I just went through the process of setting up SSL for the WebUI and also ran into issues, but eventually got it to work. One thing that was annoying is that while I was having issues, the WebUI wouldn't work at all and didn't provide any feedback. It would have been nice if, while it was misconfigured, it fell back to self-signed certs. RE: @jgallas
I used a Let’s Encrypt client to create the SSL certificates. Let’s Encrypt provides free Domain Validation certs.
After going through the process, I got 3 files:
- ca_bundle.crt
- certificate.crt
- private.key
I combined ca_bundle.crt and certificate.crt into ssl.crt. I renamed private.key to ssl.pvt.
I put both files into the default location on my windows root server: C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI
If it was a stand alone WebUI server, then the default location should be: C:\Program Files (x86)\BigFix Enterprise\BES WebUI\WebUI
Because I am on platform 9.5.2.56 I then had to restart the BESRootServer service instead of the BESWebUI service.
This did not work. I found errors (Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch) in the WebUI log here: C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\logs\service-app.log
The error messages were happening like once a minute. I made many changes, but nothing stopped the errors. Eventually I realized that I had to restart the service every time I made changes to the ssl files in order for the WebUI to pick up the changes.
One of the issues turned out to be that I didn't combine the .crt files properly. The site-specific cert needs to be first within ssl.crt, followed by the next cert in the signing chain, and so on all the way up to the highest in the chain.
My working ssl.crt looks like this:
-----BEGIN CERTIFICATE-----
<<base64 string from certificate.crt>>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<<base64 string from ca_bundle.crt>>
-----END CERTIFICATE-----
My working ssl.pvt looks like this:
-----BEGIN PRIVATE KEY-----
<<base64 string from private.key>>
-----END PRIVATE KEY-----
It seems that BEGIN RSA PRIVATE KEY isn't required and BEGIN PRIVATE KEY is sufficient, as long as it is a valid key.
This relevance should provide the issue date of the SSL cert:
invalid befores of pem encoded certificates of files "ssl.crt" of folders "C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI"
- https://bigfix.me/analysis/details/2994825
- Working to detect and remove the eDellRoot malicious Root Certificate
Related:
- https://www.ibm.com/support/knowledgecenter/en/SSTK87_9.5.0/com.ibm.bigfix.webui.doc/WebUI/Admin_Guide/c_ssl_certificates_9.5.3_and_above.html
- http://www-01.ibm.com/support/docview.wss?uid=swg21505848
- https://www.digitalocean.com/community/questions/ssl-library-error-185073780-key-values-mismatch
- https://letsencrypt.org/docs/client-options/
- https://community.letsencrypt.org/t/dns-provider-not-allowing-txt-records-to-be-submitted-correctly-letsencrypt-validation-doesnt-pass/31201/5
- https://github.com/do-know/Crypt-LE/issues/11
- https://serverfault.com/questions/750902/how-to-use-lets-encrypt-dns-challenge-validation
- https://dan.enigmabridge.com/powering-simplicity-of-certbot-and-letsencrypt-domain-verification/
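The assembly and the mismatch check described in the post, as an added example that is not part of the original post and not BigFix's own tooling. It builds ssl.crt in the order the post found to work (site certificate first, then the CA bundle), copies the key to ssl.pvt, and then runs the same comparison that X509_check_private_key performs, so a "key values mismatch" is caught on the command line before the service is restarted rather than once a minute in service-app.log. The file names ca_bundle.crt, certificate.crt, private.key, ssl.crt and ssl.pvt come from the post; the directory layout, the helper names and the throw-away test CA are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from BigFix.
# Requires the openssl CLI. Directory layout and function names are assumptions.

# Write ssl.crt in signing order: site certificate first, then the issuer
# chain exactly as the CA bundle lists it. Copy the key to ssl.pvt unchanged.
build_webui_ssl_files() {
  src="$1"   # directory holding ca_bundle.crt, certificate.crt, private.key
  dst="$2"   # directory where ssl.crt and ssl.pvt are written
  mkdir -p "$dst"
  cat "$src/certificate.crt" "$src/ca_bundle.crt" > "$dst/ssl.crt"
  cp "$src/private.key" "$dst/ssl.pvt"
}

# Hash of the public key carried in the FIRST certificate of a PEM file.
# openssl x509 reads only the first block, so this also reveals which
# certificate sits at the top of ssl.crt.
first_cert_pubkey_hash() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256
}

# Hash of the public key derived from a private key. openssl pkey accepts
# both PKCS#8 "BEGIN PRIVATE KEY" and traditional "BEGIN RSA PRIVATE KEY".
private_key_pubkey_hash() {
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256
}

# The check behind the "key values mismatch" error: does the private key
# belong to the first certificate in the file? Returns 0 on match, 1 otherwise.
key_matches_cert() {
  [ "$(first_cert_pubkey_hash "$1")" = "$(private_key_pubkey_hash "$2")" ]
}

# Does the first certificate in the file chain to the bundle? If the bundle
# holds only an intermediate (no self-signed root), openssl verify needs
# -partial_chain or the root appended to the bundle.
chain_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run both checks on a finished WebUI directory. Prints one line per failure
# and returns 1 if anything is wrong, 0 if the files are ready for a restart.
verify_webui_ssl_files() {
  dir="$1"; bundle="$2"; rc=0
  key_matches_cert "$dir/ssl.crt" "$dir/ssl.pvt" \
    || { echo "ssl.pvt does not match the first certificate in ssl.crt (site cert must come first)"; rc=1; }
  chain_verifies "$bundle" "$dir/ssl.crt" \
    || { echo "ssl.crt does not verify against $bundle"; rc=1; }
  return $rc
}

# Constructed fixture so the script can be tried offline: a throw-away
# self-signed test CA and a server certificate it signs. A real deployment
# uses the three files the Let's Encrypt client produced instead.
make_test_pki() {
  dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Test CA" -keyout "$dir/ca.key" -out "$dir/ca_bundle.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=webui.example.test" -keyout "$dir/private.key" -out "$dir/site.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$dir/site.csr" \
    -CA "$dir/ca_bundle.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/certificate.crt" 2>/dev/null
}

# Usage (paths are assumptions):
#   make_test_pki /tmp/pki
#   build_webui_ssl_files /tmp/pki /tmp/webui
#   verify_webui_ssl_files /tmp/webui /tmp/pki/ca_bundle.crt && echo "ready to restart"
```

Reversing the cat order (bundle first) makes key_matches_cert fail, which reproduces the X509_check_private_key error the post hit; on the real server the files still have to be copied to the WebUI folder and the BESRootServer (or BESWebUI) service restarted before the WebUI notices them.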