alessio
September 9, 2020, 4:19pm
1
Hi,
I set up the latest 20.08 release and want to put my own key and certificate with:
gsad --ssl-private-key=/path/ssl/private.pem
It says: Oops, secure memory pool already initialized
I found out it's just a warning and I can simply ignore it. However, I started my gsad service again, but I could not see any changes.
In /etc/default there's a file gsad which seems familiar for my use.
There I tried things like SSL_PRIVATE_KEY=/path/ssl/private.pem
But it did not work.
How can I solve it?
alessio
September 9, 2020, 6:53pm
2
Ah, of course I did gsad --ssl-certificate=... too.
gsad --ssl-private-key=/path/ssl/private.pem was an example only.
alessio
September 11, 2020, 11:48am
3
I tried several service files and several terms like GSA_SSL…, GSAD_SSL… but nothing seems to work.
Has anyone an idea in which directory/file I have to look?
alessio
September 13, 2020, 11:48am
4
This is my startup script:
[Unit]
Description=Greenbone Security Assistant (gsad)
Documentation=man:gsad(8) https://www.greenbone.net
After=network.target
Wants=gvmd.service
[Service]
Type=forking
PIDFile=/opt/gvm/var/run/gsad.pid
WorkingDirectory=/opt/gvm
ExecStart=/opt/gvm/sbin/gsad --drop-privileges=gvm -p 443 -k /opt/gvm/var/lib/gvm/private/CA/private.pem -c /opt/gvm/var/lib/gvm/private/CA/certificate.pem
Restart=on-failure
RestartSec=2min
KillMode=process
KillSignal=SIGINT
GuessMainPID=no
PrivateTmp=true
[Install]
WantedBy=multi-user.target
Should work this way?
But still I am getting a warning on https.
Lukas
September 13, 2020, 12:51pm
5
Your path is not system-standard, I would configure your system more FHS compliant. Why are you storing the public and private key within a private directory?
I do not know your permission model, but it might be broken that way.
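Added example, not part of the thread and not Greenbone's code: a Python check that pulls the key path, certificate path and drop-privileges user out of a gsad unit file's ExecStart line and reports whether the private key file is accessible to other users, which is one way to inspect the permission model raised above. It assumes only the gsad options that appear in this thread (-k/--ssl-private-key, -c/--ssl-certificate, --drop-privileges); the function names are hypothetical.

```python
import os
import shlex
import stat

# Constructed sample: the [Service] lines of the unit file posted in this thread.
SAMPLE_UNIT = """\
[Service]
Type=forking
ExecStart=/opt/gvm/sbin/gsad --drop-privileges=gvm -p 443 -k /opt/gvm/var/lib/gvm/private/CA/private.pem -c /opt/gvm/var/lib/gvm/private/CA/certificate.pem
"""

# Only options that appear in the thread; anything else is ignored.
OPTION_NAMES = {"-k": "key", "--ssl-private-key": "key",
                "-c": "cert", "--ssl-certificate": "cert",
                "--drop-privileges": "user"}

def gsad_tls_options(unit_text):
    """Return key path, certificate path and drop-privileges user from ExecStart."""
    opts = {"key": None, "cert": None, "user": None}
    for line in unit_text.splitlines():
        if not line.strip().startswith("ExecStart="):
            continue
        args = shlex.split(line.split("=", 1)[1])
        i = 1  # args[0] is the gsad binary itself
        while i < len(args):
            flag, sep, value = args[i].partition("=")
            if flag in OPTION_NAMES:
                if not sep:  # "-k PATH" form: the value is the next argument
                    i += 1
                    value = args[i] if i < len(args) else None
                opts[OPTION_NAMES[flag]] = value
            i += 1
    return opts

def key_permission_problems(key_path):
    """Return a list of problems with the private key file's type and mode."""
    try:
        mode = os.stat(key_path).st_mode
    except OSError as exc:
        return [f"cannot stat {key_path}: {exc.strerror}"]
    problems = []
    if not stat.S_ISREG(mode):
        problems.append("not a regular file")
    if mode & stat.S_IRWXO:
        problems.append(f"mode {stat.S_IMODE(mode):04o} grants access to other users")
    return problems

if __name__ == "__main__":
    found = gsad_tls_options(SAMPLE_UNIT)
    print(found)
    print(key_permission_problems(found["key"]))
```

An empty list from key_permission_problems means the key is a regular file with no access for other users; it does not check ownership or whether the certificate matches the key.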
alessio
September 13, 2020, 2:23pm
6
To be honest I only tried this directory because I was running out of options and saw sth similar here
Port 443 (https) is a privileged port; it can only be bound with root privileges. That’s the reason why you should run gsad via systemd. The process is then started as root to open the privileged port, and then drops its privileges to the normal user. Assuming the user gsad should run as is gvmd, you must have a gsad.service system file in your /etc/systemd/system directory.
The gsad.service should contain this:
[Unit]
Description=Job that runs the gsa daemon
Documentation=man:gsa
After=p…
I had my key and my certificate in /opt/gvm/ssl/ before
alessio
September 15, 2020, 12:59pm
7
I got the files under /opt/gvm/sbin/.. and changed it in my startup-scripts.
It still doesn't work. I don't understand why my certificate is not accepted. Is there sth I forgot?
alessio
September 15, 2020, 2:59pm
8
Btw, is it enough to restart the gsad.service? I did not reboot the server yet.
alessio
September 17, 2020, 10:11am
9
I'm not a fan of rebooting. Did it, and it works just fine, no https warning.