Certificates for IP Office and Application Server

[msuiter]

I have an IP Office 500 V2 on 9.1.6 and the Application Server running vmpro and onexportal.

I have been down several roads trying to get a fully valid certificate installed across the solution. I have a wildcard certificate and the private key that I can manipulate into whatever format that I want and import, which I have done for several applications in our stack, but I can't get it working for the entire IP Office solution. Our certificate is from namecheap, I think like a RapidSSL, issued to *.example.com.

When I attempt to import the certificate into the Application Server, it uses that certificate to try to generate additional certificates, so I end up with a certificate chain that is invalid, that goes root CA -> *.example.com -> appserver.example.com, which the *example.com certificate isn't valid for signing additional certificates and still generates errors in browsers.

I have some linux knowledge and have managed to get parts of the IPO solution to present a valid certificate by manually replacing the certificate .cer and .pem files in the filesystem of the Avaya Applications, but this isn't ideal, isn't reliable, and isn't working for all components.

Does anyone know what I need to do to get this certificate mess sorted out solution wide? Do I need to buy a specific type of certificate? The biggest thing I want is to be able to use Avaya Communicator for Web without having to install certificates, I just want an already valid and trusted certificate in place solution wide.

If anyone knows of a way to use let's encrypt certificates in the IP Office components, that would even be better but that is a dream goal, not a necessity.

 

[derfloh]

You don't want to use the certificate you bought as the CA certificate for the AppServer.

You have to connect to the server's security settings with Manager or WebManager and import the CA together with the key as PFX file.

 

[msuiter]

Right, that is the problem, when I try to import it it only applies to the Platform View (WebControl) not the We Manager (still uses an old certificate that I manually added last year), or the One-X Portal (uses a generic One-X Portal generated certificate.


Mid-way through writing this post, I got it to work by installing a completely new application server as a test.

I have been through this process before and it didn't work, but only on 9.0. After upgrading to 9.1 it still didn't work. Apparently a fresh 9.1 installation works correctly. If I install a fresh 9.1 App Server and import the certificate, it works as expected and applies to the one-x portal and web manager and webcontrol with no complaints from any of them. I have beat my head against the wall on this for way too long now. I have another Server Edition system that I manage that we are about to deploy some One-X Portal users that would benefit from proper certificates, and their cert import didn't work either. I guess I just need to nuke systems that weren't originally 9.1 for that to work properly.

 

[derfloh]

I think the internal used scripts to deploy the certificate into different applications don't work anymore after trying to deploy the cert manually in Linux root shell.

 

[John563]

It sounds like you are importing it on the 7071 page under settings > General > certificates, instead of on the web manager 7070 page at Security > certificates. Could you explain the exact steps you go through to import the cert?

 

[msuiter]

During the process I discovered the difference between the 2 pages. I have it fully working putting it in the correct page, but only after installing a fresh Application Server.

As far as the 7071 Settings>General>Certificates section, what do I need to do to use this to distribute a 3rd party Trusted certificate? Using the appserver/server edition as a CA with an externally trusted certificate would be amazing. Particular type of certificate I need to buy?

 

[John563]

Well, here's more questions than answers...

I have a 9.1.6 SE system that has a wild card cert in the trusted store. I cannot delete it, it just keeps showing back up. I've deleted it from Manager and the web interface, and no matter what, it keeps coming back. I wonder if this issue might shine some light on what's going on for you.

Did you at any point actually import the certificate as the CA cert on the 7071 page? If you go to that page and download the CA cert do you get a generic IPO generated one or the wild card cert? Did you go to that page and generate a new CA cert and did that work? Where I am going with this is I'm wondering if the cert ended up in the wrong place and the system can't properly get rid of it.

I decided to look into my wild card cert issue some more, so what I did is run some searches to find out where the cert is on the system.
grep -r "several characters of the key" /opt
grep -r "several characters of the key" /etc

I found it in /opt/Avaya/apache-tomcat/webapps/WebManagement/tmp/
It's file name is ".domain.com" I wonder if there is some disconnect because the * isn't part of the file name.

I also found it in /opt/vmpro/Certificate/
It's file name here was ca_1.pem I wonder what I was doing to have it end up in here...

I was curious if it ended up in a bundle in /etc/pki/tls/certs but doesn't look like it.

If you go into /opt/Avaya/certs/ do you find your wild card cert floating around in here? I don't know enough about where IPO stores all it's certs, but I'm guessing this is where the root cert is stored.

Does anyone out there know more about where a cert ends up based on where it was imported from?

I am also pretty curious about how RFC 5922 plays into this, or if it plays into this at all. From what I can tell, SIP shouldn't be allowed to use wild cards at all? Anyone have some knowledge they want to share about wild card certs and SIP on IPO?

 

[John563]

I dug a little deeper by importing some certs to see where they landed.

Better way to grep: fgrep --include=\*.{pem,crt} -r '/opt/' -e "MIIDNjCCAh6gAwIBAg" 2>/dev/null

Wild card cert imported as root cert:
/opt/ipoffice/system/primary/certificates/tcs/add/chain.pem
Maybe this is why the wild card keeps ending up back in my trusted certificate store?
/opt/Avaya/certs/ca/ca_1.pem
/opt/vmpro/Certificate/ca_1.pem

Generated new CA Cert:
Downloading the PEM gives me the new cert.
The wildcard cert is still in /opt/ipoffice/system/primary/certificates/tcs/add/
The wildcard cert is still in /opt/Avaya/certs/ca/
The root-ca.crt, key, and pem are all updated to the new cert in /opt/Avaya/certs/ca/

Normal certificate imported to identity cert on 7070:
/opt/Avaya/certs/server.pem
/opt/Avaya/certs/cert.pem
/opt/Avaya/oneXportal/9.1.603_19/apache-tomcat/conf/server.pem
/opt/vmpro/Certificate/server.pem
/opt/webcontrol/certificate/server.pem

Deleted the identity cert from 7070:
Did not actually get deleted. Is still the identity cert after waiting several minutes and reloading the web interface.
Rebooted and deleted it again. This time the web interface became unavailable for a couple of minutes, but when it came back this is still the identity cert.
Replaced the cert. Seemed to update properly everywhere.

CA certificate imported into the trusted certificate store on 7070 and rebooted:
/opt/Avaya/apache-tomcat/webapps/WebManagement/tmp/TestCA.pem

 

[TheSmash]

Hi guys,

Having some problems getting a 3rd Party SSL certificate working in SE for OneX. It's all installed but doesn't seem to work.

It's on a brand new install at 9.1.7. Wondering if any of you were able to find a sure fire way of getting this working correctly?

System goes live tomorrow so hoping to draw a line under this today if possible!

Thanks





ACSS (SME)