Problem with using SSL connection (wss)

Petr

New Member
Hi. On my web server I use an SSL connection. So, when I have your server running and connect from the web-interface phone (Phone.html), I receive an error which says that the connection to wss is refused. So, must I send you the logs and cond in a zip?) And another problem, with importing the intermediate certificate: in the documentation it has a .pem file extension, but I have a .crt extension. What to do with this?
Additional:
In the PDF documentation for admins (Russian version) there is a problem: many console commands are cut off. In the HTML version all is OK.
 

Max

Administrator
Staff member
Try to set:
Code:
 <url_ws_server>wss://host:8443</url_ws_server>
in examples/flashphoner.xml (client-side)
wss - means secure websocket over SSL will be used
8443 - port
Test
Open this page in web browser: https://host:8443
If certificate is imported properly, this page should be empty and you should see certificate icon in the browser url string.
Then you can try to connect from Phone.html.
See Chrome Developer Console output and 'Network' tab for debug.
"in documentation it has .pem file extension, but I have .crt extension. What to do with this?"
Try to convert your .crt file to .pem using keytool
or just try to use your .crt files instead of .pem
 

Petr

New Member
So, I have tried to open https://host:8443 (yes, with my real address, not "host"). I don't get a connection, but the server is started (checked the status).
And my questions:
1. Are there any params in the config files which I must inspect?
2. "Try to convert your .crt file to .pem using keytool" - how? Something like this:
keytool -import -keystore /usr/local/FlashphonerWebCallServer/conf/wss.jks -file intermediate.crt ?
 

Petr

New Member
No, it doesn't help. In Chrome: ERR_CONNECTION_REFUSED. And port 8443 is open (by lsof -i :8443). So, what may be the trouble? Or where in the logs will it show information about errors with certificates?
 

Petr

New Member
By that:
telnet: connect to address <my_host>: Connection refused
But by lsof -i :8443:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 12345 root 61u IPv4 896188733 0t0 TCP *:pcsync-https (LISTEN)
 

Petr

New Member
No. And for the test I turned it off. However, port 8080 is open and it works, but for 8443 there is such a problem.
 

Max

Administrator
Staff member
Most likely it is a certificate issue.
Try to replace the wss.jks file with the one from the Web Call Server installation archive.
Then stop/start the server and try https://host:8443
If it works correctly, import your certificates again using the keytool and stop/start the server again.
You can also send us your actual wss.jks and its password by email. We can check its certificate content by keytool.
 

Petr

New Member
So, it's the certs. I did the first steps, setting wss.jks from the original archive. And it works. The telnet variant too)
Which files do you need, and to what e-mail?
 

Max

Administrator
Staff member
When you are using the keytool, you import your SSL certificates and keys into the wss.jks (java key store for websocket SSL).
So try to import your certificates into wss.jks from scratch and restart WCS server.
If it does not help, you can send your certificates to logs@flashphoner.com and we will try to import them on our testing server. If it goes well, we will describe our steps.
 

Max

Administrator
Staff member
We have successfully imported your certificates and tested wss connection.
It works for us.
Please follow the instructions below.
'mydomain' is domain name of your server.

1. Remove self-signed certificate from the keystore
Code:
keytool -delete -alias selfsigned -keystore /usr/local/FlashphonerWebCallServer/conf/wss.jks
2. Create a new keystore based on the certificate and private key
Code:
openssl pkcs12 -export -in mydomain_root.crt -inkey mydomain.key -out mydomain.p12 -name "mydomain"
3. Import the newly created keystore into existing wss.jks
Code:
keytool -importkeystore -srckeystore mydomain.p12 -srcstoretype PKCS12 -destkeystore /usr/local/FlashphonerWebCallServer/conf/wss.jks
Enter destination keystore password:
Enter source keystore password:
Entry for alias mydomain successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
4. Import intermediary certificate into the wss.jks keystore
Code:
keytool -import -keystore /usr/local/FlashphonerWebCallServer/conf/wss.jks -file intermediate.pem -alias ca-root
Trust this certificate? [no]:  yes
Certificate was added to keystore
5. Restart WCS server.
Code:
cd /usr/local/FlashphonerWebCallServer/bin
./webcallserver restart
6. Use wss://mydomain:8443 as connection WSS URL.
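
A check that can be run after steps 1-4 and before testing wss://mydomain:8443, added here as an example (not part of the original post and not Flashphoner's own code). A TLS listener can only present a certificate stored as a PrivateKeyEntry, while `keytool -import` of a certificate file on its own creates a trustedCertEntry with no key behind it. The script reads `keytool -list` output and confirms the entry types the steps above should produce; the aliases are the ones used in the steps, and both sample listings are constructed.

```shell
#!/bin/sh
# Constructed sample of `keytool -list` output after steps 1-4 (placeholder fingerprints).
SAMPLE_GOOD='Keystore type: JKS

Your keystore contains 2 entries

mydomain, Jan 1, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): <placeholder>
ca-root, Jan 1, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): <placeholder>'

# Constructed failure case: the server certificate was added with `keytool -import`
# only (no private key), the intermediate is absent, and step 1 was skipped.
SAMPLE_BAD='Your keystore contains 2 entries

selfsigned, Jan 1, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): <placeholder>
mydomain, Jan 1, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): <placeholder>'

# entry_type ALIAS: read `keytool -list` text on stdin, print the entry type of ALIAS.
entry_type() {
    awk -v want="$1" '
        match($0, /, (PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),/) {
            if (substr($0, 1, index($0, ",") - 1) == want) {
                print substr($0, RSTART + 2, RLENGTH - 3); exit
            }
        }'
}

# check_wss_keystore LISTING SERVER_ALIAS CA_ALIAS: print each problem, return 1 if any.
check_wss_keystore() {
    listing=$1
    rc=0
    key=$(printf '%s\n' "$listing" | entry_type "$2")
    ca=$(printf '%s\n' "$listing" | entry_type "$3")
    old=$(printf '%s\n' "$listing" | entry_type selfsigned)
    [ "$key" = PrivateKeyEntry ] || { echo "alias $2: ${key:-missing}, need PrivateKeyEntry"; rc=1; }
    [ "$ca" = trustedCertEntry ] || { echo "alias $3: ${ca:-missing}, need trustedCertEntry"; rc=1; }
    [ -z "$old" ] || { echo "alias selfsigned: still present, step 1 was skipped"; rc=1; }
    return $rc
}

# On the server, pass the real listing instead of a sample:
#   check_wss_keystore "$(keytool -list -keystore /usr/local/FlashphonerWebCallServer/conf/wss.jks)" mydomain ca-root
check_wss_keystore "$SAMPLE_BAD" mydomain ca-root || echo "keystore is not ready to serve wss"
```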
 

Max

Administrator
Staff member
We tested it on a VPS Xen server, Amazon EC2, DigitalOcean virtual servers, VMware, and other virtual environments.
We didn't test it with OpenVZ as far as I know.
By the way, did you install Oracle JDK? Maybe it would help to fix the issue.
 