Webui SSL error

I’ve installed the BigFix Root, webreports and WebUI (v10.0.1) on Win2016. Installation went fine for all 3 apps. I then installed an SSL cert (used the same .pem file) for the Root services and WebReports with a subject/fqdn of sample FQDN.domain (masthead points to FQDN_fake.domain but both are just a CNAME to the Win2016 server). From another machine I could hit https://fqdn.domain:52311/api and https://fqdn.domain:8083 (webreports) and both certs were good.

I then followed the steps to get the crt and pvk for the WebUI. At first when I viewed the crt the chain was broken but then I installed the missing Comodo certs and now when I view the crt it looks good. I placed the ssl.crt and ssl.pvk in “D:\Program Files (x86)\BigFix Enterprise\BES WebUI\WebUI” but I keep getting these SSL errors in the WebUI service-wrapper.log

Fri, 04 Sep 2020 00:51:30 +0000 -- WebUI service version 10.0.1.41 starting
Fri, 04 Sep 2020 00:51:30 +0000 -- [WebUI] Begin adjusting File Ownership and Security Settings for D:\Program Files (x86)\BigFix Enterprise\BES WebUI
Fri, 04 Sep 2020 01:06:46 +0000 -- [WebUI] Finished adjusting File Ownership and Security Settings.
Fri, 04 Sep 2020 01:06:46 +0000 -- OpenSSL Initialized (Non-FIPS Mode)
Fri, 04 Sep 2020 01:06:46 +0000 -- Using OpenSSL crypto library libBEScrypto64 - OpenSSL 1.0.2u  20 Dec 2019
Fri, 04 Sep 2020 01:06:46 +0000 -- [WebUI] Failed to retrieve all sites info from Root Server: HTTP Error 60: SSL peer certificate or SSH remote key was not OK: SSL: no alternative certificate subject name matches target host name '<FQDN.domain>'
Fri, 04 Sep 2020 01:06:46 +0000 -- [WebUI] Stopping WebUI service app
Fri, 04 Sep 2020 01:07:23 +0000 -- [WebUI] Failed to update service application: HTTP Error 60: SSL peer certificate or SSH remote key was not OK: SSL: no alternative certificate subject name matches target host name '<FQDN.domain>'
Fri, 04 Sep 2020 01:07:46 +0000 -- [WebUI] Stopping WebUI service app

Client settings on server:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BigFix\EnterpriseClient\Settings\Client_WebUIAppEnv_PLATFORM_HOST / “value” = <FQDN.domain>

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BigFix\EnterpriseClient\Settings\Client_WebUI_AppServer_Hostname / “value” = <FQDN.domain>

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BigFix\EnterpriseClient\Settings\Client_WebUIAppEnv_WEB_CERT_FILE / “value” = D:\Program Files (x86)\BigFix Enterprise\BES WebUI\WebUI\ssl.crt

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BigFix\EnterpriseClient\Settings\Client_WebUIAppEnv_WEB_KEY_FILE / “value” = D:\Program Files (x86)\BigFix Enterprise\BES WebUI\WebUI\ssl.pvk

I’ve repeatedly restarted the BES Root and WebUI services and rebooted the server but I still get these errors. What am I missing?

I don’t know whether it’s required to have a Subject Alternative Name with the dns hostname entries in the certificate, but it is best practice to do so and I always generate my certs that way.

Google started leading the charge on that, maybe 4-5 years ago. I wouldn’t be surprised if OpenSSL does the same now too. That’s what the error message looks like to me, but you probably should open a support ticket to check.

In addition to the Subject on your cert, does it also have SubjectAltName entries for your server?

The cert does have a SubjectAlternativeName of:

DNS Name=<FQDN.domain>

I’ve installed SSL certs in the past on WebUI without issue but the difference there was that the masthead FQDN was the same as the SSL cert FQDN. This time is different. I did create a ticket with support so we’ll see what they say.

I uninstalled the BES WebUI and started over, this time it worked with the help of HCL but we can’t explain why.

  1. install webui
  2. add these regkeys to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BigFix\EnterpriseClient\Settings\Client
    _WebUIAppEnv_WEB_CERT_FILE (“value”= path to ssl.crt)
    _WebUIAppEnv_WEB_KEY_FILE (“value”= path to ssl.pvk)
  3. Don’t modify the value of the _WebUIAppEnv_PLATFORM_HOST key value. Leave it as the default value even if it doesn’t match the subject in your ssl.crt
  4. Restart WebUI service. View logging in D:\Program Files (x86)\BigFix Enterprise\BES WebUI\service-wrapper.log. It takes 15-20min after service start to finish application startup.
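The HTTP Error 60 in the service-wrapper.log earlier in this thread is raised when a TLS client compares the host name it was configured to call against the DNS names in the server certificate; which machine a CNAME resolves to plays no part in that comparison. The following is an added example, not code from the original posts or from BigFix: a simplified Python model of that check, in which the host names, the helper functions `dns_name_matches`, `verify_host` and `check_endpoints`, and the single-label wildcard rule are assumptions made for illustration.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample data: two DNS aliases (CNAMEs) for one server, and a
# certificate issued for only one of them. None of these names are from the thread.
CERT_CN = "bigfix.example.com"
CERT_SAN_DNS = ["bigfix.example.com"]
MASTHEAD_HOST = "bes-root.example.com"   # alias the deployment was built with
CERT_HOST = "bigfix.example.com"         # alias the certificate was issued for


def dns_name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate DNS name with the target host, ignoring case.

    A '*' counts only as the whole left-most label and stands for one label.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h


def verify_host(target: str, san_dns: List[str], subject_cn: Optional[str]) -> Tuple[bool, str]:
    """Return (ok, reason) for the name the client was configured to call.

    If the certificate has any SAN dNSName, only those are checked and the
    Subject CN is ignored; the CN is a fallback for SAN-less certificates.
    """
    if san_dns:
        for name in san_dns:
            if dns_name_matches(name, target):
                return True, "matched SAN dNSName " + name
        return False, "no SAN dNSName matches target host name '%s'" % target
    if subject_cn and dns_name_matches(subject_cn, target):
        return True, "matched Subject CN (no SAN present)"
    return False, "Subject CN does not match target host name '%s'" % target


def check_endpoints(hosts: List[str]) -> Dict[str, Tuple[bool, str]]:
    """Run the check for every name a component might use to reach the server."""
    return {h: verify_host(h, CERT_SAN_DNS, CERT_CN) for h in hosts}


if __name__ == "__main__":
    for host, (ok, reason) in check_endpoints([CERT_HOST, MASTHEAD_HOST]).items():
        print("%-24s %s  %s" % (host, "OK  " if ok else "FAIL", reason))
```

Both aliases point at the same machine, yet only the name listed in the certificate passes, so every host name a component is configured to call has to be one the certificate covers.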