External IP
-
@mattfox The IP address is a static IP address, thanks!
-
@phildunlap It's a good example of an IP address :))
Whoa, are those nine and ten bit octets I see :P
I've looked at this link: https://help.infiniteautomation.com/installation-configuration/ and at SSL Settings it said something about a keystore, but I couldn't find the keystore on my MangoES. Any idea why?
Thanks!
-
Partly because the help page said "keystore.exe" when it should have said "keytool.exe" I would bet. The keytool command may already be on the path, so no need to navigate to the file. But, MangoES units do not come with a self-signed certificate in a keystore ready to go, so you need to generate it and then configure the SSL settings to point at that keystore.jks file.
-
@phildunlap So this means that if I login with SSH and run this command:
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass changei -validity 365 -keysize 1024
then I can give the answer to the question from that help?
-
That command will create the keystore file, yes. Had some weird formatting though, so I edited your post. You may want to use a different storepass than "changei" (or omit that argument to have it ask for that, first)
-
Hi @sky_watcher
Just for your information, browsers will not recognise a self-signed certificate. Your browser will give a warning saying the certificate is not trusted. Not the end of the world if the server is just for yourself. If you want the green lock on the URL you'll need to purchase a certificate from a registered CA.
-
The other option is to use Let's Encrypt's certbot certificate authority. Install that on Mango and validate with the DNS option. @phildunlap is there not a way to import a signed cert into the Java SSL script that you are talking about?
Am also happy to show how to reverse proxy with Apache 2 for those who are interested...
-
@phildunlap I executed that command and I made changes to the env.properties file. But after reboot I couldn't connect to the web, so I restored the env.properties file and now it is working.
Those errors I got when I couldn't connect to the web:
And this one was in the ma.log file:
-
is there not a way to import a signed cert into the Java SSL script that you are talking about?
There is! Here's my little note scratches about how to do that... Step 0 is submit a CSR and get a certificate bundle back.
1. openssl pkcs12 -export -certfile server.ca-bundle -inkey server.key -in server.crt -name NAME -out keystore.p12 -passout pass:morethan6c
1a. cd to your jdk/bin folder
2. sudo ./keytool -importkeystore -destkeystore /path/to/keystore.jks -srckeystore keystore.p12 -srcstoretype PKCS12 -alias NAME -srcstorepass morethan6c
3. Enter destination keystore password: morethan6c
Now you have a keystore.jks file,
4. copy this into your Mango/overrides/properties directory.
5. Edit your Mango/overrides/properties/env.properties file such that...
ssl.on=true
ssl.port=443
ssl.keystore.location=/path/to/Mango/overrides/properties/keystore.jks
ssl.keystore.password=morethan6characters
5a. Add the ALPN script into the ext-enabled folder
6. Restart Mango
7. Success!
-
Gent and a scholar, thanks!
-
Can you share your web.port and ssl.port from your env.properties? Have you tried clearing your browser cache?
The warning you shared suggests there isn't a jetty-alpn-agent.jar in the Mango/boot directory perhaps. Enabling ALPN takes advantage of HTTP/2 but you may need to move the enable-alph extension script from your Mango/bin/ext-available to Mango/bin/ext-enabled/ to get the benefits. SSL is required to be enabled, as well.
-
@phildunlap web port is 8888 and ssl port is 8443.
Yes, I've cleared the cache.
-
@phildunlap I moved enable-alph extension script to ext-enable folder, and also I made the SSL settings like before but I get the same errors and I couldn't navigate to the web page.
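-
An added example, not written by any poster in this thread and not Infinite Automation's code: a preflight check to run after editing env.properties and before restarting Mango, covering the properties discussed above (ssl.on, ssl.port, web.port, ssl.keystore.location, ssl.keystore.password). The function names and the KEYTOOL override are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight check of Mango's SSL properties before a restart.
# KEYTOOL override is an assumption of this example (lets you point at jdk/bin).
KEYTOOL="${KEYTOOL:-keytool}"

# prop FILE KEY: print the value of the last "KEY=value" line in FILE.
prop() {
    awk -v k="$2" '{
        sub(/\r$/, ""); i = index($0, "=")
        if (i == 0) next
        key = substr($0, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
        if (key == k) { v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v) }
    } END { print v }' "$1"
}

# check_ssl_props FILE: return 0 if the SSL settings look usable, 1 otherwise.
check_ssl_props() {
    f="$1"; rc=0
    [ -r "$f" ] || { echo "cannot read $f"; return 1; }
    if [ "$(prop "$f" ssl.on)" != "true" ]; then
        echo "ssl.on is not true, nothing to check"; return 0
    fi
    ssl_port=$(prop "$f" ssl.port); web_port=$(prop "$f" web.port)
    ks=$(prop "$f" ssl.keystore.location); pw=$(prop "$f" ssl.keystore.password)

    case "$ssl_port" in
        ''|*[!0-9]*) echo "ssl.port is not a number: '$ssl_port'"; rc=1 ;;
    esac
    if [ -n "$ssl_port" ] && [ "$ssl_port" = "$web_port" ]; then
        echo "ssl.port and web.port are both $ssl_port"; rc=1
    fi
    # keytool refuses keystore passwords shorter than 6 characters.
    [ "${#pw}" -ge 6 ] || { echo "ssl.keystore.password is under 6 characters"; rc=1; }

    if [ ! -r "$ks" ]; then
        echo "keystore not readable: '$ks'"; rc=1
    elif command -v "$KEYTOOL" >/dev/null 2>&1; then
        # Does the password from env.properties actually open the keystore?
        # (-storepass is visible in the process list while keytool runs.)
        "$KEYTOOL" -list -keystore "$ks" -storepass "$pw" >/dev/null 2>&1 ||
            { echo "ssl.keystore.password does not open $ks"; rc=1; }
    else
        echo "$KEYTOOL not found, skipped the password check"
    fi
    return "$rc"
}

# Usage: sh check_ssl.sh /path/to/Mango/overrides/properties/env.properties
if [ "$#" -gt 0 ]; then check_ssl_props "$1"; fi
```

A non-zero exit means at least one of the printed problems should be fixed before restarting with ssl.on=true.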