Hi
Just wondered if there was a quick way to change an existing OPSI server installation from using https to just http ?
We are seeing invalid certificate errors especially for the Kiosk mode and would like to remove it from the customer experience ?
Kind regards
Mark
changing server from https to http
Re: changing server from https to http
This link might be the answer though
wiki/userspace:zertifikats_import
Has anyone had any success with this approach ?
- n.wenselowski
- Ex-uib-Team
- Posts: 3194
- Registered: 04 Apr 2013, 12:15
Re: changing server from https to http
Hello Mark,
the problem is that the certificate on the client is not signed by a trusted authority.
The best solution is to provide the clients with a certificate that is signed by a known CA.
Running opsi without https is something we do not support and do not advise.
With kind regards
Niko
Code:
import OPSI
- SisterOfMercy
- Posts: 1556
- Registered: 22 Jun 2012, 19:18
Re: changing server from https to http
markbyrne wrote:
> wiki/userspace:zertifikats_import
> Has anyone had any success with this approach ?
I do, but only the Mozilla Firefox part, because my users can bugger off when they want to use something else. It works, but you should combine it with this: wiki/userspace:mozilla_nss
Otherwise the certificate is only valid for a _new_ profile, and you want to make the just generated certificate valid in all profiles.
Here is the code of the mozilla_nss package.
Code:
; This sourcecode is owned by uib
; and published under the Terms of the General Public License.
; credits: http://www.opsi.org/en/credits/
; Copyright (c) uib gmbh (www.uib.de)
[Actions]
DefVar $dummy$
DefVar $PREF_FILE$
DefVar $preftype$
DefStringList $profiles$
DefVar $akt_profile_ini$
DefVar $akt_prefs_path$
DefVar $AppData$
DefVar $rel_prefs_path$
DefVar $mozilla_userpath$
DefVar $INST_OpsiclientdCertificateFile$
DefVar $INST_OpsiclientdDir$
if getMsVersionInfo >= "6"
set $AppData$ = "\AppData\Roaming"
else
comment "not supported OS"
endif
Set $preftype$ = "user_pref"
Set $PREF_FILE$ = "prefs.js"
Set $INST_OpsiclientdDir$ = "%ProgramFiles32Dir%\opsi.org\opsi-client-agent\opsiclientd"
Set $INST_OpsiclientdCertificateFile$ = $INST_OpsiclientdDir$+"\opsiclientd.pem"
comment " Example for Mozilla Firefox"
; populate default db see section CertifikatMozillalösung
set $akt_prefs_path$ ="%ProgramFiles32Dir%\Mozilla Firefox\defaults\profile"
if ((NOT (FileExists($akt_prefs_path$+"\key3.db"))) OR (NOT (FileExists($akt_prefs_path$+"\cert8.db")))) OR (NOT (FileExists($akt_prefs_path$+"\secmod.db")))
;Files_copy_default_db
; https://developer.mozilla.org/en-US/docs/NSS_security_tools/certutil
; Creating New Security Databases
DosInAnIcon_createNewSecurityDatabase
endif
DosInAnIcon_certutil
Set $mozilla_userpath$ = "\Mozilla\Firefox"
comment "get user directories via dosbatch dir command"
Set $profiles$ = getOutStreamFromSection ('dosbatch_profiledir')
comment "loop over the result"
for $x$ in $profiles$ do sub_patch_prefs_file
comment " Example for Mozilla thunderbird"
; populate default db see section CertifikatMozillalösung
set $akt_prefs_path$ ="%ProgramFiles32Dir%\Mozilla Thunderbird\defaults\profile"
if ((NOT (FileExists($akt_prefs_path$+"\key3.db"))) OR (NOT (FileExists($akt_prefs_path$+"\cert8.db")))) OR (NOT (FileExists($akt_prefs_path$+"\secmod.db")))
;Files_copy_default_db
; https://developer.mozilla.org/en-US/docs/NSS_security_tools/certutil
; Creating New Security Databases
endif
DosInAnIcon_certutil
Set $mozilla_userpath$ = "\Thunderbird"
comment "get user directories via dosbatch dir command"
Set $profiles$ = getOutStreamFromSection ('dosbatch_profiledir')
comment "loop over the result"
for $x$ in $profiles$ do sub_patch_prefs_file
[comment " simple template for using mozilla nss tools "]
;http://www.mozilla.org/projects/security/pki/nss/tools/
;http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
[dosbatch_profiledir]
@echo off
dir "%ProfileDir%" /b
[sub_patch_prefs_file]
;Set $akt_profile_ini$ = "%ProfileDir%\"+"$x$"+$AppData$+"\Mozilla\Firefox\profiles.ini"
Set $akt_profile_ini$ = "%ProfileDir%\"+"$x$"+$AppData$+$mozilla_userpath$+"\profiles.ini"
if FileExists($akt_profile_ini$)
Set $rel_prefs_path$ = GetValueFromInifile($akt_profile_ini$,"Profile0","Path","")
; try to handle a profiles.ini whose prefs path is absolute, not relative
; http://kb.mozillazine.org/Profiles.ini_file
; profiles.ini IsRelative=1 (true) IsRelative=0 (false) for example Path=D:\Mozilla\Firefox\Profiles\sheldon
Set $dummy$ = GetValueFromInifile($akt_profile_ini$,"Profile0","IsRelative","")
if ( $dummy$ = "1" )
comment "relative path"
; build the path from $mozilla_userpath$ so the Thunderbird pass resolves its own profile directory
Set $akt_prefs_path$ = "%ProfileDir%\"+"$x$"+$AppData$+$mozilla_userpath$+"\"+$rel_prefs_path$
else
comment "absolute path"
Set $akt_prefs_path$ = $rel_prefs_path$
endif
endif
if ((NOT (FileExists($akt_prefs_path$+"\key3.db"))) OR (NOT (FileExists($akt_prefs_path$+"\cert8.db")))) OR (NOT (FileExists($akt_prefs_path$+"\secmod.db")))
;Files_copy_default_db
DosInAnIcon_createNewSecurityDatabase
endif
DosInAnIcon_certutil
endif
[DosInAnIcon_createNewSecurityDatabase]
%SCRIPTPATH%\nss-3.12.4\bin\certutil.exe -N -d "$akt_prefs_path$"
[DosInAnIcon_certutil]
%SCRIPTPATH%\nss-3.12.4\bin\certutil.exe -L -d "$akt_prefs_path$"
%SCRIPTPATH%\nss-3.12.4\bin\certutil.exe -A -n "certifikatOPSISERVER" -t "TC,TC,TC" -i %SCRIPTPATH%\opsiconfd.pem -d "$akt_prefs_path$"
%SCRIPTPATH%\nss-3.12.4\bin\certutil.exe -A -n "certifikatOPSIclientd" -t "TC,TC,TC" -i "$INST_OpsiclientdCertificateFile$" -d "$akt_prefs_path$"
%SCRIPTPATH%\nss-3.12.4\bin\certutil.exe -L -d "$akt_prefs_path$"
%SCRIPTPATH%\nss-3.12.4\bin\certutil.exe -L -n "certifikatOPSISERVER" -d "$akt_prefs_path$"
%SCRIPTPATH%\nss-3.12.4\bin\certutil.exe -L -n "certifikatOPSIclientd" -d "$akt_prefs_path$"
[Files_copy_default_db]
copy %SCRIPTPATH%\nss-3.12.4\db\*db "$akt_prefs_path$\"
[CertifikatMozillalösung]
https://mail.mozilla.org/pipermail/tb-enterprise/2011-September/000135.html
https://mail.mozilla.org/pipermail/tb-enterprise/2011-September/000139.html
I have noticed modutil with -create option will create a secmod.db,
cert8.db and key3.db (9?) files, unless you specify -nocertdb option.
I have put everything together in a few directories, and I have a thing which works. It's not a very recent version, but at least it works. If anybody wants I can put a .zip online somewhere with that directory.
Please write in German when I'm responding in the German-speaking part of the forum!
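An added example (not part of the posts above or of the uib package): a Python audit of `certutil -L` output that reports where the imported opsi certificates carry more trust than TLS server validation needs, as the `-t "TC,TC,TC"` import in the script grants. The sample listing and the nickname `opsi-ca` are constructed for illustration.

```python
import re

# Row of `certutil -L -d <db>`: nickname, then SSL,S/MIME,JAR-XPI trust flags.
ROW = re.compile(r"^(.*\S)\s+([pPcCTuw]*),([pPcCTuw]*),([pPcCTuw]*)\s*$")
CA_FLAGS = set("CT")  # C: trusted CA for server certs, T: trusted CA for client certs


def parse_listing(text):
    """Return {nickname: (ssl, email, objsign)} from certutil -L output."""
    entries = {}
    for line in text.splitlines():
        m = ROW.match(line)  # header lines contain no flag triple and are skipped
        if m:
            entries[m.group(1)] = m.groups()[1:]
    return entries


def audit(entries, nicknames):
    """List (nickname, problem) for watched certificates with missing or over-broad trust."""
    findings = []
    for nick in nicknames:
        if nick not in entries:
            findings.append((nick, "not present in this profile"))
            continue
        ssl, email, objsign = entries[nick]
        if not set(ssl) & set("PCT"):
            findings.append((nick, "no trusted SSL flag (P, C or T)"))
        if "T" in ssl:
            findings.append((nick, "may issue client-auth certificates"))
        if CA_FLAGS & set(email):
            findings.append((nick, "trusted as CA for S/MIME"))
        if CA_FLAGS & set(objsign):
            findings.append((nick, "trusted as CA for object signing"))
    return findings


# Constructed sample listing (not captured from a real system).
SAMPLE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

certifikatOPSISERVER                                         CT,CT,CT
certifikatOPSIclientd                                        C,,
"""

if __name__ == "__main__":
    # "opsi-ca" is a hypothetical nickname used to show the missing-entry case.
    watched = ["certifikatOPSISERVER", "certifikatOPSIclientd", "opsi-ca"]
    for nick, problem in audit(parse_listing(SAMPLE), watched):
        print(f"{nick}: {problem}")
```

Importing with narrower flags such as `C,,` limits the certificate to validating TLS servers and clears the S/MIME and object-signing findings.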