[Solved] Using a custom SSL Certificate

General discussion of anything Unimus
Post Reply
davsank
Posts: 2
Joined: Fri Jan 26, 2024 12:04 pm

Thu Feb 01, 2024 7:35 pm

Hi everyone, there might be something in the Wiki I've missed, but I can't find how to enable https on the web interface.

I'm currently allowing access to the unimus web interface via a cloudflare zero-trust reverse tunnel which technically exposes my external address as https, but we will likely stop using this feature and I'd still like to encrypt the communication to the web interface.

I'm running on a linux server over which I have full control - I have a valid domain and a full certificate chain (currently in PKCS12 format but I can convert to whatever format is required).

How can I:
  • Bind the unimus web server to a specific hostname (different from the system one)
  • Force all connection to the server to be over https and reject http requests
User avatar
Tomas
Posts: 1195
Joined: Sat Jun 25, 2016 12:33 pm

Thu Feb 01, 2024 7:54 pm

davsank wrote:
Thu Feb 01, 2024 7:35 pm
How can I:
  • Bind the unimus web server to a specific hostname (different from the system one)
  • Force all connection to the server to be over https and reject http requests
Hi,

For binding to a specific address, you can use this article: https://wiki.unimus.net/display/UNPUB/C ... nd+address
For HTTPS, we have an article on using a self-signed certificate here: https://wiki.unimus.net/display/UNPUB/U ... igned+cert

Since you mentioned you have a CA-issued cert, there are a few differences. Assuming you have a pem-encoded certificate:

1) Convert PEM certificate files (.crt/.cer/.cert + .key) to PKCS12 format:

Code: Select all

openssl pkcs12 -export -in XXX.crt -inkey XXX.key -out XXX.p12 -name XXX
2) Import PKCS12 keystore into Java keystore (JKS):

Code: Select all

keytool -importkeystore -srckeystore XXX.p12 -srcstoretype pkcs12 -destkeystore XXX.keystore -deststoretype pkcs12 -alias XXX
The rest is the same as the self-signed article. Use the keystore in the /etc/default/unimus config file. Restart the Unimus service, and after startup Unimus will be accessible only over HTTPS.
rustyjarz
Posts: 17
Joined: Mon Aug 03, 2020 7:04 am

Sun Feb 11, 2024 11:00 pm

Tomas wrote:
Thu Feb 01, 2024 7:54 pm
davsank wrote:
Thu Feb 01, 2024 7:35 pm
How can I:
  • Bind the unimus web server to a specific hostname (different from the system one)
  • Force all connection to the server to be over https and reject http requests
Hi,

For binding to a specific address, you can use this article: https://wiki.unimus.net/display/UNPUB/C ... nd+address
For HTTPS, we have an article on using a self-signed certificate here: https://wiki.unimus.net/display/UNPUB/U ... igned+cert

Since you mentioned you have a CA-issued cert, there are a few differences. Assuming you have a pem-encoded certificate:

1) Convert PEM certificate files (.crt/.cer/.cert + .key) to PKCS12 format:

Code: Select all

openssl pkcs12 -export -in XXX.crt -inkey XXX.key -out XXX.p12 -name XXX
2) Import PKCS12 keystore into Java keystore (JKS):

Code: Select all

keytool -importkeystore -srckeystore XXX.p12 -srcstoretype pkcs12 -destkeystore XXX.keystore -deststoretype pkcs12 -alias XXX
The rest is the same as the self-signed article. Use the keystore in the /etc/default/unimus config file. Restart the Unimus service, and after startup Unimus will be accessible only over HTTPS.
Hi Thoms,

I need to set this up on a Windows based system. Can you give me the config commands for Windows and any other differences please.

I've noticed in the confluence page https://wiki.unimus.net/display/UNPUB/U ... igned+cert you're referencing jre8. I have both jre8 and jre11, and both have the keytool.exe in them, so I'm guessing it shouldn't matter which one is used?

Thanks.
User avatar
Tomas
Posts: 1195
Joined: Sat Jun 25, 2016 12:33 pm

Thu Feb 15, 2024 2:18 pm

rustyjarz wrote:
Sun Feb 11, 2024 11:00 pm
Hi Thomas,

I need to set this up on a Windows based system. Can you give me the config commands for Windows and any other differences please.

I've noticed in the confluence page https://wiki.unimus.net/display/UNPUB/U ... igned+cert you're referencing jre8. I have both jre8 and jre11, and both have the keytool.exe in them, so I'm guessing it shouldn't matter which one is used?

Thanks.
For Windows, the commands are the same, just using Windows paths / executables. The config file will be in "C:\ProgramData\Unimus". You can follow the instructions above, and the links from the Wiki.

If you have jre8, you can delete it actually. We migrated to jre11, so jre8 is a "leftover" of older versions. If you've been using Unimus for a while, and updating, this is expected and totally OK :)
rustyjarz
Posts: 17
Joined: Mon Aug 03, 2020 7:04 am

Tue Feb 20, 2024 5:16 am

Thanks Thomas,

I did implement this, and post implementation I could not access the Unimus GUI either via HTTP or HTTPS. I raised a case with Unimus but have not had any updates, the support request ID is 4545-211-301-24.

Tomas wrote:
Thu Feb 15, 2024 2:18 pm
rustyjarz wrote:
Sun Feb 11, 2024 11:00 pm
Hi Thomas,

I need to set this up on a Windows based system. Can you give me the config commands for Windows and any other differences please.

I've noticed in the confluence page https://wiki.unimus.net/display/UNPUB/U ... igned+cert you're referencing jre8. I have both jre8 and jre11, and both have the keytool.exe in them, so I'm guessing it shouldn't matter which one is used?

Thanks.
For Windows, the commands are the same, just using Windows paths / executables. The config file will be in "C:\ProgramData\Unimus". You can follow the instructions above, and the links from the Wiki.

If you have jre8, you can delete it actually. We migrated to jre11, so jre8 is a "leftover" of older versions. If you've been using Unimus for a while, and updating, this is expected and totally OK :)
Post Reply