Hi, I'm trying to install Unimus on a VM.
When it comes to validating the license key it fails.
Our Unimus Server connects via HTTP proxy. I have adjusted the configuration as in the quick guide.
I can reach https://licensing.unimus.net/status and it gives me an OK back.
The log gives the following error:
2024-04-09 13:23:11.084 INFO 2448 --- [SimpleAsyncTaskExecutor-2] u.s.b.w.s.LicenseKeyValidationWizardStep : Validating license key
2024-04-09 13:23:11.740 WARN 2448 --- [SimpleAsyncTaskExecutor-2] u.s.b.w.s.LicenseKeyValidationWizardStep : License key validation failed. Reason = Unable to establish SSL connection. unable to find valid certification path to requested target
2024-04-09 13:23:11.740 WARN 2448 --- [SimpleAsyncTaskExecutor-2] n.unimus.system.bootstrap.wizard.Wizard : Wizard failed. Reason = Unable to establish SSL connection. unable to find valid certification path to requested target. Wizard{running=true, finished=false, failed=true}
I checked and our firewall is not blocking any traffic.
Maybe someone can point me in the right direction.
[Solved] Stuck at validating license
Hello, this error would suggest that either:
1) your proxy is not configured properly, and Unimus' HTTPS licensing request is being intercepted (walled garden)
2) your proxy is replacing the HTTPS traffic certificate (HTTPS inspection / HTTPS MITM)
Would either of these be the case?
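To tell the two causes listed above apart, this added example (not from the thread and not Unimus code) opens a CONNECT tunnel through the forward proxy to licensing.unimus.net, prints the certificate chain the JVM is actually shown, and then checks that chain against the JVM's default trust store. The class name ProxyCertProbe and the two command-line arguments (proxy host and port) are assumptions.

```java
import javax.net.ssl.*;
import java.io.*;
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.*;
// Added diagnostic, not Unimus code. Java 11+: java ProxyCertProbe.java <proxyHost> <proxyPort>
public class ProxyCertProbe {
    static final String TARGET = "licensing.unimus.net"; // host named in the thread

    public static void main(String[] args) throws Exception {
        // 1) Ask the forward proxy for a tunnel, as any HTTPS client does.
        Socket tunnel = new Socket(args[0], Integer.parseInt(args[1]));
        tunnel.setSoTimeout(10_000);
        tunnel.getOutputStream().write(("CONNECT " + TARGET + ":443 HTTP/1.1\r\nHost: " + TARGET + ":443\r\n\r\n").getBytes("US-ASCII"));
        BufferedReader in = new BufferedReader(new InputStreamReader(tunnel.getInputStream(), "US-ASCII"));
        String status = in.readLine();
        System.out.println("Proxy answered: " + status);
        if (status == null || !status.matches("HTTP/1\\.[01] 2\\d\\d.*")) {
            System.out.println("=> No tunnel: the proxy blocked or intercepted the request.");
            return;
        }
        for (String h = in.readLine(); h != null && !h.isEmpty(); h = in.readLine()) { } // skip headers

        // 2) Handshake with a trust manager that only records the chain it is shown.
        X509Certificate[][] chain = new X509Certificate[1][];
        String[] auth = new String[1];
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] c, String a) { chain[0] = c; auth[0] = a; }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        SSLSocket tls = (SSLSocket) ctx.getSocketFactory().createSocket(tunnel, TARGET, 443, true);
        tls.startHandshake();
        tls.close(); // no application data is sent over the unverified session
        for (X509Certificate c : chain[0])
            System.out.println("subject=" + c.getSubjectX500Principal() + "\n  issuer=" + c.getIssuerX500Principal());

        // 3) Validate the recorded chain against this JVM's default trust store.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        try {
            ((X509TrustManager) tmf.getTrustManagers()[0]).checkServerTrusted(chain[0], auth[0]);
            System.out.println("=> Chain is trusted by this JVM.");
        } catch (CertificateException e) {
            System.out.println("=> Not trusted by this JVM: " + e.getMessage());
        }
    }
}
```

Run it with the same JVM and trust-store options that Unimus runs with. An issuer in step 2 that names the proxy or an internal CA, together with a failure in step 3, is the HTTPS inspection case; a non-2xx answer in step 1 is the interception case.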
We are having this same issue and I'm a bit confused.
Should the nginx reverse proxy not be where the certificate is added?
i.e. the proxy config might look like this
```nginx
# Redirect plain HTTP to HTTPS
server {
    listen 80;
    server_name unimus.company.tld;
    return 301 https://$host$request_uri;
}

# TLS is terminated here; traffic to Unimus is plain HTTP on loopback
server {
    listen 443 ssl;
    server_name unimus.company.tld;
    ssl_certificate /etc/pki/tls/certs/wildcard.cer;
    ssl_certificate_key /etc/pki/tls/private/wildcard.key;

    location / {
        proxy_pass http://127.0.0.1:8085;
        proxy_redirect default;

        # Pass the original host, scheme and client address to the backend
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-By $server_addr:$server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;

        # Allow connection upgrades (WebSocket) through the proxy
        proxy_http_version 1.1;
        proxy_set_header Connection $http_connection;
        proxy_set_header Upgrade $http_upgrade;

        proxy_read_timeout 30m;
        proxy_send_timeout 30m;
        client_max_body_size 0;

        # No caching or buffering between client and backend
        proxy_cache off;
        proxy_buffering off;
        proxy_request_buffering off;
    }
}
```
With the unimus config being
```
-Xms256M -Xmx768M
-Djava.security.egd=file:/dev/./urandom
-Dserver.address=unimus.company.tld
-Dserver.port=8085
```
Do we need to still have the ssl configuration on the unimus tomcat/jetty side? I was under the impression that the proxy usually handles the certificate and that was the whole point of using a proxy?
I feel like I'm just misunderstanding something but I'm not finding any full configuration example type solutions in past forum posts or documentation. Any additional guidance would be greatly appreciated.
DarkSideMilk wrote: ↑Thu Jun 05, 2025 3:59 pm
> ...
> Do we need to still have the ssl configuration on the unimus tomcat/jetty side? I was under the impression that the proxy usually handles the certificate and that was the whole point of using a proxy?
> I feel like I'm just misunderstanding something but I'm not finding any full configuration example type solutions in past forum posts or documentation. Any additional guidance would be greatly appreciated.

Hi. The misunderstanding is likely between a forward proxy and reverse proxy.
Your post contains an nginx config for a reverse proxy setup - when a client connects to Unimus, it goes to the reverse proxy (nginx) and that proxies the connection between the client and Unimus. We do have an official nginx reverse proxy recommendation here.
The original post here was using a forward proxy - when Unimus tries to connect to the licensing server, there is a forward proxy that proxies the connection between Unimus and the licensing server. We also have official docs on how to run Unimus behind a forward proxy here.
So the difference is incoming vs. outgoing connections from/to Unimus.