Unable to start IMA with SSL

Started by mbowesman, July 02, 2017, 07:43:19 AM


mbowesman

I read with interest a previous thread, https://www.photools.com/community/index.php?topic=6317.0, and I am also experiencing similar issues.

I have a commercially signed wildcard certificate and have created the pem file by concatenating the files in the following order:

intermediate certificate
wildcard certificate
private key

I have also tried putting the private key first. In both instances, openssl verify against the pem file is ok, but neither works in IMA.

In both instances when trying to use SSL, IMA fails to start (full log to be attached), but the following extract appears to be the cause:

07.02 14:39:42+    0 [0A8C] 02  I> IMatch Web Services starting...
07.02 14:39:42+    0 [0A8C] 00  E> Error starting web server: null context when constructing CivetServer. Possible problem binding to port.  'IMatchWebServicesCW.cpp(306)'


There is nothing running on port 443, but it doesn't appear to matter what port is used, so I suspect there may be a problem in handling the certificate, but I am stumped.

I will upload logs later, including any findings from Sysinternals.


mbowesman

At a complete loss. I have created a self-signed certificate as per the other thread, and IMA still fails to launch with SSL configured, with the same error message (file server.pem attached).

I have changed the default port to empty (to force SSL) and attempted to start SSL on port 80, but it still fails. But we know the error message is wrong, as IMA successfully launches on port 80 without SSL. I have attached new logs, but they don't seem to be much different from the logs provided earlier.

According to CivetServer, it does have some very specific requirements; for example, it must have RSA in the start and end tags of the Private Certificate. (https://github.com/civetweb/civetweb/blob/master/docs/OpenSSL.md)

Any suggestions on how we might be able to investigate this further?
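A small PEM bundle linter, added here as an example (not code from the thread, IMatch or CivetWeb), that checks the two things worth verifying before suspecting the port: the key label the CivetWeb docs call for, and the block order OpenSSL's chain loader (which CivetWeb uses) expects, where the first CERTIFICATE block is taken as the server's own certificate. The sample bundle is constructed with placeholder bodies; `pem_blocks` and `lint_bundle` are hypothetical names.

```python
import re

# Constructed sample bundle (not the poster's file): placeholder bodies, but the
# labels and order mirror the thread's concatenation (intermediate, wildcard, key).
SAMPLE_PEM = """\
-----BEGIN CERTIFICATE-----
MIIBintermediatePLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBwildcardPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEkeyPLACEHOLDER
-----END PRIVATE KEY-----
"""

# BEGIN/END labels must match; the backreference rejects mismatched or truncated pairs.
BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, body) pairs in file order."""
    return [(m.group(1), m.group(2)) for m in BLOCK_RE.finditer(text)]

def lint_bundle(text):
    """Return findings to check before blaming the port; empty list means nothing obvious."""
    blocks = pem_blocks(text)
    if not blocks:
        return ["no PEM blocks found: file may be DER, or BEGIN/END lines were damaged"]
    labels = [label for label, _ in blocks]
    findings = []
    certs = [i for i, l in enumerate(labels) if l == "CERTIFICATE"]
    keys = [i for i, l in enumerate(labels) if l.endswith("PRIVATE KEY")]
    if not certs:
        findings.append("no CERTIFICATE block")
    if not keys:
        findings.append("no PRIVATE KEY block")
    for i in keys:
        label, body = blocks[i]
        if label == "ENCRYPTED PRIVATE KEY" or body.startswith("Proc-Type:"):
            findings.append("key is passphrase-protected; an unattended service cannot open it")
        elif label == "PRIVATE KEY":
            findings.append("key is PKCS#8 ('BEGIN PRIVATE KEY'); CivetWeb's docs want "
                            "'BEGIN RSA PRIVATE KEY' (openssl rsa -in k.pem -out k_rsa.pem; "
                            "add -traditional on OpenSSL 3)")
        elif label != "RSA PRIVATE KEY":
            findings.append(f"key type '{label}' is not an RSA key")
    if len(certs) > 1:
        findings.append("multiple certificates: OpenSSL's chain loader takes the FIRST one as "
                        "the server's own, so the leaf must precede the intermediate")
    return findings
```

Run against the thread's described bundle, it reports both the PKCS#8 key label and the intermediate-first ordering; a bundle with the leaf first and an RSA-labelled key produces no findings.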

Mario

Sorry, no. I have never had a problem with self-signed certificates and CivetWeb.
Using the steps detailed in the other post always worked.

Cannot bind to port usually means exactly that: The port is already bound by another application.
Do you perhaps use a virus checker which "hooks" into SSL? They are often a cause for problems...

-- Mario
IMatch Developer
Forum Administrator
http://www.photools.com  -  Contact & Support - Follow me on 𝕏 - Like photools.com on Facebook

mbowesman

Quote from: Mario on July 02, 2017, 12:58:41 PM

Cannot bind to port usually means exactly that: The port is already bound by another application.
Do you perhaps use a virus checker which "hooks" into SSL? They are often a cause for problems...

Unfortunately nothing is running on either port 80 or 443, and netstat -a confirms this. If I launch IMA on port 80, it works fine. If I try and launch IMA using SSL on port 80 (which works fine for non-SSL), 443 or any other port, it fails, so it is definitely not a port-in-use issue.

Mario

Then your certificate is wrong. Double-check all steps, especially the machine name etc.

mbowesman

With respect, the certificate is not wrong, as it is used on multiple servers (web, email) with no issues at all, and this is also confirmed by openssl verify. Even the test certificate/key pem file attached was generated by the commands you provided in the other post (via copy/paste), with the exception of the copy (cp) and type (cat) commands and setting RANDFILE.

Since you have raised concerns about machine names, are you suggesting that the certificate/key must be generated from the server running IMWS? What about the use of wildcard certificates, is this supported?

Mario

I don't know much about SSL certificates. I just followed the instructions on the CivetWeb web site on how to create an SSL certificate that works with CivetWeb. I know that many IMatch Anywhere users use self-signed certificates successfully. If the certificate you have created causes a problem with CivetWeb, I cannot help, sorry.

You may contact the CivetWeb developers and send your certificate.
Or send me your certificate and when I can free some time I may step through the CivetWeb code and see what is wrong with your certificate.

Here are discussions related to CivetWeb and certificates:

https://github.com/civetweb/civetweb/issues?utf8=%E2%9C%93&q=certificate

Maybe this helps you figure out the problem.

hro

You may want to consider an alternative approach.
I have successfully configured SSL on an Apache server and use that as a proxy server to IMA. Your requirements may be different, but I use Apache for other websites and that seemed to be a logical extension.

mbowesman

Quote from: Mario on July 03, 2017, 09:21:12 AM
I know that many IMatch Anywhere users use self-signed certificates successfully. If the certificate you have created causes a problem with CivetWeb, I cannot help, sorry.

Perhaps you need to make it clear to your users that you do not support the open source software that you use in your products, and also perhaps an acknowledgement?

Quote from: Mario on July 03, 2017, 09:21:12 AM
Or send me your certificate and when I can free some time I may step through the CivetWeb code and see what is wrong with your certificate.

A copy of the self signed pem has been provided in an earlier post.

Quote from: Mario on July 03, 2017, 09:21:12 AM
Here are discussions related to CivetWeb and certificates:

https://github.com/civetweb/civetweb/issues?utf8=%E2%9C%93&q=certificate

Maybe this helps you figure out the problem.

I will provide some feedback, but I am also looking to install a native Civet server to test.


mbowesman

Quote from: hro on July 03, 2017, 10:00:06 AM
You may want to consider an alternative approach.
I have successfully configured SSL on an Apache server and use that as a proxy server to IMA. Your requirements may be different, but I use Apache for other websites and that seemed to be a logical extension.

It is something I have considered, and may be what I end up doing if I decide to pursue IMA, but right now I am evaluating IMA as a standalone solution.

Mario

Quote from: mbowesman
Perhaps you need to make it clear to your users that you do not support the open source software that you use in your products, and also perhaps an acknowledgement?

I use several software products in my software. They are all acknowledged in the help and the About box. If you think I have forgotten to mention CivetWeb, let me know where and I will change that. I cannot support CivetWeb or SSL. Knowing lots about SSL is a profession. And since you are the very first and apparently only user who has problems with SSL and CivetWeb in IMatch, I have no back data to give you tips. For me, it always worked out of the box.

mbowesman

Quote from: Mario on July 03, 2017, 01:09:43 PM
Quote from: mbowesman
Perhaps you need to make it clear to your users that you do not support the open source software that you use in your products, and also perhaps an acknowledgement?

I use several software products in my software. They are all acknowledged in the help and the About box. If you think I have forgotten to mention CivetWeb, let me know where and I will change that. I cannot support CivetWeb or SSL. Knowing lots about SSL is a profession.

/photools.com/IMatchWebServices/imadoc/imwsack.html (the online help of IMA) makes no reference to CivetWeb. No one is expecting you to support CivetWeb directly, but you do advertise that you provide full support for your trial versions. The fact you have chosen to embed CivetWeb inside IMA should make no difference to supporting IMA.

Quote from: Mario on July 03, 2017, 01:09:43 PM
And since you are the very first and apparently only user who has problems with SSL and CivetWeb in IMatch, I have no back data to give you tips. For me, it always worked out of the box.

Definitely not the first. You haven't even provided any feedback as to whether the test pem I uploaded works for you, unlike what you did for the previous poster; refer to the link in my first post of the thread.

Mario

Quote from: mbowesman
/photools.com/IMatchWebServices/imadoc/imwsack.html (the online help of IMA) makes no reference to CivetWeb.

Oops, sorry. Fixed for the next release. Too much going on in too many places. Only one Mario to do it all.

Mario

I have downloaded your PEM file and configured it in IMatch Anywhere.
No problems starting with that certificate. Except for the "unknown issuer" warning in the browser, it works smooth as silk.