WebUI and a REAL SSL cert - and one more question

I tried this and then the WebUI broke. I was able to fix it by removing the certs and restarting the BESRootServer service. Do you know what could cause the WebUI to no longer function after adding the certs?

1 Like

@jgallas can you maybe send us the logging information from the WebUI when things broke?

The logs that we are typically after can be found in:
C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\logs

Just give us everything you find there. (PM if you are sensitive to whatever data is there?)

C:\Program Files (x86)\BigFix Enterprise\BES Server\BESrelay.log is also a good thing to send our way.

I too am having problems with the pvk (key) part of the Cert…
the .crt seems to be fine…
I extracted from the .pem … I tried the RSA and the non-RSA (no password) versions… No go… I get a connection timed out and a SYN_SENT in netstat to the server…
rename the .pvk, restart the root server service and I can access the webui again but as an untrusted connection.
No errors in the etl.log but the service-app.log has this lot towards the end…

Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
    at Error (native)
    at Object.createSecureContext (_tls_common.js:105:19)
    at Server (_tls_wrap.js:605:25)
    at new Server (https.js:36:14)
    at Object.exports.createServer (https.js:56:10)
    at BFProxy.createWebServer (C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\service-app\node_modules\bfappmonitor\node_modules\bfproxy\lib\bfproxy.js:433:22)
    at new BFProxy (C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\service-app\node_modules\bfappmonitor\node_modules\bfproxy\lib\bfproxy.js:63:25)
    at BFProxy (C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\service-app\node_modules\bfappmonitor\node_modules\bfproxy\lib\bfproxy.js:51:12)
    at run (C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\service-app\node_modules\bfappmonitor\lib\server.js:110:13)
    at C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\service-app\node_modules\bfappmonitor\lib\server.js:105:7
Mon, 02 May 2016 15:38:49 GMT bf:appmonitor:error server.js process exited with code 1
Mon, 02 May 2016 15:38:50 GMT bf:appmonitor:debug Starting server.js process
Mon, 02 May 2016 15:38:52 GMT bf:appmonitor:debug Initializing with SAML configuration: false
Warning: connect.session() MemoryStore is not
designed for a production environment, as it will leak
memory, and will not scale past a single process.
C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\service-app\node_modules\bfappmonitor\node_modules\q\q.js:155
                throw e;
                      ^
Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
    at Error (native)
    at Object.createSecureContext (_tls_common.js:105:19)
    at Server (_tls_wrap.js:605:25)
    at new Server (https.js:36:14)
    at Object.exports.createServer (https.js:56:10)
    at BFProxy.createWebServer (C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\service-app\node_modules\bfappmonitor\node_modules\bfproxy\lib\bfproxy.js:433:22)
    at new BFProxy (C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\service-app\node_modules\bfappmonitor\node_modules\bfproxy\lib\bfproxy.js:63:25)
    at BFProxy (C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\service-app\node_modules\bfappmonitor\node_modules\bfproxy\lib\bfproxy.js:51:12)
    at run (C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\service-app\node_modules\bfappmonitor\lib\server.js:110:13)
    at C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\service-app\node_modules\bfappmonitor\lib\server.js:105:7
Mon, 02 May 2016 15:38:52 GMT bf:appmonitor:error server.js process exited with code 1
Mon, 02 May 2016 15:38:53 GMT bf:appmonitor:debug Starting server.js process

@Pete_F: Hey late notice, but I recently had to do some signed cert replacement stuff and I ran into this exact PEM_read_bio:no start line bit in the service-app.log file too:

C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\service-app\node_modules\bfappmonitor\node_modules\q\q.js:155
                throw e;
                      ^
Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
    at Error (native)
    at Object.createSecureContext (_tls_common.js:105:19)
    at Server (_tls_wrap.js:605:25)
    at new Server (https.js:36:14)
    at Object.exports.createServer (https.js:56:10)
    at BFProxy.createWebServer (C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\service-app\node_modules\bfappmonitor\node_modules\bfproxy\lib\bfproxy.js:433:22)
    at new BFProxy (C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\service-app\node_modules\bfappmonitor\node_modules\bfproxy\lib\bfproxy.js:63:25)
    at BFProxy (C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\service-app\node_modules\bfappmonitor\node_modules\bfproxy\lib\bfproxy.js:51:12)
    at run (C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\service-app\node_modules\bfappmonitor\lib\server.js:110:13)
    at C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\service-app\node_modules\bfappmonitor\lib\server.js:105:7

I read a whole bunch about openssl until I looked at my old .pvk file and compared it to my new .pvk file and noticed that basically my new one didn’t have the header while my old one did…

So, my new key (initially broken) looked like:

SAIFmafeiancpaijefpIJEAm
...
...
-----END RSA PRIVATE KEY-----

And my old key looked like:

-----BEGIN RSA PRIVATE KEY-----
oiajeoifjoaijfoiejafoEIcan
...
...
-----END RSA PRIVATE KEY-----

Simply adding the BEGIN RSA PRIVATE KEY part to my broken key fixed this problem. Maybe that’s what you’re running into too?

-Dex

2 Likes

my PVK is missing begin and end… added it but still didn’t work

http://www-01.ibm.com/support/docview.wss?uid=swg21505848
that didn't work either

so far put the crt and pvk in the directory mentioned and we get
Unable to connect

Firefox can’t establish a connection to the server at bigfix.

The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer's network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

delete and restart besrootserver service
back to business

how easy was it in compliance and inventory? under management dropdown to server settings, click on replace and put the new certs there… that was it.

would be so much easier if they enabled this for WEBREPORTS and WEBUI…

Got it to work: -
openssl req -new -newkey rsa:2048 -nodes -out ssl.csr -keyout ssl.key -subj "/C=US/ST=Virginia/L=McLean/O=CDM/OU=Information Technology/CN=BigFix"
saved 2 files ssl.csr and ssl.key
send ssl.csr to CA to get ssl.cer
make copy of ssl.key and rename to ssl.pvk
make copy of ssl.cer and rename to ssl.crt
stop besrootserver service on BigFix root server
copy ssl.crt and ssl.pvk to "\Program Files (x86)\BigFix Enterprise\BES Server\WebUI"
start besrootserver service on BigFix root server
open browser and type in link to https://bigfix for accessing WEBUI
** if your cert is issued from enterprise CA you are able to add DNS names to aliases being used to access the WEBUI: - common examples of accessing the web link are as follows
https://BigFix
https://bigfixserver
https://webui
https://BigFix.MyDomain.com
https://BigFixserver.MyDomain.com
https://WEBUI.MyDomain.com
NOTE* while requesting this cert make request to add subject alternate names (DNS) names to this cert by adding this to the “Additional Attributes:” section of the cert generating process
san:DNS=WebUI.MyDomain.com&DNS=BigFix.MyDomain.com&DNS=BigFixServer.MyDomain.com&DNS=WEBUI&DNS=BigFix
**this is so any of the names listed here can be used in the web browser to resolve as a valid cert.

2 Likes

Is there any updated documentation on this for WebUI 9.5.3? What exists doesn’t even match the path. I have WebUI installed on its own system (not the BES) server and I have a path:

C:\Program Files (x86)\BigFix Enterprise\BES WebUI\WebUI

Is that where the cert files go?

Below is what I have from Entrust.

As it is, I’m unsure which files to rename and without knowing the correct path to place them in will make it even more difficult to figure this out.

1 Like

Hi Alexa :wink:

you do have to rename the file from *.key to ssl.pvk and *.cer to ssl.crt
copy ssl.crt and ssl.pvk to "\Program Files (x86)\BigFix Enterprise\BES Server\WebUI"

parameter "workDir" = "{if exists setting whose (name of it = "_WebUIAppEnv_WebUI_DIR") of client then value of setting "_WebUIAppEnv_WebUI_DIR" of client else if windows of operating system then pathname of program files x32 folder &"\BigFix Enterprise\BES WebUI" else "/var/opt/BESWebUI"}"

So if the "workDir" setting does not exist it looks in 'program files x32 folder & "\BigFix Enterprise\BES WebUI"'

So this is where the fixlet points things.

_WebUIAppEnv_WORK_DIR = C:\Program Files (x86)\BigFix Enterprise\BES WebUI\WebUI\sites

I don’t think the certs go there either. I’ll figure it out.

I’ve placed them in the directories below, restarted both BES Root Server service on the BES and BES WebUI on the WebUI server and none work:

C:\Program Files (x86)\BigFix Enterprise\BES WebUI
C:\Program Files (x86)\BigFix Enterprise\BES WebUI\WebUI
C:\Program Files (x86)\BigFix Enterprise\BES WebUI\WebUI\sites (the two certs disappear when placed here after the service starts).

Perhaps I have to add Cert locations in the Properties of the WebUI server, as you do with the Web Reports certs? Without instructions, I’m shooting in the dark.

I’ve opened a PMR with IBM and will post results if I hear from them with a resolve. Installing a cert is such an advanced process!

The directory structures are mirrored between local and remote installations, so C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI becomes C:\Program Files (x86)\BigFix Enterprise\BES WebUI\WebUI

The instructions are as I mentioned earlier in this post:

If you have done this, and it isn’t working, then your files are not properly formatted or do not contain the proper data. Based on the file list you posted, you will need to open your .crt files in notepad or some other text editor, and copy the intermediate certs and root cert below the server cert, so they are all in one file. Make sure you include all the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- headers/footers just as they are in each cert.

The one thing I don’t see is your .key or .pvk file. It is probably included in your .p7b file, and will have to be extracted using OpenSSL or something similar.

So the correct directory for the certs is: C:\Program Files (x86)\BigFix Enterprise\BES WebUI\WebUI

I did use OpenSSL and I have those files. The ssl.key has -----BEGIN RSA PRIVATE KEY----- / -----END RSA PRIVATE KEY----- so I can change those to -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- if that makes a difference.

Being WebUI is on a separate server, does the Gather Service still have to be restarted for the certs to take effect? If not, which service is best to try new certs? Finally, is there any logging I can use to see what cert may be having an issue or if they are even being seen?

2 Likes

The solution is:

For ssl.pvk follow the process [here](http://www.ibm.com/support/knowledgecenter/SS6MCG_9.5.0/com.ibm.bigfix.doc/Platform/Web_Reports/c_creating_a_certificate_signing_request.html), taking the nopwdkey.pem and renaming to ssl.pvk.

For ssl.crt using the 3rd party cert files screenshot earlier in this thread, paste in plain text the three files below in order to make ssl.crt.

ServerCertificate.cert
Intermediate1.cert
Intermediate2.cert

Place both in the \WebUI\ directory and restart the WebUI service.

2 Likes

Hi @AlexaVonTess,

I know I’m late to the party but I wanted to thank you for your post specifying the correct location for the WebUI Signed Certificates. The guide I was using was for 9.5.2.56 and was pointing me to C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI instead of the location you mentioned. After spending almost a week going in circles, moving the files to your location did the trick :). After many hours of googling I only found this and another forum post regarding using a 3rd Party certificate.

1 Like

I just went through the process of setting up SSL for the WebUI and also ran into issues, but eventually got it to work. One thing that was annoying is while I was having issues, the WebUI wouldn’t work at all and didn’t provide any feedback. It would have been nice if while it was misconfigured it fell back to self signed certs. RE: @jgallas

I used a Let’s Encrypt client to create the SSL certificates. Let’s Encrypt provides free Domain Validation certs.

After going through the process, I got 3 files:

  • ca_bundle.crt
  • certificate.crt
  • private.key

I combined ca_bundle.crt and certificate.crt into ssl.crt

I renamed private.key to ssl.pvt

I put both files into the default location on my windows root server: C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI

If it was a stand alone WebUI server, then the default location should be: C:\Program Files (x86)\BigFix Enterprise\BES WebUI\WebUI

Because I am on platform 9.5.2.56 I then had to restart the BESRootServer service instead of the BESWebUI service.

This did not work. I found errors, Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch, in the WebUI log here: C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\logs\service-app.log

The error messages were happening like once a minute. I made many changes, but nothing stopped the errors. Eventually I realized that I had to restart the service every time I made changes to the ssl files in order for the WebUI to pick up the changes.

One of the issues turned out to be that I didn’t combine the .crt files properly. The site specific cert needs to be first within ssl.crt followed by the next cert in the signing chain and so on all the way up to the highest in the chain.

My working ssl.crt looks like this:

-----BEGIN CERTIFICATE-----
<<base64 string from certificate.crt>>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<<base64 string from ca_bundle.crt>>
-----END CERTIFICATE-----

My working ssl.pvt looks like this:

-----BEGIN PRIVATE KEY-----
<<base64 string from private.key>>
-----END PRIVATE KEY-----

It seems that BEGIN RSA PRIVATE KEY isn’t required and BEGIN PRIVATE KEY is sufficient, as long as it is a valid key.


This relevance should provide the issue date of the SSL cert:

invalid befores of pem encoded certificates of files "ssl.crt" of folders "C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI"


5 Likes
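The three failure modes described in this thread (Dex's .pvk with no BEGIN line, and the chain-order and key-mismatch problems James hit) can all be caught before restarting the service. The checker below is an added example, not code from the thread or from BigFix: it uses only the Python standard library to read the ssl.crt and ssl.pvk text, report a missing BEGIN line, verify that each certificate in ssl.crt is issued by the one after it, and compare the RSA modulus of the first certificate with the key's, which is what OpenSSL's X509_check_private_key does. The fixture builders at the bottom produce unsigned but syntactically valid DER so the checks run offline; the names (webui.example.test, Example Intermediate CA) and the moduli are constructed values, not real certificates.

```python
import base64
import re
from collections import namedtuple

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
Cert = namedtuple("Cert", "subject issuer modulus cn")

def pem_blocks(text):  # every well-formed PEM block as (label, DER bytes)
    return [(m.group(1), base64.b64decode("".join(m.group(2).split()))) for m in PEM_RE.finditer(text)]

def pem_problems(text):  # framing faults OpenSSL reports before it looks at any DER
    problems = []
    if "-----BEGIN " not in text:
        problems.append("no BEGIN line (OpenSSL: PEM_read_bio:no start line)")
    for label, der in pem_blocks(text):
        if not der or der[0] != 0x30:  # certificates and keys both start with a DER SEQUENCE
            problems.append(f"{label} body does not decode to DER (damaged base64)")
    return problems

def der_tlv(buf, pos=0):  # one DER tag-length-value at pos -> (tag, value, next position)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: the next (ln & 0x7F) bytes hold the length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def der_children(value):  # direct members of a SEQUENCE/SET value as (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def name_cn(name):  # first attribute value (normally the CN) of an X.509 Name, for reports
    atv = der_children(der_children(name)[0][1])[0][1]  # first RDN (SET) -> AttributeTypeAndValue
    return der_children(atv)[1][1].decode("latin-1")

def cert_fields(der):  # subject/issuer (raw DER Name values) and RSA modulus of a certificate
    fields = der_children(der_children(der_tlv(der)[1])[0][1])  # members of tbsCertificate
    if fields[0][0] == 0xA0:  # skip the explicit [0] version tag when present
        fields = fields[1:]
    issuer, subject, spki = fields[2][1], fields[4][1], fields[5][1]
    pub = der_children(spki)[1][1][1:]  # BIT STRING payload minus the unused-bits byte
    modulus = int.from_bytes(der_children(der_tlv(pub)[1])[0][1], "big")
    return Cert(subject, issuer, modulus, name_cn(subject))

def key_modulus(label, der):  # RSA modulus of a PKCS#1 ('RSA PRIVATE KEY') or PKCS#8 ('PRIVATE KEY') key
    body = der_tlv(der)[1]
    if label == "PRIVATE KEY":  # PKCS#8 wraps the PKCS#1 structure in an OCTET STRING
        body = der_tlv(der_children(body)[2][1])[1]
    return int.from_bytes(der_children(body)[1][1], "big")

def check_webui_files(crt_text, pvk_text):  # list of findings; empty means the pair is framed and paired correctly
    findings = [f"ssl.crt: {p}" for p in pem_problems(crt_text)] + [f"ssl.pvk: {p}" for p in pem_problems(pvk_text)]
    if findings:
        return findings  # do not interpret bytes that already failed framing
    certs = [cert_fields(d) for l, d in pem_blocks(crt_text) if l == "CERTIFICATE"]
    keys = [key_modulus(l, d) for l, d in pem_blocks(pvk_text) if l.endswith("PRIVATE KEY")]
    if not certs or not keys:
        return ["ssl.crt needs a CERTIFICATE block and ssl.pvk a PRIVATE KEY block (relabelling a key as CERTIFICATE does not help)"]
    for i in range(len(certs) - 1):  # server cert first, then each issuer up the chain
        if certs[i].issuer != certs[i + 1].subject:
            findings.append(f"ssl.crt: block {i + 1} ({certs[i].cn}) is not issued by block {i + 2} ({certs[i + 1].cn}); the server certificate must come first")
    if certs[0].modulus != keys[0]:
        findings.append("ssl.pvk does not belong to the first certificate in ssl.crt (OpenSSL: X509_check_private_key:key values mismatch)")
    return findings

# --- constructed fixtures: unsigned DER with the real X.509 / PKCS#1 / PKCS#8 layouts ---
def tlv(tag, value):  # DER encode one tag-length-value
    if len(value) < 128:
        return bytes([tag, len(value)]) + value
    size = (len(value).bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + len(value).to_bytes(size, "big") + value
def der_int(i):  # INTEGER with a leading zero byte whenever the high bit is set
    return tlv(0x02, i.to_bytes(i.bit_length() // 8 + 1, "big"))
def der_name(cn):  # Name holding a single commonName (OID 2.5.4.3, UTF8String)
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, cn.encode()))))
RSA_OID = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))  # rsaEncryption
def fake_cert(subject, issuer, modulus):  # syntactically valid, unsigned: a fixture, never a real cert
    spki = tlv(0x30, RSA_OID + tlv(0x03, b"\x00" + tlv(0x30, der_int(modulus) + der_int(65537))))
    validity = tlv(0x30, tlv(0x17, b"160502000000Z") * 2)
    tbs = tlv(0x30, tlv(0xA0, der_int(2)) + der_int(1) + RSA_OID + der_name(issuer) + validity + der_name(subject) + spki)
    return tlv(0x30, tbs + RSA_OID + tlv(0x03, b"\x00"))
def fake_key(modulus, pkcs8=False):  # (PEM label, DER) for a PKCS#1 or PKCS#8 RSA key with this modulus
    pkcs1 = tlv(0x30, der_int(0) + der_int(modulus) + der_int(65537) + der_int(0) * 6)
    return ("PRIVATE KEY", tlv(0x30, der_int(0) + RSA_OID + tlv(0x04, pkcs1))) if pkcs8 else ("RSA PRIVATE KEY", pkcs1)
def to_pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

# Constructed scenario: leaf issued by an intermediate, its key in PKCS#8 form, and an unrelated PKCS#1 key.
LEAF_N, CA_N, OTHER_N = 0xC0FFEE01, 0xC0FFEE02, 0xBADC0DE
LEAF = to_pem("CERTIFICATE", fake_cert("webui.example.test", "Example Intermediate CA", LEAF_N))
CA = to_pem("CERTIFICATE", fake_cert("Example Intermediate CA", "Example Root CA", CA_N))
GOOD_KEY = to_pem(*fake_key(LEAF_N, pkcs8=True))
WRONG_KEY = to_pem(*fake_key(OTHER_N))
HEADERLESS_KEY = GOOD_KEY.split("\n", 1)[1]  # the .pvk Dex described: body and END line but no BEGIN line
```

Against real files, call check_webui_files(open("ssl.crt").read(), open("ssl.pvk").read()); with the fixtures, check_webui_files(LEAF + CA, GOOD_KEY) returns an empty list, while HEADERLESS_KEY, CA + LEAF and WRONG_KEY each produce the matching finding. The checker only inspects structure: it does not verify signatures, validity dates or the names on the certificate, so a clean result means the files are framed and paired the way the https server expects, not that a browser will trust them.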

Looks like you did a good analysis of the process, James. Odd how IBM has three BigFix web apps (web reports, web console, and BFI) and all are different; the web console being the most difficult.

My web console is on a dedicated VM, not the BES, so that made things a little different with regards to service restart requirements and cert location.

1 Like

The documentation is a bit lacking as to all of the specifics. I’m hoping to get that addressed.

This is an issue that the paths are a bit different depending on standalone vs separate webui and the service you need to restart is dependent upon the platform version in use. Then there is added complexity in the case of using Red Hat instead of Windows, so figuring out the best ways to document all of that is an issue, and then also documenting troubleshooting steps.