrypt.org/
  • Go to the MMC console and add your certificate
  • In IIS, in the HTTPS 443 binding, select your certificate

[image: trustedCErtificateSSL.png]

[image: IISSSLBinding.png]

This certificate is not to be confused with the internal certificate. What you see in HAS or HAS Instance Manager is the internal certificate.

2. Private internal SSL Certificate

This certificate is used for the communication between the servers (IIS and HAS).

It can be self-signed, or signed should your organization require it.

Case 1: Single HAS Server

If you have only 1 HAS server, meaning you are not in a cluster/farm deployment, use the default generated self-signed certificate.

When you create the instance:

  • Enable HTTPS
  • Leave all the other fields empty

[image: Hasdashboards.png]

The certificate is generated and managed by HAS itself. Some files will be created in the installation folder (default location: C:\ProgramData\MEGA\Hopex Application Server\5000) and a certificate will be added to the trusted certificates of Windows.

[image: SelfSigneGenerated.png] [image: SelfSigneGenerated1.png]

This is the recommended option.

Case 2: Multiple HAS Servers / Cluster-Farm deployment

Each server of the farm must have the internal certificate (self-signed or signed) in its trusted Windows certificates.

Below is an example of the steps you can follow. You may need to adjust the script to your constraints.

  • Execute the following script:

# Generate the CA private key (4096-bit RSA)
openssl genrsa -out rootCA.key 4096
# Create the self-signed root certificate, valid 1024 days; ca.cfg is your OpenSSL config file containing a [v3_ca] extensions section
openssl req -x509 -new -nodes -key rootCA.key -days 1024 -config ca.cfg -extensions v3_ca -out rootCA.crt
# Bundle the key and certificate into a PFX (PKCS#12) file for import into the Windows certificate store
openssl pkcs12 -export -out NomDuCertificat.pfx -inkey rootCA.key -in rootCA.crt

  • You may be prompted for a password. We recommend you set one, but it is optional.
  • Import the certificate

[image: importcertificate.png]

[image: importcertificate1.png]

[image: importcertificate2.png] [image: importcertificate3.png]

Once installed you have 2 options:

  1. The certificate is named Hopex Application Server (Dev only).pfx. In that case HAS will find it automatically.
  2. The certificate has another name and you need to reference it.

To find the thumbprint, double click on your certificate from the MMC console or from the file.

[image: thumbprint.png]

Depending on where you are in the installation scenario, the process might be different:

  • You are creating a new instance: provide either the thumbprint of the certificate or the path of the location of the certificate.
  • You have an existing instance: stop the instance, edit the file settings.cfg and add the section

"certificate":"Thumbprint du certificat"

Troubleshooting

When you change the impersonation user used to launch the processes, this user might not have access to the certificate.

Go to the MMC console, find the certificate and give the appropriate access rights.

If you are using an automatically HAS-generated certificate, you can delete it and restart the HAS instance. It will be recreated with the proper access rights.
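As an added example (not part of the answer above or of the HOPEX product), the script below carries out the Case 2 steps end to end: it generates the internal root certificate with OpenSSL, exports it to a PFX, and then derives the thumbprint that goes into settings.cfg directly from the files, so you can check it against what the MMC console shows. The output directory, common name and PFX password are placeholders to change; the small ca.cfg is generated inline because the answer does not show its contents.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl is installed.
# Generates the internal self-signed CA as in the answer, exports it to PKCS#12,
# and computes the SHA-1 thumbprint in the colon-free uppercase form Windows shows.
set -eu

make_internal_ca() {
    outdir="$1"; cn="$2"; pfxpass="$3"
    mkdir -p "$outdir"
    # Minimal OpenSSL config with a [v3_ca] section; stands in for the answer's ca.cfg.
    cat > "$outdir/ca.cfg" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $cn
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier = hash
EOF
    # 4096-bit RSA CA key, then a self-signed root valid for 1024 days (as in the answer).
    openssl genrsa -out "$outdir/rootCA.key" 4096 2>/dev/null
    openssl req -x509 -new -nodes -key "$outdir/rootCA.key" -days 1024 \
        -config "$outdir/ca.cfg" -extensions v3_ca -out "$outdir/rootCA.crt" 2>/dev/null
    # Key + certificate bundled as PFX; the password protects the private key at rest.
    openssl pkcs12 -export -out "$outdir/internal.pfx" -inkey "$outdir/rootCA.key" \
        -in "$outdir/rootCA.crt" -passout "pass:$pfxpass"
}

# Thumbprint as Windows displays it: SHA-1 over the DER certificate, hex, no colons.
thumbprint_of_crt() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}

# Same value recovered from the PFX, to confirm the exported bundle matches the .crt.
thumbprint_of_pfx() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null |
        openssl x509 -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}
```

Typical use is `make_internal_ca ./internal-ca "HOPEX internal CA" "changeme"` followed by `thumbprint_of_crt ./internal-ca/rootCA.crt`; the printed 40-character value is what the `"certificate"` entry in settings.cfg expects.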