Hello, so I have followed and reviewed the documentation and outline of the steps to enable HTTPS TLS encryption on Greenbone Community Containers, and have gone through the steps of requesting and acquiring a legit server certificate from Entrust, which I have saved in the folder /home/gvm/.ssl along with the key, respectively as
servercert.pem
server-privatekey.pem
in that folder. /home/gvm/.ssl/
Note: servercert.pem does not include the intermediary or root CA cert data.
Notable details: as per recommended best practice at my place of work, these keys were made using Elliptic Curve ECDSA rather than RSA algorithms. Hopefully that's not an issue. Both files are in a folder and have permissions that should be accessible by anyone who would be running docker compose.
However, the servercert.pem contains only the cert data for the host machine itself, and omits the intermediary and root Entrust certs.
I recall that when I configured Greenbone to use LDAPS for authentication it wanted the cert.pem file to include the server cert block and the intermediary CA's cert data block, one after the other (but I forget if the order for the file was server first then intermediary CA, or intermediary CA first then main server?). In any case, right now it just contains the actual server's ECDSA certificate which Entrust provided in exchange for the .cfg/.csr file, and the private key I also made along the way (but obviously haven't shared that with anyone).
What am I missing?
Here is the relevant section of my docker-compose.yml and the behaviour on page load:
```yaml
gsa:
  image: greenbone/gsa:stable
  restart: on-failure
  environment:
    - GSAD_ARGS=--http-sts --gnutls-priorities=SECURE256:-VERS-TLS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
  ports:
    - 443:443
  volumes:
    # Move the private key into the container; replace <username> with the parent directory that the cert files are in.
    - /home/gvm/.ssl/serverkey.pem:/var/lib/gvm/private/CA/serverkey.pem
    # Move the certificate into the container; replace <username> with the parent directory the cert files are in.
    - /home/gvm/.ssl/servercert.pem:/var/lib/gvm/CA/servercert.pem
    - gvmd_socket_vol:/run/gvmd
  depends_on:
    - gvmd
```
RESULTS IN…
**FIREFOX ERROR:**
Secure Connection Failed
An error occurred during a connection to [HOSTNAME REDACTED]. PR_END_OF_FILE_ERROR
Could it be that I just have to append or prepend the intermediary CA's cert data to the server.pem file as well, and if so, does it go before the server's cert data in the same pem file, or at the bottom of the file, and then restart it? I'm lost. Any help would be much obliged. I'm assuming I don't also have to include the root Entrust cert?
A final clue in my investigation: I went searching the file/folder system for the destination for the certs as per the yaml, and the path /var/lib/gvm/CA/ does not appear to exist on the machine at all, even to root (see addendum).
Thanks in advance & also: PLS HELP!
cheers
Bobby
This is the list of the contents of /var/lib on the main server. Should I be specifying a specific container somehow, and if so how, because I read this like it's looking to copy it into the gvm/CA folder under /var/lib and finds the path invalid.
```
[root@SERVER lib]# ls -hal
total 12K
drwxr-xr-x. 41 root root 4.0K Jun 22 15:10 .
drwxr-xr-x. 20 root root 4.0K Jan 19 2024 ..
drwxr-xr-x. 2 root root 169 Jul 26 06:59 alternatives
drwxr-xr-x. 3 root root 4.0K Jul 26 06:58 authselect
drwxr-xr-x. 3 root root 18 Jan 19 2024 bluetooth
drwxr-x--- 4 caddy caddy 34 May 24 00:17 caddy
drwxr-x---. 2 chrony chrony 19 Aug 13 18:53 chrony
drwx--x--x 10 root root 311 Jun 26 06:36 containerd
drwxr-xr-x. 3 root root 93 Aug 13 06:08 dnf
drwx--x--- 12 root root 171 Aug 2 13:02 docker
drwxr-xr-x. 2 root root 6 May 16 2022 fprint
drwxr-xr-x. 2 root root 6 May 16 2022 games
drwxr-xr-x. 2 root root 6 Apr 7 18:06 initramfs
drwxr-xr-x. 2 root root 6 Aug 6 08:28 kdump
drwxr-xr-x. 2 root root 6 Apr 20 2023 kpatch
drwxr-xr-x. 2 root root 30 Aug 13 00:00 logrotate
drwxr-xr-x. 2 root root 6 May 16 2022 misc
drwxr-x---. 2 root slocate 24 Aug 13 00:00 mlocate
drwxr-xr-x. 4 root root 63 Aug 2 13:00 net-snmp
drwx------. 2 root root 171 Aug 2 13:02 NetworkManager
drwxrwx--- 3 nginx root 17 May 15 12:56 nginx
drwxr-xr-x. 2 root root 6 May 9 2023 os-prober
drwx------. 3 postgres postgres 47 Mar 26 16:28 pgsql
drwxr-xr-x. 2 root root 27 Jan 19 2024 plymouth
drwxr-x---. 3 root polkitd 28 Jan 19 2024 polkit-1
drwx------. 2 root root 6 Jan 19 2024 private
drwxr-x---. 2 redis redis 22 Mar 26 16:28 redis
drwxr-xr-x. 2 root root 91 Apr 6 01:50 rpm
drwxr-xr-x. 3 root root 20 Feb 15 13:16 rpm-state
drwx------. 2 root root 29 Aug 13 19:38 rsyslog
drwxr-xr-x. 4 root root 33 Jun 11 19:42 samba
drwxr-xr-x. 5 root root 46 Apr 7 12:08 selinux
drwxr-xr-x. 2 root root 6 Apr 20 10:06 smartmontools
drwxr-xr-x. 10 root root 120 Jul 23 21:04 sss
drwxr-xr-x. 7 root root 98 Jul 23 14:46 systemd
drwxr-xr-x. 3 root root 31 Feb 15 13:16 texmf
drwxr-xr-x. 3 root root 20 Jan 19 2024 tpm2-tss
drwxr-xr-x. 2 root root 6 Apr 23 03:08 tuned
drwxr-xr-x. 2 unbound unbound 30 Mar 26 16:28 unbound
drwxr-xr-x. 3 root root 20 Feb 9 2024 vmware
drwxr-xr-x. 3 root root 23 Jan 19 2024 xfsdump
[root@SERVER lib]# pwd
/var/lib
```
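As an added illustration (not code from the original post or from Greenbone), a POSIX shell script that assembles the chain file in the order gsad expects (server certificate first, then the intermediate CA; the root is not needed), keeps the private key out of it, and flags any compose bind-mount source that does not exist on the host, which is the silent failure that leaves the container with an empty directory instead of a key. The PEM blocks and the compose fragment are constructed placeholders; the container-side `/var/lib/gvm/...` paths are the ones from the compose file above.

```shell
# Added example, not code from the original post: assemble the PEM chain gsad expects
# (server certificate first, then the intermediate CA; the key stays in its own file)
# and check that every bind-mount source in the compose file really exists.
set -eu
WORK=$(mktemp -d)

# Constructed placeholder PEM blocks standing in for the Entrust-issued files.
printf -- '-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n' > "$WORK/servercert.pem"
printf -- '-----BEGIN CERTIFICATE-----\nINTERMEDIATE\n-----END CERTIFICATE-----\n' > "$WORK/intermediate.pem"
printf -- '-----BEGIN EC PRIVATE KEY-----\nKEY\n-----END EC PRIVATE KEY-----\n' > "$WORK/server-privatekey.pem"

# build_chain LEAF INTERMEDIATE OUT: leaf first, issuing CA after it; the root is not needed.
build_chain() { cat "$1" "$2" > "$3"; }

# count_certs FILE: number of CERTIFICATE blocks (0 for a missing file or a directory).
count_certs() { n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || n=0; echo "$n"; }

# chain_ok FILE: first block is a certificate, at least two blocks, no private key mixed in.
chain_ok() {
    [ "$(head -n 1 "$1")" = '-----BEGIN CERTIFICATE-----' ] || return 1
    [ "$(count_certs "$1")" -ge 2 ] || return 1
    ! grep -q 'PRIVATE KEY' "$1"
}

# key_matches_cert CERT KEY: the public key in CERT must equal the one derived from KEY
# (works for ECDSA and RSA). Needs openssl and real files, so it is not run on the placeholders.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# missing_mount_sources COMPOSE: print bind-mount sources that are not regular files.
# Docker creates an empty directory for a missing source, so gsad starts without a
# usable key or certificate and the browser can show PR_END_OF_FILE_ERROR.
missing_mount_sources() {
    sed -n 's/^[[:space:]]*-[[:space:]]*\(\/[^:]*\):.*/\1/p' "$1" | while read -r src; do
        [ -f "$src" ] || echo "$src"
    done
}

build_chain "$WORK/servercert.pem" "$WORK/intermediate.pem" "$WORK/fullchain.pem"
# Constructed compose fragment; it references serverkey.pem, a file that was never created,
# mirroring a key saved under one name and mounted under another.
cat > "$WORK/compose.yml" <<EOF
    volumes:
      - $WORK/serverkey.pem:/var/lib/gvm/private/CA/serverkey.pem
      - $WORK/fullchain.pem:/var/lib/gvm/CA/servercert.pem
EOF
chain_ok "$WORK/fullchain.pem" && echo "chain layout ok"
missing_mount_sources "$WORK/compose.yml"
```

Run `key_matches_cert servercert.pem server-privatekey.pem` against the real files; with openssl present, `openssl verify -untrusted intermediate.pem servercert.pem` additionally confirms that the intermediate really issued the leaf.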