Richy
October 3, 2022, 12:17pm
1
Hello
I am trying to configure SSL on OpenVas Community Edition 22.4 using the method of
Without it working, I’ve read that most recommend using nginx to put the SSL layer in place, but I’d like to be able to do it directly in the app.
Can someone provide me with a guide on how to perform this procedure in the indicated version?
Are you getting some type of error? Check /var/log/gvm/gsad.log.
1 Like
Richy
October 4, 2022, 1:13pm
3
Hello.
The error is:
gsad main:MESSAGE:2022-10-04 13h11.46 utc:174498: Starting GSAD version 22.04.0
gsad main:CRITICAL:2022-10-04 13h11.46 utc:174499: main: start_https_daemon failed!
gsad main:MESSAGE:2022-10-04 13h11.46 utc:174503: Starting GSAD version 22.04.0
gsad main:CRITICAL:2022-10-04 13h11.46 utc:174504: main: start_https_daemon failed!
gsad main:MESSAGE:2022-10-04 13h11.46 utc:174507: Starting GSAD version 22.04.0
gsad main:CRITICAL:2022-10-04 13h11.46 utc:174508: main: start_https_daemon failed!
gsad main:MESSAGE:2022-10-04 13h11.47 utc:174513: Starting GSAD version 22.04.0
gsad main:CRITICAL:2022-10-04 13h11.47 utc:174514: main: start_https_daemon failed!
Thanks for your help.
Check the systemd file to make sure it starts as root, and then runs as user gvm after startup.
2 Likes
Richy
October 4, 2022, 1:57pm
5
My config file is:
[Unit]
Description=Greenbone Security Assistant daemon (gsad)
Documentation=man:gsad(8) https://www.greenbone.net
After=network.target gvmd.service
Wants=gvmd.service
[Service]
Type=forking
#User=gvm
#Group=gvm
RuntimeDirectory=gsad
RuntimeDirectoryMode=2775
PIDFile=/run/gsad/gsad.pid
#ExecStart=/usr/local/sbin/gsad --listen=127.0.0.1 --port=9392 --http-only
ExecStart=/usr/local/sbin/gsad --listen=0.0.0.0 --drop-privileges=gvm --port=443 --rport=80 -k /etc/gvm/server.key -c /etc/gvm/server.csr
Restart=always
TimeoutStopSec=10
[Install]
WantedBy=multi-user.target
Alias=greenbone-security-assistant.service
Your -c option is pointing to the .csr file. That is the certificate request and will not work. The Certificate file normally ends in .crt. Also make sure user gvm has read rights to the cert and key files.
2 Likes
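The checks suggested in the reply above (certificate rather than request, files readable by the service user) as a pre-flight script; this is an added example, not part of the thread or of Greenbone's code. The function names `pem_kind` and `check_gsad_tls` are hypothetical, and the script assumes gsad expects PEM-encoded files. Run it as the service user so the read test reflects that user's rights.

```sh
#!/bin/sh
# Added example: pre-flight check for the files passed to gsad -c / -k.
# Usage (as the service user):
#   sudo -u gvm sh check_gsad_tls.sh /etc/gvm/server.crt /etc/gvm/server.key

# Print what a file holds, judged by its first PEM header line.
pem_kind() {
    [ -r "$1" ] || { echo unreadable; return; }
    # First "-----BEGIN ..." line, with any Windows CR stripped.
    header=$(sed -n '/^-----BEGIN /{p;q;}' "$1" | tr -d '\r')
    case "$header" in
        "-----BEGIN CERTIFICATE REQUEST-----"|"-----BEGIN NEW CERTIFICATE REQUEST-----")
            echo csr ;;
        "-----BEGIN CERTIFICATE-----")
            echo certificate ;;
        "-----BEGIN "*"PRIVATE KEY-----")
            echo private-key ;;
        *)
            echo not-pem ;;   # e.g. a DER-encoded .cer from a CA
    esac
}

# Return 0 only if the cert/key pair looks usable; print one line per finding.
check_gsad_tls() {
    cert=$1; key=$2; rc=0
    ck=$(pem_kind "$cert")
    kk=$(pem_kind "$key")
    case "$ck" in
        certificate) ;;
        csr)     echo "FAIL: $cert is a certificate request, not a signed certificate"; rc=1 ;;
        not-pem) echo "FAIL: $cert has no PEM header (DER encoded?)"; rc=1 ;;
        *)       echo "FAIL: $cert is $ck for the current user"; rc=1 ;;
    esac
    if [ "$kk" != private-key ]; then
        echo "FAIL: $key is $kk, expected a PEM private key"; rc=1
    fi
    # Fixing access by opening the key to everyone trades one problem for another.
    if [ -n "$(find "$key" -prune -perm -004 2>/dev/null)" ]; then
        echo "WARN: $key is world-readable; prefer owner or group access for gvm"
    fi
    return $rc
}

if [ "$#" -eq 2 ]; then
    check_gsad_tls "$1" "$2"
    exit
fi
```

A header check only identifies the file type; it does not confirm that the key belongs to the certificate or that the certificate chain is valid.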
Richy
October 4, 2022, 3:03pm
7
I generated a .cer from the .csr with the organization's CA, and with
openssl x509 -inform DER -in certificate.cer -out certificate.crt
a .crt. I changed it in the settings, but the error persists.
Richy
October 4, 2022, 5:34pm
8
Changed permissions on the .crt and .key and the service is OK.
No working external connection and yes working internal connection.
ss -utlpn is ok to 0.0.0.0:443
I don’t understand “no working external connection”. Can you https://yourserverip ?
Your firewall has to allow the inbound connection.
2 Likes
Richy
October 4, 2022, 7:04pm
10
Checked iptables and found a PREROUTING rule to localhost redirecting port 443 to 9392. Deleted the rule and OpenVAS SSL is working.
Thanks for your help.
Greetings from Uruguay
2 Likes