Sparx Systems Forum

Pro Cloud Server / Prolaborate / WebEA => PCS General Board => Topic started by: Modesto Vega on September 07, 2021, 07:28:28 pm

Title: Creating self-signed certificates for PCS
Post by: Modesto Vega on September 07, 2021, 07:28:28 pm
The following page https://sparxsystems.com/enterprise_architect_user_guide/14.0/model_repository/cloud_server_self_signed_ssl.html recommends using the OpenSSL toolkit to create self-signed certificates for ProCloud Server. However, it does not recommend what binaries to download for Windows Server 2016 and does not mention any other alternatives.

Does anybody have any suggestions?
Title: Re: Creating self-signed certificates for PCS
Post by: Eve on September 08, 2021, 08:14:40 am
OpenSSL because that's what we've provided instructions for. Any version of OpenSSL that runs on Windows Server 2016 will be pretty much equivalent.

If you're after alternatives, try typing "create self signed certificate using" into your preferred search engine and seeing what suggestions come up.
Title: Re: Creating self-signed certificates for PCS
Post by: Modesto Vega on September 08, 2021, 09:21:45 pm
OpenSSL because that's what we've provided instructions for. Any version of OpenSSL that runs on Windows Server 2016 will be pretty much equivalent.
I don't have a complaint about the instructions. Looking at https://wiki.openssl.org/index.php/Binaries it is far from clear what binaries are 64-bit, compatible with Windows Server 2016 (or 2019), and with no external dependencies (possibly FireDaemon OpenSSL 1.1.1).

Having discussed this at length with our infrastructure team, we have abandoned self-certification as an option; it will result in errors.

 
Title: Re: Creating self-signed certificates for PCS
Post by: Modesto Vega on September 08, 2021, 11:42:44 pm
This is starting to get seriously annoying, after going down the Certificate Authority (CA) route, we just found that this page https://sparxsystems.com/enterprise_architect_user_guide/15.2/pro_cloud_server/cloud_server_ca.html is littered with OpenSSL references.

We have installed a certificate issued by a CA on the server. The request was created following the instructions on https://knowledge.digicert.com/solution/SO29005.html. The pem file was created following these instructions: http://blog.shawnhyde.com/post/2020/02/12/how-to-generate-a-self-signed-pem-file-on-windows-using-iis.

In a nutshell, PCS is unable to create secure server on soap ports 805 (https) and (https).

Is there a way to do without using OpenSSL?
Title: Re: Creating self-signed certificates for PCS
Post by: ddrakos on September 09, 2021, 11:13:29 pm
Hi,

maybe you should examine using Let's Encrypt certificates instead.

Kind Regards
Drakos
Title: Re: Creating self-signed certificates for PCS
Post by: Eve on September 10, 2021, 08:46:13 am
Yes, our examples for how to do things are based on OpenSSL. That's why it's recommended.

Any Windows binary for OpenSSL will do, as could OpenSSL on any platform. You can even uninstall it completely after you've generated a certificate.

If you want to use something other than OpenSSL, it just means that you need to find your own instructions to get the right certificates. I don't know what the right settings are to do it with IIS or any other cryptographic platform you could come up with.

If you look at your generated file, it needs to look like this.

Code:
-----BEGIN CERTIFICATE-----
Base64 string that you can share
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Base64 string that you shouldn't share
-----END RSA PRIVATE KEY-----
Title: Re: Creating self-signed certificates for PCS
Post by: Modesto Vega on September 11, 2021, 12:16:45 am
The certificate we were issued by our internal certifying authority is a cer file that looks like:
Code:
-----BEGIN CERTIFICATE-----
<...>
-----END CERTIFICATE-----

It does not contain the private key, which we have assumed is stored on the server.

In order to obtain the private key, we have
.

If we do not specify the -nocerts parameter we end up with.
Code:
Bag Attributes
    Microsoft Local Key set: <No Values>
    localKeyID: <...>
    friendlyName: <...>
    Microsoft CSP Name: Microsoft Software Key Storage Provider
Key Attributes
    X509v3 Key Usage: 90
-----BEGIN ENCRYPTED PRIVATE KEY-----
<...>
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: ProCloud Server
subject=<...> = <...>, ST = <...>, L = <...>, O = <...>, OU = <...>, CN = <...>

issuer=DC = <...>, DC = <...>, CN = <...>

-----BEGIN CERTIFICATE-----
<...>
-----END CERTIFICATE-----

If we specify the -nocerts parameter we end up with
Code:
Bag Attributes
    Microsoft Local Key set: <No Values>
    localKeyID: <...>
    friendlyName: <...>
    Microsoft CSP Name: Microsoft Software Key Storage Provider
Key Attributes
    X509v3 Key Usage: 90
-----BEGIN ENCRYPTED PRIVATE KEY-----
<...>
-----END ENCRYPTED PRIVATE KEY-----

This does not appear to be an RSA key.

Title: Re: Creating self-signed certificates for PCS
Post by: Modesto Vega on September 11, 2021, 12:49:13 am
Just a follow-up. We made some progress; the issue was that we needed to convert the private key to PKCS#1 format. We did this by using the following command:

Code:
C:\OpenSSL-1.1\x64\bin\openssl pkcs12 -in <filename>.pfx -nodes -nocerts -password pass:<your password> | C:\OpenSSL-1.1\x64\bin\openssl rsa -out <out file name>.key
Followed by
Code:
copy /b <cer file name>.cer+<out file name (from previous step)>.key server.pem
The remaining issue is that we get the following security alert:
Quote
“The identity of this website or the integrity of the connection cannot be verified.
[…]
The name on the security certificate is invalid or does not match the name of the site.”
How do we correct this, if at all possible?
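The file layouts discussed in the posts above (the certificate plus `RSA PRIVATE KEY` layout, the raw `openssl pkcs12` dump with "Bag Attributes" and an `ENCRYPTED PRIVATE KEY`, and a certificate-only .cer) can be told apart mechanically. The following is an added example, not code from the thread or from Sparx Systems; the function name, finding codes and sample contents are constructed for illustration, and it checks only the file structure, not whether the key belongs to the certificate.

```python
import base64
import re

# One PEM block: group 1 is the label, group 2 the raw body between the markers.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)


def inspect_server_pem(text):
    """Return (labels, findings) for the text of a candidate server.pem.

    findings is a list of (code, detail) tuples; an empty list means the file
    has the certificate + unencrypted PKCS#1 key layout shown in the thread.
    """
    labels, findings = [], []
    pos = 0
    for block in PEM_BLOCK.finditer(text):
        label, body = block.group(1), block.group(2).strip()
        stray = text[pos:block.start()].strip()
        if stray:  # e.g. the "Bag Attributes" lines written by openssl pkcs12
            findings.append(("stray-text", stray.splitlines()[0].strip()))
        pos = block.end()
        labels.append(label)
        if not body:
            findings.append(("empty-block", label))
        elif label == "RSA PRIVATE KEY" and body.startswith("Proc-Type:"):
            findings.append(("key-encrypted", "PKCS#1 key protected by a passphrase"))
        else:
            try:
                base64.b64decode("".join(body.split()), validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                findings.append(("bad-base64", label))
    trailing = text[pos:].strip()
    if trailing:
        findings.append(("stray-text", trailing.splitlines()[0].strip()))

    keys = [name for name in labels if name.endswith("PRIVATE KEY")]
    if "CERTIFICATE" not in labels:
        findings.append(("no-certificate", "no CERTIFICATE block"))
    if not keys:
        findings.append(("no-key", "certificate only; no private key block"))
    elif len(keys) > 1:
        findings.append(("multiple-keys", ", ".join(keys)))
    for name in keys:
        if name == "ENCRYPTED PRIVATE KEY":
            findings.append(("key-encrypted", "PKCS#8 key protected by a passphrase"))
        elif name != "RSA PRIVATE KEY":
            findings.append(("key-not-pkcs1", name))
    return labels, findings


def _fake(tag):
    """Constructed stand-in for base64 content (not a real certificate or key)."""
    return base64.b64encode(("constructed " + tag).encode() * 4).decode()


def _block(label, body):
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


# Constructed samples mirroring the three shapes that appear in the thread.
GOOD = _block("CERTIFICATE", _fake("cert")) + _block("RSA PRIVATE KEY", _fake("key"))
PKCS12_DUMP = (
    "Bag Attributes\n    friendlyName: ProCloud Server\nKey Attributes\n"
    + _block("ENCRYPTED PRIVATE KEY", _fake("p8"))
    + "Bag Attributes\n    localKeyID: 01 00 00 00\n"
    + _block("CERTIFICATE", _fake("cert"))
)
CERT_ONLY = _block("CERTIFICATE", _fake("cert"))

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("pkcs12 dump", PKCS12_DUMP), ("cer only", CERT_ONLY)):
        labels, findings = inspect_server_pem(sample)
        print(name, labels, findings or "OK")
```

With OpenSSL 3.x, `openssl rsa` writes a PKCS#8 `BEGIN PRIVATE KEY` block by default and needs the `-traditional` option to produce the `RSA PRIVATE KEY` form; the 1.1.1 build used in the thread writes PKCS#1 without it.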
Title: Re: Creating self-signed certificates for PCS
Post by: qwerty on September 11, 2021, 06:35:53 am
You can't. That's because it's self-signed. Purchase a certificate from a trusted provider and you will no longer see the message.

q.
Title: Re: Creating self-signed certificates for PCS
Post by: Eve on September 13, 2021, 03:44:38 pm
You can't. That's because it's self-signed. Purchase a certificate from a trusted provider and you will no longer see the message.
Failing that, create an internal certificate authority and use that to sign the certificate. It's substantially more complicated to set up, but once you have you can use that authority for a number of different reasons and only need to add the one root certificate to configure trust for a variety of servers.
Title: Re: Creating self-signed certificates for PCS
Post by: qwerty on September 13, 2021, 05:51:10 pm
I never thought about that (since I did not have the need for it) but sounds interesting. https://stackoverflow.com/questions/4312904/browsers-and-certificate-store explains it a bit.

q.
Title: Re: Creating self-signed certificates for PCS
Post by: Modesto Vega on September 13, 2021, 05:53:44 pm
You can't. That's because it's self-signed. Purchase a certificate from a trusted provider and you will no longer see the message.

q.
I never thought about that (since I did not have the need for it) but sounds interesting. https://stackoverflow.com/questions/4312904/browsers-and-certificate-store explains it a bit.

q.
qwerty, the certificate is not
1) a self-signed certificate,
2) has been issued by our internal certifying authority, and
3) is part of a certification chain - i.e., it is related to a root certificate.

You can't. That's because it's self-signed. Purchase a certificate from a trusted provider and you will no longer see the message.
Failing that, create an internal certificate authority and use that to sign the certificate. It's substantially more complicated to set up, but once you have you can use that authority for a number of different reasons and only need to add the one root certificate to configure trust for a variety of servers.
Where are the instructions explaining how to set this up?
Title: Re: Creating self-signed certificates for PCS
Post by: Eve on September 15, 2021, 08:39:40 am
I never thought about that (since I did not have the need for it) but sounds interesting.
I found it fascinating. If I had the time I would try setting up an internal ACME server. (For those that don't know, that's the protocol that powers Let's Encrypt) I'd love to see PCS add support as an ACME client to help make certificates easier to set-up, maybe one day.

qwerty, the certificate is not
1) a self-signed certificate,
2) has been issued by our internal certifying authority, and
3) is part of a certification chain - i.e., it is related to a root certificate.
Where are the instructions explaining how to set this up?
If that's the case and you're still seeing the prompt for a bad certificate you need to make sure that root certificate is trusted. You've already shared the link that provides basic instructions for the places that may impact for the certificate stores most likely to impact Sparx software. https://sparxsystems.com/enterprise_architect_user_guide/15.2/pro_cloud_server/cloud_server_ca.html
Title: Re: Creating self-signed certificates for PCS
Post by: Modesto Vega on September 18, 2021, 01:23:56 am
The next hurdle on the HTTPS configuration of PCS is as follows.

We have installed a certificate issued by our certifying authority with
1) 2 CN entries in this order
Quote
CN=procloudserver.<fully qualified domain>
CN=<server name>.<fully qualified domain>

2) 2 DNS names on the Subject Alternative Name section, in this order
Quote
DNS Name=procloudserver.<fully qualified domain>
DNS Name=<server name>.<fully qualified domain>

When we navigate to <server name>.<fully qualified domain>, we still get an invalid certificate error, NET::ERR_CERT_COMMON_NAME_INVALID.

Is this error caused by the 1st CN entry not containing <server name>.<fully qualified domain>? Can ProCloud Server handle a certificate with 2 CNs and 2 DNS?
Title: Re: Creating self-signed certificates for PCS
Post by: Eve on September 20, 2021, 08:10:05 am
The good news is that PCS doesn't care what you put in there.

It can be done, but I don't know how to add alternate names in the ssl platform you're using to generate your certificates.
Title: Re: Creating self-signed certificates for PCS
Post by: steen.jensen on September 20, 2021, 08:37:56 am
After one year of trouble with PCS on Windows server & MS IIS and certificates (Self signed & real certificate with trusted root) and all other problems, we terminated the implementation activity and ditched both PCS and Prolaborate as useful products.
Those products are not mature enough to be placed in our Enterprise datacenter together with 800 apps on 2000 servers serving about 55.000 users.
The Datacenter operational staff is laughing at the install and operating instruction, and is asking if these products are open source products with no active developers.... When I say that we have paid (5.500€) for these products, they just walk away laughing....
Title: Re: Creating self-signed certificates for PCS
Post by: qwerty on September 20, 2021, 08:46:34 am
I have to bookmark that. My customer (a large car manufacturer) is playing with the thought of going the PCS way. I never was fond of it (gut feeling).

q.
Title: Re: Creating self-signed certificates for PCS
Post by: Eve on September 20, 2021, 04:18:03 pm
I have to bookmark that. My customer (a large car manufacturer) is playing with the thought of going the PCS way. I never was fond of it (gut feeling).
So you're so desperate to confirm your gut feeling that you'll save a single negative comment in a forum?

Unfortunately, I don't know what issues steen experienced. I don't know if they are related to Prolaborate or PCS or if they ever contacted support about their issues.

Even if you feel like you don't need WebEA or Prolaborate, I would still strongly recommend having EA users connecting via PCS instead of a direct database connection.
Title: Re: Creating self-signed certificates for PCS
Post by: qwerty on September 20, 2021, 05:18:31 pm
Desperation is the wrong word. It's more confirmation that would fit. It's Sparx's decision on how they make money. And it's the customers' decision to give Sparx money for their products. Or not.

q.
Title: Re: Creating self-signed certificates for PCS
Post by: Modesto Vega on September 20, 2021, 06:07:12 pm
After one year of trouble with PCS on Windows server & MS IIS and certificates (Self signed & real certificate with trusted root) and all other problems, we terminated the implementation activity and ditched both PCS and Prolaborate as useful products.
Those products are not mature enough to be placed in our Enterprise datacenter together with 800 apps on 2000 servers serving about 55.000 users.
The Datacenter operational staff is laughing at the install and operating instruction, and is asking if these products are open source products with no active developers.... When I say that we have paid (5.500€) for these products, they just walk away laughing....
Thank you Steen for confirming that we are not alone. Our experience so far with configuring PCS is not far from yours. The insistence that OpenSSL, an open source product, should be used for certification/self certification most likely contributes to creating the impression that PCS is an open source product with no active developers.


I would still strongly recommend having EA users connecting via PCS instead of a direct database connection.
Perhaps over HTTP. But as long as the only (poorly) documented option to configure PCS to handle HTTPS connections involves using OpenSSL and a PEM file, instead of an installed certificate, I don't think I can concur with that recommendation.

Please note that some Windows OpenSSL distributions are identified as malware and the security policies of many organisations are likely to prevent the use of OpenSSL.

Lastly, I hope Sparx Systems pays attention to the experiences of their customers and learns from it.
Title: Re: Creating self-signed certificates for PCS
Post by: Modesto Vega on September 28, 2021, 03:31:47 am
After one year of trouble with PCS on Windows server & MS IIS and certificates (Self signed & real certificate with trusted root) and all other problems
We have been reviewing the situation and wanted to clarify a couple of things.
Lastly, the way this page, https://sparxsystems.com/enterprise_architect_user_guide/15.2/pro_cloud_server/cloud_server_ca.html, is worded in such a way that it screams self-certification; they are instructions to create a self-signed certificate with a self-signed root - i.e., the certifying authority. There is nothing in this page that explains the process of generating a request for a certificate that is part of a certificate chain and must be issued by a certifying authority external to the parties carrying out the installation of PCS.

I hope, perhaps in vain, that Sparx Systems could clarify how to generate a request for a certificate that is part of a certificate chain and must be issued by a certifying authority external to the parties carrying out the installation of PCS.
Title: Re: Creating self-signed certificates for PCS
Post by: Eve on September 28, 2021, 08:21:31 am
5. It is only the certificate for Server 1, the PCS server, that gives us errors.
6. The certificate for Server 1, the PCS server, had to be converted to a PEM format. One of the issues we have is that we do not know if the errors are the result of the conversion or something else
I'm going to assume that the problem is that the conversion is the problem.

It should look like this:
Code:
-----BEGIN CERTIFICATE-----
base64content
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
base64content
-----END RSA PRIVATE KEY-----
I suspect that you haven't exported the private key when converting the certificate, meaning the second section is empty.

Lastly, the way this page, https://sparxsystems.com/enterprise_architect_user_guide/15.2/pro_cloud_server/cloud_server_ca.html, is worded in such a way that it screams self-certification; they are instructions to create a self-signed certificate with a self-signed root - i.e., the certifying authority. There is nothing in this page that explains the process of generating a request for a certificate that is part of a certificate chain and must be issued by a certifying authority external to the parties carrying out the installation of PCS.

I hope, perhaps in vain, that Sparx Systems could clarify how to generate a request for a certificate that is part of a certificate chain and must be issued by a certifying authority external to the parties carrying out the installation of PCS.
The good news is the certification chain is irrelevant to the request, and the process doesn't change at all. At most, you would see all of the counter signed certificates also appearing in the PEM file.

If your organization is already set-up with an appropriate certificate chain... You don't need the basic instructions that we have provided for people that don't have a clue about the process. Ask the people who give you certificates for a PEM encoded x.509 certificate and how to get your private key into that format.
Title: Re: Creating self-signed certificates for PCS
Post by: Modesto Vega on September 28, 2021, 05:59:22 pm
It should look like this:
Code:
-----BEGIN CERTIFICATE-----
base64content
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
base64content
-----END RSA PRIVATE KEY-----
I suspect that you haven't exported the private key when converting the certificate, meaning the second section is empty.
The private key was exported when converting the certificate. The 2nd section is not empty. The certificate looks exactly like described above. Furthermore, other than 2 web browsers throwing the same error, an inspection of the invalid certificate using a web browser does not reveal anything obviously wrong with it, this is a big part of the problem.

If your organization is already set-up with an appropriate certificate chain...
The certificate chain is already set-up and must be working because the certificate we are using for WebEA and WebConfig works fine and gives no errors. The difference is that it gets installed into IIS "as is" without any conversion. As you said, this could indicate that the conversion is the problem.

Ask the people who give you certificates for a PEM encoded x.509 certificate and how to get your private key into that format.
We are working on it but since we are doing this with no support from Sparx Systems, despite paying for it, it is proving more difficult than expected.

P.S.: The support desk has all the details but they are not very responsive.
Title: Re: Creating self-signed certificates for PCS
Post by: Eve on September 29, 2021, 02:41:27 pm
If you have the file server.pem with contents as described in the install directory that should be enough to get it going.

What error do you get in the log file when you start?
Title: Re: Creating self-signed certificates for PCS
Post by: Modesto Vega on September 29, 2021, 06:19:00 pm
We can see several instances of the following lines in PCS logs:

Code:
[TRACE]:   Thread 11  Soap Listener started
[DEBUG]:   Thread 11  Client connected from ::ffff:xx.xxx.xx.xx
[DEBUG]: [::ffff:xx.xxx.xx.xx] SOAP 1.1 fault: SOAP-ENV:Server [no subcode]
"SSL_ERROR_SSL
error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown"
Detail: SSL_accept() failed in soap_ssl_accept()

We only get these messages by setting the logging level to TRACE.

Both the web browser and Sparx EA give an invalid certificate error, invalid common name, when using the URL over HTTPS. PCS returns the certificate to the web browser and when we inspect it we cannot see anything obviously wrong with it. At least one of the 2 common names matches the URL.


[Edit]
P.S.: Forgot to add that PCS does create a secure server on ports 443 and 805 and can bind and listen on both ports.

Code:
[DEBUG]:   Thread 7  Created secure server on soap port 443 (https)
[DEBUG]:   Thread 7  ATTEMPT Bind and listen on soap port 443
[SYSTEM]:  Thread 7  SUCCESS Bound and listening on soap port 443 (https)
[DEBUG]:   Thread 6  Created secure server on soap port 805 (https)
[DEBUG]:   Thread 6  ATTEMPT Bind and listen on soap port 805
[SYSTEM]:  Thread 6  SUCCESS Bound and listening on soap port 805 (https)

In terms of timelines, these lines appear before the errors above.
Title: Re: Creating self-signed certificates for PCS
Post by: timoc on September 29, 2021, 08:45:42 pm
Just a +1 on the pain it takes to setup PCS, even more so with HTTPS. Even with the documentation supplied there is googling and trial and error. This is especially true when you come at it from the EA documentation side, when using PCS for RAS functionality.
Title: Re: Creating self-signed certificates for PCS
Post by: Eve on September 30, 2021, 09:12:05 am
[SYSTEM]:  Thread 7  SUCCESS Bound and listening on soap port 443 (https)
[SYSTEM]:  Thread 6  SUCCESS Bound and listening on soap port 805 (https)
There is no problem with your server certificate as far as PCS is concerned. That effectively means every attempt at help to this point has been going in the wrong direction.

Both the web browser and Sparx EA give an invalid certificate error, invalid common name, when using the URL over HTTPS. PCS returns the certificate to the web browser and when we inspect it we cannot see anything obviously wrong with it. At least one of the 2 common names matches the URL.
I'm pretty sure multiple common names in a certificate aren't something you can rely on. What you need is "subject alternate name". I know how to create that using an OpenSSL certificate request, but I don't know if certificate requests are different for different SSL tools.

LDAP request (https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/add-san-to-secure-ldap-certificate)

In OpenSSL you need a request like this:
Code:
[ req ]
default_bits       = 2048
default_keyfile    = serverkey.pem
distinguished_name = server_distinguished_name
req_extensions     = server_req_extensions
string_mask        = utf8only

[ server_distinguished_name ]

omitted

[ server_req_extensions ]

subjectKeyIdentifier = hash
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
subjectAltName       = @alternate_names
nsComment            = "OpenSSL Generated Certificate"

[ alternate_names ]

DNS.1  = servername
DNS.2  = servername.domain.local
IP.1     = omitted
IP.2     = omitted
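
The point made in the post above, that common names cannot be relied on and subjectAltName is what counts, as an added example (not from the thread or from Sparx Systems): a name check that, like current Chrome-family browsers, consults only subjectAltName. The hostnames and address are constructed; the dictionary shape is the one Python's `ssl.SSLSocket.getpeercert()` returns, and the wildcard handling is a simplification.

```python
import ipaddress


def _dns_match(pattern, host):
    """Case-insensitive label comparison; '*' is accepted only as the whole
    leftmost label and never for a two-label name (a simplification of what
    browsers do)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def _as_ip(text):
    """Parse an IP literal, or return None for anything that is a DNS name."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def check_name(cert, host):
    """Return (ok, reason). cert is a dict in the getpeercert() shape; only
    subjectAltName decides the result, commonName is reported but never used."""
    sans = cert.get("subjectAltName", ())
    host_ip = _as_ip(host)
    for kind, value in sans:
        if host_ip is not None and kind == "IP Address" and _as_ip(value) == host_ip:
            return True, "matched SAN IP Address " + value
        if host_ip is None and kind == "DNS" and _dns_match(value, host):
            return True, "matched SAN DNS " + value
    if not sans:
        cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
        if any(_dns_match(cn, host) for cn in cns):
            return False, "a commonName matches but there is no subjectAltName"
        return False, "no subjectAltName and no matching commonName"
    return False, "not listed in subjectAltName: " + ", ".join(v for _, v in sans)


# Constructed certificates: two CN entries only, then the same subject with SANs.
TWO_CNS_ONLY = {
    "subject": (
        (("commonName", "procloudserver.corp.example"),),
        (("commonName", "srv01.corp.example"),),
    )
}
WITH_SAN = dict(
    TWO_CNS_ONLY,
    subjectAltName=(
        ("DNS", "procloudserver.corp.example"),
        ("DNS", "srv01.corp.example"),
        ("IP Address", "192.0.2.10"),
    ),
)

if __name__ == "__main__":
    for cert_name, cert in (("two CNs only", TWO_CNS_ONLY), ("with SAN", WITH_SAN)):
        for host in ("srv01.corp.example", "srv01", "192.0.2.10"):
            print(cert_name, host, check_name(cert, host))
```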

Title: Re: Creating self-signed certificates for PCS
Post by: Modesto Vega on October 01, 2021, 11:00:23 pm
Code:
[ req ]
default_bits       = 2048
default_keyfile    = serverkey.pem
distinguished_name = server_distinguished_name
req_extensions     = server_req_extensions
string_mask        = utf8only

[ server_distinguished_name ]

omitted #########

[ server_req_extensions ]

subjectKeyIdentifier = hash
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
subjectAltName       = @alternate_names
nsComment            = "OpenSSL Generated Certificate"

[ alternate_names ]

DNS.1  = servername
DNS.2  = servername.domain.local
IP.1     = omitted #########
IP.2     = omitted #########

Thanks Eve, in the OpenSSL certificate request configuration file what are you trying to convey with the word "omitted"?
Title: Re: Creating self-signed certificates for PCS
Post by: Eve on October 04, 2021, 08:41:37 am
Sorry, that is where the commonName is specified. The rest of it comes down to the location of the config I copied.

Code:
[ server_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default = omitted

stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = omitted

localityName         = Locality Name (eg, city)
localityName_default = omitted

organizationName            = Organization Name (eg, company)
organizationName_default    = omitted

commonName           = Common Name (e.g. server FQDN or YOUR name)
commonName_default   = primaryservername

emailAddress         = Email Address
emailAddress_default = omitted
Title: Re: Creating self-signed certificates for PCS
Post by: Modesto Vega on October 08, 2021, 12:38:20 am
Using OpenSSL (with a configuration file specific to the certificate) to generate the CSR solved our PCS certification issues. This is most likely because there were no conversion steps.

My conclusions are:

1) For PCS, if certificates have to be issued by a certifying authority, it is best to generate the CSR request using OpenSSL. It is not a recommendation, it is the only way to do it.
2) Sparx Systems could greatly improve how PCS uses certificates
3) Sparx Systems could vastly improve the documentation by
   a) covering other certification processes not involving, and
   b) vastly improving this page https://sparxsystems.com/enterprise_architect_user_guide/15.2/pro_cloud_server/cloud_server_ca.html.
Title: Re: Creating self-signed certificates for PCS
Post by: Eve on October 08, 2021, 09:27:32 am
1) For PCS, if certificates have to be issued by a certifying authority, it is best to generate the CSR request using OpenSSL. It is not a recommendation, it is the only way to do it.
That would be an insane deficiency for every other TLS/SSL library if that was the case.

But I'm glad you've got it working.
Title: Re: Creating self-signed certificates for PCS
Post by: Modesto Vega on October 11, 2021, 07:01:37 pm
1) For PCS, if certificates have to be issued by a certifying authority, it is best to generate the CSR request using OpenSSL. It is not a recommendation, it is the only way to do it.
That would be an insane deficiency for every other TLS/SSL library if that was the case.

But I'm glad you've got it working.
I agree, it is insane that the only practical way (please notice the emphasis) to get PCS configured to use https is by using OpenSSL to generate the requests or to generate self-signed certificates. This is why Sparx Systems needs to either improve the documentation or their product offering.

P.S.: There could be other ways to get PCS configured over https but since they are undocumented, it is essentially a painful trial and error process.
Title: Re: Creating self-signed certificates for PCS
Post by: timoc on November 06, 2021, 03:52:48 am
[SYSTEM]:  Thread 7  SUCCESS Bound and listening on soap port 443 (https)
[SYSTEM]:  Thread 6  SUCCESS Bound and listening on soap port 805 (https)
There is no problem with your server certificate as far as PCS is concerned. That effectively means every attempt at help to this point has been going in the wrong direction.

What I am seeing is this (with PCS 5.x Beta)
Quote
2021-11-05 16:26:45 [DEBUG]:   Thread 5  Created secure server on soap port 1805 (https)
2021-11-05 16:26:45 [DEBUG]:   Thread 5  ATTEMPT Bind and listen on soap port 1805
2021-11-05 16:26:45 [DEBUG]:   Thread 5  WARNING Failed to bind and listen on soap port 1805
2021-11-05 16:26:45 [SYSTEM]:  Thread 5  No longer listening on soap port 1805.

So, just to be clear - if you do not get a SUCCESS message for bind, then there is a problem with the certificate provided in the server.pem?

If so, that is not at all obvious from the trace level log information, or documentation. If not, then how do I diagnose this problem?
Title: Re: Creating self-signed certificates for PCS
Post by: Eve on November 08, 2021, 08:25:01 am
No. It could fail for any number of reasons.

I'd try changing the config so that port isn't secure. If it still fails it's nothing to do with the certificate.

The next thing that comes to mind is anything else listening on port 1805 on your system?
Title: Re: Creating self-signed certificates for PCS
Post by: timoc on November 10, 2021, 04:40:07 am
No. It could fail for any number of reasons.

I'd try changing the config so that port isn't secure. If it still fails it's nothing to do with the certificate.

The next thing that comes to mind is anything else listening on port 1805 on your system?
PCS4 logs an error when it tries to bind to an allocated port, I expect PCS5 to do the same.
Turns out it is not ssl related. Created a new thread for the specifics.


Title: Re: Creating self-signed certificates for PCS
Post by: ddrakos on November 28, 2021, 08:36:24 pm
Hi,

I think that the lego command-line client could help you to automate certificate issuing.

https://docs.gsd.pl/ssl/letsencrypt/

Another option could be https://certifytheweb.com/

I have been using these tools with PCS, WebEA (Apache) and Prolaborate (IIS) for about 4 years.

Regards
Drakos