How to Use Netsh to Remove an Older Certificate Before Adding Another on a DDC

Use "delete sslcert" in the netsh http context (i.e. netsh http delete sslcert).

This deletes SSL server certificate bindings and the corresponding client certificate policies for an IP address and port.

delete sslcert [ipport=]IP Address:port

Parameters

[ipport=]IP Address:port

Specifies the IPv4 or IPv6 address and port for which the SSL certificate bindings will be deleted.

Examples

delete sslcert ipport=1.1.1.1:443

delete sslcert ipport=0.0.0.0:443

delete sslcert ipport=[::]:443


"Reverse Proxy" HTTP error code 421 - Misdirected Request

I do not need a solution (just sharing information)

Starting from 6.7.4.105, the ProxySG supports Server Name Indication (SNI) in reverse proxy mode. Previously, SNI was supported for forward proxy only.

SNI is used by the client to indicate, at the beginning of the handshake, which hostname it is contacting. This allows a server to serve several domains, each with a different SSL certificate, from the same IP address.

The user gets HTTP error code 421 "Misdirected Request" when connecting to an HTTPS page and all of the following conditions hold at the same time:

  1. Several vhosts on the same server/IP
  2. Redirection between these vhosts
  3. A different SSL certificate, for a different domain, on each vhost
  4. HTTP/1.1 or HTTP/2, which reuse the same SSL connection for several consecutive HTTP requests
  5. The HTTP client (the proxy in this case) sets SNI in the SSL handshake.

The issue is caused by the complex server-side configuration described above, so the customer must be informed to separate any vhosts that redirect to each other onto different servers/IPs.

As a workaround, the issue can be solved by disabling connection reuse on the proxy with http.server.persistence(no) for the vhost that responds with the HTTP redirection. For example, if domain1.com redirects to domain2.com, the following CPL is needed so that the same SSL connection is not reused after the redirection:

<proxy>
  server_url.host=domain1.com http.server.persistence(no)

Note that this workaround may cause high CPU/memory utilization on the customer's servers if there are many connections to domain1.com, as every single HTTP request then has its own SSL handshake.


7023261: How to change secure port for WebAccess running on SLES12 for GW18.

This document (7023261) is provided subject to the disclaimer at the end of this document.

Environment


GroupWise 18

SUSE Linux Enterprise Server 12

Situation

In your LAN environment you would like to use ports other than the default 80/443 for WebAccess.

Resolution

Since securing WebAccess on Linux is about securing the Apache web server, the changes are made in a few Apache configuration files:
1. /etc/apache2/listen.conf
Make sure the Listen port is set to 8080 and the SSL Listen port to 8443.
2. /etc/apache2/vhosts.d/vhost-ssl.conf
Change the <VirtualHost _default_:443> line to port 8443, i.e. <VirtualHost _default_:8443>.
3. /etc/apache2/conf.d/rewrite.conf
Add the port number to the last line, like:
RewriteRule ^/?(.*) https://%{SERVER_NAME}:8443/$1 [R,L]
Stop and restart the Apache web server for the changes to take effect.
Then if you open:
http://<ip_web>:8080/gw
it is redirected to:
https://<ip_web>:8443/gw/webacc
and you get the login page of the WebAccess site.
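The three edits above are easy to get subtly wrong by hand (a missed SSL Listen line, a redirect that still points at 443). The script below is an added example, not part of the NetIQ article: it applies the same three changes with sed to a copy of the SLES apache2 tree and then verifies all of them. The SLES file layout (listen.conf, vhosts.d/vhost-ssl.conf, conf.d/rewrite.conf) is taken from the article; the minimal file contents written by make_scratch_conf are constructed for the example and only approximate the real SUSE files.

```shell
#!/bin/sh
# Added example (not the KB article's own code): apply the WebAccess port
# change from the article to an apache2 config directory, then verify it.
# Point it at a scratch copy first; nothing live is touched unless you
# pass /etc/apache2 yourself.
set -eu

HTTP_PORT=8080
HTTPS_PORT=8443

# 1. listen.conf: "Listen 80" -> "Listen 8080", "Listen 443" -> "Listen 8443".
#    The 443 line sits inside <IfDefine SSL> on SLES, hence no ^ anchor on it.
set_listen_ports() {   # $1 = listen.conf
    sed -e "s/^\([[:space:]]*Listen[[:space:]][[:space:]]*\)80\$/\1$HTTP_PORT/" \
        -e "s/^\([[:space:]]*Listen[[:space:]][[:space:]]*\)443\$/\1$HTTPS_PORT/" \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# 2. vhost-ssl.conf: move the _default_ SSL virtual host to the new port.
set_vhost_port() {     # $1 = vhost-ssl.conf
    sed -e "s/^\(<VirtualHost _default_:\)443>/\1$HTTPS_PORT>/" \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# 3. rewrite.conf: insert ":8443" after %{SERVER_NAME} on the RewriteRule line.
#    Idempotent: once the port is there the pattern no longer matches.
set_rewrite_port() {   # $1 = rewrite.conf
    sed -e "/^RewriteRule/ s|%{SERVER_NAME}/|%{SERVER_NAME}:$HTTPS_PORT/|" \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

apply_port_change() {  # $1 = apache2 config directory
    set_listen_ports "$1/listen.conf"
    set_vhost_port   "$1/vhosts.d/vhost-ssl.conf"
    set_rewrite_port "$1/conf.d/rewrite.conf"
}

# Returns 0 only when all three files carry the new ports.
verify_ports() {       # $1 = apache2 config directory
    grep -q "^Listen $HTTP_PORT\$"                "$1/listen.conf" &&
    grep -q "Listen $HTTPS_PORT\$"                "$1/listen.conf" &&
    grep -q "^<VirtualHost _default_:$HTTPS_PORT>" "$1/vhosts.d/vhost-ssl.conf" &&
    grep -q "%{SERVER_NAME}:$HTTPS_PORT/"         "$1/conf.d/rewrite.conf"
}

# Constructed stand-in for the SLES files, for trying the script out.
make_scratch_conf() {  # $1 = empty directory
    mkdir -p "$1/vhosts.d" "$1/conf.d"
    printf 'Listen 80\n<IfDefine SSL>\n    Listen 443\n</IfDefine>\n' > "$1/listen.conf"
    printf '<VirtualHost _default_:443>\n    SSLEngine on\n</VirtualHost>\n' > "$1/vhosts.d/vhost-ssl.conf"
    printf 'RewriteEngine On\nRewriteRule ^/?(.*) https://%%{SERVER_NAME}/$1 [R,L]\n' > "$1/conf.d/rewrite.conf"
}

# Usage: sh change-webaccess-ports.sh /path/to/apache2-copy
if [ "${1:-}" ]; then
    apply_port_change "$1" && verify_ports "$1" && echo "WebAccess ports updated in $1"
fi
```

Run it against a copy of /etc/apache2 first, then diff the copy against the live tree; only after apachectl configtest passes on the edited files should they replace the originals and Apache be restarted as the article says.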

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.


7018748: Command "zypper ref" returns an HTTP 400 error in SUSE Manager 3.0 or 3.1 client.

Optionally, instead of the above steps, the following workaround can be used, which is to set the HTTP protocol options to Unsafe by running:

echo "HttpProtocolOptions Unsafe" > /etc/apache2/conf.d/zypp-fix.conf

rcapache2 restart

Further information can be found here:

https://httpd.apache.org/docs/2.4/en/mod/core.html#httpprotocoloptions

Quoting an excerpt from the above link:

> Security risks of Unsafe
>
> Users are strongly cautioned against toggling the Unsafe mode of operation,
> particularly on outward-facing, publicly accessible server deployments.
> If an interface is required for faulty monitoring or other custom service
> consumers running on an intranet, users should toggle the Unsafe option only
> on a specific virtual host configured to service their internal private
> network
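The zypp-fix.conf one-liner above sets Unsafe at server scope, which is exactly what the quoted Apache documentation warns against. The script below is an added example and not part of the SUSE article: write_scoped_unsafe writes the same directive limited to one virtual host on an internal address (the address 10.0.0.5:80 and the file names are assumptions for the example), and find_global_unsafe audits a set of Apache config files and reports any HttpProtocolOptions Unsafe that is not inside a <VirtualHost> block, so the global variant can be caught in a config review.

```shell
#!/bin/sh
# Added example (not from the SUSE KB): scope "HttpProtocolOptions Unsafe"
# to an internal-only virtual host, and audit a config tree for the
# server-wide form that the Apache documentation cautions against.
set -eu

# (a) Scoped alternative to the article's zypp-fix.conf.
#     $1 = file to write, $2 = internal IP:port that SUSE Manager clients use
#     (e.g. 10.0.0.5:80; an assumed value, adjust to your LAN).
write_scoped_unsafe() {
    cat > "$1" <<EOF
# Unsafe only for the vhost that serves legacy zypper clients on the LAN.
<VirtualHost $2>
    HttpProtocolOptions Unsafe
</VirtualHost>
EOF
}

# (b) Print file:line for every "HttpProtocolOptions Unsafe" that is NOT
#     inside a <VirtualHost> block. Exit status 1 if any were found, else 0.
#     $@ = config files to audit, e.g. /etc/apache2/*.conf /etc/apache2/conf.d/*.conf
find_global_unsafe() {
    awk '
        FNR == 1 { depth = 0 }                             # new file: server scope
        /^[[:space:]]*<VirtualHost[[:space:]>]/ { depth++ }
        /^[[:space:]]*<\/VirtualHost>/          { depth-- }
        /^[[:space:]]*HttpProtocolOptions[[:space:]].*Unsafe/ && depth == 0 {
            printf "%s:%d: %s\n", FILENAME, FNR, $0
            found = 1
        }
        END { exit found ? 1 : 0 }
    ' "$@"
}

# Usage: sh audit-unsafe.sh /etc/apache2/*.conf /etc/apache2/conf.d/*.conf
if [ $# -gt 0 ]; then
    find_global_unsafe "$@"
fi
```

Because the audit keys on <VirtualHost> nesting, a comment line mentioning Unsafe is ignored (it does not start with the directive) and a directive inside a vhost block passes; the article's echo-generated file fails the check, which is the point.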

NOTE: The procedure explained above will not help for clients that are not yet registered with SUSE Manager. Any such clients will need an update of zypper/yum, but that is not possible because the clients have no way to get updates.

To bypass this problem, recreate the bootstrap repository with the command "mgr-create-bootstrap-repo". The command "mgr-bootstrap" (after another maintenance update) now makes sure of that when it generates the bootstrap script. However, this means that all the bootstrap scripts will need to be regenerated to include this change (after the package spacewalk-cert-tools has been updated to version 2.5.1.9-20.1 or higher).


Atmos: How to enable S3 virtual host style bucket?

Article Number: 497044 | Article Version: 3 | Article Type: How To



Atmos

Atmos Software with Atmos Hardware

Atmos Software Virtual Edition

You can address an S3 bucket in these ways:

[image not available: the addressing styles for an S3 bucket]

For the virtual host style bucket, the following host names are supported by default:

• s3.amazonaws.com

• localhost

• localhost.localdomain



To enable the virtual host style bucket for additional host names, the DomainNames key in the Atmos S3 configuration file must include the additional host names.

Get current setting and save to a temp file:

# configmgr.py -g S3 -n $HOSTNAME -f s3.cfg.dump

Edit the file and replace the DomainNames value (shown here as NONE) with the host name:

# vi s3.cfg.dump

{
  "cfg": {
    "DomainNames": "NONE",
    "IOBufferSize": "32768"
  }
}



Update the current setting with edited file

# configmgr.py -s S3 -n $HOSTNAME -f s3.cfg.dump

Confirm that the setting was updated:

# grep DomainNames /etc/maui/mauis3_cfg.xml

<!-- entry key="DomainNames" value="%DOMAIN_NAMES%"/ -->

<entry key="DomainNames" value="NONE"/>

Repeat the change for all nodes.


7022540: Webaccess not working after install GroupWise 18 Connection Refused

SLES11 SSL

1. Create a self-signed cert using the SLES11 script:

   1. cd /usr/share/doc/packages/apache2

   2. ./mkcert.sh make --no-print-directory /usr/bin/openssl /usr/sbin/ custom

   3. Enter information when prompted and use the defaults for the other settings.

2. The above script places the certs in the appropriate directories, /etc/apache2/ssl.crt and /etc/apache2/ssl.key.

3. Enable SSL with the following commands:

   1. a2enmod ssl

   2. a2enflag SSL (take note of the capitalization)

4. Create a vhost-ssl.conf file from the vhost-ssl.template file in /etc/apache2/vhosts.d/:

   1. cd /etc/apache2/vhosts.d

   2. cp vhost-ssl.template vhost-ssl.conf

   3. Edit the new vhost-ssl.conf file and change/verify the directory paths for the crt and key files.

5. Check the firewall:

   1. If the firewall is active, make sure that ports 443 and 80 are open.

SLES12 SSL

1. Create a self-signed cert using OpenSSL:

   1. sudo openssl req -new > new.cert.csr

   2. Follow the prompts.

   3. sudo openssl rsa -in privkey.pem -out new.cert.key

   4. sudo openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365

2. Move the .crt and .key files to the appropriate locations:

   1. sudo cp new.cert.cert /etc/apache2/ssl.crt/server.crt

   2. sudo cp new.cert.key /etc/apache2/ssl.key/server.key

3. Enable SSL with the following commands:

   1. a2enmod ssl

   2. a2enflag SSL (take note of the capitalization)

4. Create a vhost-ssl.conf file from the vhost-ssl.template file in /etc/apache2/vhosts.d/:

   1. cd /etc/apache2/vhosts.d

   2. cp vhost-ssl.template vhost-ssl.conf

   3. Edit the new vhost-ssl.conf file and change/verify the directory paths for the crt and key files.

Finally, if the firewall is active, make sure that ports 443 and 80 are open.

Restart Apache and Tomcat, and WebAccess should now work as expected.
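The SLES12 steps above go through a CSR and four interactive commands, and they never check that the key and certificate that end up in ssl.key and ssl.crt belong together or that the key is not world-readable. The script below is an added example, not part of the SUSE KB: a single non-interactive openssl req -x509 call produces server.key and server.crt (with a subjectAltName, which current browsers require; the CN, the 365-day validity and the output names are assumptions for the example), and the check functions confirm the pair matches, the certificate is currently valid and the key is owner-only before anything is copied into /etc/apache2.

```shell
#!/bin/sh
# Added example (not from the SUSE KB): generate a self-signed server
# certificate for Apache without prompts and verify it before installing.
set -eu

# $1 = output directory, $2 = hostname for CN and SAN, $3 = validity in days
make_self_signed() {
    # Modern openssl: CN plus subjectAltName. Fallback for releases that
    # lack -addext (pre-1.1.1): CN only.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$3" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null ||
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$3" \
        -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
    chmod 600 "$1/server.key"   # private key: owner read/write only
    chmod 644 "$1/server.crt"   # certificate is public
}

# 0 when the public key inside server.crt is the one derived from server.key.
key_matches_cert() {   # $1 = directory
    crt_pub=$(openssl x509 -in "$1/server.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$1/server.key" -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# 0 when the certificate has not expired (checkend 0 = "valid right now").
cert_is_valid_now() {  # $1 = directory
    openssl x509 -in "$1/server.crt" -noout -checkend 0 >/dev/null
}

# 0 when server.key has no group/other permission bits (mode 600 or 400).
key_is_private() {     # $1 = directory
    case $(ls -l "$1/server.key" | cut -c5-10) in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Usage: sh make-server-cert.sh /tmp/certs [hostname]
# then: cp /tmp/certs/server.crt /etc/apache2/ssl.crt/ ; cp /tmp/certs/server.key /etc/apache2/ssl.key/
if [ "${1:-}" ]; then
    make_self_signed "$1" "${2:-$(hostname)}" 365
    key_matches_cert "$1" && key_is_private "$1" && cert_is_valid_now "$1" &&
        echo "server.key/server.crt written to $1 and verified"
fi
```

The matching check is the one worth keeping for any certificate, self-signed or not: comparing the public key extracted from the certificate with the one derived from the private key catches a mix-up between an old and a new key pair before Apache refuses to start over it.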

Helpful Links:

https://www.suse.com/documentation/sles-12/book_sle_admin/data/sec_apache2_ssl.html#

https://www.suse.com/documentation/sles11/book_sle_admin/data/sec_apache2_ssl.html#
