Newbie to SSL, can't get IMWS to start HTTPS

Started by ekkah, January 15, 2017, 11:48:27 PM


ekkah

Hi,

I'm trying to configure to only access IMWS via HTTPS on my Windows 10 laptop.
I've created an SSL cert according to some half random found tutorial
http://help.interfaceware.com/v6/how-to-create-self-certified-ssl-certificate-and-publicprivate-key-files
put the created .pem file in the IMWS configuration, and I can see (using https://technet.microsoft.com/en-us/sysinternals/processmonitor) that IMatchWebService.exe is indeed opening the .pem file (and that IMatchWebServices\ssleay32.dll is also opened)
However, the IMWS fails to start the service - and I can't find any trace of SSL error in the IMATCH_WEBSERVICE_LOG.TXT

I'm not sure where and how to have the rsa key-pair used at cert creation available to the IMWS? Do I need to have some additional ssl-service installed/configured?

I've tried to chmod to proper privileges as well using cygwin
-rwxrw-r--+ 1 hakan hakan 1870 Jan 14 12:22 cacert.pem
-rwx------+ 1 hakan hakan 3292 Jan 15 23:21 imaw
-rwxr--r--+ 1 hakan hakan  734 Jan 15 23:22 imaw.pub

I've also tried to use different ports like 443 and 8082 - the rule in Windows firewall however seems to accept all ports for IMWS so that should not be the issue.

Any ideas where I'm failing?

thanks
/Håkan

Mario

Switch to verbose logging in the "Advanced Options" tab in IMatch WebService Controller.
Then start again and look again at the log file. Note that the WebService log file is not in your TEMP folder but in the system TEMP folder. The controller shows the correct path. ZIP and attach the log file.

The certificate is handled by the web server library I use in IMWS. IMWS just hands it over. I don't process the certificate in my code or anything. I have successfully tested several self-signed certificates created using OpenSSL and they all work.

If my notes are correct I used this sequence (using the free OpenSSL toolkit) on Windows:


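cd openssl/bin

rem File OpenSSL uses to store its random seed
set RANDFILE=C:\TEMP\1.rnd

rem Create a passphrase-protected 2048-bit RSA key and a signing request
openssl genrsa -des3 -out server.key 2048
openssl req -new -sha256 -key server.key -out server.csr
rem Keep the protected key as server.key.orig and write a passphrase-free server.key
copy server.key server.key.orig
openssl rsa -in server.key.orig -out server.key

rem Self-sign the certificate, then append the private key to build the combined .pem
openssl x509 -req -sha256 -days 3650 -in server.csr -signkey server.key -out server.crt
copy server.crt server.pem
type server.key >> server.pem

del MACHINE.pem
ren server.pem MACHINE.pem

rem Show certificate info
openssl x509 -noout -text -in server.crt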



-- Mario
IMatch Developer
Forum Administrator
http://www.photools.com  -  Contact & Support - Follow me on 𝕏 - Like photools.com on Facebook
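
An added example, not part of the original post and not photools.com code: a structural check for a combined .pem of the kind the sequence above produces (certificate followed by the passphrase-free private key). Reporting a passphrase-protected key as a problem mirrors that sequence and is an assumption, not a documented IMWS requirement; `lint_combined_pem`, `make_block` and the sample payloads are constructed for illustration.

```python
import base64
import re

# A PEM block must start at the beginning of a line and end with a matching label.
PEM_BLOCK = re.compile(
    r"^-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S | re.M)
KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY"}

def lint_combined_pem(text):
    """Return the problems found in a certificate + private key bundle."""
    problems, labels = [], []
    for label, body in PEM_BLOCK.findall(text):
        labels.append(label)
        lines = body.splitlines()
        # Traditional encrypted keys carry "Proc-Type: 4,ENCRYPTED" before the base64.
        if any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines):
            problems.append(f"{label}: key is passphrase-protected")
            continue
        try:
            der = base64.b64decode("".join(l.strip() for l in lines), validate=True)
        except ValueError:
            problems.append(f"{label}: body is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # certificates and keys are DER SEQUENCEs
            problems.append(f"{label}: payload is not a DER SEQUENCE")
    # A BEGIN marker the regex could not pair up means a glued or truncated block.
    if text.count("-----BEGIN ") != len(labels):
        problems.append("unterminated or malformed block")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if "ENCRYPTED PRIVATE KEY" in labels:
        problems.append("ENCRYPTED PRIVATE KEY: key is passphrase-protected")
    elif not KEY_LABELS.intersection(labels):
        problems.append("no private key block")
    return problems

def make_block(label, headers=""):
    """Constructed sample block: a 5-byte DER SEQUENCE, not a real certificate or key."""
    body = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"

CERT = make_block("CERTIFICATE")
GOOD = CERT + make_block("RSA PRIVATE KEY")
ENCRYPTED = CERT + make_block(
    "RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0011223344556677\n\n")
GLUED = CERT.rstrip("\n") + make_block("RSA PRIVATE KEY")  # no newline between blocks

if __name__ == "__main__":
    for name, pem in [("good", GOOD), ("encrypted", ENCRYPTED), ("cert only", CERT), ("glued", GLUED)]:
        print(name, lint_combined_pem(pem))
```

To check a real file, pass its contents as text, for example `lint_combined_pem(open("MACHINE.pem").read())`. The check is structural only and does not verify that the key belongs to the certificate.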

ekkah

Hi Mario,

I've attached these files:
IMATCH_WEBSERVICE_LOG_FAIL.TXT
# log from failing when trying to use .pem cert file
IMATCH_WEBSERVICE_LOG_OK.TXT
# log from a successful run - with only HTTP (i.e. no .pem file or SSL-port listed)
makecert2.bat
# .bat file used when creating cert (openssl is from an XAMPP installation (v.3.2.2))
bat_log.txt
# output/input from makecert2.bat
server.crt
# created cert
server.pem
# actual cert. no worries about attached private key - it is only for test and will not be used in any kind of public production

As a note, I can use the created cert in my xampp/apache installation

Mario

The certificate works here. No problems.
The browsers complain of course because the cert is not from an authorized issuer. But after accepting it IMWV works.

ekkah

Hi,

Ok, thanks for quick assessment. Good to know that the certificate seems to be ok.

However, I'm not able to start IMWS at all when pointing to a ssl-port; see attached screenshot of my ssl-configuration and error message when trying to start IMWS. I never reach the point where I can access IMWS via IMWV.
I'm running Windows 10 home on x64 platform.

I'll try to set up IMWS on another computer to reach my goal (to access IM externally, not necessarily on this particular laptop  :) )
Perhaps I'll also try to rebuild openssl (ssleay32.dll etc) in debug mode to be able to see if there is anything there failing

thanks/Håkan

Mario

Your log file tells me that there is a crash when starting the web server (processing your configuration file). But that does not happen on my systems.

Can you send me the

C:\ProgramData\photools.com\IMatchAnywhere\IMWS\imwsconfig.xml

when you have enabled SSL and configured your certificate?

The crash may be caused by the options processing in the web server and then every single character counts...

ekkah

Hi,

Please see attached

thanks
/Håkan

Mario

Your configuration file works without any problem here. I just changed the name of the database and the path for your SSL certificate.

Is this maybe a security issue? Did you try to store the certificate in another folder?

ekkah

Hi,

I've tried to disable my antivirus, changed location/permission/etc of the cert file but still no luck.
Anyway, issue seems for sure to relate to my local installation and not the IMWS-software itself. I'll keep on elaborating, first trying on a different machine.
I'll post here if I make any progress.

thanks
/Håkan

Mario

The next IMA release (soon) has a new log file setting that allows you to log the error messages of the built-in web server. Maybe we're lucky and it logs something before crashing.
I have tried on several machines (W7 to W10) and I cannot repro the crash - not with your config file and certificate. No other reports about similar issues. Must be something really specific.