Please Note This forum exists for community support for the Mango product family and the Radix IoT Platform. Although Radix IoT employees participate in this forum from time to time, there is no guarantee of a response to anything posted here, nor can Radix IoT, LLC guarantee the accuracy of any information expressed or conveyed. Specific project questions from customers with active support contracts are asked to send requests to support@radixiot.com.
External IP
-
Hi sky_watcher,
Thomas definitely gave good information if you're going to be hosting this as a website for a client. It definitely looks better for you if you are sending them to a human readable address and if your HTTPS has a valid certificate from a certificate authority.
123.456.789.25
Whoa, are those nine and ten bit octets I see :P
What Thomas's answer is omitting is that you can create a self signed certificate in a java keystore and start running Mango on HTTPS without doing all the things he rightly recommended. You can find instructions on creating a self signed keystore and setting Mango up to use it in the "SSL Settings" section of this help page: https://help.infiniteautomation.com/installation-configuration/
-
Another thing that was not mentioned that if this system is being hosted locally, sky_watcher would be best to ensure that the IP address assigned by their ISP is a static ip address, otherwise on the odd occasion when the router/modem connected is rebooted, it is possible that a new IP address obtained may have changed requiring an update on the DNS settings for the corresponding domain.
-
This post is deleted! -
@mattfox The IP address is static IP address, thanks!
-
@phildunlap It's a good example of IP adress :))
Whoa, are those nine and ten bit octets I see :P
I've looked at this link: https://help.infiniteautomation.com/installation-configuration/ and at SSL Settings it said something about keystore, but I couldn't find on my MangoES the keystore, any idea why?
Thanks!
-
Partly because the help page said "keystore.exe" when it should have said "keytool.exe" I would bet. The keytool command may already be on the path, so no need to navigate to the file. But, MangoES units do not come with a self-signed certificate in a keystore ready to go, so you need to generate it and then configure the SSL settings to point at that keystore.jks file.
-
@phildunlap So this means that if I login with SSH and run this command:
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass changei -validity 365 -keysize 1024than I can give the answer to the question from that help? -
That command will create the keystore file, yes. Had some weird formatting though, so I edited your post. You may want to use a different storepass than "changei" (or omit that argument to have it ask for that, first)
-
Hi @sky_watcher
Just for your information, browsers will not recognise a self signed certificate. your browser will give a warning saying the certificate is not trusted. Not the end of the world if the server is just for yourself. If you want the green lock on the URL you'll need to purchase a certificate from a registered CA.
-
The other option is to use let's encrypt's certbot certificate authority. Install that on mango and validate with the dns option. @phildunlap is there not a way to import a signed cert into the Java SSL script that you are talking about?
Am also happy to show how to reverse proxy with Apache 2 for those who are interested...
Do not follow where the path may lead; go instead where there is no path.
And leave a trail - Muriel Strode -
@phildunlap I executed that command and I made changes to env.properties file. But after reboot I couldn't connect to the web, so I restored back the env.properties file and now is working.
Those errors I got when I couldn't connect to the web:
And this one was in the ma.log file:
-
is there not a way to import a signed cert into the Java SSL script that you are talking about?
There is! Here's my little note scratches about how to do that... Step 0 is submit a CSR and get a certificate bundle back.
1. openssl pkcs12 -export -certfile server.ca-bundle -inkey server.key -in server.crt -name NAME -out keystore.p12 -passout pass:morethan6c 1a. cd to your jdk/bin folder 2. sudo ./keytool -importkeystore -destkeystore /path/to/keystore.jks -srckeystore keystore.p12 -srcstoretype PKCS12 -alias NAME -srcstorepass morethan6c 3. Enter destination keystore password: morethan6c Now you have a keystore.jks file, 4. copy this into your Mango/overrides/properties directory. 5. Edit your Mango/overrides/properties/env.properties file such that... ssl.on=true ssl.port=443 ssl.keystore.location=/path/to/Mango/overrides/properties/keystore.jks ssl.keystore.password=morethan6characters 5a. Add the APLN script into the ext-enabled folder 6. Restart Mango 7. Success! -
Gent and a scholar, thanks!
-
Can you share your web.port and ssl.port from your env.properties? Have you tried clearing your browser cache?
The warning you shared suggests there isn't a
jetty-alpn-agent.jarin the Mango/boot directory perhaps. Enabling ALPN takes advantage of HTTP/2 but you may need to move the enable-alph extension script from your Mango/bin/ext-available to Mango/bin/ext-enabled/ to get the benefits. SSL is required to be enabled, as well. -
@phildunlap web port is 8888 and ssl port is 8443.
Yes, I've cleared the cash.
-
@phildunlap I moved enable-alph extension script to ext-enable folder, and also I made the SSL settings like before but I get the same errors and I couldn't navigate to the web page.
