Gsad ssl certificate

Hi,
I set up the latest 20.08 release and want to put my own key and certificate with:
gsad --ssl-private-key=/path/ssl/private.pem

It says: Oops, secure memory pool already initialized

I found out it's just a warning and I can simply ignore it. However, I started my gsad service again, but I could not see any changes.

In /etc/default there's a file gsad which seems familiar for my use.
There I tried things like SSL_PRIVATE_KEY=/path/ssl/private.pem

But it did not work.
How can I solve it?

Ah, of course I did gsad --ssl-certificate=... too.

gsad --ssl-private-key=/path/ssl/private.pem was an example only

I tried several service files and several terms like GSA_SSL…, GSAD_SSL…
but nothing seems to work.

Has anyone an idea in which directory/file I have to look?

This is my startup script:

[Unit]
Description=Greenbone Security Assistant (gsad)
Documentation=man:gsad(8) https://www.greenbone.net
After=network.target
Wants=gvmd.service

[Service]
Type=forking
PIDFile=/opt/gvm/var/run/gsad.pid
WorkingDirectory=/opt/gvm
ExecStart=/opt/gvm/sbin/gsad --drop-privileges=gvm -p 443 -k /opt/gvm/var/lib/gvm/private/CA/private.pem -c /opt/gvm/var/lib/gvm/private/CA/certificate.pem
Restart=on-failure
RestartSec=2min
KillMode=process
KillSignal=SIGINT
GuessMainPID=no
PrivateTmp=true

[Install]
WantedBy=multi-user.target

Should work this way?
But I am still getting a warning on https.

Your path is not system-standard; I would configure your system to be more FHS compliant. Why are you storing the public and private key within a private directory?
I do not know your permission model, but it might be broken that way.

To be honest, I only tried this directory because I was running out of options and saw something similar here

I had my key and my certificate in /opt/gvm/ssl/ before

I got the files under /opt/gvm/sbin/.. and changed it in my startup scripts.
It still doesn't work. I don't understand why my certificate is not accepted. Is there something I forgot?

Btw, is it enough to restart the gsad.service? I did not reboot the server yet.

I'm not a fan of rebooting. Did it, and it works just fine, no https warning.
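
To check whether the running gsad actually presents the certificate named in the unit file (the open question in the thread before the reboot), the following added example, which is not from any poster or from Greenbone, reads the -k/-c/-p arguments from ExecStart and compares the SHA-256 fingerprint of the served certificate with the file on disk. The function names, the loopback address and the constructed sample unit are assumptions of the example.

```python
import hashlib
import shlex
import ssl

# Constructed sample: the ExecStart line posted in the thread.
SAMPLE_UNIT = """[Service]
Type=forking
ExecStart=/opt/gvm/sbin/gsad --drop-privileges=gvm -p 443 -k /opt/gvm/var/lib/gvm/private/CA/private.pem -c /opt/gvm/var/lib/gvm/private/CA/certificate.pem
"""

# gsad options that appear in the thread, mapped to what they configure.
OPTS = {"-k": "key", "--ssl-private-key": "key",
        "-c": "cert", "--ssl-certificate": "cert", "-p": "port"}
FOOTER = "-----END CERTIFICATE-----"


def gsad_tls_options(unit_text):
    """Return the key, cert and port arguments found on ExecStart= lines."""
    found = {}
    for line in unit_text.splitlines():
        if not line.strip().startswith("ExecStart="):
            continue
        args = shlex.split(line.split("=", 1)[1])
        for i, arg in enumerate(args):
            name, has_value, value = arg.partition("=")
            if name not in OPTS:
                continue
            if has_value:                 # --ssl-certificate=/path form
                found[OPTS[name]] = value
            elif i + 1 < len(args):       # -c /path form
                found[OPTS[name]] = args[i + 1]
    return found


def fingerprint(pem):
    """SHA-256 of the DER bytes of the first certificate in a PEM string."""
    start = pem.index("-----BEGIN CERTIFICATE-----")
    end = pem.index(FOOTER, start) + len(FOOTER)
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem[start:end])).hexdigest()


def served_matches_file(host, port, cert_path):
    """True if the listener at host:port presents the certificate in cert_path."""
    served = ssl.get_server_certificate((host, int(port)))  # fetch only, no validation
    with open(cert_path) as fh:
        return fingerprint(served) == fingerprint(fh.read())


if __name__ == "__main__":
    opts = gsad_tls_options(SAMPLE_UNIT)
    print(opts)
    # On the gsad host itself (hypothetical invocation):
    # print(served_matches_file("127.0.0.1", opts["port"], opts["cert"]))
```

A match means the listening process loaded that file; a mismatch after a service restart means the listener is still presenting a different certificate. A browser warning can remain even on a match if the client does not trust the issuer or the certificate does not cover the host name.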