Richy
(Richard Perez)
October 3, 2022, 12:17pm
1
Hello
I am trying to configure SSL on OpenVAS Community Edition 22.4 using the method of
Without it working, I’ve read that most recommend using nginx to put the SSL layer in place, but I’d like to be able to do it directly in the app.
Can someone provide me with a guide on how to perform this procedure in the indicated version?
joebeasley
(Joe Beasley)
October 4, 2022, 12:36am
2
Are you getting some type of error? Check /var/log/gvm/gsad.log.
1 Like
Richy
(Richard Perez)
October 4, 2022, 1:13pm
3
Hello.
The error is:
gsad main:MESSAGE:2022-10-04 13h11.46 utc:174498: Starting GSAD version 22.04.0
gsad main:CRITICAL:2022-10-04 13h11.46 utc:174499: main: start_https_daemon failed!
gsad main:MESSAGE:2022-10-04 13h11.46 utc:174503: Starting GSAD version 22.04.0
gsad main:CRITICAL:2022-10-04 13h11.46 utc:174504: main: start_https_daemon failed!
gsad main:MESSAGE:2022-10-04 13h11.46 utc:174507: Starting GSAD version 22.04.0
gsad main:CRITICAL:2022-10-04 13h11.46 utc:174508: main: start_https_daemon failed!
gsad main:MESSAGE:2022-10-04 13h11.47 utc:174513: Starting GSAD version 22.04.0
gsad main:CRITICAL:2022-10-04 13h11.47 utc:174514: main: start_https_daemon failed!
Thanks for your help.
joebeasley
(Joe Beasley)
October 4, 2022, 1:49pm
4
Check the systemd file to make sure it starts as root, and then runs as user gvm after startup.
2 Likes
Richy
(Richard Perez)
October 4, 2022, 1:57pm
5
My config file is:
[Unit]
Description=Greenbone Security Assistant daemon (gsad)
Documentation=man:gsad(8) https://www.greenbone.net
After=network.target gvmd.service
Wants=gvmd.service
[Service]
Type=forking
#User=gvm
#Group=gvm
RuntimeDirectory=gsad
RuntimeDirectoryMode=2775
PIDFile=/run/gsad/gsad.pid
#ExecStart=/usr/local/sbin/gsad --listen=127.0.0.1 --port=9392 --http-only
ExecStart=/usr/local/sbin/gsad --listen=0.0.0.0 --drop-privileges=gvm --port=443 --rport=80 -k /etc/gvm/server.key -c /etc/gvm/server.csr
Restart=always
TimeoutStopSec=10
[Install]
WantedBy=multi-user.target
Alias=greenbone-security-assistant.service
joebeasley
(Joe Beasley)
October 4, 2022, 2:24pm
6
Your -c option is pointing to the .csr file. That is the certificate request and will not work. The Certificate file normally ends in .crt. Also make sure user gvm has read rights to the cert and key files.
2 Likes
Richy
(Richard Perez)
October 4, 2022, 3:03pm
7
I generated a .cer from the .csr with the CA of the organization, and with
openssl x509 -inform DER -in certificate.cer -out certificate.crt
a .crt. I changed it in the settings, but the error persists.
Richy
(Richard Perez)
October 4, 2022, 5:34pm
8
Changed permissions on the .crt and .key and the service is OK.
No working external connection and yes working internal connection.
ss -utlpn is ok to 0.0.0.0:443
joebeasley
(Joe Beasley)
October 4, 2022, 6:59pm
9
I don’t understand “no working external connection”. Can you https://yourserverip ?
Your firewall has to allow the inbound connection.
2 Likes
Richy
(Richard Perez)
October 4, 2022, 7:04pm
10
Checked iptables and saw a PREROUTING rule to localhost on port 443 with a redirect to 9392; deleted the rule and OpenVAS SSL is working.
Thanks for your help.
Greetings from Uruguay
2 Likes
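An added example, not part of the original thread and not Greenbone's code: a pre-flight check for the two file problems diagnosed above, a CSR (or DER file) passed to -c and key/cert files the gvm account cannot read once gsad drops privileges. It assumes gsad needs PEM-encoded files and checks classic mode bits only; the function names, the uid/gid arguments and the sample files are constructed for illustration.

```python
import os, re, shlex, stat, tempfile

def classify(data: bytes) -> str:
    """Name what a TLS file holds, judged by encoding and PEM label."""
    if data[:1] == b"\x30":  # first byte of a DER SEQUENCE; PEM starts with '-'
        return "der"
    m = re.search(rb"-----BEGIN ([A-Z0-9 ]+)-----", data)
    label = m.group(1).decode() if m else ""
    if label.endswith("CERTIFICATE REQUEST"):
        return "csr"
    if label == "CERTIFICATE":
        return "certificate"
    return "private-key" if label.endswith("PRIVATE KEY") else "unknown"

def readable_by(st, uid: int, gids: set) -> bool:
    """Owner/group/other read check; ignores ACLs and parent directories."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def preflight(exec_start: str, uid: int, gids: set) -> list:
    """Problems with the -k/-c files for the account gsad drops to."""
    args, problems = shlex.split(exec_start), []
    for flag, want in (("-k", "private-key"), ("-c", "certificate")):
        if flag not in args[:-1]:
            problems.append(f"{flag}: not set")
            continue
        try:
            with open(args[args.index(flag) + 1], "rb") as fh:
                kind, st = classify(fh.read()), os.fstat(fh.fileno())
        except OSError as exc:
            problems.append(f"{flag}: {exc.strerror}")
            continue
        if kind != want:
            problems.append(f"{flag}: expected {want}, found {kind}")
        if not readable_by(st, uid, gids):
            problems.append(f"{flag}: not readable after privilege drop")
    return problems

def demo() -> list:
    """Constructed sample files: a CSR passed to -c, both files mode 0600."""
    d = tempfile.mkdtemp()
    for name, label in (("server.key", "PRIVATE KEY"), ("server.csr", "CERTIFICATE REQUEST")):
        with open(os.open(f"{d}/{name}", os.O_WRONLY | os.O_CREAT, 0o600), "w") as fh:
            fh.write(f"-----BEGIN {label}-----\nAAAA\n-----END {label}-----\n")
    cmd = shlex.join(["gsad", "--port=443", "-k", f"{d}/server.key", "-c", f"{d}/server.csr"])
    return preflight(cmd, os.getuid() + 1, {os.getgid() + 1})
```

On a real host, pass the ExecStart line from the unit file together with the uid and group ids of the account named in --drop-privileges.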