[Solved] Using a custom SSL Certificate

General discussion of anything Unimus
davsank
Posts: 2
Joined: Fri Jan 26, 2024 12:04 pm

Thu Feb 01, 2024 7:35 pm

Hi everyone, there might be something in the Wiki I've missed, but I can't find how to enable https on the web interface.

I'm currently allowing access to the unimus web interface via a cloudflare zero-trust reverse tunnel which technically exposes my external address as https, but we will likely stop using this feature and I'd still like to encrypt the communication to the web interface.

I'm running on a linux server over which I have full control - I have a valid domain and a full certificate chain (currently in PKCS12 format but I can convert to whatever format is required).

How can I:
  • Bind the unimus web server to a specific hostname (different from the system one)
  • Force all connections to the server to be over https and reject http requests
Tomas
Posts: 1308
Joined: Sat Jun 25, 2016 12:33 pm

Thu Feb 01, 2024 7:54 pm

davsank wrote:
Thu Feb 01, 2024 7:35 pm
How can I:
  • Bind the unimus web server to a specific hostname (different from the system one)
  • Force all connections to the server to be over https and reject http requests
Hi,

For binding to a specific address, you can use this article: https://wiki.unimus.net/display/UNPUB/C ... nd+address
For HTTPS, we have an article on using a self-signed certificate here: https://wiki.unimus.net/display/UNPUB/U ... igned+cert

Since you mentioned you have a CA-issued cert, there are a few differences. Assuming you have a pem-encoded certificate:

1) Convert PEM certificate files (.crt/.cer/.cert + .key) to PKCS12 format:

openssl pkcs12 -export -in XXX.crt -inkey XXX.key -out XXX.p12 -name XXX
2) Import PKCS12 keystore into Java keystore (JKS):

keytool -importkeystore -srckeystore XXX.p12 -srcstoretype pkcs12 -destkeystore XXX.keystore -deststoretype pkcs12 -alias XXX
The rest is the same as the self-signed article. Use the keystore in the /etc/default/unimus config file. Restart the Unimus service, and after startup Unimus will be accessible only over HTTPS.
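The PEM-to-PKCS12 conversion from the steps above, with the checks a practitioner wants before restarting the service, as an added example that is not part of this thread, of Unimus or of its Wiki. It assumes openssl is installed; the file names (server.key, server.crt, chain.crt, unimus.p12), the alias "unimus" and the password "mypasswd" are placeholders. keytool is not needed for the checks: the JVM reads the file as PKCS12 (the config posted later in this thread sets server.ssl.keyStoreType=PKCS12) and uses the PKCS12 friendlyName as the alias, so the value given to openssl -name is what server.ssl.keyAlias must match, and a password that fails the PKCS12 MAC check here is the same failure Tomcat reports at start-up as "keystore password was incorrect".

```shell
#!/bin/sh
# Added example, not Unimus' or the Wiki's own tooling. Assumed names:
# server.key, server.crt (leaf), chain.crt (intermediates), unimus.p12,
# alias "unimus", password "mypasswd". Requires only openssl.
set -eu

# 1) PEM -> PKCS12. -certfile adds the intermediates so clients receive a
#    complete chain; -name is the alias that server.ssl.keyAlias must match.
build_keystore() {  # build_keystore <key.pem> <leaf.crt> <chain.crt> <out.p12> <alias> <password>
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -out "$4" -name "$5" -passout "pass:$6"
    chmod 600 "$4"          # the file contains the private key
}

# 2) Does this exact password open the keystore? Prints ok/bad, returns 0/1.
#    The PKCS12 MAC verification performed here is what the JVM does when it
#    loads the keystore at start-up.
check_keystore_password() {  # check_keystore_password <file.p12> <password>
    if openssl pkcs12 -in "$1" -noout -passin "pass:$2" 2>/dev/null; then
        echo ok
    else
        echo bad; return 1
    fi
}

# 3) The alias stored in the file (PKCS12 friendlyName of the key's certificate).
keystore_alias() {  # keystore_alias <file.p12> <password>
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$2" 2>/dev/null \
        | sed -n 's/^ *friendlyName: //p' | head -n 1
}

# 4) Number of certificates the server can present (leaf + intermediates).
keystore_cert_count() {  # keystore_cert_count <file.p12> <password>
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
        | grep -c '^-----BEGIN CERTIFICATE-----'
}

# Throw-away key material for a dry run (constructed; not a real CA chain).
make_demo_certs() {  # make_demo_certs <dir>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=unimus.example \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo-intermediate \
        -keyout "$1/chain.key" -out "$1/chain.crt" 2>/dev/null
}

demo() {
    d=$(mktemp -d)
    make_demo_certs "$d"
    build_keystore "$d/server.key" "$d/server.crt" "$d/chain.crt" "$d/unimus.p12" unimus mypasswd
    check_keystore_password "$d/unimus.p12" mypasswd           # ok
    check_keystore_password "$d/unimus.p12" "'mypasswd'" || :  # bad: quote characters are not part of the password
    keystore_alias "$d/unimus.p12" mypasswd                    # unimus
    keystore_cert_count "$d/unimus.p12" mypasswd               # 2
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run with a real certificate by calling build_keystore on your own key, leaf and intermediate files, then check_keystore_password and keystore_alias with the exact strings you intend to put in /etc/default/unimus; if check_keystore_password says ok here but the service still logs "keystore password was incorrect", the string the JVM received is not the one you tested.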
rustyjarz
Posts: 17
Joined: Mon Aug 03, 2020 7:04 am

Sun Feb 11, 2024 11:00 pm

Hi Thomas,

I need to set this up on a Windows based system. Can you give me the config commands for Windows and any other differences please.

I've noticed in the confluence page https://wiki.unimus.net/display/UNPUB/U ... igned+cert you're referencing jre8. I have both jre8 and jre11, and both have the keytool.exe in them, so I'm guessing it shouldn't matter which one is used?

Thanks.
Tomas
Posts: 1308
Joined: Sat Jun 25, 2016 12:33 pm

Thu Feb 15, 2024 2:18 pm

For Windows, the commands are the same, just using Windows paths / executables. The config file will be in "C:\ProgramData\Unimus". You can follow the instructions above, and the links from the Wiki.

If you have jre8, you can delete it actually. We migrated to jre11, so jre8 is a "leftover" of older versions. If you've been using Unimus for a while, and updating, this is expected and totally OK :)
rustyjarz
Posts: 17
Joined: Mon Aug 03, 2020 7:04 am

Tue Feb 20, 2024 5:16 am

Thanks Thomas,

I did implement this, and post-implementation I could not access the Unimus GUI either via HTTP or HTTPS. I raised a case with Unimus but have not had any updates; the support request ID is 4545-211-301-24.

CSC
Posts: 2
Joined: Thu Jun 26, 2025 6:56 am

Thu Jun 26, 2025 7:09 am

Hi Tomas,

As I have a CA-issued cert, I followed your steps, but when I restart the Unimus service it ends up with this error.

Caused by: org.apache.catalina.LifecycleException: Protocol handler start failed
        at org.apache.catalina.connector.Connector.startInternal(Connector.java:1042)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:171)
        at org.apache.catalina.core.StandardService.addConnector(StandardService.java:232)
        ... 26 common frames omitted
Caused by: java.lang.IllegalArgumentException: keystore password was incorrect
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:236)
        at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1332)
        at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1418)
        at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:665)
        at org.apache.catalina.connector.Connector.startInternal(Connector.java:1039)
        ... 28 common frames omitted
Caused by: java.io.IOException: keystore password was incorrect
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source)
        at java.base/sun.security.util.KeyStoreDelegator.engineLoad(Unknown Source)
        at java.base/java.security.KeyStore.load(Unknown Source)
        at org.apache.tomcat.util.security.KeyStoreUtil.load(KeyStoreUtil.java:67)
        at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:240)
        at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:237)
        at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:308)
        at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:268)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:105)
        ... 34 common frames omitted
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        ... 43 common frames omitted
/etc/defaults/unimus

-Dserver.ssl.key-store=/opt/unimus/my.keystore -Dserver.ssl.keyStoreType=PKCS12 -Dserver.ssl.keyAlias=myalias -Dserver.ssl.key-store-password='mypasswd'
If I validate the keystore file via keytool, it decrypts it with the password.

root@unimus:/opt/unimus# keytool -v -list -alias myalias -keystore my.keystore
Enter keystore password:
Alias name: myalias
Creation date: Jun 25, 2025
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
The password for the keystore works with KeyStore Explorer as well.
I have no special chars in my password, what am I missing here?
Tommy.c
Posts: 17
Joined: Fri Jan 31, 2025 6:52 pm

Fri Jun 27, 2025 3:20 pm

@CSC

Have you attempted to remove the double quotation marks surrounding your password? From my reading of the Wiki you should only need to use them if you are trying to use special characters. (Although I do notice that the documentation itself doesn't seem to be consistent.)

If you are still having issues, we may need to do a support session with you to diagnose.
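What the JVM actually receives when the password is written with quotes in the config file, as an added example that is not part of this thread or of Unimus. It assumes that /etc/default/unimus stores the -D options in a shell variable (JAVA_OPTS is an assumed name; check your own file) which the start script expands unquoted when it runs java. Under that assumption the shell splits the value on whitespace but never strips quote characters that live inside a variable's value, so -Dserver.ssl.key-store-password='mypasswd' hands Java the string 'mypasswd' with the quotes included, and a password containing a space is split into two arguments. The config file is sourced by the script, so point it only at a file you control, by absolute path.

```shell
#!/bin/sh
# Added example, not part of Unimus or its Wiki. Assumes the start-up runs
# something equivalent to `java $JAVA_OPTS` with JAVA_OPTS (assumed name)
# defined in /etc/default/unimus.
set -eu

# Print, one per line, the argv words java would receive for variable $2
# defined in config file $1. The file is sourced: use it only on a config you
# control, and give an absolute path.
jvm_argv_from_config() {  # jvm_argv_from_config <config-file> <variable-name>
    (
        set +u
        set -f                       # no globbing; only the launcher's word-splitting
        . "$1"
        eval "set -- \$$2"           # unquoted expansion: splits on IFS, keeps quotes
        for word in "$@"; do printf '%s\n' "$word"; done
    )
}

# The value Java stores as server.ssl.key-store-password, or "(unset)" if the
# option is missing or empty.
jvm_keystore_password() {  # jvm_keystore_password <config-file> <variable-name>
    jvm_argv_from_config "$1" "$2" \
        | sed -n 's/^-Dserver\.ssl\.key-store-password=//p' | head -n 1 | grep . \
        || echo "(unset)"
}

# ok      : the value reaches Java as written
# quoted  : quote characters reached Java as part of the password; remove them
# unset   : no password option at all
password_diagnosis() {  # password_diagnosis <config-file> <variable-name>
    p=$(jvm_keystore_password "$1" "$2")
    case $p in
        "(unset)")          echo unset ;;
        \'*|\"*|*\'|*\")    echo quoted ;;
        *)                  echo ok ;;
    esac
}

# Constructed sample config (not a real /etc/default/unimus) for a dry run.
demo() {
    f=$(mktemp)
    printf '%s\n' "JAVA_OPTS=\"-Dserver.ssl.key-store=/opt/unimus/my.keystore -Dserver.ssl.key-store-password='mypasswd'\"" > "$f"
    jvm_keystore_password "$f" JAVA_OPTS    # 'mypasswd'  (quotes included)
    password_diagnosis "$f" JAVA_OPTS       # quoted
    printf '%s\n' 'JAVA_OPTS="-Dserver.ssl.key-store=/opt/unimus/my.keystore -Dserver.ssl.key-store-password=mypasswd"' > "$f"
    jvm_keystore_password "$f" JAVA_OPTS    # mypasswd
    password_diagnosis "$f" JAVA_OPTS       # ok
    rm -f "$f"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run `jvm_keystore_password /etc/default/unimus JAVA_OPTS` (substituting the variable name your file actually uses) and feed the printed string, exactly as printed, to `openssl pkcs12 -in my.keystore -noout -passin pass:...` or `keytool -list`; if the printed value carries quotes, that is the password the JVM tried, not the one you typed into keytool.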
CSC
Posts: 2
Joined: Thu Jun 26, 2025 6:56 am

Tue Jul 01, 2025 6:45 am

Yes, I've tried different variants (", ', and no quotation marks). In the end I've installed nginx as SSL termination.