[Solved] Using a custom SSL Certificate
Posted: Thu Feb 01, 2024 7:35 pm
by davsank
Hi everyone, there might be something in the Wiki I've missed, but I can't find how to enable HTTPS on the web interface.
I'm currently allowing access to the Unimus web interface via a Cloudflare zero-trust reverse tunnel which technically exposes my external address as HTTPS, but we will likely stop using this feature and I'd still like to encrypt the communication to the web interface.
I'm running on a Linux server over which I have full control - I have a valid domain and a full certificate chain (currently in PKCS12 format but I can convert to whatever format is required).
How can I:
- Bind the unimus web server to a specific hostname (different from the system one)
- Force all connections to the server to be over HTTPS and reject HTTP requests
Re: Using a custom SSL Certificate
Posted: Thu Feb 01, 2024 7:54 pm
by Tomas
davsank wrote: ↑Thu Feb 01, 2024 7:35 pm
How can I:
- Bind the unimus web server to a specific hostname (different from the system one)
- Force all connections to the server to be over HTTPS and reject HTTP requests
Hi,
For binding to a specific address, you can use this article:
https://wiki.unimus.net/display/UNPUB/C ... nd+address
For HTTPS, we have an article on using a self-signed certificate here:
https://wiki.unimus.net/display/UNPUB/U ... igned+cert
Since you mentioned you have a CA-issued cert, there are a few differences. Assuming you have a pem-encoded certificate:
1) Convert PEM certificate files (.crt/.cer/.cert + .key) to PKCS12 format:
Code:
openssl pkcs12 -export -in XXX.crt -inkey XXX.key -out XXX.p12 -name XXX
2) Import PKCS12 keystore into Java keystore (JKS):
Code:
keytool -importkeystore -srckeystore XXX.p12 -srcstoretype pkcs12 -destkeystore XXX.keystore -deststoretype pkcs12 -alias XXX
The rest is the same as the self-signed article. Use the keystore in the /etc/default/unimus config file. Restart the Unimus service, and after startup Unimus will be accessible only over HTTPS.
Re: Using a custom SSL Certificate
Posted: Sun Feb 11, 2024 11:00 pm
by rustyjarz
Tomas wrote: ↑Thu Feb 01, 2024 7:54 pm
davsank wrote: ↑Thu Feb 01, 2024 7:35 pm
How can I:
- Bind the unimus web server to a specific hostname (different from the system one)
- Force all connections to the server to be over HTTPS and reject HTTP requests
Hi,
For binding to a specific address, you can use this article:
https://wiki.unimus.net/display/UNPUB/C ... nd+address
For HTTPS, we have an article on using a self-signed certificate here:
https://wiki.unimus.net/display/UNPUB/U ... igned+cert
Since you mentioned you have a CA-issued cert, there are a few differences. Assuming you have a pem-encoded certificate:
1) Convert PEM certificate files (.crt/.cer/.cert + .key) to PKCS12 format:
Code:
openssl pkcs12 -export -in XXX.crt -inkey XXX.key -out XXX.p12 -name XXX
2) Import PKCS12 keystore into Java keystore (JKS):
Code:
keytool -importkeystore -srckeystore XXX.p12 -srcstoretype pkcs12 -destkeystore XXX.keystore -deststoretype pkcs12 -alias XXX
The rest is the same as the self-signed article. Use the keystore in the /etc/default/unimus config file. Restart the Unimus service, and after startup Unimus will be accessible only over HTTPS.
Hi Thomas,
I need to set this up on a Windows based system. Can you give me the config commands for Windows and any other differences please.
I've noticed in the confluence page
https://wiki.unimus.net/display/UNPUB/U ... igned+cert you're referencing jre8. I have both jre8 and jre11, and both have the keytool.exe in them, so I'm guessing it shouldn't matter which one is used?
Thanks.
Re: Using a custom SSL Certificate
Posted: Thu Feb 15, 2024 2:18 pm
by Tomas
rustyjarz wrote: ↑Sun Feb 11, 2024 11:00 pm
Hi Thomas,
I need to set this up on a Windows based system. Can you give me the config commands for Windows and any other differences please.
I've noticed in the confluence page
https://wiki.unimus.net/display/UNPUB/U ... igned+cert you're referencing jre8. I have both jre8 and jre11, and both have the keytool.exe in them, so I'm guessing it shouldn't matter which one is used?
Thanks.
For Windows, the commands are the same, just using Windows paths / executables. The config file will be in "C:\ProgramData\Unimus". You can follow the instructions above, and the links from the Wiki.
If you have jre8, you can delete it actually. We migrated to jre11, so jre8 is a "leftover" of older versions. If you've been using Unimus for a while, and updating, this is expected and totally OK.
Re: Using a custom SSL Certificate
Posted: Tue Feb 20, 2024 5:16 am
by rustyjarz
Thanks Thomas,
I did implement this, and post implementation I could not access the Unimus GUI either via HTTP or HTTPS. I raised a case with Unimus but have not had any updates, the support request ID is 4545-211-301-24.
Tomas wrote: ↑Thu Feb 15, 2024 2:18 pm
rustyjarz wrote: ↑Sun Feb 11, 2024 11:00 pm
Hi Thomas,
I need to set this up on a Windows based system. Can you give me the config commands for Windows and any other differences please.
I've noticed in the confluence page
https://wiki.unimus.net/display/UNPUB/U ... igned+cert you're referencing jre8. I have both jre8 and jre11, and both have the keytool.exe in them, so I'm guessing it shouldn't matter which one is used?
Thanks.
For Windows, the commands are the same, just using Windows paths / executables. The config file will be in "C:\ProgramData\Unimus". You can follow the instructions above, and the links from the Wiki.
If you have jre8, you can delete it actually. We migrated to jre11, so jre8 is a "leftover" of older versions. If you've been using Unimus for a while, and updating, this is expected and totally OK.
Re: [Solved] Using a custom SSL Certificate
Posted: Thu Jun 26, 2025 7:09 am
by CSC
Hi Tomas,
As I have a CA-issued cert, I followed your steps, but when I restart the Unimus service it ends up with this error.
Code:
Caused by: org.apache.catalina.LifecycleException: Protocol handler start failed
at org.apache.catalina.connector.Connector.startInternal(Connector.java:1042)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:171)
at org.apache.catalina.core.StandardService.addConnector(StandardService.java:232)
... 26 common frames omitted
Caused by: java.lang.IllegalArgumentException: keystore password was incorrect
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:236)
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1332)
at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1418)
at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:665)
at org.apache.catalina.connector.Connector.startInternal(Connector.java:1039)
... 28 common frames omitted
Caused by: java.io.IOException: keystore password was incorrect
at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source)
at java.base/sun.security.util.KeyStoreDelegator.engineLoad(Unknown Source)
at java.base/java.security.KeyStore.load(Unknown Source)
at org.apache.tomcat.util.security.KeyStoreUtil.load(KeyStoreUtil.java:67)
at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:240)
at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:237)
at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:308)
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:268)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:105)
... 34 common frames omitted
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
... 43 common frames omitted
/etc/defaults/unimus
Code:
-Dserver.ssl.key-store=/opt/unimus/my.keystore -Dserver.ssl.keyStoreType=PKCS12 -Dserver.ssl.keyAlias=myalias -Dserver.ssl.key-store-password='mypasswd'
If I validate the keystore file via keytool, it decrypts it with the password.
Code:
root@unimus:/opt/unimus# keytool -v -list -alias myalias -keystore my.keystore
Enter keystore password:
Alias name: myalias
Creation date: Jun 25, 2025
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
The password for the keystore works with KeyStore Explorer as well.
I have no special chars in my password, what am I missing here?
Re: [Solved] Using a custom SSL Certificate
Posted: Fri Jun 27, 2025 3:20 pm
by Tommy.c
@CSC
Have you attempted to remove the double quotation marks surrounding your password? From my reading of the Wiki you should only need to use them if you are trying to use special characters. (Although I do notice that the documentation itself doesn't seem to be consistent.)
If you are still having issues, we may need to do a support session with you to diagnose.
Re: [Solved] Using a custom SSL Certificate
Posted: Tue Jul 01, 2025 6:45 am
by CSC
Yes, I've tried different variants: ", ', and no quotation marks. In the end I've installed nginx as SSL termination.
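Added example, not from the thread or the Unimus documentation: a non-interactive check of which exact password string opens a PKCS12 keystore built as in step 1 of the conversion above, covering the quoting variants discussed in the last posts. The certificate, alias, paths and password are constructed test values; how Unimus treats quotes in its config file is not stated on this page, so the script only tests the keystore side.

```shell
#!/bin/sh
# Added example. Key, certificate, alias and passwords are constructed test values.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_store OUT PASSWORD: the thread's step 1 (PEM -> PKCS12) on a throwaway cert.
make_store() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=unimus.example.test" \
        -keyout "$WORK/test.key" -out "$WORK/test.crt" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/test.crt" -inkey "$WORK/test.key" \
        -name myalias -out "$1" -passout "pass:$2"
}

# opens_with FILE PASSWORD: exit status 0 only if PASSWORD opens FILE.
# There is no prompt, so the string tested is byte-for-byte the one passed in.
# For a real password prefer -passin env:VAR or file:PATH, which keeps it
# out of the process list.
opens_with() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# password_form FILE PASSWORD: print which literal form of PASSWORD opens FILE:
# as typed, or with the quote characters kept as part of the value.
password_form() {
    if   opens_with "$1" "$2";     then echo bare
    elif opens_with "$1" "'$2'";   then echo single-quoted
    elif opens_with "$1" "\"$2\""; then echo double-quoted
    else echo none
    fi
}

make_store "$WORK/my.keystore" 'mypasswd'
echo "my.keystore opens with form: $(password_form "$WORK/my.keystore" mypasswd)"
```

Run `password_form` against the real keystore to confirm the stored password contains no quote characters; if it reports `bare`, the keystore side is consistent and the remaining variable is the string the service actually receives from its config.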