OPSI configed lässt sich nicht öffnen!

[islam]

Die OPSI Java Applet lässt sich im Web-Browser nicht mehr öffnen.
Die Meldung deutet auf ein abgelaufenes Zertifikat.

java.security.cert.CertPathValidatorException:Response is unreliable: its validity interval is out-of-date

[SisterOfMercy]

Please try to update your opsi-server. There has been an update, released about a week ago. Something to do with a out of date certificate in configed.

You could also try to put the url to your opsi server on the exception list. Control Panel -> Java -> Security -> edit site list. (Sorry, these are windows instructions only)

Or create your own certificate for configed and import that certificate in the java trustedcerts database.

[islam]

Thanks for the fast reply. Can you describe in detail how to do the last part you mentioned

Or create your own certificate for configed and import that certificate in the java trustedcerts database.

Thanks

[SisterOfMercy]

First step, create a certificate. I can't help you much with that, because I used the cacert.org services. That way I only have to import the root certificates of cacert.org. But for a single certificate it will probably work the same way.

Edit /etc/opsi/opsiconfd.conf, and especially these ones:

Code: Alles auswählen

ssl server cert = /etc/opsi/yourcert.pem
ssl server key = /etc/opsi/yourcert.pem

If you don't have certificate in .pem format you might have to convert it, but a lot of sites on the internet tell you how to do that. Maybe OPSI also knows other formats, I don't know about this, I'm not really experienced with this, but at least it works.

Also look here for the entry I created on the opsi wiki a while ago: wiki/userspace:java_runtime

Code: Alles auswählen

; Install cacert.org root certificates in java keystore
"%ProgramFiles64Dir%\Java\jre7\bin\keytool.exe" -noprompt -import -alias cacert-root -keystore "%ProgramFiles64Dir%\Java\jre7\lib\security\cacerts" -trustcacerts -file "%ScriptPath%\files\cacert.org-root.der" -storepass "changeit"
"%ProgramFiles64Dir%\Java\jre7\bin\keytool.exe" -noprompt -import -alias cacert-class3 -keystore "%ProgramFiles64Dir%\Java\jre7\lib\security\cacerts" -trustcacerts -file "%ScriptPath%\files\cacert.org-class3.der" -storepass "changeit"

You could rewrite this as:

Code: Alles auswählen

; Install yourcert certificate in java keystore
"%ProgramFiles64Dir%\Java\jre7\bin\keytool.exe" -noprompt -import -alias yourcert -keystore "%ProgramFiles64Dir%\Java\jre7\lib\security\cacerts" -trustcacerts -file "%ScriptPath%\files\yourcert.der" -storepass "changeit"

Again, you have to find out yourself how to convert the certificate to a .der type, and it probably can be any format, .pem will probably also work, I'm not sure. I only change the certificate once so often
But, you might get a bit further with this.

However, have you tried updating your opsi server?

[ueluekmen]

Hallo,

bitte checke mal ob dein opsiconfd-Zertifikat nicht vielleicht abgelaufen ist. Diese Meldung ist eigentlich die Vorstufe für die eigentliche Jar-Sign-Validation. Die Meldung sieht eher so aus, als wenn dein opsiconfd-Zertifkat abgelaufen wäre.

Der configed im Stable Bereich ist nun wieder gültig Signiert und sollte auch signiert bleiben, selbst wenn das Zertifikat mit welchem signiert wurde ausläuft.

[islam]

However, have you tried updating your opsi server?

I was not able to update the Server, because it had certificate problem updating from the opensuse repository,
which could be resolved by running this command found in opsi docs.

Code: Alles auswählen

wget -O - http://download.opensuse.org/repositories/home:/uibmz:/opsi:/opsi40/Debian_7.0/Release.key | apt-key add -

Afterwards the update worked and all is fine again.

Thanks a lot