
changing server from https to http

Posted: 08 Dec 2014, 16:10
by markbyrne
Hi
Just wondered if there was a quick way to change an existing OPSI server installation from using https to just http?
We are seeing invalid certificate errors, especially for the Kiosk mode, and would like to remove it from the customer experience.

Kind regards
Mark

Re: changing server from https to http

Posted: 08 Dec 2014, 17:14
by markbyrne
This link might be the answer, though:

wiki/userspace:zertifikats_import

Has anyone had any success with this approach?

Re: changing server from https to http

Posted: 09 Dec 2014, 10:38
by n.wenselowski
Hello Mark,

The problem is that the certificate on the client is not signed by a trusted authority.
The best solution is to provide the clients with a certificate that is signed by a known CA.

Running opsi without https is something we do not support and do not advise.


With kind regards

Niko

Re: changing server from https to http

Posted: 12 Dec 2014, 21:21
by SisterOfMercy
markbyrne wrote:
wiki/userspace:zertifikats_import
Has anyone had any success with this approach?
I do, but only the Mozilla Firefox part, because my users can bugger off when they want to use something else. It works, but you should combine it with this: wiki/userspace:mozilla_nss
Otherwise the certificate is only valid for a _new_ profile, and you want to make the just generated certificate valid in all profiles.

Here is the code of the mozilla_nss package.


; This sourcecode is owned by uib
; and published under the Terms of the General Public License.
; credits: http://www.opsi.org/en/credits/
; Copyright (c) uib gmbh (www.uib.de)

[Actions]
DefVar $dummy$
DefVar $PREF_FILE$
DefVar $preftype$
DefStringList $profiles$
DefVar $akt_profile_ini$
DefVar $akt_prefs_path$
DefVar $AppData$
DefVar $rel_prefs_path$
DefVar $mozilla_userpath$ 
DefVar $INST_OpsiclientdCertificateFile$
DefVar $INST_OpsiclientdDir$

if getMsVersionInfo >= "6"
	set $AppData$ = "\AppData\Roaming"
else
	comment "not supported OS"
endif

Set $preftype$ = "user_pref"
Set $PREF_FILE$ = "prefs.js"

Set $INST_OpsiclientdDir$  = "%ProgramFiles32Dir%\opsi.org\opsi-client-agent\opsiclientd"
Set $INST_OpsiclientdCertificateFile$ = $INST_OpsiclientdDir$+"\opsiclientd.pem"

comment " Example for Mozilla Firefox"
; populate the default db, see section CertifikatMozillalösung
set $akt_prefs_path$ = "%ProgramFiles32Dir%\Mozilla Firefox\defaults\profile"

if ((NOT (FileExists($akt_prefs_path$+"\key3.db"))) OR (NOT (FileExists($akt_prefs_path$+"\cert8.db")))) OR (NOT (FileExists($akt_prefs_path$+"\secmod.db")))
	; Files_copy_default_db
	; https://developer.mozilla.org/en-US/docs/NSS_security_tools/certutil
	; Creating New Security Databases
	DosInAnIcon_createNewSecurityDatabase
endif

DosInAnIcon_certutil

Set $mozilla_userpath$ = "\Mozilla\Firefox"
comment "get user directories via dosbatch dir command"
Set $profiles$ = getOutStreamFromSection ('dosbatch_profiledir')
comment "loop over the result"
for $x$ in $profiles$ do sub_patch_prefs_file

comment " Example for Mozilla Thunderbird"
; populate the default db, see section CertifikatMozillalösung
set $akt_prefs_path$ = "%ProgramFiles32Dir%\Mozilla Thunderbird\defaults\profile"

if ((NOT (FileExists($akt_prefs_path$+"\key3.db"))) OR (NOT (FileExists($akt_prefs_path$+"\cert8.db")))) OR (NOT (FileExists($akt_prefs_path$+"\secmod.db")))
	; Files_copy_default_db
	; https://developer.mozilla.org/en-US/docs/NSS_security_tools/certutil
	; Creating New Security Databases
	; the original post left this block empty; without the call the import below fails on a missing db
	DosInAnIcon_createNewSecurityDatabase
endif

DosInAnIcon_certutil

Set $mozilla_userpath$ = "\Thunderbird"
comment "get user directories via dosbatch dir command"
Set $profiles$ = getOutStreamFromSection ('dosbatch_profiledir')
comment "loop over the result"
for $x$ in $profiles$ do sub_patch_prefs_file

comment " simple template for using mozilla nss tools "
; http://www.mozilla.org/projects/security/pki/nss/tools/
; http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html

[dosbatch_profiledir]
@echo off
dir "%ProfileDir%" /b

[sub_patch_prefs_file]
; $mozilla_userpath$ is "\Mozilla\Firefox" or "\Thunderbird", set by the caller
Set $akt_profile_ini$ = "%ProfileDir%\"+"$x$"+$AppData$+$mozilla_userpath$+"\profiles.ini"
if FileExists($akt_profile_ini$)
	Set $rel_prefs_path$ = GetValueFromInifile($akt_profile_ini$,"Profile0","Path","")
	; handle a profiles.ini Path that is absolute rather than relative
	; http://kb.mozillazine.org/Profiles.ini_file
	; profiles.ini IsRelative=1 (true) IsRelative=0 (false), for example Path=D:\Mozilla\Firefox\Profiles\sheldon

	Set $dummy$ = GetValueFromInifile($akt_profile_ini$,"Profile0","IsRelative","")
	if ( $dummy$ = "1" )
		comment "relative path"
		; use $mozilla_userpath$ here too, so the Thunderbird run does not end up under \Mozilla\Firefox
		Set $akt_prefs_path$ = "%ProfileDir%\"+"$x$"+$AppData$+$mozilla_userpath$+"\"+$rel_prefs_path$
	else
		comment "absolute path"
		Set $akt_prefs_path$ = $rel_prefs_path$
	endif

	if ((NOT (FileExists($akt_prefs_path$+"\key3.db"))) OR (NOT (FileExists($akt_prefs_path$+"\cert8.db")))) OR (NOT (FileExists($akt_prefs_path$+"\secmod.db")))
		; Files_copy_default_db
		DosInAnIcon_createNewSecurityDatabase
	endif

	DosInAnIcon_certutil
endif

[DosInAnIcon_createNewSecurityDatabase]
%SCRIPTPATH%\nss-3.12.4\bin\certutil.exe -N -d "$akt_prefs_path$"

[DosInAnIcon_certutil]
%SCRIPTPATH%\nss-3.12.4\bin\certutil.exe -L -d "$akt_prefs_path$"
%SCRIPTPATH%\nss-3.12.4\bin\certutil.exe -A -n "certifikatOPSISERVER" -t "TC,TC,TC" -i %SCRIPTPATH%\opsiconfd.pem -d "$akt_prefs_path$"
%SCRIPTPATH%\nss-3.12.4\bin\certutil.exe -A -n "certifikatOPSIclientd" -t "TC,TC,TC" -i "$INST_OpsiclientdCertificateFile$" -d "$akt_prefs_path$"
%SCRIPTPATH%\nss-3.12.4\bin\certutil.exe -L -d "$akt_prefs_path$"
%SCRIPTPATH%\nss-3.12.4\bin\certutil.exe -L -n "certifikatOPSISERVER" -d "$akt_prefs_path$"
%SCRIPTPATH%\nss-3.12.4\bin\certutil.exe -L -n "certifikatOPSIclientd" -d "$akt_prefs_path$"

[Files_copy_default_db]
copy %SCRIPTPATH%\nss-3.12.4\db\*db "$akt_prefs_path$\"


[CertifikatMozillalösung]
https://mail.mozilla.org/pipermail/tb-enterprise/2011-September/000135.html
https://mail.mozilla.org/pipermail/tb-enterprise/2011-September/000139.html

I have noticed modutil with -create option will create a secmod.db,
cert8.db and key3.db (9?) files, unless you specify -nocertdb option.
Well, you also need a binary version of Mozilla NSS. You might get it here: http://certificate.fyicenter.com/389_Mo ... indow.html
I have put everything together in a few directories, and I have a thing which works. It's not a very recent version, but at least it works. If anybody wants I can put a .zip online somewhere with that directory.
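The profile lookup and certutil import that the opsi script above performs, written out as an added Python example (not the uib package code or anything from opsi). It parses a constructed profiles.ini, applies the IsRelative rule the script handles, and builds the certutil command lines without running them; the Mozilla directory path, the nickname and the certificate file name are illustrative.

```python
"""Resolve Mozilla profile directories from profiles.ini and build the NSS
certutil calls that import a CA certificate into each profile."""
import configparser

# Constructed sample profiles.ini: one relative profile, one absolute one.
SAMPLE_PROFILES_INI = """[General]
StartWithLastProfile=1

[Profile0]
Name=default
IsRelative=1
Path=Profiles/a1b2c3d4.default
Default=1

[Profile1]
Name=shared
IsRelative=0
Path=D:\\Mozilla\\Firefox\\Profiles\\sheldon
"""

# Legacy NSS database files; if any is missing, the profile has no usable db yet.
NSS_DB_FILES = ("key3.db", "cert8.db", "secmod.db")


def resolve_profile_dirs(ini_text, mozilla_dir):
    """Return one absolute directory per [ProfileN] section. IsRelative=1 paths
    are joined to the directory holding profiles.ini, IsRelative=0 are kept."""
    cp = configparser.RawConfigParser()  # Raw: no '%' interpolation of values
    cp.read_string(ini_text)
    dirs = []
    for section in cp.sections():
        if not section.startswith("Profile"):
            continue
        path = cp.get(section, "Path").replace("/", "\\")
        if cp.get(section, "IsRelative", fallback="1") == "1":
            path = mozilla_dir.rstrip("\\") + "\\" + path
        dirs.append(path)
    return dirs


def certutil_commands(profile_dir, cert_file, nickname, existing_files=()):
    """certutil argument lists for one profile: create the db (-N) only when a
    legacy NSS file is missing, then import the CA (-A). Trust "TC,TC,TC" marks
    it a trusted CA for server (C) and client (T) certs for SSL, e-mail, signing."""
    cmds = []
    if not all(f in existing_files for f in NSS_DB_FILES):
        cmds.append(["certutil", "-N", "-d", profile_dir])
    cmds.append(["certutil", "-A", "-n", nickname, "-t", "TC,TC,TC",
                 "-i", cert_file, "-d", profile_dir])
    return cmds
```

Note that certutil -N prompts for a database password when run interactively, which is why the opsi script calls it from a DosInAnIcon section; check the NSS version you ship for its non-interactive options before automating it.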